Merge pull request #292 from ellemouton/adminSuperMac

multi: readonly and admin macaroon session

Author: guggero

cmd/litcli/sessions.go

@@ -50,6 +50,14 @@ var addSessionCommand = cli.Command{
 			Usage: "set to true to skip verification of the " +
 				"server's tls cert.",
 		},
+		cli.StringFlag{
+			Name: "type",
+			Usage: "session type to be created which will " +
+				"determine the permissions a user has when " +
+				"connecting with the session. Options " +
+				"include readonly|admin",
+			Value: "readonly",
+		},
 	},
 }
 
@@ -65,13 +73,19 @@ func addSession(ctx *cli.Context) error {
 		return fmt.Errorf("must set a label for the session")
 	}
 
+	sessTypeStr := ctx.String("type")
+	sessType, err := parseSessionType(sessTypeStr)
+	if err != nil {
+		return err
+	}
+
 	sessionLength := time.Second * time.Duration(ctx.Uint64("expiry"))
 	sessionExpiry := time.Now().Add(sessionLength).Unix()
 
 	resp, err := client.AddSession(
 		getAuthContext(ctx), &litrpc.AddSessionRequest{
 			Label:                  label,
-			SessionType:            litrpc.SessionType_TYPE_UI_PASSWORD,
+			SessionType:            sessType,
 			ExpiryTimestampSeconds: uint64(sessionExpiry),
 			MailboxServerAddr:      ctx.String("mailboxserveraddr"),
 			DevServer:              ctx.Bool("devserver"),
@@ -86,6 +100,17 @@ func addSession(ctx *cli.Context) error {
 	return nil
 }
 
+func parseSessionType(sessionType string) (litrpc.SessionType, error) {
+	switch sessionType {
+	case "admin":
+		return litrpc.SessionType_TYPE_MACAROON_ADMIN, nil
+	case "readonly":
+		return litrpc.SessionType_TYPE_MACAROON_READONLY, nil
+	default:
+		return 0, fmt.Errorf("unsupported session type %s", sessionType)
+	}
+}
+
 var listSessionCommand = cli.Command{
 	Name:        "list",
 	ShortName:   "l",

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/improbable-eng/grpc-web v0.12.0
 	github.com/jessevdk/go-flags v1.4.0
 	github.com/lightninglabs/faraday v0.2.7-alpha
-	github.com/lightninglabs/lightning-node-connect v0.1.5-alpha
+	github.com/lightninglabs/lightning-node-connect v0.1.7-alpha
 	github.com/lightninglabs/lndclient v0.14.0-7
 	github.com/lightninglabs/loop v0.15.1-beta
 	github.com/lightninglabs/pool v0.5.4-alpha.0.20220114202858-525fe156d240
@@ -25,6 +25,7 @@ require (
 	github.com/urfave/cli v1.22.4
 	go.etcd.io/bbolt v1.3.6
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+	golang.org/x/net v0.0.0-20210913180222-943fd674d43e
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1
 	google.golang.org/grpc v1.39.0

go.sum

@@ -105,6 +105,7 @@ github.com/btcsuite/btcutil/psbt v1.0.3-0.20210527170813-e2ba6805a890 h1:0xUNvvw
 github.com/btcsuite/btcutil/psbt v1.0.3-0.20210527170813-e2ba6805a890/go.mod h1:LVveMu4VaNSkIRTZu2+ut0HDBRuYjqGocxDMNS1KuGQ=
 github.com/btcsuite/btcwallet v0.11.1-0.20200814001439-1d31f4ea6fc5/go.mod h1:YkEbJaCyN6yncq5gEp2xG0OKDwus2QxGCEXTNF27w5I=
 github.com/btcsuite/btcwallet v0.11.1-0.20200904022754-2c5947a45222/go.mod h1:owv9oZqM0HnUW+ByF7VqOgfs2eb0ooiePW/+Tl/i/Nk=
+github.com/btcsuite/btcwallet v0.11.1-0.20201207233335-415f37ff11a1/go.mod h1:P1U4LKSB/bhFQdOM7ab1XqNoBGFyFAe7eKObEBD9mIo=
 github.com/btcsuite/btcwallet v0.12.1-0.20210519225359-6ab9b615576f/go.mod h1:f1HuBGov5+OTp40Gh1vA+tvF6d7bbuLFTceJMRB7fXw=
 github.com/btcsuite/btcwallet v0.13.0/go.mod h1:iLN1lG1MW0eREm+SikmPO8AZPz5NglBTEK/ErqkjGpo=
 github.com/btcsuite/btcwallet v0.13.1-0.20211201210108-79de92f527dc h1:lAbAEAp4eWvsSwJfcpdHXpKz78X2sVF9aDK4nJveXmY=
@@ -323,7 +324,6 @@ github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
 github.com/golang/mock v1.0.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -603,24 +603,27 @@ github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.3 h1:v9QZf2Sn6AmjXtQeFpdoq/eaNtYP6IN+7lcrygsIAtg=
 github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lightninglabs/aperture v0.1.6-beta h1:bhpK4O9xa0YUBFQfkfg/h/3sMAY+AOMxi9YUjg6/l/E=
 github.com/lightninglabs/aperture v0.1.6-beta/go.mod h1:9xl4mx778ZAzrB87nLHMqk+XQcSz8Dx/DypjWzGN1xo=
+github.com/lightninglabs/aperture v0.1.11-beta h1:GRnQxvDn3ZPIqC8DV1T81LCxJO33anoAAbOFxyGbUyU=
+github.com/lightninglabs/aperture v0.1.11-beta/go.mod h1:pl4sIilhVW6RH7FIYCugPHEPl0pmj3UE1I83Oqpj9VY=
 github.com/lightninglabs/faraday v0.2.7-alpha h1:lpSUk3RFfgr4/OCx1OdJ2AMHCAiTObK+5o54ml8ceHs=
 github.com/lightninglabs/faraday v0.2.7-alpha/go.mod h1:77P9EctYhneIXLvm9a6ylV9LCht/rj7j8mLwXpBgxB8=
 github.com/lightninglabs/gozmq v0.0.0-20191113021534-d20a764486bf h1:HZKvJUHlcXI/f/O0Avg7t8sqkPo78HFzjmeYFl6DPnc=
 github.com/lightninglabs/gozmq v0.0.0-20191113021534-d20a764486bf/go.mod h1:vxmQPeIQxPf6Jf9rM8R+B4rKBqLA2AjttNxkFBL2Plk=
-github.com/lightninglabs/lightning-node-connect v0.1.5-alpha h1:6Jguz6wXSaV2KVs+mvEDATQdNMvKiTmuQeRGMzvarTw=
-github.com/lightninglabs/lightning-node-connect v0.1.5-alpha/go.mod h1:xsDBDnSzHalal3K4gbnVSrbWVbV25sHrm96p3+lASt0=
+github.com/lightninglabs/lightning-node-connect v0.1.7-alpha h1:M2g8Il/DWhRvwZIEBER1QVDeIj9OTM0+DE7fXrLqc10=
+github.com/lightninglabs/lightning-node-connect v0.1.7-alpha/go.mod h1:jxSnezQYIvhNXqjyyiMEmdpOURrdVaujPZV6zGCVi8o=
 github.com/lightninglabs/lightning-node-connect/hashmailrpc v1.0.2 h1:Er1miPZD2XZwcfE4xoS5AILqP1mj7kqnhbBSxW9BDxY=
 github.com/lightninglabs/lightning-node-connect/hashmailrpc v1.0.2/go.mod h1:antQGRDRJiuyQF6l+k6NECCSImgCpwaZapATth2Chv4=
 github.com/lightninglabs/lndclient v0.11.0-4/go.mod h1:8/cTKNwgL87NX123gmlv3Xh6p1a7pvzu+40Un3PhHiI=
+github.com/lightninglabs/lndclient v0.12.0-9/go.mod h1:L0R2VOaLxMylGbxgnfiZGc0hMDIIgj91cfgwGuFz9kU=
 github.com/lightninglabs/lndclient v0.14.0-5/go.mod h1:2kH9vNoc29ghIkfMjxwSeK8yCxsYfR80XAJ9PU/QWWk=
 github.com/lightninglabs/lndclient v0.14.0-7 h1:muqPju9ixBtQNcO0SkvbZ2b2oORUMRqQ4e+aC077Qa8=
 github.com/lightninglabs/lndclient v0.14.0-7/go.mod h1:2kH9vNoc29ghIkfMjxwSeK8yCxsYfR80XAJ9PU/QWWk=
 github.com/lightninglabs/loop v0.15.1-beta h1:X4qth5qAdpgKarmcltO85HxMze3Wrk8FzI46Cwt9H4A=
 github.com/lightninglabs/loop v0.15.1-beta/go.mod h1:9TawqLzvjDP4pswZ8QkvTcBqH+wGKBffP+r6mFGBVi4=
 github.com/lightninglabs/neutrino v0.11.0/go.mod h1:CuhF0iuzg9Sp2HO6ZgXgayviFTn1QHdSTJlMncK80wg=
 github.com/lightninglabs/neutrino v0.11.1-0.20200316235139-bffc52e8f200/go.mod h1:MlZmoKa7CJP3eR1s5yB7Rm5aSyadpKkxqAwLQmog7N0=
+github.com/lightninglabs/neutrino v0.11.1-0.20201210023533-e1978372d15e/go.mod h1:KDWfQDKp+CFBxO1t2NRmWuagTY2sYIjpHB1k5vrojTI=
 github.com/lightninglabs/neutrino v0.12.1/go.mod h1:GlKninWpRBbL7b8G0oQ36/8downfnFwKsr0hbRA6E/E=
 github.com/lightninglabs/neutrino v0.13.0 h1:j3PKWEJCwqwMn/qLASz2j0IuCF6AumS9DaM0i0pM/nY=
 github.com/lightninglabs/neutrino v0.13.0/go.mod h1:GlKninWpRBbL7b8G0oQ36/8downfnFwKsr0hbRA6E/E=
@@ -636,13 +639,13 @@ github.com/lightningnetwork/lightning-onion v1.0.2-0.20210520211913-522b799e65b1
 github.com/lightningnetwork/lightning-onion v1.0.2-0.20210520211913-522b799e65b1/go.mod h1:rigfi6Af/KqsF7Za0hOgcyq2PNH4AN70AaMRxcJkff4=
 github.com/lightningnetwork/lnd v0.11.0-beta/go.mod h1:CzArvT7NFDLhVyW06+NJWSuWFmE6Ea+AjjA3txUBqTM=
 github.com/lightningnetwork/lnd v0.11.1-beta/go.mod h1:PGIgxy8aH70Li33YVYkHSaCM8m8LjEevk5h1Dpldrr4=
+github.com/lightningnetwork/lnd v0.12.0-beta/go.mod h1:2GyP1IG1kXV5Af/LOCxnXfux1OP3fAGr8zptS5PB2YI=
 github.com/lightningnetwork/lnd v0.13.0-beta.rc5.0.20210728112744-ebabda671786/go.mod h1:3cmukt9wR4PX1va9Q78gmqSPYd6yhV1wcFemM5F+kT8=
 github.com/lightningnetwork/lnd v0.14.0-beta/go.mod h1:qqOImM4QBKeIXsmUUsJznAbAaEF9iAPHAwfBZf9ld4Y=
 github.com/lightningnetwork/lnd v0.14.1-beta/go.mod h1:o7zDwjZXm/bPP48qjwsqnZvvITyQl+fUv6UVoV4o+J8=
 github.com/lightningnetwork/lnd v0.14.2-beta h1:v5Xgf0HjgA+umoinNrihMSoAuy52tYQnxCzX0wFaRwQ=
 github.com/lightningnetwork/lnd v0.14.2-beta/go.mod h1:BKTR+jbfcyFwsOPb3m8HaM09YmZF/SsbWd5UTCgDZlo=
 github.com/lightningnetwork/lnd/cert v1.0.2/go.mod h1:fmtemlSMf5t4hsQmcprSoOykypAPp+9c+0d0iqTScMo=
-github.com/lightningnetwork/lnd/cert v1.0.2/go.mod h1:fmtemlSMf5t4hsQmcprSoOykypAPp+9c+0d0iqTScMo=
 github.com/lightningnetwork/lnd/cert v1.0.3/go.mod h1:3MWXVLLPI0Mg0XETm9fT4N9Vyy/8qQLmaM5589bEggM=
 github.com/lightningnetwork/lnd/cert v1.1.0 h1:Vgmse23SOB/ODIj+I5Utq1yuKLPbWQ34gUoNKfDs4pk=
 github.com/lightningnetwork/lnd/cert v1.1.0/go.mod h1:3MWXVLLPI0Mg0XETm9fT4N9Vyy/8qQLmaM5589bEggM=
@@ -960,19 +963,16 @@ go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
@@ -989,7 +989,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
@@ -1051,7 +1050,6 @@ golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -1315,7 +1313,6 @@ google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=

session/interface.go

@@ -1,12 +1,12 @@
 package session
 
 import (
-	"encoding/binary"
 	"fmt"
 	"time"
 
 	"github.com/btcsuite/btcd/btcec"
 	"github.com/lightninglabs/lightning-node-connect/mailbox"
+	"gopkg.in/macaroon-bakery.v2/bakery"
 	"gopkg.in/macaroon.v2"
 )
 
@@ -30,6 +30,13 @@ const (
 	StateExpired State = 3
 )
 
+// MacaroonRecipe defines the permissions and caveats that should be used
+// to bake a macaroon.
+type MacaroonRecipe struct {
+	Permissions []bakery.Op
+	Caveats     []macaroon.Caveat
+}
+
 // Session is a struct representing a long-term Terminal Connect session.
 type Session struct {
 	Label           string
@@ -39,7 +46,7 @@ type Session struct {
 	ServerAddr      string
 	DevServer       bool
 	MacaroonRootKey uint64
-	Macaroon        *macaroon.Macaroon
+	MacaroonRecipe  *MacaroonRecipe
 	PairingSecret   [mailbox.NumPasswordBytes]byte
 	LocalPrivateKey *btcec.PrivateKey
 	LocalPublicKey  *btcec.PublicKey
@@ -48,7 +55,8 @@ type Session struct {
 
 // NewSession creates a new session with the given user-defined parameters.
 func NewSession(label string, typ Type, expiry time.Time, serverAddr string,
-	devServer bool) (*Session, error) {
+	devServer bool, perms []bakery.Op, caveats []macaroon.Caveat) (*Session,
+	error) {
 
 	_, pairingSecret, err := mailbox.NewPassword()
 	if err != nil {
@@ -60,9 +68,12 @@ func NewSession(label string, typ Type, expiry time.Time, serverAddr string,
 		return nil, fmt.Errorf("error deriving private key: %v", err)
 	}
 	pubKey := privateKey.PubKey()
-	macRootKey := binary.BigEndian.Uint64(pubKey.SerializeCompressed()[0:8])
 
-	return &Session{
+	var macRootKeyBase [4]byte
+	copy(macRootKeyBase[:], pubKey.SerializeCompressed())
+	macRootKey := NewSuperMacaroonRootKeyID(macRootKeyBase)
+
+	sess := &Session{
 		Label:           label,
 		State:           StateCreated,
 		Type:            typ,
@@ -74,7 +85,16 @@ func NewSession(label string, typ Type, expiry time.Time, serverAddr string,
 		LocalPrivateKey: privateKey,
 		LocalPublicKey:  pubKey,
 		RemotePublicKey: nil,
-	}, nil
+	}
+
+	if perms != nil || caveats != nil {
+		sess.MacaroonRecipe = &MacaroonRecipe{
+			Permissions: perms,
+			Caveats:     caveats,
+		}
+	}
+
+	return sess, nil
 }
 
 // Store is the interface a persistent storage must implement for storing and

session/macaroon.go

@@ -0,0 +1,80 @@
+package session
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/hex"
+	"strconv"
+
+	"github.com/lightningnetwork/lnd/lnrpc"
+	"google.golang.org/protobuf/proto"
+	"gopkg.in/macaroon-bakery.v2/bakery"
+	"gopkg.in/macaroon.v2"
+)
+
+var (
+	// SuperMacaroonRootKeyPrefix is the prefix we set on a super macaroon's
+	// root key to clearly mark it as such.
+	SuperMacaroonRootKeyPrefix = [4]byte{0xFF, 0xEE, 0xDD, 0xCC}
+)
+
+// NewSuperMacaroonRootKeyID returns a new macaroon root key ID that has the
+// prefix to mark it as a super macaroon root key.
+func NewSuperMacaroonRootKeyID(id [4]byte) uint64 {
+	rootKeyBytes := make([]byte, 8)
+	copy(rootKeyBytes[:], SuperMacaroonRootKeyPrefix[:])
+	copy(rootKeyBytes[4:], id[:])
+	return binary.BigEndian.Uint64(rootKeyBytes)
+}
+
+// ParseMacaroon parses a hex encoded macaroon into its native struct.
+func ParseMacaroon(macHex string) (*macaroon.Macaroon, error) {
+	macBytes, err := hex.DecodeString(macHex)
+	if err != nil {
+		return nil, err
+	}
+
+	mac := &macaroon.Macaroon{}
+	if err := mac.UnmarshalBinary(macBytes); err != nil {
+		return nil, err
+	}
+
+	return mac, nil
+}
+
+// IsSuperMacaroon returns true if the given hex encoded macaroon is a super
+// macaroon baked by LiT which can be identified by its root key ID.
+func IsSuperMacaroon(macHex string) bool {
+	mac, err := ParseMacaroon(macHex)
+	if err != nil {
+		return false
+	}
+
+	rawID := mac.Id()
+	if rawID[0] != byte(bakery.LatestVersion) {
+		return false
+	}
+	decodedID := &lnrpc.MacaroonId{}
+	idProto := rawID[1:]
+	err = proto.Unmarshal(idProto, decodedID)
+	if err != nil {
+		return false
+	}
+
+	// The storage ID is a string representation of a 64bit unsigned number.
+	rootKeyID, err := strconv.ParseUint(string(decodedID.StorageId), 10, 64)
+	if err != nil {
+		return false
+	}
+
+	return isSuperMacaroonRootKeyID(rootKeyID)
+}
+
+// isSuperMacaroonRootKeyID returns true if the given macaroon root key ID (also
+// known as storage ID) is a super macaroon, which can be identified by its
+// first 4 bytes.
+func isSuperMacaroonRootKeyID(rootKeyID uint64) bool {
+	rootKeyBytes := make([]byte, 8)
+	binary.BigEndian.PutUint64(rootKeyBytes, rootKeyID)
+	return bytes.HasPrefix(rootKeyBytes, SuperMacaroonRootKeyPrefix[:])
+}

session/macaroon_test.go

@@ -0,0 +1,37 @@
+package session
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	// testMacHex is a read-only supermacaroon.
+	testMacHex = "0201036c6e6402f802030a1011540404373b4d0b3682b15ea7af60c" +
+		"c121431383434313932313339323432393138343738341a0f0a076163636" +
+		"f756e741204726561641a0f0a0761756374696f6e1204726561641a0d0a0" +
+		"561756469741204726561641a0c0a04617574681204726561641a0c0a046" +
+		"96e666f1204726561641a100a08696e7369676874731204726561641a100" +
+		"a08696e766f696365731204726561641a0f0a046c6f6f701202696e12036" +
+		"f75741a100a086d616361726f6f6e1204726561641a0f0a076d657373616" +
+		"7651204726561641a100a086f6666636861696e1204726561641a0f0a076" +
+		"f6e636861696e1204726561641a0d0a056f726465721204726561641a0d0" +
+		"a0570656572731204726561641a0d0a0572617465731204726561641a160" +
+		"a0e7265636f6d6d656e646174696f6e1204726561641a0e0a067265706f7" +
+		"2741204726561641a130a0b73756767657374696f6e731204726561641a0" +
+		"c0a04737761701204726561641a0d0a057465726d7312047265616400000" +
+		"6202362c91888e95dfbbf1eb995bd0fef2b549e2de7f4e9fa11aff445273" +
+		"60a6caf"
+)
+
+func TestSuperMacaroonRootKeyID(t *testing.T) {
+	someBytes := [4]byte{02, 03, 44, 88}
+	rootKeyID := NewSuperMacaroonRootKeyID(someBytes)
+	require.True(t, isSuperMacaroonRootKeyID(rootKeyID))
+	require.False(t, isSuperMacaroonRootKeyID(123))
+}
+
+func TestIsSuperMacaroon(t *testing.T) {
+	require.True(t, IsSuperMacaroon(testMacHex))
+}