17190810624

Committed 24 Aug 2025 03:58PM UTC coverage: 66.74% (+9.4%) from 57.321%

Build # 17190810624

Build Type

Pull #10167

github

Committed by

web-flow

Commit Message

Merge 33cec4f6a into 0c2f045f5

Pull Request Pull Request #10167: multi: bump Go to 1.24.6

Run Details

6 of 40 new or added lines in 10 files covered. (15.0%)

12 existing lines in 6 files now uncovered.

135947 of 203696 relevant lines covered (66.74%)

21470.9 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

75.43

/macaroons/constraints.go

package macaroons

import (
        "bytes"
        "context"
        "errors"
        "fmt"
        "net"
        "strings"
        "time"

        "google.golang.org/grpc/peer"
        "gopkg.in/macaroon-bakery.v2/bakery/checkers"
        macaroon "gopkg.in/macaroon.v2"
)

const (
        // CondLndCustom is the first party caveat condition name that is used
        // for all custom caveats in lnd. Every custom caveat entry will be
        // encoded as the string
        // "lnd-custom <custom-caveat-name> <custom-caveat-condition>"
        // in the serialized macaroon. We choose a single space as the delimiter
        // between the because that is also used by the macaroon bakery library.
        CondLndCustom = "lnd-custom"

        // CondIPRange is the caveat condition name that is used for tying an IP
        // range to a macaroon.
        CondIPRange = "iprange"
)

// CustomCaveatAcceptor is an interface that contains a single method for
// checking whether a macaroon with the given custom caveat name should be
// accepted or not.
type CustomCaveatAcceptor interface {
        // CustomCaveatSupported returns nil if a macaroon with the given custom
        // caveat name can be validated by any component in lnd (for example an
        // RPC middleware). If no component is registered to handle the given
        // custom caveat then an error must be returned. This method only checks
        // the availability of a validating component, not the validity of the
        // macaroon itself.
        CustomCaveatSupported(customCaveatName string) error
}

// Constraint type adds a layer of indirection over macaroon caveats.
type Constraint func(*macaroon.Macaroon) error

// Checker type adds a layer of indirection over macaroon checkers. A Checker
// returns the name of the checker and the checker function; these are used to
// register the function with the bakery service's compound checker.
type Checker func() (string, checkers.Func)

// AddConstraints returns new derived macaroon by applying every passed
// constraint and tightening its restrictions.
func AddConstraints(mac *macaroon.Macaroon,
        cs ...Constraint) (*macaroon.Macaroon, error) {

        // The macaroon library's Clone() method has a subtle bug that doesn't
        // correctly clone all caveats. We need to use our own, safe clone
        // function instead.
        newMac, err := SafeCopyMacaroon(mac)
        if err != nil {
                return nil, err
        }

        for _, constraint := range cs {
                if err := constraint(newMac); err != nil {
                        return nil, err
                }
        }
        return newMac, nil
}

// Each *Constraint function is a functional option, which takes a pointer
// to the macaroon and adds another restriction to it. For each *Constraint,
// the corresponding *Checker is provided if not provided by default.

// TimeoutConstraint restricts the lifetime of the macaroon
// to the amount of seconds given.
func TimeoutConstraint(seconds int64) func(*macaroon.Macaroon) error {
        return func(mac *macaroon.Macaroon) error {
                macaroonTimeout := time.Duration(seconds)
                requestTimeout := time.Now().Add(time.Second * macaroonTimeout)
                caveat := checkers.TimeBeforeCaveat(requestTimeout)
                return mac.AddFirstPartyCaveat([]byte(caveat.Condition))
        }
}

// IPLockConstraint locks a macaroon to a specific IP address. If ipAddr is an
// empty string, this constraint does nothing to accommodate  default value's
// desired behavior.
func IPLockConstraint(ipAddr string) func(*macaroon.Macaroon) error {
        return func(mac *macaroon.Macaroon) error {
                if ipAddr != "" {
                        macaroonIPAddr := net.ParseIP(ipAddr)
                        if macaroonIPAddr == nil {
                                return fmt.Errorf("incorrect macaroon IP-" +
                                        "lock address")
                        }
                        caveat := checkers.Condition("ipaddr",
                                macaroonIPAddr.String())

                        return mac.AddFirstPartyCaveat([]byte(caveat))
                }

                return nil
        }
}

// IPRangeLockConstraint locks a macaroon to a specific IP address range. If
// ipRange is an empty string, this constraint does nothing to accommodate
// default value's desired behavior.
func IPRangeLockConstraint(ipRange string) func(*macaroon.Macaroon) error {
        return func(mac *macaroon.Macaroon) error {
                if ipRange != "" {
                        _, parsedNet, err := net.ParseCIDR(ipRange)
                        if err != nil {
                                return fmt.Errorf("incorrect macaroon IP "+
                                        "range: %w", err)
                        }
                        caveat := checkers.Condition(
                                CondIPRange, parsedNet.String(),
                        )

                        return mac.AddFirstPartyCaveat([]byte(caveat))
                }

                return nil
        }
}

// IPLockChecker accepts client IP from the validation context and compares it
// with IP locked in the macaroon. It is of the `Checker` type.
func IPLockChecker() (string, checkers.Func) {
        return "ipaddr", func(ctx context.Context, cond, arg string) error {
                // Get peer info and extract IP address from it for macaroon
                // check.
                pr, ok := peer.FromContext(ctx)
                if !ok {
                        return fmt.Errorf("unable to get peer info from " +
                                "context")
                }
                peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
                if err != nil {
                        return fmt.Errorf("unable to parse peer address")
                }

                if !net.ParseIP(arg).Equal(net.ParseIP(peerAddr)) {
                        return fmt.Errorf("macaroon locked to different IP " +
                                "address")
                }
                return nil
        }
}

// IPRangeLockChecker accepts client IP range from the validation context and
// compares it with the IP range locked in the macaroon. It is of the `Checker`
// type.
func IPRangeLockChecker() (string, checkers.Func) {
        return CondIPRange, func(ctx context.Context, cond, arg string) error {
                // Get peer info and extract IP range from it for macaroon
                // check.
                pr, ok := peer.FromContext(ctx)
                if !ok {
                        return errors.New("unable to get peer info from " +
                                "context")
                }
                peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
                if err != nil {
                        return fmt.Errorf("unable to parse peer address: %w",
                                err)
                }

                _, ipNet, err := net.ParseCIDR(arg)
                if err != nil {
                        return fmt.Errorf("unable to parse macaroon IP "+
                                "range: %w", err)
                }

                if !ipNet.Contains(net.ParseIP(peerAddr)) {
                        return errors.New("macaroon locked to different " +
                                "IP range")
                }

                return nil
        }
}

// CustomConstraint returns a function that adds a custom caveat condition to
// a macaroon.
func CustomConstraint(name, condition string) func(*macaroon.Macaroon) error {
        return func(mac *macaroon.Macaroon) error {
                // We rely on a name being set for the interception, so don't
                // allow creating a caveat without a name in the first place.
                if name == "" {
                        return fmt.Errorf("name cannot be empty")
                }

                // The inner (custom) condition is optional.
                outerCondition := fmt.Sprintf("%s %s", name, condition)
                if condition == "" {
                        outerCondition = name
                }

                caveat := checkers.Condition(CondLndCustom, outerCondition)
                return mac.AddFirstPartyCaveat([]byte(caveat))
        }
}

// CustomChecker returns a Checker function that is used by the macaroon bakery
// library to check whether a custom caveat is supported by lnd in general or
// not. Support in this context means: An additional gRPC interceptor was set up
// that validates the content (=condition) of the custom caveat. If such an
// interceptor is in place then the acceptor should return a nil error. If no
// interceptor exists for the custom caveat in the macaroon of a request context
// then a non-nil error should be returned and the macaroon is rejected as a
// whole.
func CustomChecker(acceptor CustomCaveatAcceptor) Checker {
        // We return the general name of all lnd custom macaroons and a function
        // that splits the outer condition to extract the name of the custom
        // condition and the condition itself. In the bakery library that's used
        // here, a caveat always has the following form:
        //
        // <condition-name> <condition-value>
        //
        // Because a checker function needs to be bound to the condition name we
        // have to choose a static name for the first part ("lnd-custom", see
        // CondLndCustom. Otherwise we'd need to register a new Checker function
        // for each custom caveat that's registered. To allow for a generic
        // custom caveat handling, we just add another layer and expand the
        // initial <condition-value> into
        //
        // "<custom-condition-name> <custom-condition-value>"
        //
        // The full caveat string entry of a macaroon that uses this generic
        // mechanism would therefore look like this:
        //
        // "lnd-custom <custom-condition-name> <custom-condition-value>"
        checker := func(_ context.Context, _, outerCondition string) error {
                if outerCondition != strings.TrimSpace(outerCondition) {
                        return fmt.Errorf("unexpected white space found in " +
                                "caveat condition")
                }
                if outerCondition == "" {
                        return fmt.Errorf("expected custom caveat, got empty " +
                                "string")
                }

                // The condition part of the original caveat is now name and
                // condition of the custom caveat (we add a layer of conditions
                // to allow one custom checker to work for all custom lnd
                // conditions that implement arbitrary business logic).
                parts := strings.Split(outerCondition, " ")
                customCaveatName := parts[0]

                return acceptor.CustomCaveatSupported(customCaveatName)
        }

        return func() (string, checkers.Func) {
                return CondLndCustom, checker
        }
}

// HasCustomCaveat tests if the given macaroon has a custom caveat with the
// given custom caveat name.
func HasCustomCaveat(mac *macaroon.Macaroon, customCaveatName string) bool {
        if mac == nil {
                return false
        }

        caveatPrefix := []byte(fmt.Sprintf(
                "%s %s", CondLndCustom, customCaveatName,
        ))
        for _, caveat := range mac.Caveats() {
                if bytes.HasPrefix(caveat.Id, caveatPrefix) {
                        return true
                }
        }

        return false
}

// GetCustomCaveatCondition returns the custom caveat condition for the given
// custom caveat name from the given macaroon.
func GetCustomCaveatCondition(mac *macaroon.Macaroon,
        customCaveatName string) string {

        if mac == nil {
                return ""
        }

        caveatPrefix := []byte(fmt.Sprintf(
                "%s %s ", CondLndCustom, customCaveatName,
        ))
        for _, caveat := range mac.Caveats() {
                // The caveat id has a format of
                // "lnd-custom [custom-caveat-name] [custom-caveat-condition]"
                // and we only want the condition part. If we match the prefix
                // part we return the condition that comes after the prefix.
                if bytes.HasPrefix(caveat.Id, caveatPrefix) {
                        caveatSplit := strings.SplitN(
                                string(caveat.Id),
                                string(caveatPrefix),
                                2,
                        )
                        if len(caveatSplit) == 2 {
                                return caveatSplit[1]
                        }
                }
        }

        // We didn't find a condition for the given custom caveat name.
        return ""
}

1	package macaroons
2
3	import (
4	"bytes"
5	"context"
6	"errors"
7	"fmt"
8	"net"
9	"strings"
10	"time"
11
12	"google.golang.org/grpc/peer"
13	"gopkg.in/macaroon-bakery.v2/bakery/checkers"
14	macaroon "gopkg.in/macaroon.v2"
15	)
16
17	const (
18	// CondLndCustom is the first party caveat condition name that is used
19	// for all custom caveats in lnd. Every custom caveat entry will be
20	// encoded as the string
21	// "lnd-custom <custom-caveat-name> <custom-caveat-condition>"
22	// in the serialized macaroon. We choose a single space as the delimiter
23	// between the because that is also used by the macaroon bakery library.
24	CondLndCustom = "lnd-custom"
25
26	// CondIPRange is the caveat condition name that is used for tying an IP
27	// range to a macaroon.
28	CondIPRange = "iprange"
29	)
30
31	// CustomCaveatAcceptor is an interface that contains a single method for
32	// checking whether a macaroon with the given custom caveat name should be
33	// accepted or not.
34	type CustomCaveatAcceptor interface {
35	// CustomCaveatSupported returns nil if a macaroon with the given custom
36	// caveat name can be validated by any component in lnd (for example an
37	// RPC middleware). If no component is registered to handle the given
38	// custom caveat then an error must be returned. This method only checks
39	// the availability of a validating component, not the validity of the
40	// macaroon itself.
41	CustomCaveatSupported(customCaveatName string) error
42	}
43
44	// Constraint type adds a layer of indirection over macaroon caveats.
45	type Constraint func(*macaroon.Macaroon) error
46
47	// Checker type adds a layer of indirection over macaroon checkers. A Checker
48	// returns the name of the checker and the checker function; these are used to
49	// register the function with the bakery service's compound checker.
50	type Checker func() (string, checkers.Func)
51
52	// AddConstraints returns new derived macaroon by applying every passed
53	// constraint and tightening its restrictions.
54	func AddConstraints(mac *macaroon.Macaroon,
55	cs ...Constraint) (*macaroon.Macaroon, error) {	1✔
56		1✔
57	// The macaroon library's Clone() method has a subtle bug that doesn't	1✔
58	// correctly clone all caveats. We need to use our own, safe clone	1✔
59	// function instead.	1✔
60	newMac, err := SafeCopyMacaroon(mac)	1✔
61	if err != nil {	1✔
62	return nil, err	×
63	}	×
64
65	for _, constraint := range cs {	2✔
66	if err := constraint(newMac); err != nil {	1✔
67	return nil, err	×
68	}	×
69	}
70	return newMac, nil	1✔
71	}
72
73	// Each *Constraint function is a functional option, which takes a pointer
74	// to the macaroon and adds another restriction to it. For each *Constraint,
75	// the corresponding *Checker is provided if not provided by default.
76
77	// TimeoutConstraint restricts the lifetime of the macaroon
78	// to the amount of seconds given.
79	func TimeoutConstraint(seconds int64) func(*macaroon.Macaroon) error {	3✔
80	return func(mac *macaroon.Macaroon) error {	6✔
81	macaroonTimeout := time.Duration(seconds)	3✔
82	requestTimeout := time.Now().Add(time.Second * macaroonTimeout)	3✔
83	caveat := checkers.TimeBeforeCaveat(requestTimeout)	3✔
84	return mac.AddFirstPartyCaveat([]byte(caveat.Condition))	3✔
85	}	3✔
86	}
87
88	// IPLockConstraint locks a macaroon to a specific IP address. If ipAddr is an
89	// empty string, this constraint does nothing to accommodate default value's
90	// desired behavior.
91	func IPLockConstraint(ipAddr string) func(*macaroon.Macaroon) error {	2✔
92	return func(mac *macaroon.Macaroon) error {	4✔
93	if ipAddr != "" {	4✔
94	macaroonIPAddr := net.ParseIP(ipAddr)	2✔
95	if macaroonIPAddr == nil {	3✔
96	return fmt.Errorf("incorrect macaroon IP-" +	1✔
97	"lock address")	1✔
98	}	1✔
99	caveat := checkers.Condition("ipaddr",	1✔
100	macaroonIPAddr.String())	1✔
101		1✔
102	return mac.AddFirstPartyCaveat([]byte(caveat))	1✔
103	}
104
105	return nil	×
106	}
107	}
108
109	// IPRangeLockConstraint locks a macaroon to a specific IP address range. If
110	// ipRange is an empty string, this constraint does nothing to accommodate
111	// default value's desired behavior.
112	func IPRangeLockConstraint(ipRange string) func(*macaroon.Macaroon) error {	×
113	return func(mac *macaroon.Macaroon) error {	×
114	if ipRange != "" {	×
115	_, parsedNet, err := net.ParseCIDR(ipRange)	×
116	if err != nil {	×
117	return fmt.Errorf("incorrect macaroon IP "+	×
118	"range: %w", err)	×
119	}	×
120	caveat := checkers.Condition(	×
121	CondIPRange, parsedNet.String(),	×
122	)	×
123		×
124	return mac.AddFirstPartyCaveat([]byte(caveat))	×
125	}
126
127	return nil	×
128	}
129	}
130
131	// IPLockChecker accepts client IP from the validation context and compares it
132	// with IP locked in the macaroon. It is of the `Checker` type.
133	func IPLockChecker() (string, checkers.Func) {	240✔
134	return "ipaddr", func(ctx context.Context, cond, arg string) error {	243✔
135	// Get peer info and extract IP address from it for macaroon	3✔
136	// check.	3✔
137	pr, ok := peer.FromContext(ctx)	3✔
138	if !ok {	3✔
NEW 139	return fmt.Errorf("unable to get peer info from " +	×
NEW 140	"context")	×
UNCOV 141	}	×
142	peerAddr, _, err := net.SplitHostPort(pr.Addr.String())	3✔
143	if err != nil {	3✔
144	return fmt.Errorf("unable to parse peer address")	×
145	}	×
146
147	if !net.ParseIP(arg).Equal(net.ParseIP(peerAddr)) {	6✔
148	return fmt.Errorf("macaroon locked to different IP " +	3✔
149	"address")	3✔
150	}	3✔
151	return nil	3✔
152	}
153	}
154
155	// IPRangeLockChecker accepts client IP range from the validation context and
156	// compares it with the IP range locked in the macaroon. It is of the `Checker`
157	// type.
158	func IPRangeLockChecker() (string, checkers.Func) {	3✔
159	return CondIPRange, func(ctx context.Context, cond, arg string) error {	6✔
160	// Get peer info and extract IP range from it for macaroon	3✔
161	// check.	3✔
162	pr, ok := peer.FromContext(ctx)	3✔
163	if !ok {	3✔
164	return errors.New("unable to get peer info from " +	×
165	"context")	×
166	}	×
167	peerAddr, _, err := net.SplitHostPort(pr.Addr.String())	3✔
168	if err != nil {	3✔
169	return fmt.Errorf("unable to parse peer address: %w",	×
170	err)	×
171	}	×
172
173	_, ipNet, err := net.ParseCIDR(arg)	3✔
174	if err != nil {	3✔
175	return fmt.Errorf("unable to parse macaroon IP "+	×
176	"range: %w", err)	×
177	}	×
178
179	if !ipNet.Contains(net.ParseIP(peerAddr)) {	6✔
180	return errors.New("macaroon locked to different " +	3✔
181	"IP range")	3✔
182	}	3✔
183
184	return nil	3✔
185	}
186	}
187
188	// CustomConstraint returns a function that adds a custom caveat condition to
189	// a macaroon.
190	func CustomConstraint(name, condition string) func(*macaroon.Macaroon) error {	2✔
191	return func(mac *macaroon.Macaroon) error {	4✔
192	// We rely on a name being set for the interception, so don't	2✔
193	// allow creating a caveat without a name in the first place.	2✔
194	if name == "" {	2✔
195	return fmt.Errorf("name cannot be empty")	×
196	}	×
197
198	// The inner (custom) condition is optional.
199	outerCondition := fmt.Sprintf("%s %s", name, condition)	2✔
200	if condition == "" {	3✔
201	outerCondition = name	1✔
202	}	1✔
203
204	caveat := checkers.Condition(CondLndCustom, outerCondition)	2✔
205	return mac.AddFirstPartyCaveat([]byte(caveat))	2✔
206	}
207	}
208
209	// CustomChecker returns a Checker function that is used by the macaroon bakery
210	// library to check whether a custom caveat is supported by lnd in general or
211	// not. Support in this context means: An additional gRPC interceptor was set up
212	// that validates the content (=condition) of the custom caveat. If such an
213	// interceptor is in place then the acceptor should return a nil error. If no
214	// interceptor exists for the custom caveat in the macaroon of a request context
215	// then a non-nil error should be returned and the macaroon is rejected as a
216	// whole.
217	func CustomChecker(acceptor CustomCaveatAcceptor) Checker {	3✔
218	// We return the general name of all lnd custom macaroons and a function	3✔
219	// that splits the outer condition to extract the name of the custom	3✔
220	// condition and the condition itself. In the bakery library that's used	3✔
221	// here, a caveat always has the following form:	3✔
222	//	3✔
223	// <condition-name> <condition-value>	3✔
224	//	3✔
225	// Because a checker function needs to be bound to the condition name we	3✔
226	// have to choose a static name for the first part ("lnd-custom", see	3✔
227	// CondLndCustom. Otherwise we'd need to register a new Checker function	3✔
228	// for each custom caveat that's registered. To allow for a generic	3✔
229	// custom caveat handling, we just add another layer and expand the	3✔
230	// initial <condition-value> into	3✔
231	//	3✔
232	// "<custom-condition-name> <custom-condition-value>"	3✔
233	//	3✔
234	// The full caveat string entry of a macaroon that uses this generic	3✔
235	// mechanism would therefore look like this:	3✔
236	//	3✔
237	// "lnd-custom <custom-condition-name> <custom-condition-value>"	3✔
238	checker := func(_ context.Context, _, outerCondition string) error {	6✔
239	if outerCondition != strings.TrimSpace(outerCondition) {	3✔
240	return fmt.Errorf("unexpected white space found in " +	×
241	"caveat condition")	×
242	}	×
243	if outerCondition == "" {	3✔
244	return fmt.Errorf("expected custom caveat, got empty " +	×
245	"string")	×
246	}	×
247
248	// The condition part of the original caveat is now name and
249	// condition of the custom caveat (we add a layer of conditions
250	// to allow one custom checker to work for all custom lnd
251	// conditions that implement arbitrary business logic).
252	parts := strings.Split(outerCondition, " ")	3✔
253	customCaveatName := parts[0]	3✔
254		3✔
255	return acceptor.CustomCaveatSupported(customCaveatName)	3✔
256	}
257
258	return func() (string, checkers.Func) {	6✔
259	return CondLndCustom, checker	3✔
260	}	3✔
261	}
262
263	// HasCustomCaveat tests if the given macaroon has a custom caveat with the
264	// given custom caveat name.
265	func HasCustomCaveat(mac *macaroon.Macaroon, customCaveatName string) bool {	10✔
266	if mac == nil {	11✔
267	return false	1✔
268	}	1✔
269
270	caveatPrefix := []byte(fmt.Sprintf(	9✔
271	"%s %s", CondLndCustom, customCaveatName,	9✔
272	))	9✔
273	for _, caveat := range mac.Caveats() {	18✔
274	if bytes.HasPrefix(caveat.Id, caveatPrefix) {	14✔
275	return true	5✔
276	}	5✔
277	}
278
279	return false	7✔
280	}
281
282	// GetCustomCaveatCondition returns the custom caveat condition for the given
283	// custom caveat name from the given macaroon.
284	func GetCustomCaveatCondition(mac *macaroon.Macaroon,
285	customCaveatName string) string {	5✔
286		5✔
287	if mac == nil {	5✔
288	return ""	×
289	}	×
290
291	caveatPrefix := []byte(fmt.Sprintf(	5✔
292	"%s %s ", CondLndCustom, customCaveatName,	5✔
293	))	5✔
294	for _, caveat := range mac.Caveats() {	10✔
295	// The caveat id has a format of	5✔
296	// "lnd-custom [custom-caveat-name] [custom-caveat-condition]"	5✔
297	// and we only want the condition part. If we match the prefix	5✔
298	// part we return the condition that comes after the prefix.	5✔
299	if bytes.HasPrefix(caveat.Id, caveatPrefix) {	9✔
300	caveatSplit := strings.SplitN(	4✔
301	string(caveat.Id),	4✔
302	string(caveatPrefix),	4✔
303	2,	4✔
304	)	4✔
305	if len(caveatSplit) == 2 {	8✔
306	return caveatSplit[1]	4✔
307	}	4✔
308	}
309	}
310
311	// We didn't find a condition for the given custom caveat name.
312	return ""	4✔
313	}

lightningnetwork / lnd / 17190810624

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous