multi: create a read-only perms list

Add a bool parameter to the `getAllPermissions` function to indicate
whether or not the permission list should be read only. If so, the list
will only include permissions with the "read" action.

Author: ellemouton

session_rpcserver.go

@@ -120,7 +120,7 @@ func (s *sessionRpcServer) resumeSession(sess *session.Session) error {
 		ctx := context.Background()
 		mac, err := s.superMacBaker(
 			ctx, sess.MacaroonRootKey, &session.MacaroonRecipe{
-				Permissions: getAllPermissions(),
+				Permissions: getAllPermissions(false),
 			},
 		)
 		if err != nil {

subserver_permissions.go

@@ -75,11 +75,15 @@ func getAllMethodPermissions() map[string][]bakery.Op {
 
 // getAllPermissions retrieves all the permissions needed to bake a super
 // macaroon.
-func getAllPermissions() []bakery.Op {
+func getAllPermissions(readOnly bool) []bakery.Op {
 	dedupMap := make(map[string]map[string]bool)
 
 	for _, methodPerms := range getAllMethodPermissions() {
 		for _, methodPerm := range methodPerms {
+			if readOnly && methodPerm.Action != "read" {
+				continue
+			}
+
 			if dedupMap[methodPerm.Entity] == nil {
 				dedupMap[methodPerm.Entity] = make(
 					map[string]bool,

terminal.go

@@ -509,7 +509,7 @@ func (g *LightningTerminal) startSubservers() error {
 		// faraday, loop, and pool, all at the same time.
 		ctx := context.Background()
 		superMacaroon, err := bakeSuperMacaroon(
-			ctx, g.basicClient, 0, getAllPermissions(), nil,
+			ctx, g.basicClient, 0, getAllPermissions(false), nil,
 		)
 		if err != nil {
 			return err