proxy: implement basic proxy functionality

Author: guggero

auth/config.go

@@ -0,0 +1,50 @@
+package auth
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+type Config struct {
+	// LndHost is the hostname of the LND instance to connect to.
+	LndHost string `long:"lndhost" description:"Hostname of the LND instance to connect to"`
+
+	TlsPath string `long:"tlspath"`
+
+	MacDir string `long:"macdir"`
+
+	Network string `long:"network"`
+}
+
+type Level string
+
+func (l Level) lower() string {
+	return strings.ToLower(string(l))
+}
+
+func (l Level) IsOn() bool {
+	lower := l.lower()
+	return lower == "" || lower == "on" || lower == "true"
+}
+
+func (l Level) IsFreebie() bool {
+	return strings.HasPrefix(l.lower(), "freebie")
+}
+
+func (l Level) FreebieCount() uint8 {
+	parts := strings.Split(l.lower(), " ")
+	if len(parts) != 2 {
+		panic(fmt.Errorf("invalid auth value: %s", l.lower()))
+	}
+	count, err := strconv.Atoi(parts[1])
+	if err != nil {
+		panic(err)
+	}
+	return uint8(count)
+}
+
+func (l Level) IsOff() bool {
+	lower := l.lower()
+	return lower == "off" || lower == "false"
+}

auth/lnd_authenticator.go

@@ -0,0 +1,137 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"net/http"
+	"regexp"
+
+	"github.com/lightninglabs/kirin/macaroons"
+	"github.com/lightninglabs/loop/lndclient"
+	"github.com/lightningnetwork/lnd/lnrpc"
+	"gopkg.in/macaroon-bakery.v2/bakery"
+	"gopkg.in/macaroon-bakery.v2/bakery/checkers"
+)
+
+var (
+	authRegex  = regexp.MustCompile("LSAT (.*?):([a-f0-9]{64})")
+	opWildcard = "*"
+)
+
+type LndAuthenticator struct {
+	client     lnrpc.LightningClient
+	macService *macaroons.Service
+}
+
+// A compile time flag to ensure the LndAuthenticator satisfies the
+// Authenticator interface.
+var _ Authenticator = (*LndAuthenticator)(nil)
+
+// NewLndAuthenticator creates a new authenticator that is connected to an lnd
+// backend and can create new invoices if required.
+func NewLndAuthenticator(cfg *Config) (*LndAuthenticator, error) {
+	client, err := lndclient.NewBasicClient(
+		cfg.LndHost, cfg.TlsPath, cfg.MacDir, cfg.Network,
+	)
+	if err != nil {
+		return nil, err
+	}
+	macService, err := macaroons.NewService()
+	if err != nil {
+		return nil, err
+	}
+
+	return &LndAuthenticator{
+		client:     client,
+		macService: macService,
+	}, nil
+}
+
+// Accept returns whether or not the header successfully authenticates the user
+// to a given backend service.
+//
+// NOTE: This is part of the Authenticator interface.
+func (l *LndAuthenticator) Accept(header *http.Header) bool {
+	authHeader := header.Get("Authorization")
+	if authHeader == "" {
+		return false
+	}
+
+	if !authRegex.MatchString(authHeader) {
+		return false
+	}
+
+	matches := authRegex.FindStringSubmatch(authHeader)
+	if len(matches) != 3 {
+		return false
+	}
+
+	macBase64, preimageHex := matches[1], matches[2]
+	macBytes, err := base64.StdEncoding.DecodeString(macBase64)
+	if err != nil {
+		return false
+	}
+
+	preimageBytes, err := hex.DecodeString(preimageHex)
+	if err != nil {
+		return false
+	}
+
+	// TODO(guggero): check preimage against payment hash caveat in the
+	//  macaroon.
+	if len(preimageBytes) != 32 {
+		return false
+	}
+
+	err = l.macService.ValidateMacaroon(macBytes, []bakery.Op{})
+	if err != nil {
+		return false
+	}
+	return true
+}
+
+// FreshChallengeHeader returns a header containing a challenge for the user to
+// complete.
+//
+// NOTE: This is part of the Authenticator interface.
+func (l *LndAuthenticator) FreshChallengeHeader(r *http.Request) (
+	http.Header, error) {
+
+	// Obtain a new invoice from lnd first. We need to know the payment hash
+	// so we can add it as a caveat to the macaroon.
+	ctx := context.Background()
+	invoice := &lnrpc.Invoice{
+		Memo:  "LSAT",
+		Value: 1,
+	}
+	response, err := l.client.AddInvoice(ctx, invoice)
+	if err != nil {
+		fmt.Printf("error adding invoice: %v\n", err)
+		return nil, err
+	}
+	paymentHashHex := hex.EncodeToString(response.RHash)
+
+	// Create a new macaroon and add the payment hash as a caveat.
+	// The bakery requires at least one operation so we add an "allow all"
+	// permission set for now.
+	mac, err := l.macService.NewMacaroon(
+		[]bakery.Op{{Entity: opWildcard, Action: opWildcard}}, []string{
+			checkers.Condition(macaroons.CondRHash, paymentHashHex),
+		},
+	)
+	if err != nil {
+		fmt.Printf("error creating macaroon: %v\n", err)
+		return nil, err
+	}
+
+	str := "LSAT macaroon='%s' invoice='%s'"
+	str = fmt.Sprintf(
+		str, base64.StdEncoding.EncodeToString(mac),
+		response.GetPaymentRequest(),
+	)
+	header := r.Header
+	header.Set("WWW-Authenticate", str)
+	return header, nil
+}

config.go

@@ -2,6 +2,7 @@ package kirin
 
 import (
 	"github.com/btcsuite/btcutil"
+	"github.com/lightninglabs/kirin/auth"
 	"github.com/lightninglabs/kirin/proxy"
 )
 
@@ -17,7 +18,9 @@ type config struct {
 	// to listen for requests.
 	ListenAddr string `long:"listenaddr" description:"The interface we should listen on for client requests"`
 
+	Authenticator *auth.Config `long:"authenticator" description:"Configuration for the authenticator."`
+
 	// Services is a list of JSON objects in string format, which specify
 	// each backend service to Kirin.
-	Services []*proxy.Service `long:"service" description:"JSON configurations for each Kirin backend service."`
+	Services []*proxy.Service `long:"service" description:"Configurations for each Kirin backend service."`
 }

go.mod

@@ -3,11 +3,10 @@ module github.com/lightninglabs/kirin
 go 1.13
 
 require (
-	github.com/btcsuite/btcd v0.0.0-20190629003639-c26ffa870fd8 // indirect
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/kr/pretty v0.1.0 // indirect
-	golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5 // indirect
-	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
+	github.com/lightninglabs/loop v0.2.3-alpha
+	github.com/lightningnetwork/lnd v0.8.0-beta-rc3.0.20191029004703-c069bdd4c7c1
+	gopkg.in/macaroon-bakery.v2 v2.1.0
+	gopkg.in/macaroon.v2 v2.1.0
 	gopkg.in/yaml.v2 v2.2.2
 )