Merge pull request #4473 from yyforyongyu/allow-no-auth-private-addr

lncfg: allow no auth on private addresses

config.go

@@ -170,7 +170,7 @@ type Config struct {
 	TLSAutoRefresh     bool     `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
 	TLSDisableAutofill bool     `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set"`
 
-	NoMacaroons     bool          `long:"no-macaroons" description:"Disable macaroon authentication"`
+	NoMacaroons     bool          `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
 	AdminMacPath    string        `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
 	ReadMacPath     string        `long:"readonlymacaroonpath" description:"Path to write the read-only macaroon for lnd's RPC and REST services if it doesn't exist"`
 	InvoiceMacPath  string        `long:"invoicemacaroonpath" description:"Path to the invoice-only macaroon for lnd's RPC and REST services if it doesn't exist"`

docs/macaroons.md

@@ -81,7 +81,14 @@ methods. This means a few important things:
 You can also run `lnd` with the `--no-macaroons` option, which skips the
 creation of the macaroon files and all macaroon checks within the RPC server.
 This means you can still pass a macaroon to the RPC server with a client, but
-it won't be checked for validity.
+it won't be checked for validity. Note that disabling authentication of a server
+that's listening on a public interface is not allowed. This means the
+`--no-macaroons` option is only permitted when the RPC server is in a private
+network. In CIDR notation, the following IPs are considered private,
+- [`169.254.0.0/16` and `fe80::/10`](https://en.wikipedia.org/wiki/Link-local_address).
+- [`224.0.0.0/4` and `ff00::/8`](https://en.wikipedia.org/wiki/Multicast_address).
+- [`10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`](https://tools.ietf.org/html/rfc1918).
+- [`fc00::/7`](https://tools.ietf.org/html/rfc4193).
 
 Since `lnd` requires macaroons by default in order to call RPC methods, `lncli`
 now reads a macaroon and provides it in the RPC call. Unless the path is

lncfg/address.go

@@ -54,10 +54,10 @@ func NormalizeAddresses(addrs []string, defaultPort string,
 // interface.
 func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
 	// We'll now examine all addresses that this RPC server is listening
-	// on. If it's a localhost address, we'll skip it, otherwise, we'll
-	// return an error if macaroons are inactive.
+	// on. If it's a localhost address or a private address, we'll skip it,
+	// otherwise, we'll return an error if macaroons are inactive.
 	for _, addr := range addrs {
-		if IsLoopback(addr.String()) || IsUnix(addr) {
+		if IsLoopback(addr.String()) || IsUnix(addr) || IsPrivate(addr) {
 			continue
 		}
 
@@ -117,6 +117,39 @@ func IsUnix(addr net.Addr) bool {
 	return strings.HasPrefix(addr.Network(), "unix")
 }
 
+// IsPrivate returns true if the address is private. The definitions are,
+//   https://en.wikipedia.org/wiki/Link-local_address
+//   https://en.wikipedia.org/wiki/Multicast_address
+//   Local IPv4 addresses, https://tools.ietf.org/html/rfc1918
+//   Local IPv6 addresses, https://tools.ietf.org/html/rfc4193
+func IsPrivate(addr net.Addr) bool {
+	switch addr := addr.(type) {
+	case *net.TCPAddr:
+		// Check 169.254.0.0/16 and fe80::/10.
+		if addr.IP.IsLinkLocalUnicast() {
+			return true
+		}
+
+		// Check 224.0.0.0/4 and ff00::/8.
+		if addr.IP.IsLinkLocalMulticast() {
+			return true
+		}
+
+		// Check 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
+		if ip4 := addr.IP.To4(); ip4 != nil {
+			return ip4[0] == 10 ||
+				(ip4[0] == 172 && ip4[1]&0xf0 == 16) ||
+				(ip4[0] == 192 && ip4[1] == 168)
+		}
+
+		// Check fc00::/7.
+		return len(addr.IP) == net.IPv6len && addr.IP[0]&0xfe == 0xfc
+
+	default:
+		return false
+	}
+}
+
 // ParseAddressString converts an address in string format to a net.Addr that is
 // compatible with lnd. UDP is not supported because lnd needs reliable
 // connections. We accept a custom function to resolve any TCP addresses so

lncfg/address_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/btcsuite/btcd/btcec"
+	"github.com/stretchr/testify/require"
 )
 
 // addressTest defines a test vector for an address that contains the non-
@@ -265,3 +266,57 @@ func validateAddr(t *testing.T, addr net.Addr, test addressTest) {
 		)
 	}
 }
+
+func TestIsPrivate(t *testing.T) {
+	nonPrivateIPList := []net.IP{
+		net.IPv4(169, 255, 0, 0),
+		{0xfe, 0x79, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+		net.IPv4(225, 0, 0, 0),
+		{0xff, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+		net.IPv4(11, 0, 0, 0),
+		net.IPv4(172, 15, 0, 0),
+		net.IPv4(192, 169, 0, 0),
+		{0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+		net.IPv4(8, 8, 8, 8),
+		{2, 0, 0, 1, 4, 8, 6, 0, 4, 8, 6, 0, 8, 8, 8, 8},
+	}
+	privateIPList := []net.IP{
+		net.IPv4(169, 254, 0, 0),
+		{0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+		net.IPv4(224, 0, 0, 0),
+		{0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+		net.IPv4(10, 0, 0, 1),
+		net.IPv4(172, 16, 0, 1),
+		net.IPv4(172, 31, 255, 255),
+		net.IPv4(192, 168, 0, 1),
+		{0xfc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+	}
+
+	testParams := []struct {
+		name    string
+		ipList  []net.IP
+		private bool
+	}{
+		{
+			"Non-private addresses should return false",
+			nonPrivateIPList, false,
+		},
+		{
+			"Private addresses should return true",
+			privateIPList, true,
+		},
+	}
+
+	for _, tt := range testParams {
+		test := tt
+		t.Run(test.name, func(t *testing.T) {
+			for _, ip := range test.ipList {
+				addr := &net.TCPAddr{IP: ip}
+				require.Equal(
+					t, test.private, IsPrivate(addr),
+					"expected IP: %s to be %v", ip, test.private,
+				)
+			}
+		})
+	}
+}