Skip to content

Commit 36c524d

Browse files
guggeroguggero
committed
terminal: extract validateSuperMacaroon
1 parent 43ed7ed commit 36c524d

File tree

1 file changed

+41
-26
lines changed

1 file changed

+41
-26
lines changed

terminal.go

Lines changed: 41 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -659,33 +659,9 @@ func (g *LightningTerminal) ValidateMacaroon(ctx context.Context,
659659
return err
660660
}
661661

662-
// If we haven't connected to lnd yet, we can't check the super
663-
// macaroon. The user will need to wait a bit.
664-
if g.lndClient == nil {
665-
return fmt.Errorf("cannot validate macaroon, not yet " +
666-
"connected to lnd, please wait")
667-
}
668-
669-
// Convert permissions to the form that lndClient will accept.
670-
permissions := make(
671-
[]lndclient.MacaroonPermission, len(requiredPermissions),
662+
return g.validateSuperMacaroon(
663+
ctx, macBytes, requiredPermissions, fullMethod,
672664
)
673-
for idx, perm := range requiredPermissions {
674-
permissions[idx] = lndclient.MacaroonPermission{
675-
Entity: perm.Entity,
676-
Action: perm.Action,
677-
}
678-
}
679-
680-
res, err := g.lndClient.Client.CheckMacaroonPermissions(
681-
ctx, macBytes, permissions, fullMethod,
682-
)
683-
if !res {
684-
return fmt.Errorf("macaroon is not valid, returned %v",
685-
res)
686-
}
687-
688-
return err
689665
}
690666

691667
// Validate all macaroons for services that are running in the local
@@ -1129,6 +1105,45 @@ func (g *LightningTerminal) createRESTProxy() error {
11291105
return nil
11301106
}
11311107

1108+
// validateSuperMacaroon makes sure the given macaroon is a valid super macaroon
1109+
// that was issued by lnd and contains all the required permissions, even if
1110+
// the actual RPC method isn't a lnd request.
1111+
func (g *LightningTerminal) validateSuperMacaroon(ctx context.Context,
1112+
superMacaroon []byte, requiredPermissions []bakery.Op,
1113+
fullMethod string) error {
1114+
1115+
// If we haven't connected to lnd yet, we can't check the super
1116+
// macaroon. The user will need to wait a bit.
1117+
if g.lndClient == nil {
1118+
return fmt.Errorf("cannot validate macaroon, not yet " +
1119+
"connected to lnd, please wait")
1120+
}
1121+
1122+
// Convert permissions to the form that lndClient will accept.
1123+
permissions := make(
1124+
[]lndclient.MacaroonPermission, len(requiredPermissions),
1125+
)
1126+
for idx, perm := range requiredPermissions {
1127+
permissions[idx] = lndclient.MacaroonPermission{
1128+
Entity: perm.Entity,
1129+
Action: perm.Action,
1130+
}
1131+
}
1132+
1133+
res, err := g.lndClient.Client.CheckMacaroonPermissions(
1134+
ctx, superMacaroon, permissions, fullMethod,
1135+
)
1136+
if err != nil {
1137+
return fmt.Errorf("lnd macaroon validation failed: %v",
1138+
err)
1139+
}
1140+
if !res {
1141+
return fmt.Errorf("macaroon is not valid")
1142+
}
1143+
1144+
return nil
1145+
}
1146+
11321147
// BakeSuperMacaroon uses the lnd client to bake a macaroon that can include
11331148
// permissions for multiple daemons.
11341149
func BakeSuperMacaroon(ctx context.Context, lnd lnrpc.LightningClient,

0 commit comments

Comments
 (0)