26
26
}},
27
27
}
28
28
29
- // whiteListedMethods is a map of all lnd RPC methods that don't require
30
- // any macaroon authentication.
31
- whiteListedMethods = map [string ][]bakery.Op {
29
+ // whiteListedLNDMethods is a map of all lnd RPC methods that don't
30
+ // require any macaroon authentication.
31
+ whiteListedLNDMethods = map [string ][]bakery.Op {
32
32
"/lnrpc.WalletUnlocker/GenSeed" : {},
33
33
"/lnrpc.WalletUnlocker/InitWallet" : {},
34
34
"/lnrpc.WalletUnlocker/UnlockWallet" : {},
@@ -41,53 +41,71 @@ var (
41
41
}
42
42
)
43
43
44
- // getSubserverPermissions returns a merged map of all subserver macaroon
45
- // permissions.
46
- func getSubserverPermissions () map [string ][]bakery.Op {
47
- mapSize := len (faraday .RequiredPermissions ) +
48
- len (loop .RequiredPermissions ) + len (pool .RequiredPermissions )
49
- result := make (map [string ][]bakery.Op , mapSize )
50
- for key , value := range faraday .RequiredPermissions {
51
- result [key ] = value
52
- }
53
- for key , value := range loop .RequiredPermissions {
54
- result [key ] = value
55
- }
56
- for key , value := range pool .RequiredPermissions {
57
- result [key ] = value
58
- }
59
- for key , value := range litPermissions {
60
- result [key ] = value
61
- }
62
- return result
44
+ // subServerName is a name used to identify a particular Lit sub-server.
45
+ type subServerName string
46
+
47
+ const (
48
+ poolPerms subServerName = "pool"
49
+ loopPerms subServerName = "loop"
50
+ faradayPerms subServerName = "faraday"
51
+ litPerms subServerName = "lit"
52
+ lndPerms subServerName = "lnd"
53
+ )
54
+
55
+ // PermissionsManager manages the permission lists that Lit requires.
56
+ type PermissionsManager struct {
57
+ // fixedPerms is constructed once on creation of the PermissionsManager.
58
+ // It contains all the permissions that will not change throughout the
59
+ // lifetime of the manager. It maps sub-server name to uri to permission
60
+ // operations.
61
+ fixedPerms map [subServerName ]map [string ][]bakery.Op
62
+
63
+ // perms is a map containing all permissions that the manager knows
64
+ // are available for use.
65
+ perms map [string ][]bakery.Op
63
66
}
64
67
65
- // getAllMethodPermissions returns a merged map of lnd's and all subservers'
66
- // method macaroon permissions.
67
- func getAllMethodPermissions () map [string ][]bakery.Op {
68
- subserverPermissions := getSubserverPermissions ()
69
- lndPermissions := lnd .MainRPCServerPermissions ()
70
- mapSize := len (subserverPermissions ) + len (lndPermissions ) +
71
- len (whiteListedMethods )
72
- result := make (map [string ][]bakery.Op , mapSize )
73
- for key , value := range lndPermissions {
74
- result [key ] = value
68
+ // NewPermissionsManager constructs a new PermissionsManager instance and
69
+ // collects any of the fixed permissions.
70
+ func NewPermissionsManager () (* PermissionsManager , error ) {
71
+ permissions := make (map [subServerName ]map [string ][]bakery.Op )
72
+ permissions [faradayPerms ] = faraday .RequiredPermissions
73
+ permissions [loopPerms ] = loop .RequiredPermissions
74
+ permissions [poolPerms ] = pool .RequiredPermissions
75
+ permissions [litPerms ] = litPermissions
76
+ permissions [lndPerms ] = lnd .MainRPCServerPermissions ()
77
+ for k , v := range whiteListedLNDMethods {
78
+ permissions [lndPerms ][k ] = v
75
79
}
76
- for key , value := range subserverPermissions {
77
- result [key ] = value
78
- }
79
- for key , value := range whiteListedMethods {
80
- result [key ] = value
80
+
81
+ allPerms := make (map [string ][]bakery.Op )
82
+ for _ , perms := range permissions {
83
+ for k , v := range perms {
84
+ allPerms [k ] = v
85
+ }
81
86
}
82
- return result
87
+
88
+ return & PermissionsManager {
89
+ fixedPerms : permissions ,
90
+ perms : allPerms ,
91
+ }, nil
83
92
}
84
93
85
- // GetAllPermissions retrieves all the permissions needed to bake a super
86
- // macaroon.
87
- func GetAllPermissions (readOnly bool ) []bakery.Op {
88
- dedupMap := make (map [string ]map [string ]bool )
94
+ // URIPermissions returns a list of permission operations for the given URI if
95
+ // the uri is known to the manager. The second return parameter will be false
96
+ // if the URI is unknown to the manager.
97
+ func (pm * PermissionsManager ) URIPermissions (uri string ) ([]bakery.Op , bool ) {
98
+ ops , ok := pm .perms [uri ]
99
+ return ops , ok
100
+ }
89
101
90
- for _ , methodPerms := range getAllMethodPermissions () {
102
+ // ActivePermissions returns all the available active permissions that the
103
+ // manager is aware of. Optionally, readOnly can be set to true if only the
104
+ // read-only permissions should be returned.
105
+ func (pm * PermissionsManager ) ActivePermissions (readOnly bool ) []bakery.Op {
106
+ // De-dup the permissions and optionally apply the read-only filter.
107
+ dedupMap := make (map [string ]map [string ]bool )
108
+ for _ , methodPerms := range pm .perms {
91
109
for _ , methodPerm := range methodPerms {
92
110
if methodPerm .Action == "" || methodPerm .Entity == "" {
93
111
continue
@@ -119,32 +137,56 @@ func GetAllPermissions(readOnly bool) []bakery.Op {
119
137
return result
120
138
}
121
139
122
- // isLndURI returns true if the given URI belongs to an RPC of lnd.
123
- func isLndURI (uri string ) bool {
124
- _ , ok := lnd .MainRPCServerPermissions ()[uri ]
125
- return ok
140
+ // GetLitPerms returns a map of all permissions that the manager is aware of
141
+ // _except_ for any LND permissions. In other words, this returns permissions
142
+ // for which the external validator of Lit is responsible.
143
+ func (pm * PermissionsManager ) GetLitPerms () map [string ][]bakery.Op {
144
+ mapSize := len (pm .fixedPerms [litPerms ]) +
145
+ len (pm .fixedPerms [faradayPerms ]) +
146
+ len (pm .fixedPerms [loopPerms ]) + len (pm .fixedPerms [poolPerms ])
147
+
148
+ result := make (map [string ][]bakery.Op , mapSize )
149
+ for key , value := range pm .fixedPerms [faradayPerms ] {
150
+ result [key ] = value
151
+ }
152
+ for key , value := range pm .fixedPerms [loopPerms ] {
153
+ result [key ] = value
154
+ }
155
+ for key , value := range pm .fixedPerms [poolPerms ] {
156
+ result [key ] = value
157
+ }
158
+ for key , value := range pm .fixedPerms [litPerms ] {
159
+ result [key ] = value
160
+ }
161
+ return result
162
+ }
163
+
164
+ // IsLndURI returns true if the given URI belongs to an RPC of lnd.
165
+ func (pm * PermissionsManager ) IsLndURI (uri string ) bool {
166
+ _ , lndCall := pm.fixedPerms [lndPerms ][uri ]
167
+ return lndCall
126
168
}
127
169
128
- // isLoopURI returns true if the given URI belongs to an RPC of loopd.
129
- func isLoopURI (uri string ) bool {
130
- _ , ok := loop . RequiredPermissions [uri ]
170
+ // IsLoopURI returns true if the given URI belongs to an RPC of loopd.
171
+ func ( pm * PermissionsManager ) IsLoopURI (uri string ) bool {
172
+ _ , ok := pm. fixedPerms [ loopPerms ] [uri ]
131
173
return ok
132
174
}
133
175
134
- // isFaradayURI returns true if the given URI belongs to an RPC of faraday.
135
- func isFaradayURI (uri string ) bool {
136
- _ , ok := faraday . RequiredPermissions [uri ]
176
+ // IsFaradayURI returns true if the given URI belongs to an RPC of faraday.
177
+ func ( pm * PermissionsManager ) IsFaradayURI (uri string ) bool {
178
+ _ , ok := pm. fixedPerms [ faradayPerms ] [uri ]
137
179
return ok
138
180
}
139
181
140
- // isPoolURI returns true if the given URI belongs to an RPC of poold.
141
- func isPoolURI (uri string ) bool {
142
- _ , ok := pool . RequiredPermissions [uri ]
182
+ // IsPoolURI returns true if the given URI belongs to an RPC of poold.
183
+ func ( pm * PermissionsManager ) IsPoolURI (uri string ) bool {
184
+ _ , ok := pm. fixedPerms [ poolPerms ] [uri ]
143
185
return ok
144
186
}
145
187
146
- // isLitURI returns true if the given URI belongs to an RPC of LiT.
147
- func isLitURI (uri string ) bool {
148
- _ , ok := litPermissions [uri ]
188
+ // IsLitURI returns true if the given URI belongs to an RPC of LiT.
189
+ func ( pm * PermissionsManager ) IsLitURI (uri string ) bool {
190
+ _ , ok := pm. fixedPerms [ litPerms ] [uri ]
149
191
return ok
150
192
}
0 commit comments