multi: autopilot firewall and privacy map interceptors #487

Merged
merged 47 commits into from
Feb 15, 2023

ellemouton
Member

This PR makes extensive use of LND's RPC middleware interceptors in order to implement a macaroon firewall.

Calls made with a macaroon containing the lnd-custom privacy caveat will be intercepted and any private info (such as pub keys, outpoints etc) will be mapped out to random values for requests and mapped back to real values for responses.

Calls made with a macaroon containing the lnd-custom lit-mac-fw caveat will be intercepted and the call will be validated against various rules that the caveat specifies. The current set of defined rules are: Channel restrictions, peer restrictions, channel policy bounds, history limit, rate limit.

An Autopilot client is also added which handles registering an LNC session with the Autopilot server. The access given to the autopilot server is restricted using the above mentioned macaroon caveats.

ellemouton and others added 30 commits January 27, 2023 06:47
This commit adds an ID to the Session struct. The ID is not persisted
but is instead derived from the macaroon used for the session.

In this commit we add all the proto methods and messages that we will
need for the initial autopilot implementation.

This commit adds a new Action type to the firewalldb package along with
Serialization and Deserialization methods for it. It also adds
ListAction and ListSessionAction methods to the DB which can be used to
paginate through the actions. Various interfaces are also added that
will be used by `rules` to access certain RuleActions.

This commit adds a Lit grpc service and uses it to expose a ListActions
method. Litcli is also updated to make use of this method.

Add a client for the autopilot server along with a mock server that can
be used in tests.

ellemouton and others added 16 commits January 27, 2023 06:47
Adds helper functions to randomize amounts, timestamps, and booleans.
Amounts are randomized based on a percentage and timestamps based on an
absolute scale.

Adds amount, timestamp, and channel initiator obfuscation to the two
response handlers `handleFwdHistoryResponse` and
`handleListChannelsResponse`.

In order to preserve privacy and still ensure functioning of algorithms
that rely on the randomized data, a trade-off between randomization and
accuracy needs to be found.

We choose ten minutes for forwarding timestamps as this breaks time
correlation of payments.

The amount obfuscation is chosen to be 5% and applies to the forwarding
amount and channel details to hide balances. We also remove details of
pending HTLCs in channels. Random obfuscation for amounts is chosen here
instead of rounding to have non-deterministic alteration of amounts,
which is especially important for forwardings to also break amount
correlation. Randomly varying around a certain value will statistically
skew averages less than rounding for algorithms that rely on
aggregation of individual data.

The privacy mapper is chosen to accept a randomness input in order to
ensure deterministic testing even when other handlers are changed in the
future.

Also includes an itest to assert that sessions work with very large
headers.

In this commit, in the response handlers of the privacy mapper, we
construct new response messages instead of overwriting existing messages
in order to minimize the chances of private data slipping through
accidentally.

Bump the tlv version to the version that supports uncapped tlv streams.

Create LNC account sessions through litcli
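
The trade-off described in the commit messages above (5% random amount variation and ten-minute timestamp shifts, compared with rounding, with randomness passed in so tests stay deterministic), as an added Go example that is not part of the PR or the project's code. All function names, the seed and the sample amounts are constructed for illustration.

```go
package main

import (
	"fmt"
	"math/rand"
)

// All names below are hypothetical; this is not the project's code.

// newRand returns a seeded source so obfuscation is reproducible in tests.
func newRand(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// hideAmount scales amt by a uniform factor in [1-relVar, 1+relVar).
func hideAmount(r *rand.Rand, relVar float64, amt uint64) uint64 {
	f := 1 + relVar*(2*r.Float64()-1)
	return uint64(float64(amt)*f + 0.5)
}

// hideTimestamp shifts ts (unix seconds) uniformly within +/- absVar seconds.
func hideTimestamp(r *rand.Rand, absVar, ts int64) int64 {
	return ts + r.Int63n(2*absVar+1) - absVar
}

// roundTo is the deterministic alternative: nearest multiple of step.
func roundTo(amt, step uint64) uint64 { return (amt + step/2) / step * step }

// meanError is the relative error of the total after applying f to each amount.
func meanError(amts []uint64, f func(uint64) uint64) float64 {
	var orig, got float64
	for _, a := range amts {
		orig += float64(a)
		got += float64(f(a))
	}
	return (got - orig) / orig
}

// sampleForwards builds constructed data: 1000 forwards just above 10,000 sat.
func sampleForwards() []uint64 {
	amts := make([]uint64, 1000)
	for i := range amts {
		amts[i] = 10100 + uint64(i%400)
	}
	return amts
}

func main() {
	r, amts := newRand(1), sampleForwards()
	random := meanError(amts, func(a uint64) uint64 { return hideAmount(r, 0.05, a) })
	rounded := meanError(amts, func(a uint64) uint64 { return roundTo(a, 1000) })
	fmt.Printf("mean error: random=%+.4f rounded=%+.4f\n", random, rounded)
	fmt.Println("timestamp:", hideTimestamp(r, 600, 1676444760))
}
```

On this constructed data every amount rounds down to 10,000, so rounding shifts the aggregate by about 2.7%, while the random variation averages out to well under 0.5%.
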
Member

@guggero guggero left a comment

We reviewed and tested this code internally for many weeks, so I can give my thumbs up rather quickly.
Amazing work on this, kudos to everyone involved 💯

Member

@jamaljsr jamaljsr left a comment

tACK. Did a test run just to sanity check. Everything still works as expected. Awesome job on this feature @ellemouton 🔥

Contributor

@bitromortac bitromortac left a comment

tACK 🚀 Awesome work!

@ellemouton ellemouton merged commit 46a1d7e into lightninglabs:master Feb 15, 2023
@ellemouton ellemouton deleted the autopilotFirewall branch February 15, 2023 07:06