Skip to content

session_rpcserver+litrpc: allow custom session with all read-only perms #457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 1, 2022
Merged

session_rpcserver+litrpc: allow custom session with all read-only perms #457

merged 3 commits into from
Dec 1, 2022

Conversation

ellemouton
Copy link
Member

@ellemouton ellemouton commented Nov 29, 2022
edited
Loading

A special case is added to the creation of a custom session to
allow the user to specify custom URIs as well as the permissions
for all read-only endpoints. To use this option when creating a
custom session, a user should set the entity of the macaroon
permission to "uri" and the action to "***readonly***"
The reason for the using the three '*'s in the string is to ensure
that the string never collides with a valid URI or a valid regex.

litcli example:

litcli  s a --label=test --type=custom --uri=/lnrpc.Lightning/ListChannels --uri="/lnrpc.State/.*" --uri="***readonly***"

Fixes #456

@ellemouton ellemouton force-pushed the customPlusReadOnlyPerms branch from 8a344a6 to 1b7f1ca Compare November 29, 2022 10:34
@ellemouton
multi: allow custom session with all read-only perms
beb2546 
In this commit, a special case is added to the creation of a custom
session to allow the user to specify custom URIs as well as the
permissions for all read-only endpoints.
@ellemouton ellemouton force-pushed the customPlusReadOnlyPerms branch from 1b7f1ca to b9d1208 Compare November 29, 2022 10:45
ellemouton
ellemouton commented Nov 29, 2022
View reviewed changes
guggero
guggero approved these changes Nov 29, 2022
View reviewed changes
Copy link
Member

@guggero guggero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, LGTM 🎉

litrpc/lit-sessions.proto Outdated
// - a URI regex, in which case access will be granted to each URI that
// matches the regex.
// - the "***readonly***" keyword. This will result in the access being
// granted all read-only endpoints.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: granted to all read-only endpoints?

session_rpcserver.go Outdated
true,
)

permissions = append(permissions, readPerms...)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we do a de-duplication somewhere? Because maybe the ***readonly*** overlaps with URIs matched by a regex?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea re adding de-dupping. I actually though we already did that somewhere but turns out not! So added it in a new commit here :)

I dont actually think the perms from ***readonly*** will ever clash with the regex URIs since those will all be using the special case "uri" entity. But yeah - good to have the dedup stuff for future!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(added in the last commit so that the first 2 commits dont need to be re-reviewed. Hope that that is ok)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking forward to when we'd convert all permissions into URIs anyway, then I can imagine there would be some overlap possible. Additional commit looks good 👍

@ellemouton
litrpc: update MacaroonPermissions comments
22a0aac 
The proto comments are updated to reflect the special case behaviour of
the entity-action pairs.
@ellemouton ellemouton force-pushed the customPlusReadOnlyPerms branch from b9d1208 to 9360087 Compare December 1, 2022 11:04
@ellemouton ellemouton force-pushed the customPlusReadOnlyPerms branch from 9360087 to 00357fd Compare December 1, 2022 11:08
@ellemouton
Copy link
Member Author

Thanks for the review @guggero ! Added one more commit to address your comment about de-duplicating the perms.

guggero
guggero approved these changes Dec 1, 2022
View reviewed changes
Copy link
Member

@guggero guggero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎉

@itsrachelfish itsrachelfish mentioned this pull request Dec 1, 2022
Merged
itsrachelfish
itsrachelfish approved these changes Dec 1, 2022
View reviewed changes
Copy link
Contributor

@itsrachelfish itsrachelfish left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tACK. I rebased my pr #451 using this branch and was able to create a custom session using the new ***readonly*** flag

@ellemouton ellemouton merged commit b9cc180 into lightninglabs:master Dec 1, 2022
@ellemouton ellemouton deleted the customPlusReadOnlyPerms branch December 1, 2022 14:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guggero guggero guggero approved these changes

@itsrachelfish itsrachelfish itsrachelfish approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow all read-only endpoints for custom macaroons
3 participants
@ellemouton @guggero @itsrachelfish