wasm: update HasPermissions to account for custom perms

This commit updates the HasPermissions function to account for the case
where the session has custom permissions which would specify "uri" as
the permission entity and the actual URI as the permission action.

Author: ellemouton

cmd/wasm-client/main.go

@@ -35,6 +35,7 @@ import (
 	"github.com/lightningnetwork/lnd/lnrpc/walletrpc"
 	"github.com/lightningnetwork/lnd/lnrpc/watchtowerrpc"
 	"github.com/lightningnetwork/lnd/lnrpc/wtclientrpc"
+	"github.com/lightningnetwork/lnd/macaroons"
 	"github.com/lightningnetwork/lnd/signal"
 	"google.golang.org/grpc"
 	"gopkg.in/macaroon-bakery.v2/bakery"
@@ -119,6 +120,7 @@ func main() {
 	callbacks.Set("wasmClientGetExpiry", js.FuncOf(wc.GetExpiry))
 	callbacks.Set("wasmClientHasPerms", js.FuncOf(wc.HasPermissions))
 	callbacks.Set("wasmClientIsReadOnly", js.FuncOf(wc.IsReadOnly))
+	callbacks.Set("wasmClientIsCustom", js.FuncOf(wc.IsCustom))
 	js.Global().Set(cfg.NameSpace, callbacks)
 
 	for _, registration := range registrations {
@@ -353,6 +355,32 @@ func (w *wasmClient) IsReadOnly(_ js.Value, _ []js.Value) interface{} {
 	return js.ValueOf(isReadOnly(macOps))
 }
 
+func (w *wasmClient) IsCustom(_ js.Value, _ []js.Value) interface{} {
+	if w.mac == nil {
+		log.Errorf("macaroon not obtained yet. IsCustom should " +
+			"only be called once the connection is complete")
+		return js.ValueOf(false)
+	}
+
+	macOps, err := extractMacaroonOps(w.mac)
+	if err != nil {
+		log.Errorf("could not extract macaroon ops: %v", err)
+		return js.ValueOf(false)
+	}
+
+	// We consider a session type to be "custom" if it has any permissions
+	// with the "uri" entity.
+	var isCustom bool
+	for _, op := range macOps {
+		if op.Entity == macaroons.PermissionEntityCustomURI {
+			isCustom = true
+			break
+		}
+	}
+
+	return js.ValueOf(isCustom)
+}
+
 func (w *wasmClient) HasPermissions(_ js.Value, args []js.Value) interface{} {
 	if len(args) != 1 {
 		return js.ValueOf(false)
@@ -385,7 +413,7 @@ func (w *wasmClient) HasPermissions(_ js.Value, args []js.Value) interface{} {
 
 	// Check that the macaroon contains each of the required permissions
 	// for the given URI.
-	return js.ValueOf(hasPermissions(macOps, ops))
+	return js.ValueOf(hasPermissions(uri, macOps, ops))
 }
 
 // extractMacaroonOps is a helper function that extracts operations from the
@@ -421,14 +449,27 @@ func isReadOnly(ops []*lnrpc.Op) bool {
 
 // hasPermissions returns true if all the operations in requiredOps can also be
 // found in macOps.
-func hasPermissions(macOps []*lnrpc.Op, requiredOps []bakery.Op) bool {
+func hasPermissions(uri string, macOps []*lnrpc.Op,
+	requiredOps []bakery.Op) bool {
+
 	// Create a lookup map of the macaroon operations.
 	macOpsMap := make(map[string]map[string]bool)
 	for _, op := range macOps {
 		macOpsMap[op.Entity] = make(map[string]bool)
 
 		for _, action := range op.Actions {
 			macOpsMap[op.Entity][action] = true
+
+			// We account here for the special case where the
+			// operation gives access to an entire URI. This is the
+			// case when the Entity is equal to the "uri" keyword
+			// and when the Action is equal to the URI that access
+			// is being granted to.
+			if op.Entity == macaroons.PermissionEntityCustomURI &&
+				action == uri {
+
+				return true
+			}
 		}
 	}
 

example/index.html

@@ -189,8 +189,11 @@
         }
 
         // Determine if the session is a read only session.
-        let readOnly = window[namespace].wasmClientIsReadOnly();
-        if (readOnly) {
+        let readOnlySession = window[namespace].wasmClientIsReadOnly();
+        let customSession = window[namespace].wasmClientIsCustom();
+        if (customSession) {
+            document.getElementById('sessiontype').textContent = "This is a Custom Session"
+        } else if (readOnlySession) {
             document.getElementById('sessiontype').textContent = "This is a Read-Only Session"
         } else {
             document.getElementById('sessiontype').textContent = "This is an Admin Session"