@@ -28,6 +28,7 @@ import (
2828 "github.com/lightningnetwork/lnd/lnrpc"
2929 "github.com/lightningnetwork/lnd/lnrpc/routerrpc"
3030 "github.com/lightningnetwork/lnd/lnrpc/walletrpc"
31+ "github.com/lightningnetwork/lnd/macaroons"
3132 "github.com/stretchr/testify/require"
3233 "golang.org/x/net/http2"
3334 "google.golang.org/grpc"
@@ -224,6 +225,13 @@ var (
224225 allowedThroughLNC : false ,
225226 grpcWebURI : "/litrpc.Sessions/ListSessions" ,
226227 }}
228+
229+ // customURIs is a map of endpoint URIs that we want to allow via a
230+ // custom-macaroon session type.
231+ customURIs = map [string ]bool {
232+ "/lnrpc.Lightning/GetInfo" : true ,
233+ "/frdrpc.FaradayServer/RevenueReport" : true ,
234+ }
227235)
228236
229237// testModeIntegrated makes sure that in integrated mode all daemons work
@@ -374,6 +382,7 @@ func testModeIntegrated(net *NetworkHarness, t *harnessTest) {
374382 rawLNCConn := setUpLNCConn (
375383 ctxt , t .t , cfg .LitAddr (), cfg .TLSCertPath ,
376384 cfg .LitMacPath ,
385+ litrpc .SessionType_TYPE_MACAROON_READONLY , nil ,
377386 )
378387 defer rawLNCConn .Close ()
379388
@@ -384,6 +393,48 @@ func testModeIntegrated(net *NetworkHarness, t *harnessTest) {
384393 ttt , rawLNCConn , endpoint .requestFn ,
385394 endpoint .successPattern ,
386395 endpoint .allowedThroughLNC ,
396+ "unknown service" ,
397+ )
398+ })
399+ }
400+ })
401+
402+ t .t .Run ("lnc auth custom mac perms" , func (tt * testing.T ) {
403+ cfg := net .Alice .Cfg
404+
405+ ctx := context .Background ()
406+ ctxt , cancel := context .WithTimeout (ctx , defaultTimeout )
407+ defer cancel ()
408+
409+ customPerms := make (
410+ []* litrpc.MacaroonPermission , 0 , len (customURIs ),
411+ )
412+
413+ customURIKeyword := macaroons .PermissionEntityCustomURI
414+ for uri := range customURIs {
415+ customPerms = append (
416+ customPerms , & litrpc.MacaroonPermission {
417+ Entity : customURIKeyword ,
418+ Action : uri ,
419+ },
420+ )
421+ }
422+
423+ rawLNCConn := setUpLNCConn (
424+ ctxt , t .t , cfg .LitAddr (), cfg .TLSCertPath ,
425+ cfg .LitMacPath ,
426+ litrpc .SessionType_TYPE_MACAROON_CUSTOM , customPerms ,
427+ )
428+ defer rawLNCConn .Close ()
429+
430+ for _ , endpoint := range endpoints {
431+ endpoint := endpoint
432+ tt .Run (endpoint .name + " lit port" , func (ttt * testing.T ) {
433+ allowed := customURIs [endpoint .grpcWebURI ]
434+ runLNCAuthTest (
435+ ttt , rawLNCConn , endpoint .requestFn ,
436+ endpoint .successPattern ,
437+ allowed , "permission denied" ,
387438 )
388439 })
389440 }
@@ -393,7 +444,8 @@ func testModeIntegrated(net *NetworkHarness, t *harnessTest) {
393444// setUpLNCConn creates a new LNC session and then creates a connection to that
394445// session via the mailbox that the session was created with.
395446func setUpLNCConn (ctx context.Context , t * testing.T , hostPort , tlsCertPath ,
396- macPath string ) * grpc.ClientConn {
447+ macPath string , sessType litrpc.SessionType ,
448+ customMacPerms []* litrpc.MacaroonPermission ) * grpc.ClientConn {
397449
398450 rawConn , err := connectRPC (ctx , hostPort , tlsCertPath )
399451 require .NoError (t , err )
@@ -406,11 +458,12 @@ func setUpLNCConn(ctx context.Context, t *testing.T, hostPort, tlsCertPath,
406458 litClient := litrpc .NewSessionsClient (rawConn )
407459 sessResp , err := litClient .AddSession (ctxm , & litrpc.AddSessionRequest {
408460 Label : "integration-test" ,
409- SessionType : litrpc . SessionType_TYPE_MACAROON_READONLY ,
461+ SessionType : sessType ,
410462 ExpiryTimestampSeconds : uint64 (
411463 time .Now ().Add (5 * time .Minute ).Unix (),
412464 ),
413- MailboxServerAddr : mailboxServerAddr ,
465+ MailboxServerAddr : mailboxServerAddr ,
466+ MacaroonCustomPermissions : customMacPerms ,
414467 })
415468 require .NoError (t , err )
416469
@@ -669,7 +722,8 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
669722// runLNCAuthTest tests authentication of the given interface when connecting
670723// through Lightning Node Connect.
671724func runLNCAuthTest (t * testing.T , rawLNCConn grpc.ClientConnInterface ,
672- makeRequest requestFn , successContent string , callAllowed bool ) {
725+ makeRequest requestFn , successContent string , callAllowed bool ,
726+ expectErrContains string ) {
673727
674728 ctxt , cancel := context .WithTimeout (
675729 context .Background (), defaultTimeout ,
@@ -685,7 +739,7 @@ func runLNCAuthTest(t *testing.T, rawLNCConn grpc.ClientConnInterface,
685739 // Is this a disallowed call?
686740 if ! callAllowed {
687741 require .Error (t , err )
688- require .Contains (t , err .Error (), "unknown service" )
742+ require .Contains (t , err .Error (), expectErrContains )
689743
690744 return
691745 }
0 commit comments