multi: let request logger persist Actions

Author: ellemouton

firewall/request_logger.go

@@ -3,8 +3,14 @@ package firewall
 import (
 	"context"
 	"fmt"
+	"sync"
+	"time"
 
+	"github.com/golang/protobuf/proto"
+	"github.com/lightninglabs/lightning-terminal/firewalldb"
 	mid "github.com/lightninglabs/lightning-terminal/rpcmiddleware"
+	"github.com/lightninglabs/lightning-terminal/session"
+	"github.com/lightninglabs/protobuf-hex-display/jsonpb"
 	"github.com/lightningnetwork/lnd/lnrpc"
 )
 
@@ -13,18 +19,40 @@ const (
 	RequestLoggerName = "lit-macaroon-firewall-logger"
 )
 
-// A compile-time assertion that RuleEnforcer is a
-// rpcmiddleware.RequestInterceptor.
-var _ mid.RequestInterceptor = (*RequestLogger)(nil)
+var (
+	// uriSkipList is a map of URIs that we don't want to log or persist
+	// actions for.
+	uriSkipList = map[string]bool{
+		// We skip the CheckMacaroonPermissions uri since this method is
+		// called each time a call to a non-Litd endpoint needs to be
+		// validated and persisting the macaroon each time bloats the
+		// DB.
+		"/lnrpc.Lightning/CheckMacaroonPermissions": true,
+	}
+
+	// A compile-time assertion that RuleEnforcer is a
+	// rpcmiddleware.RequestInterceptor.
+	_ mid.RequestInterceptor = (*RequestLogger)(nil)
+)
 
 // RequestLogger is a RequestInterceptor that just logs incoming RPC requests.
 type RequestLogger struct {
-	// ObservedRequests is a list of all requests that were observed because
-	// they contained additional meta information about their intent.
-	//
-	// TODO(guggero): Replace by persistent storage to keep a history for
-	// the user.
-	ObservedRequests []*RequestInfo
+	actionsDB firewalldb.ActionsWriteDB
+
+	// reqIDToAction is a map from request ID to an ActionLocator that can
+	// be used to find the corresponding action. This is used so that
+	// requests and responses can be easily linked. The mu mutex must be
+	// used when accessing this map.
+	reqIDToAction map[uint64]*firewalldb.ActionLocator
+	mu            sync.Mutex
+}
+
+// NewRequestLogger creates a new RequestLogger.
+func NewRequestLogger(actionsDB firewalldb.ActionsWriteDB) *RequestLogger {
+	return &RequestLogger{
+		actionsDB:     actionsDB,
+		reqIDToAction: make(map[uint64]*firewalldb.ActionLocator),
+	}
 }
 
 // Name returns the name of the interceptor.
@@ -55,14 +83,113 @@ func (r *RequestLogger) Intercept(_ context.Context,
 			"interception request: %v", err)
 	}
 
-	log.Infof("RequestLogger: Intercepting %v", ri)
+	// If this request is for any URI in the uriSkipList map, then we do not
+	// log or persist it.
+	if uriSkipList[ri.URI] {
+		return mid.RPCOk(req)
+	}
+
+	log.Tracef("RequestLogger: Intercepting %v", ri)
+
+	switch ri.MWRequestType {
+	case MWRequestTypeStreamAuth:
+		return mid.RPCOk(req)
+
+	// Parse incoming requests and act on them.
+	case MWRequestTypeRequest:
+		return mid.RPCErr(req, r.addNewAction(ri))
+
+	// Parse and possibly manipulate outgoing responses.
+	case MWRequestTypeResponse:
+		var (
+			state     = firewalldb.ActionStateDone
+			errReason string
+		)
+		if ri.IsError {
+			state = firewalldb.ActionStateError
+			errReason = mid.ParseResponseErr(ri.Serialized).Error()
+		}
+
+		return mid.RPCErr(
+			req, r.MarkAction(ri.RequestID, state, errReason),
+		)
+
+	default:
+		return mid.RPCErrString(req, "invalid intercept type: %v", r)
+	}
+}
+
+// addNewAction persists the new action to the db.
+func (r *RequestLogger) addNewAction(ri *RequestInfo) error {
+	// If no macaroon is provided, then an empty 4-byte array is used as the
+	// session ID. Otherwise, the macaroon is used to derive a session ID.
+	var sessionID [4]byte
+	if ri.Macaroon != nil {
+		var err error
+		sessionID, err = session.IDFromMacaroon(ri.Macaroon)
+		if err != nil {
+			return fmt.Errorf("could not extract ID from macaroon")
+		}
+	}
+
+	msg, err := mid.ParseProtobuf(ri.GRPCMessageType, ri.Serialized)
+	if err != nil {
+		return err
+	}
+
+	jsonMarshaler := &jsonpb.Marshaler{
+		EmitDefaults: true,
+		OrigName:     true,
+	}
+
+	jsonStr, err := jsonMarshaler.MarshalToString(proto.MessageV1(msg))
+	if err != nil {
+		return fmt.Errorf("unable to decode response: %v", err)
+	}
+
+	action := &firewalldb.Action{
+		RPCMethod:     ri.URI,
+		RPCParamsJson: []byte(jsonStr),
+		AttemptedAt:   time.Now(),
+		State:         firewalldb.ActionStateInit,
+	}
 
-	// Persist the observed request if it is tagged with specific meta
-	// information.
 	if ri.MetaInfo != nil {
-		r.ObservedRequests = append(r.ObservedRequests, ri)
+		action.ActorName = ri.MetaInfo.ActorName
+		action.FeatureName = ri.MetaInfo.Feature
+		action.Trigger = ri.MetaInfo.Trigger
+		action.Intent = ri.MetaInfo.Intent
+		action.StructuredJsonData = ri.MetaInfo.StructuredJsonData
+	}
+
+	id, err := r.actionsDB.AddAction(sessionID, action)
+	if err != nil {
+		return err
+	}
+
+	r.mu.Lock()
+	r.reqIDToAction[ri.RequestID] = &firewalldb.ActionLocator{
+		SessionID: sessionID,
+		ActionID:  id,
+	}
+	r.mu.Unlock()
+
+	return nil
+}
+
+// MarkAction can be used to set the state of an action identified by the given
+// requestID.
+func (r *RequestLogger) MarkAction(reqID uint64,
+	state firewalldb.ActionState, errReason string) error {
+
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	actionLocator, ok := r.reqIDToAction[reqID]
+	if !ok {
+		return nil
 	}
+	delete(r.reqIDToAction, reqID)
 
-	// Send empty response, accepting the request.
-	return mid.RPCOk(req)
+	return r.actionsDB.SetActionState(actionLocator, state, errReason)
 }

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f
 	github.com/btcsuite/btcwallet/walletdb v1.4.0
 	github.com/go-errors/errors v1.0.1
+	github.com/golang/protobuf v1.5.2
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.5.0
 	github.com/improbable-eng/grpc-web v0.12.0
 	github.com/jessevdk/go-flags v1.4.0
@@ -73,7 +74,6 @@ require (
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/mock v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/gorilla/websocket v1.4.2 // indirect

session/macaroon.go

@@ -60,19 +60,7 @@ func IsSuperMacaroon(macHex string) bool {
 		return false
 	}
 
-	rawID := mac.Id()
-	if rawID[0] != byte(bakery.LatestVersion) {
-		return false
-	}
-	decodedID := &lnrpc.MacaroonId{}
-	idProto := rawID[1:]
-	err = proto.Unmarshal(idProto, decodedID)
-	if err != nil {
-		return false
-	}
-
-	// The storage ID is a string representation of a 64bit unsigned number.
-	rootKeyID, err := strconv.ParseUint(string(decodedID.StorageId), 10, 64)
+	rootKeyID, err := RootKeyIDFromMacaroon(mac)
 	if err != nil {
 		return false
 	}

terminal.go

@@ -673,13 +673,15 @@ func (g *LightningTerminal) startSubservers() error {
 	}
 	g.accountServiceStarted = true
 
+	requestLogger := firewall.NewRequestLogger(g.firewallDB)
+
 	// Start the middleware manager.
 	log.Infof("Starting LiT middleware manager")
 	g.middleware = mid.NewManager(
 		g.cfg.RPCMiddleware.InterceptTimeout,
 		g.lndClient.Client, g.errQueue.ChanIn(),
 		g.accountService,
-		&firewall.RequestLogger{},
+		requestLogger,
 		&firewall.RuleEnforcer{},
 	)