macaroons: add IP lock macaroon constraint

2017-09-02 03:46:27 +03:00 · 2017-09-02 03:46:27 +03:00 · 679e86174f
parent a6b9155150
commit 679e86174f
2 changed files with 20 additions and 0 deletions
--- a/cmd/lncli/main.go
+++ b/cmd/lncli/main.go
@ -85,6 +85,9 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
 			// TODO(aakselrod): add better anti-replay protection.
 			macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),

+			// Lock macaroon down to a specific IP address.
+			macaroons.IPLockConstraint(ctx.GlobalString("macaroonip")),
+
 			// ... Add more constraints if needed.
 		}

@ -134,6 +137,10 @@ func main() {
 			Value: 60,
 			Usage: "anti-replay macaroon validity time in seconds",
 		},
+		cli.StringFlag{
+			Name:  "macaroonip",
+			Usage: "if set, lock macaroon to specific IP address",
+		},
 	}
 	app.Commands = []cli.Command{
 		newAddressCommand,
--- a/macaroons/auth.go
+++ b/macaroons/auth.go
@ -3,9 +3,11 @@ package macaroons
 import (
 	"encoding/hex"
 	"fmt"
+	"net"

 	"golang.org/x/net/context"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/peer"

 	"gopkg.in/macaroon-bakery.v1/bakery"
 	"gopkg.in/macaroon-bakery.v1/bakery/checkers"
@ -67,6 +69,16 @@ func ValidateMacaroon(ctx context.Context, method string,
 			len(md["macaroon"]))
 	}

+	// Get peer info and extract IP address from it for macaroon check
+	pr, ok := peer.FromContext(ctx)
+	if !ok {
+		return fmt.Errorf("unable to get peer info from context")
+	}
+	peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
+	if err != nil {
+		return fmt.Errorf("unable to parse peer address")
+	}
+
 	// With the macaroon obtained, we'll now decode the hex-string
 	// encoding, then unmarshal it from binary into its concrete struct
 	// representation.
@ -87,5 +99,6 @@ func ValidateMacaroon(ctx context.Context, method string,
 	return svc.Check(macaroon.Slice{mac}, checkers.New(
 		PermissionsChecker(method),
 		TimeoutChecker(),
+		IPLockChecker(peerAddr),
 	))
 }