Merge pull request #9546 from hieblmi/macaroon-ip-cidr-constraint

guggero · web-flow · commit 053d63e11002 · 2025-03-14T10:22:43.000-06:00
macaroons: ip range constraint
diff --git a/cmd/commands/cmd_macaroon.go b/cmd/commands/cmd_macaroon.go
@@ -30,6 +30,10 @@ var (
 		Name:  "ip_address",
 		Usage: "the IP address the macaroon will be bound to",
 	}
+	macIPRangeFlag = cli.StringFlag{
+		Name:  "ip_range",
+		Usage: "the IP range the macaroon will be bound to",
+	}
 	macCustomCaveatNameFlag = cli.StringFlag{
 		Name:  "custom_caveat_name",
 		Usage: "the name of the custom caveat to add",
@@ -557,6 +561,19 @@ func applyMacaroonConstraints(ctx *cli.Context,
 		)
 	}
 
+	if ctx.IsSet(macIPRangeFlag.Name) {
+		_, net, err := net.ParseCIDR(ctx.String(macIPRangeFlag.Name))
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse ip_range "+
+				"%s: %w", ctx.String("ip_range"), err)
+		}
+
+		macConstraints = append(
+			macConstraints,
+			macaroons.IPLockConstraint(net.String()),
+		)
+	}
+
 	if ctx.IsSet(macCustomCaveatNameFlag.Name) {
 		customCaveatName := ctx.String(macCustomCaveatNameFlag.Name)
 		if containsWhiteSpace(customCaveatName) {
diff --git a/config_builder.go b/config_builder.go
@@ -472,7 +472,7 @@ func (d *DefaultWalletImpl) BuildWalletConfig(ctx context.Context,
 		}
 		macaroonService, err = macaroons.NewService(
 			rootKeyStore, "lnd", walletInitParams.StatelessInit,
-			macaroons.IPLockChecker,
+			macaroons.IPLockChecker, macaroons.IPRangeLockChecker,
 			macaroons.CustomChecker(interceptorChain),
 		)
 		if err != nil {
diff --git a/docs/release-notes/release-notes-0.19.0.md b/docs/release-notes/release-notes-0.19.0.md
@@ -166,6 +166,10 @@
   on the channel. LND will disable the channel for new HTLCs and kick off the
   cooperative close flow automatically when the channel has no HTLCs left.
 
+* [A new macaroon constraint](https://github.com/lightningnetwork/lnd/pull/9546)
+  to allow for restriction of access based on an IP range. Prior to this only
+  specific IPs could be allowed or denied.
+
 # Improvements
 ## Functional Updates
 
diff --git a/itest/lnd_macaroons_test.go b/itest/lnd_macaroons_test.go
@@ -37,9 +37,8 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 		name string
 		run  func(ctxt context.Context, t *testing.T)
 	}{{
-		// First test: Make sure we get an error if we use no macaroons
-		// but try to connect to a node that has macaroon authentication
-		// enabled.
+		// Make sure we get an error if we use no macaroons but try to
+		// connect to a node that has macaroon authentication enabled.
 		name: "no macaroon",
 		run: func(ctxt context.Context, t *testing.T) {
 			conn, err := testNode.ConnectRPCWithMacaroon(nil)
@@ -51,8 +50,7 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Contains(t, err.Error(), "expected 1 macaroon")
 		},
 	}, {
-		// Second test: Ensure that an invalid macaroon also triggers an
-		// error.
+		// Ensure that an invalid macaroon also triggers an error.
 		name: "invalid macaroon",
 		run: func(ctxt context.Context, t *testing.T) {
 			invalidMac, _ := macaroon.New(
@@ -68,8 +66,7 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Contains(t, err.Error(), "invalid ID")
 		},
 	}, {
-		// Third test: Try to access a write method with read-only
-		// macaroon.
+		// Try to access a write method with read-only macaroon.
 		name: "read only macaroon",
 		run: func(ctxt context.Context, t *testing.T) {
 			readonlyMac, err := testNode.ReadMacaroon(
@@ -85,8 +82,8 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Contains(t, err.Error(), "permission denied")
 		},
 	}, {
-		// Fourth test: Check first-party caveat with timeout that
-		// expired 30 seconds ago.
+		// Check first-party caveat with timeout that expired 30 seconds
+		// ago.
 		name: "expired macaroon",
 		run: func(ctxt context.Context, t *testing.T) {
 			readonlyMac, err := testNode.ReadMacaroon(
@@ -106,7 +103,7 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Contains(t, err.Error(), "macaroon has expired")
 		},
 	}, {
-		// Fifth test: Check first-party caveat with invalid IP address.
+		// Check first-party caveat with invalid IP address.
 		name: "invalid IP macaroon",
 		run: func(ctxt context.Context, t *testing.T) {
 			readonlyMac, err := testNode.ReadMacaroon(
@@ -128,7 +125,7 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Contains(t, err.Error(), "different IP address")
 		},
 	}, {
-		// Sixth test: Make sure that if we do everything correct and
+		// Make sure that if we do everything correct and
 		// send the admin macaroon with first-party caveats that we can
 		// satisfy, we get a correct answer.
 		name: "correct macaroon",
@@ -149,8 +146,51 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			assert.Contains(t, res.Address, "bcrt1")
 		},
 	}, {
-		// Seventh test: Bake a macaroon that can only access exactly
-		// two RPCs and make sure it works as expected.
+		// Check first-party caveat with invalid IP range.
+		name: "invalid IP range macaroon",
+		run: func(ctxt context.Context, t *testing.T) {
+			readonlyMac, err := testNode.ReadMacaroon(
+				testNode.Cfg.ReadMacPath, defaultTimeout,
+			)
+			require.NoError(t, err)
+			invalidIPRangeMac, err := macaroons.AddConstraints(
+				readonlyMac, macaroons.IPRangeLockConstraint(
+					"1.1.1.1/32",
+				),
+			)
+			require.NoError(t, err)
+			cleanup, client := macaroonClient(
+				t, testNode, invalidIPRangeMac,
+			)
+			defer cleanup()
+			_, err = client.GetInfo(ctxt, infoReq)
+			require.Error(t, err)
+			require.Contains(t, err.Error(), "different IP range")
+		},
+	}, {
+		// Make sure that if we do everything correct and send the admin
+		// macaroon with first-party caveats that we can satisfy, we get
+		// a correct answer.
+		name: "correct macaroon",
+		run: func(ctxt context.Context, t *testing.T) {
+			adminMac, err := testNode.ReadMacaroon(
+				testNode.Cfg.AdminMacPath, defaultTimeout,
+			)
+			require.NoError(t, err)
+			adminMac, err = macaroons.AddConstraints(
+				adminMac, macaroons.TimeoutConstraint(30),
+				macaroons.IPRangeLockConstraint("127.0.0.0/8"),
+			)
+			require.NoError(t, err)
+			cleanup, client := macaroonClient(t, testNode, adminMac)
+			defer cleanup()
+			res, err := client.NewAddress(ctxt, newAddrReq)
+			require.NoError(t, err, "get new address")
+			assert.Contains(t, res.Address, "bcrt1")
+		},
+	}, {
+		// Bake a macaroon that can only access exactly two RPCs and
+		// make sure it works as expected.
 		name: "custom URI permissions",
 		run: func(ctxt context.Context, t *testing.T) {
 			entity := macaroons.PermissionEntityCustomURI
@@ -199,9 +239,9 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Contains(t, err.Error(), "permission denied")
 		},
 	}, {
-		// Eighth test: check that with the CheckMacaroonPermissions
-		// RPC, we can check that a macaroon follows (or doesn't)
-		// permissions and constraints.
+		// Check that with the CheckMacaroonPermissions RPC, we can
+		// check that a macaroon follows (or doesn't) permissions and
+		// constraints.
 		name: "unknown permissions",
 		run: func(ctxt context.Context, t *testing.T) {
 			// A test macaroon created with permissions from pool,
diff --git a/macaroons/constraints.go b/macaroons/constraints.go
@@ -3,6 +3,7 @@ package macaroons
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"strings"
@@ -21,6 +22,10 @@ const (
 	// in the serialized macaroon. We choose a single space as the delimiter
 	// between the because that is also used by the macaroon bakery library.
 	CondLndCustom = "lnd-custom"
+
+	// CondIPRange is the caveat condition name that is used for tying an IP
+	// range to a macaroon.
+	CondIPRange = "iprange"
 )
 
 // CustomCaveatAcceptor is an interface that contains a single method for
@@ -80,9 +85,9 @@ func TimeoutConstraint(seconds int64) func(*macaroon.Macaroon) error {
 	}
 }
 
-// IPLockConstraint locks macaroon to a specific IP address.
-// If address is an empty string, this constraint does nothing to
-// accommodate default value's desired behavior.
+// IPLockConstraint locks a macaroon to a specific IP address. If ipAddr is an
+// empty string, this constraint does nothing to accommodate  default value's
+// desired behavior.
 func IPLockConstraint(ipAddr string) func(*macaroon.Macaroon) error {
 	return func(mac *macaroon.Macaroon) error {
 		if ipAddr != "" {
@@ -93,8 +98,32 @@ func IPLockConstraint(ipAddr string) func(*macaroon.Macaroon) error {
 			}
 			caveat := checkers.Condition("ipaddr",
 				macaroonIPAddr.String())
+
+			return mac.AddFirstPartyCaveat([]byte(caveat))
+		}
+
+		return nil
+	}
+}
+
+// IPRangeLockConstraint locks a macaroon to a specific IP address range. If
+// ipRange is an empty string, this constraint does nothing to accommodate
+// default value's desired behavior.
+func IPRangeLockConstraint(ipRange string) func(*macaroon.Macaroon) error {
+	return func(mac *macaroon.Macaroon) error {
+		if ipRange != "" {
+			_, parsedNet, err := net.ParseCIDR(ipRange)
+			if err != nil {
+				return fmt.Errorf("incorrect macaroon IP "+
+					"range: %w", err)
+			}
+			caveat := checkers.Condition(
+				CondIPRange, parsedNet.String(),
+			)
+
 			return mac.AddFirstPartyCaveat([]byte(caveat))
 		}
+
 		return nil
 	}
 }
@@ -122,6 +151,39 @@ func IPLockChecker() (string, checkers.Func) {
 	}
 }
 
+// IPRangeLockChecker accepts client IP range from the validation context and
+// compares it with the IP range locked in the macaroon. It is of the `Checker`
+// type.
+func IPRangeLockChecker() (string, checkers.Func) {
+	return CondIPRange, func(ctx context.Context, cond, arg string) error {
+		// Get peer info and extract IP range from it for macaroon
+		// check.
+		pr, ok := peer.FromContext(ctx)
+		if !ok {
+			return errors.New("unable to get peer info from " +
+				"context")
+		}
+		peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
+		if err != nil {
+			return fmt.Errorf("unable to parse peer address: %w",
+				err)
+		}
+
+		_, ipNet, err := net.ParseCIDR(arg)
+		if err != nil {
+			return fmt.Errorf("unable to parse macaroon IP "+
+				"range: %w", err)
+		}
+
+		if !ipNet.Contains(net.ParseIP(peerAddr)) {
+			return errors.New("macaroon locked to different " +
+				"IP range")
+		}
+
+		return nil
+	}
+}
+
 // CustomConstraint returns a function that adds a custom caveat condition to
 // a macaroon.
 func CustomConstraint(name, condition string) func(*macaroon.Macaroon) error {

Original file line number	Diff line number	Diff line change
`@@ -472,7 +472,7 @@ func (d *DefaultWalletImpl) BuildWalletConfig(ctx context.Context,`
`472`	`472`	`}`
`473`	`473`	`macaroonService, err = macaroons.NewService(`
`474`	`474`	`rootKeyStore, "lnd", walletInitParams.StatelessInit,`
`475`		`- macaroons.IPLockChecker,`
	`475`	`+ macaroons.IPLockChecker, macaroons.IPRangeLockChecker,`
`476`	`476`	`macaroons.CustomChecker(interceptorChain),`
`477`	`477`	`)`
`478`	`478`	`if err != nil {`