firewall: map session ID to group ID
1 parent 9218746 commit 3c837a9

2 files changed

+31
-13
lines changed


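--- a/firewall/rule_enforcer.go
+++ b/firewall/rule_enforcer.go
@@ -30,6 +30,7 @@ var _ mid.RequestInterceptor = (*RuleEnforcer)(nil)
 type RuleEnforcer struct {
 ruleDB firewalldb.RulesDB
 actionsDB firewalldb.ActionReadDBGetter
+sessionIDIndexDB session.IDToGroupIndex
 markActionErrored func(reqID uint64, reason string) error
 newPrivMap firewalldb.NewPrivacyMapDB
 
@@ -50,8 +51,9 @@ type featurePerms func(ctx context.Context) (map[string]map[string]bool, error)
 
 // NewRuleEnforcer constructs a new RuleEnforcer instance.
 func NewRuleEnforcer(ruleDB firewalldb.RulesDB,
-actionsDB firewalldb.ActionReadDBGetter, getFeaturePerms featurePerms,
-permsMgr *perms.Manager, nodeID [33]byte,
+actionsDB firewalldb.ActionReadDBGetter,
+sessionIDIndex session.IDToGroupIndex,
+getFeaturePerms featurePerms, permsMgr *perms.Manager, nodeID [33]byte,
 routerClient lndclient.RouterClient,
 lndClient lndclient.LightningClient, ruleMgrs rules.ManagerSet,
 markActionErrored func(reqID uint64, reason string) error,
@@ -68,6 +70,7 @@ func NewRuleEnforcer(ruleDB firewalldb.RulesDB,
 ruleMgrs: ruleMgrs,
 markActionErrored: markActionErrored,
 newPrivMap: privMap,
+sessionIDIndexDB: sessionIDIndex,
 }
 }
 
@@ -221,7 +224,12 @@ func (r *RuleEnforcer) handleRequest(ctx context.Context,
 return nil, fmt.Errorf("could not extract ID from macaroon")
 }
 
-rules, err := r.collectEnforcers(ri, sessionID)
+groupID, err := r.sessionIDIndexDB.GetGroupID(sessionID)
+if err != nil {
+return nil, err
+}
+
+rules, err := r.collectEnforcers(ri, groupID)
 if err != nil {
 return nil, fmt.Errorf("error parsing rules: %v", err)
 }
@@ -261,7 +269,12 @@ func (r *RuleEnforcer) handleResponse(ctx context.Context,
 return nil, fmt.Errorf("could not extract ID from macaroon")
 }
 
-enforcers, err := r.collectEnforcers(ri, sessionID)
+groupID, err := r.sessionIDIndexDB.GetGroupID(sessionID)
+if err != nil {
+return nil, err
+}
+
+enforcers, err := r.collectEnforcers(ri, groupID)
 if err != nil {
 return nil, fmt.Errorf("error parsing rules: %v", err)
 }
@@ -295,7 +308,12 @@ func (r *RuleEnforcer) handleErrorResponse(ctx context.Context,
 return nil, fmt.Errorf("could not extract ID from macaroon")
 }
 
-enforcers, err := r.collectEnforcers(ri, sessionID)
+groupID, err := r.sessionIDIndexDB.GetGroupID(sessionID)
+if err != nil {
+return nil, err
+}
+
+enforcers, err := r.collectEnforcers(ri, groupID)
 if err != nil {
 return nil, fmt.Errorf("error parsing rules: %v", err)
 }
@@ -320,7 +338,7 @@ func (r *RuleEnforcer) handleErrorResponse(ctx context.Context,
 
 // collectRule initialises and returns all the Rules that need to be enforced
 // for the given request.
-func (r *RuleEnforcer) collectEnforcers(ri *RequestInfo, sessionID session.ID) (
+func (r *RuleEnforcer) collectEnforcers(ri *RequestInfo, groupID session.ID) (
 []rules.Enforcer, error) {
 
 ruleEnforcers := make(
@@ -331,7 +349,7 @@ func (r *RuleEnforcer) collectEnforcers(ri *RequestInfo, sessionID session.ID) (
 for rule, value := range ri.Rules.FeatureRules[ri.MetaInfo.Feature] {
 r, err := r.initRule(
 ri.RequestID, rule, []byte(value), ri.MetaInfo.Feature,
-sessionID, false, ri.WithPrivacy,
+groupID, false, ri.WithPrivacy,
 )
 if err != nil {
 return nil, err
@@ -345,7 +363,7 @@ func (r *RuleEnforcer) collectEnforcers(ri *RequestInfo, sessionID session.ID) (
 
 // initRule initialises a rule.Rule with any required config values.
 func (r *RuleEnforcer) initRule(reqID uint64, name string, value []byte,
-featureName string, sessionID session.ID, sessionRule,
+featureName string, groupID session.ID, sessionRule,
 privacy bool) (rules.Enforcer, error) {
 
 ruleValues, err := r.ruleMgrs.InitRuleValues(name, value)
@@ -354,21 +372,21 @@ func (r *RuleEnforcer) initRule(reqID uint64, name string, value []byte,
 }
 
 if privacy {
-privMap := r.newPrivMap(sessionID)
+privMap := r.newPrivMap(groupID)
 ruleValues, err = ruleValues.PseudoToReal(privMap)
 if err != nil {
 return nil, fmt.Errorf("could not prepare rule "+
 "value: %v", err)
 }
 }
 
-allActionsDB := r.actionsDB.GetActionsReadDB(sessionID, featureName)
+allActionsDB := r.actionsDB.GetActionsReadDB(groupID, featureName)
 actionsDB := allActionsDB.GroupFeatureActionsDB()
-rulesDB := r.ruleDB.GetKVStores(name, sessionID, featureName)
+rulesDB := r.ruleDB.GetKVStores(name, groupID, featureName)
 
 if sessionRule {
 actionsDB = allActionsDB.GroupActionsDB()
-rulesDB = r.ruleDB.GetKVStores(name, sessionID, "")
+rulesDB = r.ruleDB.GetKVStores(name, groupID, "")
 }
 
 cfg := &rules.ConfigImpl{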
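Review bot: The three new `GetGroupID` lookups in handleRequest, handleResponse and handleErrorResponse return the error bare (`return nil, err`) while every neighbouring failure in those functions is wrapped with context, so a missing or corrupt session-to-group index entry surfaces as an anonymous error that cannot be told apart from a rule-parsing failure in the logs. Since the same four lines are repeated three times, I would factor them into one helper that wraps the error and replace each call site with `groupID, err := r.groupIDForSession(sessionID)`. Rejecting the request when the index has no entry for the session is the right fail-closed behaviour, because the group ID now selects the rule KV stores, action history and privacy map that every session in the group shares; a comment on the helper saying so would keep a future change from quietly falling back to the raw session ID. All three handlers begin outside the hunks, and the `session.ID{}` zero value below assumes ID is an array or struct type — adjust if it is not.
```go
// groupIDForSession resolves the group that sessionID belongs to. Rule KV
// stores, action history and privacy maps are all keyed by the group ID, so a
// session the index does not know must fail here rather than fall back to the
// raw session ID.
func (r *RuleEnforcer) groupIDForSession(sessionID session.ID) (session.ID,
	error) {

	groupID, err := r.sessionIDIndexDB.GetGroupID(sessionID)
	if err != nil {
		return session.ID{}, fmt.Errorf("could not map session ID to "+
			"group ID: %w", err)
	}

	return groupID, nil
}

// … unchanged: handleRequest up to the macaroon ID extraction …
	groupID, err := r.groupIDForSession(sessionID)
	if err != nil {
		return nil, err
	}
```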

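--- a/terminal.go
+++ b/terminal.go
@@ -824,7 +824,7 @@ func (g *LightningTerminal) startInternalSubServers(
 
 if !g.cfg.Autopilot.Disable {
 ruleEnforcer := firewall.NewRuleEnforcer(
-g.firewallDB, g.firewallDB,
+g.firewallDB, g.firewallDB, g.sessionDB,
 g.autopilotClient.ListFeaturePerms,
 g.permsMgr, g.lndClient.NodePubkey,
 g.lndClient.Router,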
