session: add super macaroon root key ID

guggero · ellemouton · commit 1ff2411cfecc · 2022-02-15T10:41:43.000Z
Whenever we bake a supermacaroon, we want it to be recognizable as such.
For that we use the 64bit unsigned integer that is used as the
macaroon's storage ID (or root key ID) and set the first 4 bytes to a
specific value that we can detect later on.
diff --git a/session/interface.go b/session/interface.go
@@ -1,7 +1,6 @@
 package session
 
 import (
-	"encoding/binary"
 	"fmt"
 	"time"
 
@@ -69,7 +68,10 @@ func NewSession(label string, typ Type, expiry time.Time, serverAddr string,
 		return nil, fmt.Errorf("error deriving private key: %v", err)
 	}
 	pubKey := privateKey.PubKey()
-	macRootKey := binary.BigEndian.Uint64(pubKey.SerializeCompressed()[0:8])
+
+	var macRootKeyBase [4]byte
+	copy(macRootKeyBase[:], pubKey.SerializeCompressed())
+	macRootKey := NewSuperMacaroonRootKeyID(macRootKeyBase)
 
 	sess := &Session{
 		Label:           label,
diff --git a/session/macaroon.go b/session/macaroon.go
@@ -0,0 +1,80 @@
+package session
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/hex"
+	"strconv"
+
+	"github.com/lightningnetwork/lnd/lnrpc"
+	"google.golang.org/protobuf/proto"
+	"gopkg.in/macaroon-bakery.v2/bakery"
+	"gopkg.in/macaroon.v2"
+)
+
+var (
+	// SuperMacaroonRootKeyPrefix is the prefix we set on a super macaroon's
+	// root key to clearly mark it as such.
+	SuperMacaroonRootKeyPrefix = [4]byte{0xFF, 0xEE, 0xDD, 0xCC}
+)
+
+// NewSuperMacaroonRootKeyID returns a new macaroon root key ID that has the
+// prefix to mark it as a super macaroon root key.
+func NewSuperMacaroonRootKeyID(id [4]byte) uint64 {
+	rootKeyBytes := make([]byte, 8)
+	copy(rootKeyBytes[:], SuperMacaroonRootKeyPrefix[:])
+	copy(rootKeyBytes[4:], id[:])
+	return binary.BigEndian.Uint64(rootKeyBytes)
+}
+
+// ParseMacaroon parses a hex encoded macaroon into its native struct.
+func ParseMacaroon(macHex string) (*macaroon.Macaroon, error) {
+	macBytes, err := hex.DecodeString(macHex)
+	if err != nil {
+		return nil, err
+	}
+
+	mac := &macaroon.Macaroon{}
+	if err := mac.UnmarshalBinary(macBytes); err != nil {
+		return nil, err
+	}
+
+	return mac, nil
+}
+
+// IsSuperMacaroon returns true if the given hex encoded macaroon is a super
+// macaroon baked by LiT which can be identified by its root key ID.
+func IsSuperMacaroon(macHex string) bool {
+	mac, err := ParseMacaroon(macHex)
+	if err != nil {
+		return false
+	}
+
+	rawID := mac.Id()
+	if rawID[0] != byte(bakery.LatestVersion) {
+		return false
+	}
+	decodedID := &lnrpc.MacaroonId{}
+	idProto := rawID[1:]
+	err = proto.Unmarshal(idProto, decodedID)
+	if err != nil {
+		return false
+	}
+
+	// The storage ID is a string representation of a 64bit unsigned number.
+	rootKeyID, err := strconv.ParseUint(string(decodedID.StorageId), 10, 64)
+	if err != nil {
+		return false
+	}
+
+	return isSuperMacaroonRootKeyID(rootKeyID)
+}
+
+// isSuperMacaroonRootKeyID returns true if the given macaroon root key ID (also
+// known as storage ID) is a super macaroon, which can be identified by its
+// first 4 bytes.
+func isSuperMacaroonRootKeyID(rootKeyID uint64) bool {
+	rootKeyBytes := make([]byte, 8)
+	binary.BigEndian.PutUint64(rootKeyBytes, rootKeyID)
+	return bytes.HasPrefix(rootKeyBytes, SuperMacaroonRootKeyPrefix[:])
+}
diff --git a/session/macaroon_test.go b/session/macaroon_test.go
@@ -0,0 +1,37 @@
+package session
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	// testMacHex is a read-only supermacaroon.
+	testMacHex = "0201036c6e6402f802030a1011540404373b4d0b3682b15ea7af60c" +
+		"c121431383434313932313339323432393138343738341a0f0a076163636" +
+		"f756e741204726561641a0f0a0761756374696f6e1204726561641a0d0a0" +
+		"561756469741204726561641a0c0a04617574681204726561641a0c0a046" +
+		"96e666f1204726561641a100a08696e7369676874731204726561641a100" +
+		"a08696e766f696365731204726561641a0f0a046c6f6f701202696e12036" +
+		"f75741a100a086d616361726f6f6e1204726561641a0f0a076d657373616" +
+		"7651204726561641a100a086f6666636861696e1204726561641a0f0a076" +
+		"f6e636861696e1204726561641a0d0a056f726465721204726561641a0d0" +
+		"a0570656572731204726561641a0d0a0572617465731204726561641a160" +
+		"a0e7265636f6d6d656e646174696f6e1204726561641a0e0a067265706f7" +
+		"2741204726561641a130a0b73756767657374696f6e731204726561641a0" +
+		"c0a04737761701204726561641a0d0a057465726d7312047265616400000" +
+		"6202362c91888e95dfbbf1eb995bd0fef2b549e2de7f4e9fa11aff445273" +
+		"60a6caf"
+)
+
+func TestSuperMacaroonRootKeyID(t *testing.T) {
+	someBytes := [4]byte{02, 03, 44, 88}
+	rootKeyID := NewSuperMacaroonRootKeyID(someBytes)
+	require.True(t, isSuperMacaroonRootKeyID(rootKeyID))
+	require.False(t, isSuperMacaroonRootKeyID(123))
+}
+
+func TestIsSuperMacaroon(t *testing.T) {
+	require.True(t, IsSuperMacaroon(testMacHex))
+}
