12986279612

Committed 27 Jan 2025 09:51AM UTC coverage: 57.652% (-1.1%) from 58.788%

Build # 12986279612

Build Type

Pull #9447

github

Committed by

yyforyongyu

Commit Message

sweep: rename methods for clarity

We now rename "third party" to "unknown" as the inputs can be spent via
an older sweeping tx, a third party (anchor), or a remote party (pin).
In fee bumper we don't have the info to distinguish the above cases, and
leave them to be further handled by the sweeper as it has more context.

Pull Request Pull Request #9447: sweep: start tracking input spending status in the fee bumper

Run Details

83 of 87 new or added lines in 2 files covered. (95.4%)

19578 existing lines in 256 files now uncovered.

103448 of 179434 relevant lines covered (57.65%)

24884.58 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

73.33

/macaroons/service.go

package macaroons

import (
        "context"
        "encoding/hex"
        "fmt"

        "google.golang.org/grpc/metadata"
        "gopkg.in/macaroon-bakery.v2/bakery"
        "gopkg.in/macaroon-bakery.v2/bakery/checkers"
        macaroon "gopkg.in/macaroon.v2"
)

var (
        // ErrMissingRootKeyID specifies the root key ID is missing.
        ErrMissingRootKeyID = fmt.Errorf("missing root key ID")

        // ErrDeletionForbidden is used when attempting to delete the
        // DefaultRootKeyID or the encryptedKeyID.
        ErrDeletionForbidden = fmt.Errorf("the specified ID cannot be deleted")

        // PermissionEntityCustomURI is a special entity name for a permission
        // that does not describe an entity:action pair but instead specifies a
        // specific URI that needs to be granted access to. This can be used for
        // more fine-grained permissions where a macaroon only grants access to
        // certain methods instead of a whole list of methods that define the
        // same entity:action pairs. For example: uri:/lnrpc.Lightning/GetInfo
        // only gives access to the GetInfo call.
        PermissionEntityCustomURI = "uri"

        // ErrUnknownVersion is returned when a macaroon is of an unknown
        // is presented.
        ErrUnknownVersion = fmt.Errorf("unknown macaroon version")

        // ErrInvalidID is returned when a macaroon ID is invalid.
        ErrInvalidID = fmt.Errorf("invalid ID")
)

// MacaroonValidator is an interface type that can check if macaroons are valid.
type MacaroonValidator interface {
        // ValidateMacaroon extracts the macaroon from the context's gRPC
        // metadata, checks its signature, makes sure all specified permissions
        // for the called method are contained within and finally ensures all
        // caveat conditions are met. A non-nil error is returned if any of the
        // checks fail.
        ValidateMacaroon(ctx context.Context,
                requiredPermissions []bakery.Op, fullMethod string) error
}

// ExtendedRootKeyStore is an interface augments the existing
// macaroons.RootKeyStorage interface by adding a number of additional utility
// methods such as encrypting and decrypting the root key given a password.
type ExtendedRootKeyStore interface {
        bakery.RootKeyStore

        // Close closes the RKS and zeros out any in-memory encryption keys.
        Close() error

        // CreateUnlock calls the underlying root key store's CreateUnlock and
        // returns the result.
        CreateUnlock(password *[]byte) error

        // ListMacaroonIDs returns all the root key ID values except the value
        // of encryptedKeyID.
        ListMacaroonIDs(ctxt context.Context) ([][]byte, error)

        // DeleteMacaroonID removes one specific root key ID. If the root key
        // ID is found and deleted, it will be returned.
        DeleteMacaroonID(ctxt context.Context, rootKeyID []byte) ([]byte, error)

        // ChangePassword calls the underlying root key store's ChangePassword
        // and returns the result.
        ChangePassword(oldPw, newPw []byte) error

        // GenerateNewRootKey calls the underlying root key store's
        // GenerateNewRootKey and returns the result.
        GenerateNewRootKey() error

        // SetRootKey calls the underlying root key store's SetRootKey and
        // returns the result.
        SetRootKey(rootKey []byte) error
}

// Service encapsulates bakery.Bakery and adds a Close() method that zeroes the
// root key service encryption keys, as well as utility methods to validate a
// macaroon against the bakery and gRPC middleware for macaroon-based auth.
type Service struct {
        bakery.Bakery

        rks bakery.RootKeyStore

        // ExternalValidators is a map between an absolute gRPC URIs and the
        // corresponding external macaroon validator to be used for that URI.
        // If no external validator for an URI is specified, the service will
        // use the internal validator.
        ExternalValidators map[string]MacaroonValidator

        // StatelessInit denotes if the service was initialized in the stateless
        // mode where no macaroon files should be created on disk.
        StatelessInit bool
}

// NewService returns a service backed by the macaroon DB backend. The `checks`
// argument can be any of the `Checker` type functions defined in this package,
// or a custom checker if desired. This constructor prevents double-registration
// of checkers to prevent panics, so listing the same checker more than once is
// not harmful. Default checkers, such as those for `allow`, `time-before`,
// `declared`, and `error` caveats are registered automatically and don't need
// to be added.
func NewService(keyStore bakery.RootKeyStore, location string,
        statelessInit bool, checks ...Checker) (*Service, error) {

        macaroonParams := bakery.BakeryParams{
                Location:     location,
                RootKeyStore: keyStore,
                // No third-party caveat support for now.
                // TODO(aakselrod): Add third-party caveat support.
                Locator: nil,
                Key:     nil,
        }

        svc := bakery.New(macaroonParams)

        // Register all custom caveat checkers with the bakery's checker.
        // TODO(aakselrod): Add more checks as required.
        checker := svc.Checker.FirstPartyCaveatChecker.(*checkers.Checker)
        for _, check := range checks {
                cond, fun := check()
                if !isRegistered(checker, cond) {
                        checker.Register(cond, "std", fun)
                }
        }

        return &Service{
                Bakery:             *svc,
                rks:                keyStore,
                ExternalValidators: make(map[string]MacaroonValidator),
                StatelessInit:      statelessInit,
        }, nil
}

// isRegistered checks to see if the required checker has already been
// registered in order to avoid a panic caused by double registration.
func isRegistered(c *checkers.Checker, name string) bool {
        if c == nil {
                return false
        }

        for _, info := range c.Info() {
                if info.Name == name &&
                        info.Prefix == "" &&
                        info.Namespace == "std" {
                        return true
                }
        }

        return false
}

// RegisterExternalValidator registers a custom, external macaroon validator for
// the specified absolute gRPC URI. That validator is then fully responsible to
// make sure any macaroon passed for a request to that URI is valid and
// satisfies all conditions.
func (svc *Service) RegisterExternalValidator(fullMethod string,
        validator MacaroonValidator) error {

        if validator == nil {
                return fmt.Errorf("validator cannot be nil")
        }

        _, ok := svc.ExternalValidators[fullMethod]
        if ok {
                return fmt.Errorf("external validator for method %s already "+
                        "registered", fullMethod)
        }

        svc.ExternalValidators[fullMethod] = validator
        return nil
}

// ValidateMacaroon validates the capabilities of a given request given a
// bakery service, context, and uri. Within the passed context.Context, we
// expect a macaroon to be encoded as request metadata using the key
// "macaroon".
func (svc *Service) ValidateMacaroon(ctx context.Context,
        requiredPermissions []bakery.Op, fullMethod string) error {

        // Get macaroon bytes from context and unmarshal into macaroon.
        macHex, err := RawMacaroonFromContext(ctx)
        if err != nil {
                return err
        }

        // With the macaroon obtained, we'll now decode the hex-string encoding.
        macBytes, err := hex.DecodeString(macHex)
        if err != nil {
                return err
        }

        return svc.CheckMacAuth(
                ctx, macBytes, requiredPermissions, fullMethod,
        )
}

// CheckMacAuth checks that the macaroon is not disobeying any caveats and is
// authorized to perform the operation the user wants to perform.
func (svc *Service) CheckMacAuth(ctx context.Context, macBytes []byte,
        requiredPermissions []bakery.Op, fullMethod string) error {

        // With the macaroon obtained, we'll now unmarshal it from binary into
        // its concrete struct representation.
        mac := &macaroon.Macaroon{}
        err := mac.UnmarshalBinary(macBytes)
        if err != nil {
                return err
        }

        // Ensure that the macaroon is using the exact same version as we
        // expect. In the future, we can relax this check to phase in new
        // versions.
        if mac.Version() != macaroon.V2 {
                return fmt.Errorf("%w: %v", ErrUnknownVersion,
                        mac.Version())
        }

        // Run a similar version check on the ID used for the macaroon as well.
        const minIDLength = 1
        if len(mac.Id()) < minIDLength {
                return ErrInvalidID
        }
        if mac.Id()[0] != byte(bakery.Version3) {
                return ErrInvalidID
        }

        // Check the method being called against the permitted operation, the
        // expiration time and IP address and return the result.
        authChecker := svc.Checker.Auth(macaroon.Slice{mac})
        _, err = authChecker.Allow(ctx, requiredPermissions...)

        // If the macaroon contains broad permissions and checks out, we're
        // done.
        if err == nil {
                return nil
        }

        // To also allow the special permission of "uri:<FullMethod>" to be a
        // valid permission, we need to check it manually in case there is no
        // broader scope permission defined.
        _, err = authChecker.Allow(ctx, bakery.Op{
                Entity: PermissionEntityCustomURI,
                Action: fullMethod,
        })
        return err
}

// Close closes the database that underlies the RootKeyStore and zeroes the
// encryption keys.
func (svc *Service) Close() error {
        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.Close()
        }

        return nil
}

// CreateUnlock calls the underlying root key store's CreateUnlock and returns
// the result.
func (svc *Service) CreateUnlock(password *[]byte) error {
        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.CreateUnlock(password)
        }

        return nil
}

// NewMacaroon wraps around the function Oven.NewMacaroon with the defaults,
//   - version is always bakery.LatestVersion;
//   - caveats is always nil.
//
// In addition, it takes a rootKeyID parameter, and puts it into the context.
// The context is passed through Oven.NewMacaroon(), in which calls the function
// RootKey(), that reads the context for rootKeyID.
func (svc *Service) NewMacaroon(
        ctx context.Context, rootKeyID []byte,
        ops ...bakery.Op) (*bakery.Macaroon, error) {

        // Check rootKeyID is not called with nil or empty bytes. We want the
        // caller to be aware the value of root key ID used, so we won't replace
        // it with the DefaultRootKeyID if not specified.
        if len(rootKeyID) == 0 {
                return nil, ErrMissingRootKeyID
        }

        // Pass the root key ID to context.
        ctx = ContextWithRootKeyID(ctx, rootKeyID)

        return svc.Oven.NewMacaroon(ctx, bakery.LatestVersion, nil, ops...)
}

// ListMacaroonIDs returns all the root key ID values except the value of
// encryptedKeyID.
func (svc *Service) ListMacaroonIDs(ctxt context.Context) ([][]byte, error) {
        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.ListMacaroonIDs(ctxt)
        }

        return nil, nil
}

// DeleteMacaroonID removes one specific root key ID. If the root key ID is
// found and deleted, it will be returned.
func (svc *Service) DeleteMacaroonID(ctxt context.Context,
        rootKeyID []byte) ([]byte, error) {

        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.DeleteMacaroonID(ctxt, rootKeyID)
        }

        return nil, nil
}

// GenerateNewRootKey calls the underlying root key store's GenerateNewRootKey
// and returns the result.
func (svc *Service) GenerateNewRootKey() error {
        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.GenerateNewRootKey()
        }

        return nil
}

// SetRootKey calls the underlying root key store's SetRootKey and returns the
// result.
func (svc *Service) SetRootKey(rootKey []byte) error {
        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.SetRootKey(rootKey)
        }

        return nil
}

// ChangePassword calls the underlying root key store's ChangePassword and
// returns the result.
func (svc *Service) ChangePassword(oldPw, newPw []byte) error {
        if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {
                return boltRKS.ChangePassword(oldPw, newPw)
        }

        return nil
}

// RawMacaroonFromContext is a helper function that extracts a raw macaroon
// from the given incoming gRPC request context.
func RawMacaroonFromContext(ctx context.Context) (string, error) {
        // Get macaroon bytes from context and unmarshal into macaroon.
        md, ok := metadata.FromIncomingContext(ctx)
        if !ok {
                return "", fmt.Errorf("unable to get metadata from context")
        }
        if len(md["macaroon"]) != 1 {
                return "", fmt.Errorf("expected 1 macaroon, got %d",
                        len(md["macaroon"]))
        }

        return md["macaroon"][0], nil
}

// SafeCopyMacaroon creates a copy of a macaroon that is safe to be used and
// modified. This is necessary because the macaroon library's own Clone() method
// is unsafe for certain edge cases, resulting in both the cloned and the
// original macaroons to be modified.
func SafeCopyMacaroon(mac *macaroon.Macaroon) (*macaroon.Macaroon, error) {
        macBytes, err := mac.MarshalBinary()
        if err != nil {
                return nil, err
        }

        newMac := &macaroon.Macaroon{}
        if err := newMac.UnmarshalBinary(macBytes); err != nil {
                return nil, err
        }

        return newMac, nil
}

1	package macaroons
2
3	import (
4	"context"
5	"encoding/hex"
6	"fmt"
7
8	"google.golang.org/grpc/metadata"
9	"gopkg.in/macaroon-bakery.v2/bakery"
10	"gopkg.in/macaroon-bakery.v2/bakery/checkers"
11	macaroon "gopkg.in/macaroon.v2"
12	)
13
14	var (
15	// ErrMissingRootKeyID specifies the root key ID is missing.
16	ErrMissingRootKeyID = fmt.Errorf("missing root key ID")
17
18	// ErrDeletionForbidden is used when attempting to delete the
19	// DefaultRootKeyID or the encryptedKeyID.
20	ErrDeletionForbidden = fmt.Errorf("the specified ID cannot be deleted")
21
22	// PermissionEntityCustomURI is a special entity name for a permission
23	// that does not describe an entity:action pair but instead specifies a
24	// specific URI that needs to be granted access to. This can be used for
25	// more fine-grained permissions where a macaroon only grants access to
26	// certain methods instead of a whole list of methods that define the
27	// same entity:action pairs. For example: uri:/lnrpc.Lightning/GetInfo
28	// only gives access to the GetInfo call.
29	PermissionEntityCustomURI = "uri"
30
31	// ErrUnknownVersion is returned when a macaroon is of an unknown
32	// is presented.
33	ErrUnknownVersion = fmt.Errorf("unknown macaroon version")
34
35	// ErrInvalidID is returned when a macaroon ID is invalid.
36	ErrInvalidID = fmt.Errorf("invalid ID")
37	)
38
39	// MacaroonValidator is an interface type that can check if macaroons are valid.
40	type MacaroonValidator interface {
41	// ValidateMacaroon extracts the macaroon from the context's gRPC
42	// metadata, checks its signature, makes sure all specified permissions
43	// for the called method are contained within and finally ensures all
44	// caveat conditions are met. A non-nil error is returned if any of the
45	// checks fail.
46	ValidateMacaroon(ctx context.Context,
47	requiredPermissions []bakery.Op, fullMethod string) error
48	}
49
50	// ExtendedRootKeyStore is an interface augments the existing
51	// macaroons.RootKeyStorage interface by adding a number of additional utility
52	// methods such as encrypting and decrypting the root key given a password.
53	type ExtendedRootKeyStore interface {
54	bakery.RootKeyStore
55
56	// Close closes the RKS and zeros out any in-memory encryption keys.
57	Close() error
58
59	// CreateUnlock calls the underlying root key store's CreateUnlock and
60	// returns the result.
61	CreateUnlock(password *[]byte) error
62
63	// ListMacaroonIDs returns all the root key ID values except the value
64	// of encryptedKeyID.
65	ListMacaroonIDs(ctxt context.Context) ([][]byte, error)
66
67	// DeleteMacaroonID removes one specific root key ID. If the root key
68	// ID is found and deleted, it will be returned.
69	DeleteMacaroonID(ctxt context.Context, rootKeyID []byte) ([]byte, error)
70
71	// ChangePassword calls the underlying root key store's ChangePassword
72	// and returns the result.
73	ChangePassword(oldPw, newPw []byte) error
74
75	// GenerateNewRootKey calls the underlying root key store's
76	// GenerateNewRootKey and returns the result.
77	GenerateNewRootKey() error
78
79	// SetRootKey calls the underlying root key store's SetRootKey and
80	// returns the result.
81	SetRootKey(rootKey []byte) error
82	}
83
84	// Service encapsulates bakery.Bakery and adds a Close() method that zeroes the
85	// root key service encryption keys, as well as utility methods to validate a
86	// macaroon against the bakery and gRPC middleware for macaroon-based auth.
87	type Service struct {
88	bakery.Bakery
89
90	rks bakery.RootKeyStore
91
92	// ExternalValidators is a map between an absolute gRPC URIs and the
93	// corresponding external macaroon validator to be used for that URI.
94	// If no external validator for an URI is specified, the service will
95	// use the internal validator.
96	ExternalValidators map[string]MacaroonValidator
97
98	// StatelessInit denotes if the service was initialized in the stateless
99	// mode where no macaroon files should be created on disk.
100	StatelessInit bool
101	}
102
103	// NewService returns a service backed by the macaroon DB backend. The `checks`
104	// argument can be any of the `Checker` type functions defined in this package,
105	// or a custom checker if desired. This constructor prevents double-registration
106	// of checkers to prevent panics, so listing the same checker more than once is
107	// not harmful. Default checkers, such as those for `allow`, `time-before`,
108	// `declared`, and `error` caveats are registered automatically and don't need
109	// to be added.
110	func NewService(keyStore bakery.RootKeyStore, location string,
111	statelessInit bool, checks ...Checker) (*Service, error) {	9✔
112		9✔
113	macaroonParams := bakery.BakeryParams{	9✔
114	Location: location,	9✔
115	RootKeyStore: keyStore,	9✔
116	// No third-party caveat support for now.	9✔
117	// TODO(aakselrod): Add third-party caveat support.	9✔
118	Locator: nil,	9✔
119	Key: nil,	9✔
120	}	9✔
121		9✔
122	svc := bakery.New(macaroonParams)	9✔
123		9✔
124	// Register all custom caveat checkers with the bakery's checker.	9✔
125	// TODO(aakselrod): Add more checks as required.	9✔
126	checker := svc.Checker.FirstPartyCaveatChecker.(*checkers.Checker)	9✔
127	for _, check := range checks {	14✔
128	cond, fun := check()	5✔
129	if !isRegistered(checker, cond) {	10✔
130	checker.Register(cond, "std", fun)	5✔
131	}	5✔
132	}
133
134	return &Service{	9✔
135	Bakery: *svc,	9✔
136	rks: keyStore,	9✔
137	ExternalValidators: make(map[string]MacaroonValidator),	9✔
138	StatelessInit: statelessInit,	9✔
139	}, nil	9✔
140	}
141
142	// isRegistered checks to see if the required checker has already been
143	// registered in order to avoid a panic caused by double registration.
144	func isRegistered(c *checkers.Checker, name string) bool {	5✔
145	if c == nil {	5✔
146	return false	×
147	}	×
148
149	for _, info := range c.Info() {	20✔
150	if info.Name == name &&	15✔
151	info.Prefix == "" &&	15✔
152	info.Namespace == "std" {	15✔
153	return true	×
154	}	×
155	}
156
157	return false	5✔
158	}
159
160	// RegisterExternalValidator registers a custom, external macaroon validator for
161	// the specified absolute gRPC URI. That validator is then fully responsible to
162	// make sure any macaroon passed for a request to that URI is valid and
163	// satisfies all conditions.
164	func (svc *Service) RegisterExternalValidator(fullMethod string,
165	validator MacaroonValidator) error {	×
166		×
167	if validator == nil {	×
168	return fmt.Errorf("validator cannot be nil")	×
169	}	×
170
171	_, ok := svc.ExternalValidators[fullMethod]	×
172	if ok {	×
173	return fmt.Errorf("external validator for method %s already "+	×
174	"registered", fullMethod)	×
175	}	×
176
177	svc.ExternalValidators[fullMethod] = validator	×
178	return nil	×
179	}
180
181	// ValidateMacaroon validates the capabilities of a given request given a
182	// bakery service, context, and uri. Within the passed context.Context, we
183	// expect a macaroon to be encoded as request metadata using the key
184	// "macaroon".
185	func (svc *Service) ValidateMacaroon(ctx context.Context,
186	requiredPermissions []bakery.Op, fullMethod string) error {	3✔
187		3✔
188	// Get macaroon bytes from context and unmarshal into macaroon.	3✔
189	macHex, err := RawMacaroonFromContext(ctx)	3✔
190	if err != nil {	3✔
UNCOV 191	return err	×
UNCOV 192	}	×
193
194	// With the macaroon obtained, we'll now decode the hex-string encoding.
195	macBytes, err := hex.DecodeString(macHex)	3✔
196	if err != nil {	3✔
197	return err	×
198	}	×
199
200	return svc.CheckMacAuth(	3✔
201	ctx, macBytes, requiredPermissions, fullMethod,	3✔
202	)	3✔
203	}
204
205	// CheckMacAuth checks that the macaroon is not disobeying any caveats and is
206	// authorized to perform the operation the user wants to perform.
207	func (svc *Service) CheckMacAuth(ctx context.Context, macBytes []byte,
208	requiredPermissions []bakery.Op, fullMethod string) error {	5✔
209		5✔
210	// With the macaroon obtained, we'll now unmarshal it from binary into	5✔
211	// its concrete struct representation.	5✔
212	mac := &macaroon.Macaroon{}	5✔
213	err := mac.UnmarshalBinary(macBytes)	5✔
214	if err != nil {	5✔
215	return err	×
216	}	×
217
218	// Ensure that the macaroon is using the exact same version as we
219	// expect. In the future, we can relax this check to phase in new
220	// versions.
221	if mac.Version() != macaroon.V2 {	6✔
222	return fmt.Errorf("%w: %v", ErrUnknownVersion,	1✔
223	mac.Version())	1✔
224	}	1✔
225
226	// Run a similar version check on the ID used for the macaroon as well.
227	const minIDLength = 1	4✔
228	if len(mac.Id()) < minIDLength {	5✔
229	return ErrInvalidID	1✔
230	}	1✔
231	if mac.Id()[0] != byte(bakery.Version3) {	3✔
UNCOV 232	return ErrInvalidID	×
UNCOV 233	}	×
234
235	// Check the method being called against the permitted operation, the
236	// expiration time and IP address and return the result.
237	authChecker := svc.Checker.Auth(macaroon.Slice{mac})	3✔
238	_, err = authChecker.Allow(ctx, requiredPermissions...)	3✔
239		3✔
240	// If the macaroon contains broad permissions and checks out, we're	3✔
241	// done.	3✔
242	if err == nil {	5✔
243	return nil	2✔
244	}	2✔
245
246	// To also allow the special permission of "uri:<FullMethod>" to be a
247	// valid permission, we need to check it manually in case there is no
248	// broader scope permission defined.
249	_, err = authChecker.Allow(ctx, bakery.Op{	1✔
250	Entity: PermissionEntityCustomURI,	1✔
251	Action: fullMethod,	1✔
252	})	1✔
253	return err	1✔
254	}
255
256	// Close closes the database that underlies the RootKeyStore and zeroes the
257	// encryption keys.
258	func (svc *Service) Close() error {	8✔
259	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	16✔
260	return boltRKS.Close()	8✔
261	}	8✔
262
263	return nil	×
264	}
265
266	// CreateUnlock calls the underlying root key store's CreateUnlock and returns
267	// the result.
268	func (svc Service) CreateUnlock(password []byte) error {	6✔
269	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	12✔
270	return boltRKS.CreateUnlock(password)	6✔
271	}	6✔
272
273	return nil	×
274	}
275
276	// NewMacaroon wraps around the function Oven.NewMacaroon with the defaults,
277	// - version is always bakery.LatestVersion;
278	// - caveats is always nil.
279	//
280	// In addition, it takes a rootKeyID parameter, and puts it into the context.
281	// The context is passed through Oven.NewMacaroon(), in which calls the function
282	// RootKey(), that reads the context for rootKeyID.
283	func (svc *Service) NewMacaroon(
284	ctx context.Context, rootKeyID []byte,
285	ops ...bakery.Op) (*bakery.Macaroon, error) {	10✔
286		10✔
287	// Check rootKeyID is not called with nil or empty bytes. We want the	10✔
288	// caller to be aware the value of root key ID used, so we won't replace	10✔
289	// it with the DefaultRootKeyID if not specified.	10✔
290	if len(rootKeyID) == 0 {	11✔
291	return nil, ErrMissingRootKeyID	1✔
292	}	1✔
293
294	// Pass the root key ID to context.
295	ctx = ContextWithRootKeyID(ctx, rootKeyID)	9✔
296		9✔
297	return svc.Oven.NewMacaroon(ctx, bakery.LatestVersion, nil, ops...)	9✔
298	}
299
300	// ListMacaroonIDs returns all the root key ID values except the value of
301	// encryptedKeyID.
302	func (svc *Service) ListMacaroonIDs(ctxt context.Context) ([][]byte, error) {	2✔
303	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	4✔
304	return boltRKS.ListMacaroonIDs(ctxt)	2✔
305	}	2✔
306
307	return nil, nil	×
308	}
309
310	// DeleteMacaroonID removes one specific root key ID. If the root key ID is
311	// found and deleted, it will be returned.
312	func (svc *Service) DeleteMacaroonID(ctxt context.Context,
313	rootKeyID []byte) ([]byte, error) {	5✔
314		5✔
315	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	10✔
316	return boltRKS.DeleteMacaroonID(ctxt, rootKeyID)	5✔
317	}	5✔
318
319	return nil, nil	×
320	}
321
322	// GenerateNewRootKey calls the underlying root key store's GenerateNewRootKey
323	// and returns the result.
324	func (svc *Service) GenerateNewRootKey() error {	2✔
325	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	4✔
326	return boltRKS.GenerateNewRootKey()	2✔
327	}	2✔
328
329	return nil	×
330	}
331
332	// SetRootKey calls the underlying root key store's SetRootKey and returns the
333	// result.
334	func (svc *Service) SetRootKey(rootKey []byte) error {	×
335	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	×
336	return boltRKS.SetRootKey(rootKey)	×
337	}	×
338
339	return nil	×
340	}
341
342	// ChangePassword calls the underlying root key store's ChangePassword and
343	// returns the result.
344	func (svc *Service) ChangePassword(oldPw, newPw []byte) error {	2✔
345	if boltRKS, ok := svc.rks.(ExtendedRootKeyStore); ok {	4✔
346	return boltRKS.ChangePassword(oldPw, newPw)	2✔
347	}	2✔
348
349	return nil	×
350	}
351
352	// RawMacaroonFromContext is a helper function that extracts a raw macaroon
353	// from the given incoming gRPC request context.
354	func RawMacaroonFromContext(ctx context.Context) (string, error) {	3✔
355	// Get macaroon bytes from context and unmarshal into macaroon.	3✔
356	md, ok := metadata.FromIncomingContext(ctx)	3✔
357	if !ok {	3✔
358	return "", fmt.Errorf("unable to get metadata from context")	×
359	}	×
360	if len(md["macaroon"]) != 1 {	3✔
UNCOV 361	return "", fmt.Errorf("expected 1 macaroon, got %d",	×
UNCOV 362	len(md["macaroon"]))	×
UNCOV 363	}	×
364
365	return md["macaroon"][0], nil	3✔
366	}
367
368	// SafeCopyMacaroon creates a copy of a macaroon that is safe to be used and
369	// modified. This is necessary because the macaroon library's own Clone() method
370	// is unsafe for certain edge cases, resulting in both the cloned and the
371	// original macaroons to be modified.
372	func SafeCopyMacaroon(mac macaroon.Macaroon) (macaroon.Macaroon, error) {	2✔
373	macBytes, err := mac.MarshalBinary()	2✔
374	if err != nil {	2✔
375	return nil, err	×
376	}	×
377
378	newMac := &macaroon.Macaroon{}	2✔
379	if err := newMac.UnmarshalBinary(macBytes); err != nil {	2✔
380	return nil, err	×
381	}	×
382
383	return newMac, nil	2✔
384	}

lightningnetwork / lnd / 12986279612

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous