multi: only use admin mac or allow single mac

With the new lndclient version we can specify a single, custom macaroon.
We use the admin macaroon as the custom macaroon in the remote
connection case which removes the need to copy all subserver macaroons
to the host where LiT is running. Users baking custom non-admin
macaroons can also specify that directly with a new configuration
option.

Author: guggero

config.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 
@@ -171,7 +172,14 @@ type RemoteDaemonConfig struct {
 
 	// MacaroonDir is the directory that contains all the macaroon files
 	// required for the remote connection.
-	MacaroonDir string `long:"macaroondir" description:"The directory containing all lnd macaroons to use for the remote connection."`
+	MacaroonDir string `long:"macaroondir" description:"DEPRECATED: Use macaroonpath. The directory containing all lnd macaroons to use for the remote connection."`
+
+	// MacaroonPath is the path to the single macaroon that should be used
+	// instead of needing to specify the macaroon directory that contains
+	// all of lnd's macaroons. The specified macaroon MUST have all
+	// permissions that all the subservers use, otherwise permission errors
+	// will occur.
+	MacaroonPath string `long:"macaroonpath" description:"The full path to the single macaroon to use, either the admin.macaroon or a custom baked one. Cannot be specified at the same time as macaroondir. A custom macaroon must contain ALL permissions required for all subservers to work, otherwise permission errors will occur."`
 
 	// TLSCertPath is the path to the tls cert of the remote daemon that
 	// should be used to verify the TLS identity of the remote RPC server.
@@ -186,10 +194,24 @@ func (c *Config) lndConnectParams() (string, lndclient.Network, string, string,
 	// In remote lnd mode, we just pass along what was configured in the
 	// remote section of the lnd config.
 	if c.LndMode == ModeRemote {
+		// Because we now have the option to specify a single, custom
+		// macaroon to the lndclient, we either use the single macaroon
+		// indicated by the user or the admin macaroon from the mac dir
+		// that was specified.
+		macPath := path.Join(
+			lncfg.CleanAndExpandPath(c.Remote.Lnd.MacaroonDir),
+			defaultLndMacaroon,
+		)
+		if c.Remote.Lnd.MacaroonPath != "" {
+			macPath = lncfg.CleanAndExpandPath(
+				c.Remote.Lnd.MacaroonPath,
+			)
+		}
+
 		return c.Remote.Lnd.RPCServer,
 			lndclient.Network(c.network),
 			lncfg.CleanAndExpandPath(c.Remote.Lnd.TLSCertPath),
-			lncfg.CleanAndExpandPath(c.Remote.Lnd.MacaroonDir), nil
+			macPath, nil
 	}
 
 	// When we start lnd internally, we take the listen address as
@@ -211,7 +233,7 @@ func (c *Config) lndConnectParams() (string, lndclient.Network, string, string,
 	}
 
 	return lndDialAddr, lndclient.Network(c.network),
-		c.Lnd.TLSCertPath, filepath.Dir(c.Lnd.AdminMacPath), nil
+		c.Lnd.TLSCertPath, c.Lnd.AdminMacPath, nil
 }
 
 // defaultConfig returns a configuration struct with all default values set.
@@ -442,6 +464,15 @@ func validateRemoteModeConfig(cfg *Config) error {
 	}
 	cfg.network = r.Lnd.Network
 
+	// Users can either specify the macaroon directory or the custom
+	// macaroon to use, but not both.
+	if r.Lnd.MacaroonDir != defaultRemoteLndMacDir &&
+		r.Lnd.MacaroonPath != "" {
+
+		return fmt.Errorf("cannot set both macaroon dir and macaroon " +
+			"path")
+	}
+
 	// If the remote lnd's network isn't the default, we also check if we
 	// need to adjust the default macaroon directory so the user can only
 	// specify --network=testnet for example if everything else is using

doc/config-lnd-remote.md

@@ -19,12 +19,9 @@ directory on your remote machine to `/some/folder/with/lnd/data/` on your local
 
 - tls.cert
 - admin.macaroon
-- chainnotifier.macaroon
-- invoices.macaroon
-- readonly.macaroon
-- router.macaroon
-- signer.macaroon
-- walletkit.macaroon
+
+(Note that with LiT prior to `v0.3.5-alpha` all `*.macaroon` files need to be
+copied from the lnd machine.)
 
 Create a `lit.conf` file. The default location LiT will look for the configuration file
 depends on your operating system:
@@ -38,7 +35,7 @@ creating `lit.conf` populate it with the following configuration settings:
 
 ```text
 remote.lnd.rpcserver=<externally-reachable-ip-address>:10009
-remote.lnd.macaroondir=/some/folder/with/lnd/data
+remote.lnd.macaroonpath=/some/folder/with/lnd/data/admin.macaroon
 remote.lnd.tlscertpath=/some/folder/with/lnd/data/tls.cert
 ```
 
@@ -95,7 +92,7 @@ and `faraday` (optional):
   --remote.lit-debuglevel=debug \
   --remote.lnd.network=testnet \
   --remote.lnd.rpcserver=some-other-host:10009 \
-  --remote.lnd.macaroondir=/some/folder/with/lnd/data \
+  --remote.lnd.macaroonpath=/some/folder/with/lnd/data/admin.macaroon \
   --remote.lnd.tlscertpath=/some/folder/with/lnd/data/tls.cert \
   --loop.loopoutmaxparts=5 \
   --pool.newnodesonly=true \
@@ -106,12 +103,6 @@ and `faraday` (optional):
   --faraday.bitcoin.password=testnetpw
 ```
 
-NOTE: Even though LiT itself only needs `lnd`'s `admin.macaroon`, the `loop`,
-`pool`, and `faraday` daemons will require other macaroons and will look for
-them in the folder specified with `--remote.lnd.macaroondir`. It is advised to
-copy all `*.macaroon` files and the `tls.cert` file from the remote host to the
-host that is running `litd`.
-
 ## Use a configuration file
 
 You can also store the configuration in a persistent `~/.lit/lit.conf` file, so you do not
@@ -151,7 +142,7 @@ remote.lit-debuglevel=debug
 # Remote lnd options
 remote.lnd.network=testnet
 remote.lnd.rpcserver=some-other-host:10009
-remote.lnd.macaroondir=/some/folder/with/lnd/data
+remote.lnd.macaroonpath=/some/folder/with/lnd/data/admin.macaroon
 remote.lnd.tlscertpath=/some/folder/with/lnd/data/tls.cert
 
 # Loop
@@ -192,7 +183,7 @@ lit-dir=~/.lit
 
 remote.lnd.network=testnet
 remote.lnd.rpcserver=some-other-host:10009
-remote.lnd.macaroondir=/some/folder/with/lnd/data
+remote.lnd.macaroonpath=/some/folder/with/lnd/data/admin.macaroon
 remote.lnd.tlscertpath=/some/folder/with/lnd/data/tls.cert
 ```
 

rpc_proxy.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"path"
 	"strings"
 	"time"
 
@@ -316,7 +315,6 @@ func (p *rpcProxy) basicAuthToMacaroon(ctx context.Context,
 	switch {
 	case isLndURI(requestURI):
 		_, _, _, macPath, err = p.cfg.lndConnectParams()
-		macPath = path.Join(macPath, defaultLndMacaroon)
 
 	case isLoopURI(requestURI):
 		macPath = p.cfg.Loop.MacaroonPath

terminal.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -249,7 +250,7 @@ func (g *LightningTerminal) Run() error {
 func (g *LightningTerminal) startSubservers() error {
 	var basicClient lnrpc.LightningClient
 
-	host, network, tlsPath, macDir, err := g.cfg.lndConnectParams()
+	host, network, tlsPath, macPath, err := g.cfg.lndConnectParams()
 	if err != nil {
 		return err
 	}
@@ -265,8 +266,8 @@ func (g *LightningTerminal) startSubservers() error {
 		// subservers have the same requirements.
 		var err error
 		basicClient, err = lndclient.NewBasicClient(
-			host, tlsPath, macDir, string(network),
-			lndclient.MacFilename(defaultLndMacaroon),
+			host, tlsPath, path.Dir(macPath), string(network),
+			lndclient.MacFilename(path.Base(macPath)),
 		)
 		return err
 	}, defaultStartupTimeout)
@@ -301,8 +302,8 @@ func (g *LightningTerminal) startSubservers() error {
 		&lndclient.LndServicesConfig{
 			LndAddress:            host,
 			Network:               network,
-			MacaroonDir:           macDir,
 			TLSPath:               tlsPath,
+			CustomMacaroonPath:    macPath,
 			BlockUntilChainSynced: true,
 			BlockUntilUnlocked:    true,
 			CallerCtx:             ctxc,
@@ -643,10 +644,10 @@ func (g *LightningTerminal) showStartupInfo() error {
 	if g.cfg.LndMode == ModeRemote {
 		// We try to query GetInfo on the remote node to find out the
 		// alias. But the wallet might be locked.
-		host, network, tlsPath, macDir, _ := g.cfg.lndConnectParams()
+		host, network, tlsPath, macPath, _ := g.cfg.lndConnectParams()
 		basicClient, err := lndclient.NewBasicClient(
-			host, tlsPath, macDir, string(network),
-			lndclient.MacFilename(defaultLndMacaroon),
+			host, tlsPath, path.Dir(macPath), string(network),
+			lndclient.MacFilename(path.Base(macPath)),
 		)
 		if err != nil {
 			return fmt.Errorf("error querying remote node: %v", err)