multi: bake super macaroon in integrated mode

In integrated mode we hook directly into lnd's bufconn listener for any
connections to it. So we don't need any TLS setup and can bake a single
super macaroon that is used for all RPC calls.

Author: orbitalturtle

config.go

@@ -177,6 +177,11 @@ type Config struct {
 	faradayRemote bool
 	loopRemote    bool
 	poolRemote    bool
+
+	// lndAdminMacaroon is the admin macaroon that is given to us by lnd
+	// over an in-memory connection on startup. This is only set in
+	// integrated lnd mode.
+	lndAdminMacaroon []byte
 }
 
 // RemoteConfig holds the configuration parameters that are needed when running
@@ -219,15 +224,16 @@ type RemoteDaemonConfig struct {
 // lndConnectParams returns the connection parameters to connect to the local
 // lnd instance.
 func (c *Config) lndConnectParams() (string, lndclient.Network, string,
-	string) {
+	string, []byte) {
 
 	// In remote lnd mode, we just pass along what was configured in the
 	// remote section of the lnd config.
 	if c.LndMode == ModeRemote {
 		return c.Remote.Lnd.RPCServer,
 			lndclient.Network(c.Network),
 			lncfg.CleanAndExpandPath(c.Remote.Lnd.TLSCertPath),
-			lncfg.CleanAndExpandPath(c.Remote.Lnd.MacaroonPath)
+			lncfg.CleanAndExpandPath(c.Remote.Lnd.MacaroonPath),
+			nil
 	}
 
 	// When we start lnd internally, we take the listen address as
@@ -248,8 +254,8 @@ func (c *Config) lndConnectParams() (string, lndclient.Network, string,
 		)
 	}
 
-	return lndDialAddr, lndclient.Network(c.Network),
-		c.Lnd.TLSCertPath, c.Lnd.AdminMacPath
+	return lndDialAddr, lndclient.Network(c.Network), "", "",
+		c.lndAdminMacaroon
 }
 
 // defaultConfig returns a configuration struct with all default values set.

rpc_proxy.go

@@ -2,10 +2,12 @@ package terminal
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"strings"
 	"time"
@@ -18,6 +20,7 @@ import (
 	"google.golang.org/grpc/backoff"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/test/bufconn"
 	"gopkg.in/macaroon-bakery.v2/bakery"
 	"gopkg.in/macaroon.v2"
 )
@@ -34,7 +37,8 @@ const (
 // or REST request and delegate (and convert if necessary) it to the correct
 // component.
 func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
-	permissionMap map[string][]bakery.Op) *rpcProxy {
+	permissionMap map[string][]bakery.Op,
+	bufListener *bufconn.Listener) *rpcProxy {
 
 	// The gRPC web calls are protected by HTTP basic auth which is defined
 	// by base64(username:password). Because we only have a password, we
@@ -52,6 +56,7 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
 		cfg:          cfg,
 		basicAuth:    basicAuth,
 		macValidator: validator,
+		bufListener:  bufListener,
 	}
 	p.grpcServer = grpc.NewServer(
 		// From the grpxProxy doc: This codec is *crucial* to the
@@ -125,6 +130,9 @@ type rpcProxy struct {
 	basicAuth string
 
 	macValidator macaroons.MacaroonValidator
+	bufListener  *bufconn.Listener
+
+	superMacaroon string
 
 	lndConn     *grpc.ClientConn
 	faradayConn *grpc.ClientConn
@@ -140,8 +148,14 @@ func (p *rpcProxy) Start() error {
 	var err error
 
 	// Setup the connection to lnd.
-	host, _, tlsPath, _ := p.cfg.lndConnectParams()
-	p.lndConn, err = dialBackend("lnd", host, tlsPath)
+	host, _, tlsPath, _, _ := p.cfg.lndConnectParams()
+
+	// We use a bufconn to connect to lnd in integrated mode.
+	if p.cfg.LndMode == ModeIntegrated {
+		p.lndConn, err = dialBufConnBackend(p.bufListener)
+	} else {
+		p.lndConn, err = dialBackend("lnd", host, tlsPath)
+	}
 	if err != nil {
 		return fmt.Errorf("could not dial lnd: %v", err)
 	}
@@ -390,10 +404,13 @@ func (p *rpcProxy) basicAuthToMacaroon(ctx context.Context,
 		return ctx, nil
 	}
 
-	var macPath string
+	var (
+		macPath string
+		macData []byte
+	)
 	switch {
 	case isLndURI(requestURI):
-		_, _, _, macPath = p.cfg.lndConnectParams()
+		_, _, _, macPath, macData = p.cfg.lndConnectParams()
 
 	case isFaradayURI(requestURI):
 		if p.cfg.faradayRemote {
@@ -421,16 +438,64 @@ func (p *rpcProxy) basicAuthToMacaroon(ctx context.Context,
 			requestURI)
 	}
 
-	// Now that we know which macaroon to load, do it and attach it to the
-	// request context.
-	macBytes, err := readMacaroon(lncfg.CleanAndExpandPath(macPath))
-	if err != nil {
-		return ctx, fmt.Errorf("error reading macaroon: %v", err)
+	switch {
+	// If we have a super macaroon, we can use that one directly since it
+	// will contain all permissions we need.
+	case len(p.superMacaroon) > 0:
+		md.Set(HeaderMacaroon, p.superMacaroon)
+
+	// If we have macaroon data directly, just encode them. This could be
+	// for initial requests to lnd while we don't have the super macaroon
+	// just yet (or are actually calling to bake the super macaroon).
+	case len(macData) > 0:
+		md.Set(HeaderMacaroon, hex.EncodeToString(macData))
+
+	// The fall back is to read the macaroon from a path. This is in remote
+	// mode.
+	case len(macPath) > 0:
+		// Now that we know which macaroon to load, do it and attach it
+		// to the request context.
+		macBytes, err := readMacaroon(lncfg.CleanAndExpandPath(macPath))
+		if err != nil {
+			return ctx, fmt.Errorf("error reading macaroon %s: %v",
+				lncfg.CleanAndExpandPath(macPath), err)
+		}
+
+		md.Set(HeaderMacaroon, hex.EncodeToString(macBytes))
 	}
-	md.Set(HeaderMacaroon, hex.EncodeToString(macBytes))
+
 	return metadata.NewIncomingContext(ctx, md), nil
 }
 
+// dialBufConnBackend dials an in-memory connection to an RPC listener and
+// ignores any TLS certificate mismatches.
+func dialBufConnBackend(listener *bufconn.Listener) (*grpc.ClientConn, error) {
+	tlsConfig := credentials.NewTLS(&tls.Config{
+		InsecureSkipVerify: true,
+	})
+	conn, err := grpc.Dial(
+		"",
+		grpc.WithContextDialer(
+			func(context.Context, string) (net.Conn, error) {
+				return listener.Dial()
+			},
+		),
+		grpc.WithTransportCredentials(tlsConfig),
+
+		// From the grpcProxy doc: This codec is *crucial* to the
+		// functioning of the proxy.
+		grpc.WithCodec(grpcProxy.Codec()), // nolint
+		grpc.WithTransportCredentials(tlsConfig),
+		grpc.WithDefaultCallOptions(maxMsgRecvSize),
+		grpc.WithConnectParams(grpc.ConnectParams{
+			Backoff:           backoff.DefaultConfig,
+			MinConnectTimeout: defaultConnectTimeout,
+		}),
+	)
+
+	return conn, err
+}
+
 // dialBackend connects to a gRPC backend through the given address and uses the
 // given TLS certificate to authenticate the connection.
 func dialBackend(name, dialAddr, tlsCertPath string) (*grpc.ClientConn, error) {
@@ -470,12 +535,12 @@ func readMacaroon(macPath string) ([]byte, error) {
 	// Load the specified macaroon file.
 	macBytes, err := ioutil.ReadFile(macPath)
 	if err != nil {
-		return nil, fmt.Errorf("unable to read macaroon path : %v", err)
+		return nil, fmt.Errorf("unable to read macaroon path: %v", err)
 	}
 
 	// Make sure it actually is a macaroon by parsing it.
 	mac := &macaroon.Macaroon{}
-	if err = mac.UnmarshalBinary(macBytes); err != nil {
+	if err := mac.UnmarshalBinary(macBytes); err != nil {
 		return nil, fmt.Errorf("unable to decode macaroon: %v", err)
 	}
 

subserver_permissions.go

@@ -26,9 +26,9 @@ func getSubserverPermissions() map[string][]bakery.Op {
 	return result
 }
 
-// getAllPermissions returns a merged map of lnd's and all subservers' macaroon
-// permissions.
-func getAllPermissions() map[string][]bakery.Op {
+// getAllMethodPermissions returns a merged map of lnd's and all subservers'
+// method macaroon permissions.
+func getAllMethodPermissions() map[string][]bakery.Op {
 	subserverPermissions := getSubserverPermissions()
 	lndPermissions := lnd.MainRPCServerPermissions()
 	mapSize := len(subserverPermissions) + len(lndPermissions)
@@ -42,6 +42,35 @@ func getAllPermissions() map[string][]bakery.Op {
 	return result
 }
 
+// getAllPermissions retrieves all the permissions needed to bake a super
+// macaroon.
+func getAllPermissions() []bakery.Op {
+	dedupMap := make(map[string]map[string]bool)
+
+	for _, methodPerms := range getAllMethodPermissions() {
+		for _, methodPerm := range methodPerms {
+			if dedupMap[methodPerm.Entity] == nil {
+				dedupMap[methodPerm.Entity] = make(
+					map[string]bool,
+				)
+			}
+			dedupMap[methodPerm.Entity][methodPerm.Action] = true
+		}
+	}
+
+	result := make([]bakery.Op, 0, len(dedupMap))
+	for entity, actions := range dedupMap {
+		for action := range actions {
+			result = append(result, bakery.Op{
+				Entity: entity,
+				Action: action,
+			})
+		}
+	}
+
+	return result
+}
+
 // isLndURI returns true if the given URI belongs to an RPC of lnd.
 func isLndURI(uri string) bool {
 	_, ok := lnd.MainRPCServerPermissions()[uri]