multi: implement BakeSuperMacaroon method

Author: ellemouton

perms/permissions.go

@@ -68,6 +68,10 @@ var (
 			Entity: "proxy",
 			Action: "read",
 		}},
+		"/litrpc.Proxy/BakeSuperMacaroon": {{
+			Entity: "supermacaroon",
+			Action: "write",
+		}},
 	}
 
 	// whiteListedLNDMethods is a map of all lnd RPC methods that don't

rpc_proxy.go

@@ -157,6 +157,8 @@ type rpcProxy struct {
 	permsMgr     *perms.Manager
 	subServerMgr *subservers.Manager
 
+	bakeSuperMac bakeSuperMac
+
 	macValidator      macaroons.MacaroonValidator
 	superMacValidator session.SuperMacaroonValidator
 
@@ -168,9 +170,15 @@ type rpcProxy struct {
 	grpcWebProxy *grpcweb.WrappedGrpcServer
 }
 
+// bakeSuperMac can be used to bake a new super macaroon.
+type bakeSuperMac func(ctx context.Context, rootKeyID uint32) (string, error)
+
 // Start creates initial connection to lnd.
-func (p *rpcProxy) Start(lndConn *grpc.ClientConn) error {
+func (p *rpcProxy) Start(lndConn *grpc.ClientConn,
+	bakeSuperMac bakeSuperMac) error {
+
 	p.lndConn = lndConn
+	p.bakeSuperMac = bakeSuperMac
 
 	atomic.CompareAndSwapInt32(&p.started, 0, 1)
 
@@ -215,6 +223,28 @@ func (p *rpcProxy) GetInfo(_ context.Context, _ *litrpc.GetInfoRequest) (
 	}, nil
 }
 
+// BakeSuperMacaroon bakes a new macaroon that includes permissions for
+// all the active daemons that LiT is connected to.
+//
+// NOTE: this is part of the litrpc.ProxyServiceServer interface.
+func (p *rpcProxy) BakeSuperMacaroon(ctx context.Context,
+	req *litrpc.BakeSuperMacaroonRequest) (
+	*litrpc.BakeSuperMacaroonResponse, error) {
+
+	if !p.hasStarted() {
+		return nil, ErrWaitingToStart
+	}
+
+	superMac, err := p.bakeSuperMac(ctx, req.RootKeyIdSuffix)
+	if err != nil {
+		return nil, err
+	}
+
+	return &litrpc.BakeSuperMacaroonResponse{
+		Macaroon: superMac,
+	}, nil
+}
+
 // isHandling checks if the specified request is something to be handled by lnd
 // or any of the attached sub daemons. If true is returned, the call was handled
 // by the RPC proxy and the caller MUST NOT handle it again. If false is

terminal.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"embed"
+	"encoding/binary"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -496,9 +497,25 @@ func (g *LightningTerminal) start() error {
 			err)
 	}
 
+	// bakeSuperMac is a closure that can be used to bake a new super
+	// macaroon that contains all active permissions.
+	bakeSuperMac := func(ctx context.Context, rootKeyIDSuffix uint32) (
+		string, error) {
+
+		var suffixBytes [4]byte
+		binary.BigEndian.PutUint32(suffixBytes[:], rootKeyIDSuffix)
+
+		rootKeyID := session.NewSuperMacaroonRootKeyID(suffixBytes)
+
+		return BakeSuperMacaroon(
+			ctx, g.basicClient, rootKeyID,
+			g.permsMgr.ActivePermissions(false), nil,
+		)
+	}
+
 	// Now start the RPC proxy that will handle all incoming gRPC, grpc-web
 	// and REST requests.
-	if err := g.rpcProxy.Start(g.lndConn); err != nil {
+	if err := g.rpcProxy.Start(g.lndConn, bakeSuperMac); err != nil {
 		return fmt.Errorf("error starting lnd gRPC proxy server: %v",
 			err)
 	}