itest: add gRPC certificate and auth tests

guggero · guggero · commit 2ada1f16fa84 · 2022-02-08T15:33:17.000+01:00
diff --git a/itest/litd_mode_integrated_test.go b/itest/litd_mode_integrated_test.go
@@ -2,10 +2,125 @@ package itest
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/hex"
+	"fmt"
+	"io/ioutil"
+	"testing"
 
 	"github.com/btcsuite/btcutil"
+	"github.com/lightninglabs/faraday/frdrpc"
+	"github.com/lightninglabs/loop/looprpc"
+	"github.com/lightninglabs/pool/poolrpc"
 	"github.com/lightningnetwork/lnd/lnrpc"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/net/http2"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
+	"gopkg.in/macaroon.v2"
+)
+
+// requestFn is a function type for a helper function that makes a daemon
+// specific request and returns the response and error for it. This is used to
+// abstract away the lnd/faraday/loop/pool specific gRPC code from the actual
+// test code.
+type requestFn func(ctx context.Context,
+	c grpc.ClientConnInterface) (proto.Message, error)
+
+// macaroonFn is a function that returns the correct macaroon path for each of
+// the integrated daemons.
+type macaroonFn func(cfg *LitNodeConfig) string
+
+var (
+	dummyMac      = makeMac()
+	dummyMacBytes = serializeMac(dummyMac)
+
+	marshalOptions = &protojson.MarshalOptions{
+		UseProtoNames:   true,
+		EmitUnpopulated: true,
+	}
+
+	transport = &http2.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+
+	lndRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		lndConn := lnrpc.NewLightningClient(c)
+		return lndConn.GetInfo(
+			ctx, &lnrpc.GetInfoRequest{},
+		)
+	}
+	lndMacaroonFn = func(cfg *LitNodeConfig) string {
+		return cfg.AdminMacPath
+	}
+	faradayRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		frdConn := frdrpc.NewFaradayServerClient(c)
+		return frdConn.RevenueReport(
+			ctx, &frdrpc.RevenueReportRequest{},
+		)
+	}
+	faradayMacaroonFn = func(cfg *LitNodeConfig) string {
+		return cfg.FaradayMacPath
+	}
+	loopRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		loopConn := looprpc.NewSwapClientClient(c)
+		return loopConn.ListSwaps(
+			ctx, &looprpc.ListSwapsRequest{},
+		)
+	}
+	loopMacaroonFn = func(cfg *LitNodeConfig) string {
+		return cfg.LoopMacPath
+	}
+	poolRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		poolConn := poolrpc.NewTraderClient(c)
+		return poolConn.GetInfo(
+			ctx, &poolrpc.GetInfoRequest{},
+		)
+	}
+	poolMacaroonFn = func(cfg *LitNodeConfig) string {
+		return cfg.PoolMacPath
+	}
+
+	endpoints = []struct {
+		name           string
+		macaroonFn     macaroonFn
+		requestFn      requestFn
+		successPattern string
+	}{{
+		name:           "lnrpc",
+		macaroonFn:     lndMacaroonFn,
+		requestFn:      lndRequestFn,
+		successPattern: "\"identity_pubkey\":\"0",
+	}, {
+		name:           "frdrpc",
+		macaroonFn:     faradayMacaroonFn,
+		requestFn:      faradayRequestFn,
+		successPattern: "\"reports\":[]",
+	}, {
+		name:           "looprpc",
+		macaroonFn:     loopMacaroonFn,
+		requestFn:      loopRequestFn,
+		successPattern: "\"swaps\":[]",
+	}, {
+		name:           "poolrpc",
+		macaroonFn:     poolMacaroonFn,
+		requestFn:      poolRequestFn,
+		successPattern: "\"accounts_active\":0",
+	}}
 )
 
 // testModeIntegrated makes sure that in integrated mode all daemons work
@@ -21,4 +136,157 @@ func testModeIntegrated(net *NetworkHarness, t *harnessTest) {
 	resp, err := net.Alice.GetInfo(ctx, &lnrpc.GetInfoRequest{})
 	require.NoError(t.t, err)
 	require.NotEmpty(t.t, resp.Alias)
+	require.Contains(t.t, resp.Alias, "0")
+
+	t.t.Run("certificate check", func(tt *testing.T) {
+		runCertificateCheck(tt, net.Alice)
+	})
+	t.t.Run("gRPC macaroon auth check", func(tt *testing.T) {
+		cfg := net.Alice.Cfg
+
+		for _, endpoint := range endpoints {
+			endpoint := endpoint
+			tt.Run(endpoint.name+" lnd port", func(ttt *testing.T) {
+				runGRPCAuthTest(
+					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
+					endpoint.macaroonFn(cfg),
+					endpoint.requestFn,
+					endpoint.successPattern,
+				)
+			})
+
+			tt.Run(endpoint.name+" lit port", func(ttt *testing.T) {
+				runGRPCAuthTest(
+					ttt, cfg.LitAddr(), cfg.TLSCertPath,
+					endpoint.macaroonFn(cfg),
+					endpoint.requestFn,
+					endpoint.successPattern,
+				)
+			})
+		}
+	})
+}
+
+// runCertificateCheck checks that the TLS certificates presented to clients are
+// what we expect them to be.
+func runCertificateCheck(t *testing.T, node *HarnessNode) {
+	// In integrated mode we expect the LiT HTTPS port (8443 by default) and
+	// lnd's RPC port to present the same certificate, namely lnd's TLS
+	// cert.
+	litCerts, err := getServerCertificates(node.Cfg.LitAddr())
+	require.NoError(t, err)
+	require.Len(t, litCerts, 1)
+	require.Equal(
+		t, "lnd autogenerated cert", litCerts[0].Issuer.Organization[0],
+	)
+
+	lndCerts, err := getServerCertificates(node.Cfg.RPCAddr())
+	require.NoError(t, err)
+	require.Len(t, lndCerts, 1)
+	require.Equal(
+		t, "lnd autogenerated cert", lndCerts[0].Issuer.Organization[0],
+	)
+
+	require.Equal(t, litCerts[0].Raw, lndCerts[0].Raw)
+}
+
+// runGRPCAuthTest tests authentication of the given gRPC interface.
+func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
+	makeRequest requestFn, successContent string) {
+
+	ctxb := context.Background()
+	ctxt, cancel := context.WithTimeout(ctxb, defaultTimeout)
+	defer cancel()
+
+	rawConn, err := connectRPC(ctxt, hostPort, tlsCertPath)
+	require.NoError(t, err)
+
+	// We have a connection without any macaroon. A call should fail.
+	_, err = makeRequest(ctxt, rawConn)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "expected 1 macaroon, got 0")
+
+	// Add dummy data as the macaroon, that should fail as well.
+	ctxm := macaroonContext(ctxt, []byte("dummy"))
+	_, err = makeRequest(ctxm, rawConn)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "packet too short")
+
+	// Add a macaroon that can be parsed but that's not issued by lnd, which
+	// should also fail.
+	ctxm = macaroonContext(ctxt, dummyMacBytes)
+	_, err = makeRequest(ctxm, rawConn)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "cannot get macaroon: root key with")
+
+	// Then finally we try with the correct macaroon which should now
+	// succeed.
+	macBytes, err := ioutil.ReadFile(macPath)
+	require.NoError(t, err)
+	ctxm = macaroonContext(ctxt, macBytes)
+	resp, err := makeRequest(ctxm, rawConn)
+	require.NoError(t, err)
+
+	json, err := marshalOptions.Marshal(resp)
+	require.NoError(t, err)
+	require.Contains(t, string(json), successContent)
+}
+
+// getServerCertificates returns the TLS certificates that a server presents to
+// clients.
+func getServerCertificates(hostPort string) ([]*x509.Certificate, error) {
+	// We don't care about the validity of the certificate, we just want to
+	// download it.
+	conn, err := tls.Dial("tcp", hostPort, transport.TLSClientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("error dialing %s: %v", hostPort, err)
+	}
+	defer func() {
+		_ = conn.Close()
+	}()
+
+	return conn.ConnectionState().PeerCertificates, nil
+}
+
+func macaroonContext(ctx context.Context, macBytes []byte) context.Context {
+	md := metadata.MD{}
+	if len(macBytes) > 0 {
+		md["macaroon"] = []string{hex.EncodeToString(macBytes)}
+	}
+	return metadata.NewOutgoingContext(ctx, md)
+}
+
+func makeMac() *macaroon.Macaroon {
+	dummyMac, err := macaroon.New(
+		[]byte("aabbccddeeff00112233445566778899"), []byte("AA=="),
+		"LSAT", macaroon.LatestVersion,
+	)
+	if err != nil {
+		panic(fmt.Errorf("unable to create macaroon: %v", err))
+	}
+	return dummyMac
+}
+
+func serializeMac(mac *macaroon.Macaroon) []byte {
+	macBytes, err := mac.MarshalBinary()
+	if err != nil {
+		panic(fmt.Errorf("unable to serialize macaroon: %v", err))
+	}
+	return macBytes
+}
+
+func connectRPC(ctx context.Context, hostPort,
+	tlsCertPath string) (*grpc.ClientConn, error) {
+
+	tlsCreds, err := credentials.NewClientTLSFromFile(tlsCertPath, "")
+	if err != nil {
+		return nil, err
+	}
+
+	opts := []grpc.DialOption{
+		grpc.WithBlock(),
+		grpc.WithTransportCredentials(tlsCreds),
+	}
+
+	return grpc.DialContext(ctx, hostPort, opts...)
 }
