terminal: register interceptors and RPC server to LNC

guggero · guggero · commit 6104d9ed1fba · 2022-02-17T16:35:55.000+01:00
When a connection is tunneled through LNC the requests that go to the
daemons running in-process with LiT need to be registered correctly. To
make sure they are also authenticated, the RPC proxy's interceptors also
need to be registered on the LNC gRPC server instance.
But we don't want to allow calls to the LiT session server through LNC
until we have proper macaroon permissions set up for that server.
diff --git a/rpc_proxy.go b/rpc_proxy.go
@@ -19,8 +19,10 @@ import (
 	grpcProxy "github.com/mwitkow/grpc-proxy/proxy"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 	"google.golang.org/grpc/test/bufconn"
 	"gopkg.in/macaroon-bakery.v2/bakery"
 	"gopkg.in/macaroon.v2"
@@ -96,7 +98,7 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
 		grpc.ChainStreamInterceptor(p.StreamServerInterceptor),
 		grpc.ChainUnaryInterceptor(p.UnaryServerInterceptor),
 		grpc.UnknownServiceHandler(
-			grpcProxy.TransparentHandler(p.director),
+			grpcProxy.TransparentHandler(p.makeDirector(true)),
 		),
 	)
 
@@ -292,70 +294,86 @@ func (p *rpcProxy) isHandling(resp http.ResponseWriter,
 	return false
 }
 
-// director is a function that directs an incoming request to the correct
-// backend, depending on what kind of authentication information is attached to
-// the request.
-func (p *rpcProxy) director(ctx context.Context,
+// makeDirector is a function that returns a director that directs an incoming
+// request to the correct backend, depending on what kind of authentication
+// information is attached to the request.
+func (p *rpcProxy) makeDirector(allowLitRPC bool) func(ctx context.Context,
 	requestURI string) (context.Context, *grpc.ClientConn, error) {
 
-	// If this header is present in the request from the web client,
-	// the actual connection to the backend will not be established.
-	// https://github.com/improbable-eng/grpc-web/issues/568
-	md, _ := metadata.FromIncomingContext(ctx)
-	mdCopy := md.Copy()
-	delete(mdCopy, "connection")
-
-	outCtx := metadata.NewOutgoingContext(ctx, mdCopy)
+	return func(ctx context.Context, requestURI string) (context.Context,
+		*grpc.ClientConn, error) {
+
+		// If this header is present in the request from the web client,
+		// the actual connection to the backend will not be established.
+		// https://github.com/improbable-eng/grpc-web/issues/568
+		md, _ := metadata.FromIncomingContext(ctx)
+		mdCopy := md.Copy()
+		delete(mdCopy, "connection")
+
+		outCtx := metadata.NewOutgoingContext(ctx, mdCopy)
+
+		// Is there a basic auth or super macaroon set?
+		authHeaders := md.Get("authorization")
+		macHeader := md.Get(HeaderMacaroon)
+		switch {
+		case len(authHeaders) == 1:
+			macBytes, err := p.basicAuthToMacaroon(
+				authHeaders[0], requestURI, nil,
+			)
+			if err != nil {
+				return outCtx, nil, err
+			}
+			if len(macBytes) > 0 {
+				mdCopy.Set(HeaderMacaroon, hex.EncodeToString(
+					macBytes,
+				))
+			}
 
-	// Is there a basic auth or super macaroon set?
-	authHeaders := md.Get("authorization")
-	macHeader := md.Get(HeaderMacaroon)
-	switch {
-	case len(authHeaders) == 1:
-		macBytes, err := p.basicAuthToMacaroon(
-			authHeaders[0], requestURI, nil,
-		)
-		if err != nil {
-			return outCtx, nil, err
-		}
-		if len(macBytes) > 0 {
-			mdCopy.Set(HeaderMacaroon, hex.EncodeToString(macBytes))
+		case len(macHeader) == 1 && session.IsSuperMacaroon(macHeader[0]):
+			// If we have a macaroon, and it's a super macaroon,
+			// then we need to convert it into the actual daemon
+			// macaroon if they're running in remote mode.
+			macBytes, err := p.convertSuperMacaroon(
+				ctx, macHeader[0], requestURI,
+			)
+			if err != nil {
+				return outCtx, nil, err
+			}
+			if len(macBytes) > 0 {
+				mdCopy.Set(HeaderMacaroon, hex.EncodeToString(
+					macBytes,
+				))
+			}
 		}
 
-	case len(macHeader) == 1 && session.IsSuperMacaroon(macHeader[0]):
-		// If we have a macaroon, and it's a super macaroon, then we
-		// need to convert it into the actual daemon macaroon if they're
-		// running in remote mode.
-		macBytes, err := p.convertSuperMacaroon(
-			ctx, macHeader[0], requestURI,
-		)
-		if err != nil {
-			return outCtx, nil, err
-		}
-		if len(macBytes) > 0 {
-			mdCopy.Set(HeaderMacaroon, hex.EncodeToString(macBytes))
+		// Direct the call to the correct backend. All gRPC calls end up
+		// here since our gRPC server instance doesn't have any handlers
+		// registered itself. So all daemon calls that are remote are
+		// forwarded to them directly. Everything else will go to lnd
+		// since it must either be an lnd call or something that'll be
+		// handled by the integrated daemons that are hooking into lnd's
+		// gRPC server.
+		switch {
+		case isFaradayURI(requestURI) && p.cfg.faradayRemote:
+			return outCtx, p.faradayConn, nil
+
+		case isLoopURI(requestURI) && p.cfg.loopRemote:
+			return outCtx, p.loopConn, nil
+
+		case isPoolURI(requestURI) && p.cfg.poolRemote:
+			return outCtx, p.poolConn, nil
+
+		// Calls to LiT session RPC aren't allowed in some cases.
+		case isLitURI(requestURI) && !allowLitRPC:
+			return outCtx, nil, status.Errorf(
+				codes.Unimplemented, "unknown service %s",
+				requestURI,
+			)
+
+		default:
+			return outCtx, p.lndConn, nil
 		}
 	}
-
-	// Direct the call to the correct backend. All gRPC calls end up here
-	// since our gRPC server instance doesn't have any handlers registered
-	// itself. So all daemon calls that are remote are forwarded to them
-	// directly. Everything else will go to lnd since it must either be an
-	// lnd call or something that'll be handled by the integrated daemons
-	// that are hooking into lnd's gRPC server.
-	switch {
-	case isFaradayURI(requestURI) && p.cfg.faradayRemote:
-		return outCtx, p.faradayConn, nil
-
-	case isLoopURI(requestURI) && p.cfg.loopRemote:
-		return outCtx, p.loopConn, nil
-
-	case isPoolURI(requestURI) && p.cfg.poolRemote:
-		return outCtx, p.poolConn, nil
-
-	default:
-		return outCtx, p.lndConn, nil
-	}
 }
 
 // UnaryServerInterceptor is a gRPC interceptor that checks whether the
diff --git a/terminal.go b/terminal.go
@@ -212,14 +212,24 @@ func (g *LightningTerminal) Run() error {
 		func(opts ...grpc.ServerOption) *grpc.Server {
 			allOpts := []grpc.ServerOption{
 				grpc.CustomCodec(grpcProxy.Codec()), // nolint: staticcheck,
+				grpc.ChainStreamInterceptor(
+					g.rpcProxy.StreamServerInterceptor,
+				),
+				grpc.ChainUnaryInterceptor(
+					g.rpcProxy.UnaryServerInterceptor,
+				),
 				grpc.UnknownServiceHandler(
 					grpcProxy.TransparentHandler(
-						g.rpcProxy.director,
+						// Don't allow calls to litrpc.
+						g.rpcProxy.makeDirector(false),
 					),
 				),
 			}
 			allOpts = append(allOpts, opts...)
-			return grpc.NewServer(allOpts...)
+			grpcServer := grpc.NewServer(allOpts...)
+			g.registerSubDaemonGrpcServers(grpcServer, false)
+
+			return grpcServer
 		},
 	)
 	g.sessionRpcServer = &sessionRpcServer{
@@ -579,6 +589,21 @@ func (g *LightningTerminal) RegisterGrpcSubserver(server *grpc.Server) error {
 		return err
 	}
 
+	// Register all other daemon RPC servers that are running in-process.
+	// The LiT session server should be enabled on the main interface.
+	g.registerSubDaemonGrpcServers(server, true)
+
+	return nil
+}
+
+// registerSubDaemonGrpcServers registers the sub daemon (Faraday, Loop, Pool
+// and LiT session) servers to a given gRPC server, given they are running in
+// the local process. The lit session server is gated by its own boolean because
+// we don't necessarily want to expose it on all listeners, given its security
+// implications.
+func (g *LightningTerminal) registerSubDaemonGrpcServers(server *grpc.Server,
+	withLitRPC bool) {
+
 	// In remote mode the "director" of the RPC proxy will act as a catch-
 	// all for any gRPC request that isn't known because we didn't register
 	// any server for it. The director will then forward the request to the
@@ -595,9 +620,9 @@ func (g *LightningTerminal) RegisterGrpcSubserver(server *grpc.Server) error {
 		poolrpc.RegisterTraderServer(server, g.poolServer)
 	}
 
-	litrpc.RegisterSessionsServer(server, g.sessionRpcServer)
-
-	return nil
+	if withLitRPC {
+		litrpc.RegisterSessionsServer(server, g.sessionRpcServer)
+	}
 }
 
 // RegisterRestSubserver is a callback on the lnd.SubserverConfig struct that is
