multi: custom URI sessions #438
Conversation
session_rpcserver.go
Outdated
| "readonly and custom macaroon types supported in LiT") | ||
| } | ||
|
|
||
| var perms []bakery.Op |
There was a problem hiding this comment.
Can we refactor this into a switch so it'll be easier to add the account session type, please? See 9b24a18.
session_rpcserver.go
Outdated
| @@ -203,10 +231,17 @@ func (s *sessionRpcServer) resumeSession(sess *session.Session) error { | |||
| Id: []byte(macExpiry.Condition), | |||
| }) | |||
|
|
|||
| if sess.Type == session.TypeMacaroonCustom { | |||
litrpc/lit-sessions.proto
Outdated
| @@ -76,6 +76,8 @@ message Session { | |||
| bytes remote_public_key = 10; | |||
|
|
|||
| uint64 created_at = 11 [jstype = JS_STRING]; | |||
|
|
|||
| repeated MacaroonPermission macaroon_custom_permissions = 12; | |||
There was a problem hiding this comment.
Should we show the full recipe here? So including the caveats?
There was a problem hiding this comment.
hmmm do we also want to add a custom-caveats option to the AddSessionRequest message then?
There was a problem hiding this comment.
if we were to add the custom-caveats option to the request, then would it be fine just to let the user specify strings that we will use for the caveat ID? ie, is it fine to leave the location & verification ID empty ?
session_rpcserver.go
Outdated
| }, nil | ||
| } | ||
|
|
||
| // marshalRPCCustomPerms converts a list of macaroon permissions into their RPC | ||
| // counterpart. | ||
| func marshalRPCCustomPerms(ops []bakery.Op) []*litrpc.MacaroonPermission { |
There was a problem hiding this comment.
See previous comment about adding the full recipe to the session RPC, then this could marshal the whole recipe (and we could skip the nil check on L419 and do that here.
cmd/litcli/sessions.go
Outdated
| "this list will only be used if the 'type' " + | ||
| "flag is set to 'custom'. If multiple URIs " + | ||
| "are specified, they should be separated by " + | ||
| "commas (eg. 'uri1,uri2,uri3')", |
There was a problem hiding this comment.
Should we use a StringSlice flag instead and just mention "can be specified multiple times" here?
ellemouton
requested review from
itsrachelfish
and removed request for
jamaljsr
ellemouton
force-pushed
the
fine-grained-perms
branch
from
5ea2931 to
cf5233c
Compare
There was a problem hiding this comment.
Thanks for the review @guggero!!
Updated as per suggestion. Added 2 more commits. The first makes the run of the existing LNC auth itests more efficient and the second adds new tests for the custom macaroon perms.
Also left one question about custom caveats
litrpc/lit-sessions.proto
Outdated
| @@ -76,6 +76,8 @@ message Session { | |||
| bytes remote_public_key = 10; | |||
|
|
|||
| uint64 created_at = 11 [jstype = JS_STRING]; | |||
|
|
|||
| repeated MacaroonPermission macaroon_custom_permissions = 12; | |||
session_rpcserver.go
Outdated
| "readonly and custom macaroon types supported in LiT") | ||
| } | ||
|
|
||
| var perms []bakery.Op |
cmd/litcli/sessions.go
Outdated
| "this list will only be used if the 'type' " + | ||
| "flag is set to 'custom'. If multiple URIs " + | ||
| "are specified, they should be separated by " + | ||
| "commas (eg. 'uri1,uri2,uri3')", |
To speed up the existing LNC auth tests, this commit creates a single LNC session & connection and does all the tests over the single connection rather than spinning up one per test. This imporves the time taken to run the tests drastically.
ellemouton
force-pushed
the
fine-grained-perms
branch
from
cf5233c to
b38acfa
Compare
There was a problem hiding this comment.
tACK LGTM 🔥
Works as advertised. I just have a question. I am testing this along with lightninglabs/lightning-node-connect#59. I was able to add a custom session successfully.
$ rt run zanelit sessions add --label mycustom --type=custom --uri=/lnrpc.Lightning/GetInfo --uri=/routerrpc.Router/GetMissionControlConfig
{
"session": {
"label": "mycustom",
"session_state": "STATE_CREATED",
"session_type": "TYPE_MACAROON_CUSTOM",
"expiry_timestamp_seconds": "1674590241",
"mailbox_server_addr": "mailbox.terminal.lightning.today:443",
"dev_server": false,
"pairing_secret": "43a472e678984e803ac31e4cba80",
"pairing_secret_mnemonic": "dry castle ridge van lumber divorce twelve glow erosion staff",
"local_public_key": "03e728a7ab09810c97b98d47cc792686ab294d139091bfdcca9dcca5bac1628afd",
"remote_public_key": null,
"created_at": "1666814241",
"macaroon_recipe": {
"permissions": [
{
"entity": "uri",
"action": "/lnrpc.Lightning/GetInfo"
},
{
"entity": "uri",
"action": "/routerrpc.Router/GetMissionControlConfig"
}
],
"caveats": [
]
}
}
}
When I connected with the LNC example-server, the lnrpc.State.GetState RPC was still available. is this intentional? If so, why is that?
|
@jamaljsr , yes that is expected because |
With this PR, you can now create a
customsession where on creation, you can specify the exact list of URIs that can be called with the session.Can create a new custom session as follows:
Can test this with lightninglabs/lightning-node-connect#59