firewall: implement firewall

Author: guggero

firewall/request_info.go

@@ -0,0 +1,114 @@
+package firewall
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/lightningnetwork/lnd/lnrpc"
+	"gopkg.in/macaroon.v2"
+)
+
+const (
+	// MWRequestTypeStreamAuth represents the type name for a stream
+	// authentication interception message.
+	MWRequestTypeStreamAuth = "stream_auth"
+
+	// MWRequestTypeRequest represents the type name for a request
+	// interception message.
+	MWRequestTypeRequest = "request"
+
+	// MWRequestTypeResponse represents the type name for a response
+	// interception message.
+	MWRequestTypeResponse = "response"
+)
+
+// RequestInfo stores the parsed representation of an incoming RPC middleware
+// request.
+type RequestInfo struct {
+	MsgID           uint64
+	RequestID       uint64
+	MWRequestType   string
+	URI             string
+	GRPCMessageType string
+	Streaming       bool
+	Macaroon        *macaroon.Macaroon
+	Caveats         []string
+	MetaInfo        *InterceptMetaInfo
+	Rules           []*InterceptRule
+}
+
+// NewInfoFromRequest parses the given RPC middleware interception request and
+// returns a RequestInfo struct.
+func NewInfoFromRequest(req *lnrpc.RPCMiddlewareRequest) (*RequestInfo, error) {
+	var ri *RequestInfo
+	switch t := req.InterceptType.(type) {
+	case *lnrpc.RPCMiddlewareRequest_StreamAuth:
+		ri = &RequestInfo{
+			MWRequestType: MWRequestTypeStreamAuth,
+			URI:           t.StreamAuth.MethodFullUri,
+			Streaming:     true,
+		}
+
+	case *lnrpc.RPCMiddlewareRequest_Request:
+		ri = &RequestInfo{
+			MWRequestType:   MWRequestTypeRequest,
+			URI:             t.Request.MethodFullUri,
+			GRPCMessageType: t.Request.TypeName,
+			Streaming:       t.Request.StreamRpc,
+		}
+
+	case *lnrpc.RPCMiddlewareRequest_Response:
+		ri = &RequestInfo{
+			MWRequestType:   MWRequestTypeResponse,
+			URI:             t.Response.MethodFullUri,
+			GRPCMessageType: t.Response.TypeName,
+			Streaming:       t.Response.StreamRpc,
+		}
+
+	default:
+		return nil, fmt.Errorf("invalid request type: %T", t)
+	}
+
+	ri.MsgID = req.MsgId
+	ri.RequestID = req.RequestId
+
+	ri.Macaroon = &macaroon.Macaroon{}
+	if err := ri.Macaroon.UnmarshalBinary(req.RawMacaroon); err != nil {
+		return nil, fmt.Errorf("error parsing macaroon: %v", err)
+	}
+
+	ri.Caveats = make([]string, len(ri.Macaroon.Caveats()))
+	for idx, cav := range ri.Macaroon.Caveats() {
+		ri.Caveats[idx] = string(cav.Id)
+
+		// Apply any meta information sent as a custom caveat. Only the
+		// last one will be considered if there are multiple caveats.
+		metaInfo, err := ParseMetaInfoCaveat(ri.Caveats[idx])
+		if err == nil {
+			ri.MetaInfo = metaInfo
+
+			// The same caveat can't be a meta info and rule list.
+			continue
+		}
+
+		// Also apply the rule list sent as a custom caveat. Only the
+		// last set of rules will be considered if there are multiple
+		// caveats.
+		rules, err := ParseRuleCaveat(ri.Caveats[idx])
+		if err == nil {
+			ri.Rules = rules
+		}
+	}
+
+	return ri, nil
+}
+
+// String returns the string representation of the request info struct.
+func (ri *RequestInfo) String() string {
+	return fmt.Sprintf("Request={msg_id=%d, request_id=%d, type=%v, "+
+		"uri=%v, grpc_message_type=%v, streaming=%v, caveats=[%v], "+
+		"meta_info=%v, rules=[%v]}",
+		ri.MsgID, ri.RequestID, ri.MWRequestType, ri.URI,
+		ri.GRPCMessageType, ri.Streaming, strings.Join(ri.Caveats, ","),
+		ri.MetaInfo, ri.Rules)
+}

firewall/request_logger.go

@@ -0,0 +1,68 @@
+package firewall
+
+import (
+	"context"
+	"fmt"
+
+	mid "github.com/lightninglabs/lightning-terminal/rpcmiddleware"
+	"github.com/lightningnetwork/lnd/lnrpc"
+)
+
+const (
+	// RequestLoggerName is the name of the RequestLogger interceptor.
+	RequestLoggerName = "lit-macaroon-firewall-logger"
+)
+
+// A compile-time assertion that RuleEnforcer is a
+// rpcmiddleware.RequestInterceptor.
+var _ mid.RequestInterceptor = (*RequestLogger)(nil)
+
+// RequestLogger is a RequestInterceptor that just logs incoming RPC requests.
+type RequestLogger struct {
+	// ObservedRequests is a list of all requests that were observed because
+	// they contained additional meta information about their intent.
+	//
+	// TODO(guggero): Replace by persistent storage to keep a history for
+	// the user.
+	ObservedRequests []*RequestInfo
+}
+
+// Name returns the name of the interceptor.
+func (r *RequestLogger) Name() string {
+	return RequestLoggerName
+}
+
+// ReadOnly returns true if this interceptor should be registered in read-only
+// mode. In read-only mode no custom caveat name can be specified.
+func (r *RequestLogger) ReadOnly() bool {
+	return true
+}
+
+// CustomCaveatName returns the name of the custom caveat that is expected to be
+// handled by this interceptor. Cannot be specified in read-only mode.
+func (r *RequestLogger) CustomCaveatName() string {
+	return ""
+}
+
+// Intercept processes an RPC middleware interception request and returns the
+// interception result which either accepts or rejects the intercepted message.
+func (r *RequestLogger) Intercept(_ context.Context,
+	req *lnrpc.RPCMiddlewareRequest) (*lnrpc.RPCMiddlewareResponse, error) {
+
+	ri, err := NewInfoFromRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing incoming RPC middleware "+
+			"interception request: %v", err)
+	}
+
+	log.Infof("RequestLogger: Intercepting %v", ri)
+
+	// Persist the observed request if it is tagged with specific meta
+	// information.
+	if ri.MetaInfo != nil {
+		r.ObservedRequests = append(r.ObservedRequests, ri)
+	}
+
+	// Send empty response, accepting the request.
+	return mid.RPCOk(req)
+}

firewall/rule_enforcer.go

@@ -0,0 +1,63 @@
+package firewall
+
+import (
+	"context"
+	"fmt"
+
+	mid "github.com/lightninglabs/lightning-terminal/rpcmiddleware"
+	"github.com/lightningnetwork/lnd/lnrpc"
+)
+
+const (
+	// RuleEnforcerName is the name of the RuleEnforcer interceptor.
+	RuleEnforcerName = "lit-macaroon-firewall"
+)
+
+// A compile-time assertion that RuleEnforcer is a
+// rpcmiddleware.RequestInterceptor.
+var _ mid.RequestInterceptor = (*RuleEnforcer)(nil)
+
+// RuleEnforcer is a RequestInterceptor that makes sure all firewall related
+// custom caveats in a macaroon are properly enforced.
+type RuleEnforcer struct {
+}
+
+// Name returns the name of the interceptor.
+func (r *RuleEnforcer) Name() string {
+	return RuleEnforcerName
+}
+
+// ReadOnly returns true if this interceptor should be registered in read-only
+// mode. In read-only mode no custom caveat name can be specified.
+func (r *RuleEnforcer) ReadOnly() bool {
+	return false
+}
+
+// CustomCaveatName returns the name of the custom caveat that is expected to be
+// handled by this interceptor. Cannot be specified in read-only mode.
+func (r *RuleEnforcer) CustomCaveatName() string {
+	return RuleEnforcerCaveat
+}
+
+// Intercept processes an RPC middleware interception request and returns the
+// interception result which either accepts or rejects the intercepted message.
+func (r *RuleEnforcer) Intercept(_ context.Context,
+	req *lnrpc.RPCMiddlewareRequest) (*lnrpc.RPCMiddlewareResponse, error) {
+
+	ri, err := NewInfoFromRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing incoming RPC middleware "+
+			"interception request: %v", err)
+	}
+
+	log.Infof("Enforcing rule %v", ri)
+
+	// Enforce actual rules.
+	if len(ri.Rules) > 0 {
+		// TODO(guggero): Implement rules and their enforcement.
+		log.Debugf("There are %d rules to enforce", len(ri.Rules))
+	}
+
+	// Send empty response, accepting the request.
+	return mid.RPCOk(req)
+}