Documentation
¶
Index ¶
- Constants
- Variables
- func CryptoRandIntn(n int) (int, error)
- func IsPrivacyCaveat(caveat string) bool
- func RulesToCaveat(rules *InterceptRules) (string, error)
- func UseLogger(logger btclog.Logger)
- type Config
- type InterceptMetaInfo
- type InterceptRules
- type PrivacyMapper
- type RequestInfo
- type RequestLogger
- func (r *RequestLogger) CustomCaveatName() string
- func (r *RequestLogger) Intercept(_ context.Context, req *lnrpc.RPCMiddlewareRequest) (*lnrpc.RPCMiddlewareResponse, error)
- func (r *RequestLogger) MarkAction(reqID uint64, state firewalldb.ActionState, errReason string) error
- func (r *RequestLogger) Name() string
- func (r *RequestLogger) ReadOnly() bool
- type RequestLoggerConfig
- type RequestLoggerLevel
- type RuleEnforcer
Constants ¶
const ( // RuleEnforcerCaveat is the name of the custom caveat that contains all // the rules that need to be enforced in the firewall. RuleEnforcerCaveat = "lit-mac-fw" // MetaInfoValuePrefix is the static prefix a macaroon caveat value has // to mark the beginning of the meta information JSON data. MetaInfoValuePrefix = "meta" // MetaRulesValuePrefix is the static prefix a macaroon caveat value has // to mark the beginning of the rules list JSON data. MetaRulesValuePrefix = "rules" // CondPrivacy is the name of the custom caveat that will // instruct lnd to send all requests with this caveat to this // interceptor. CondPrivacy = "privacy" )
const ( // MWRequestTypeStreamAuth represents the type name for a stream // authentication interception message. MWRequestTypeStreamAuth = "stream_auth" // MWRequestTypeRequest represents the type name for a request // interception message. MWRequestTypeRequest = "request" // MWRequestTypeResponse represents the type name for a response // interception message. MWRequestTypeResponse = "response" )
const ( RequestLoggerLevelInterceptor = "interceptor" RequestLoggerLevelAll = "all" RequestLoggerLevelFull = "full" )
const (
// RequestLoggerName is the name of the RequestLogger interceptor.
RequestLoggerName = "lit-macaroon-firewall-logger"
)
const (
// RuleEnforcerName is the name of the RuleEnforcer interceptor.
RuleEnforcerName = "lit-macaroon-firewall"
)
const Subsystem = "FIRE"
Variables ¶
var ( // MetaInfoFullCaveatPrefix is the full prefix a caveat needs to have to // be recognized as a meta information caveat. MetaInfoFullCaveatPrefix = fmt.Sprintf("%s %s %s", macaroons.CondLndCustom, RuleEnforcerCaveat, MetaInfoValuePrefix) // MetaRulesFullCaveatPrefix is the full prefix a caveat needs to have // to be recognized as a rules list caveat. MetaRulesFullCaveatPrefix = fmt.Sprintf("%s %s %s", macaroons.CondLndCustom, RuleEnforcerCaveat, MetaRulesValuePrefix) // MetaPrivacyCaveatPrefix is the caveat prefix that will be used to // identify the privacy mapper caveat. MetaPrivacyCaveatPrefix = fmt.Sprintf("%s %s", macaroons.CondLndCustom, CondPrivacy) // MetaPrivacyCaveat is the caveat required to ensure that the // privacy mapper is activated as an interceptor for a request. MetaPrivacyCaveat = macaroon.Caveat{Id: []byte(MetaPrivacyCaveatPrefix)} // ErrNoMetaInfoCaveat is the error that is returned if a caveat doesn't // have the prefix to be recognized as a meta information caveat. ErrNoMetaInfoCaveat = fmt.Errorf("not a meta info caveat") // ErrNoRulesCaveat is the error that is returned if a caveat doesn't // have the prefix to be recognized as a rules list caveat. ErrNoRulesCaveat = fmt.Errorf("not a rules list caveat") )
var ( // ErrNotSupportedByPrivacyMapper indicates that the invoked RPC method // is not supported by the privacy mapper. ErrNotSupportedByPrivacyMapper = errors.New("this RPC call is not " + "supported by the privacy mapper interceptor") )
Functions ¶
func CryptoRandIntn ¶
CryptoRandIntn generates a random number between [0, n).
func IsPrivacyCaveat ¶
IsPrivacyCaveat returns true if the given caveat string is a privacy mapper caveat.
func RulesToCaveat ¶
func RulesToCaveat(rules *InterceptRules) (string, error)
RulesToCaveat encodes a list of rules as a full custom caveat string representation in this format:
lnd-custom lit-mac-fw rules:[<array_of_JSON_encoded_rules>]
Types ¶
type Config ¶
type Config struct {
RequestLogger *RequestLoggerConfig `group:"request-logger" namespace:"request-logger" description:"request logger settings"`
}
Config holds all config options for the firewall.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig constructs the default firewall Config struct.
type InterceptMetaInfo ¶
type InterceptMetaInfo struct {
// ActorName is the name of the actor service (=management software)
// that is issuing this request.
ActorName string `json:"actor_name"`
// Feature is the feature that caused the actor to execute this action.
Feature string `json:"feature"`
// Trigger is the action or condition that triggered this intercepted
// request to be made.
Trigger string `json:"trigger"`
// Intent is the desired outcome or end condition this request aims to
// arrive at.
Intent string `json:"intent"`
// StructuredJsonData is extra, structured, info that the Autopilot can
// send to Lit. It is a json serialised string.
StructuredJsonData string `json:"structured_json_data"`
}
InterceptMetaInfo is the JSON serializable struct containing meta information about a request made by an automated node management software against LiT. The meta information is added as a macaroon caveat.
func ParseMetaInfoCaveat ¶
func ParseMetaInfoCaveat(caveat string) (*InterceptMetaInfo, error)
ParseMetaInfoCaveat tries to parse the given caveat string as a meta information struct.
func (*InterceptMetaInfo) ToCaveat ¶
func (i *InterceptMetaInfo) ToCaveat() (string, error)
ToCaveat returns the full custom caveat string representation of the interception meta information in this format:
lnd-custom lit-mac-fw meta:<JSON_encoded_meta_information>
type InterceptRules ¶
type InterceptRules struct {
// SessionRules are rules that apply session wide. The map is rule
// name to rule value.
SessionRules map[string]string `json:"session_rules"`
// Feature rules are rules that apply to a specific feature. The map is
// feature name to a map of rule name to rule value.
FeatureRules map[string]map[string]string `json:"feature_rules"`
}
InterceptRules is the JSON serializable struct containing all the rules and their limits/settings that need to be enforced on a request made by an automated node management software against LiT. The rule information is added as a custom macaroon caveat.
func ParseRuleCaveat ¶
func ParseRuleCaveat(caveat string) (*InterceptRules, error)
ParseRuleCaveat tries to parse the given caveat string as a rule struct.
type PrivacyMapper ¶
type PrivacyMapper struct {
// contains filtered or unexported fields
}
PrivacyMapper is a RequestInterceptor that maps any pseudo names in certain requests to their real values and vice versa for responses.
func NewPrivacyMapper ¶
func NewPrivacyMapper(newDB firewalldb.NewPrivacyMapDB, randIntn func(int) (int, error)) *PrivacyMapper
NewPrivacyMapper returns a new instance of PrivacyMapper. The randIntn function is used to draw randomness for request field obfuscation.
func (*PrivacyMapper) CustomCaveatName ¶
func (p *PrivacyMapper) CustomCaveatName() string
CustomCaveatName returns the name of the custom caveat that is expected to be handled by this interceptor. Cannot be specified in read-only mode.
func (*PrivacyMapper) Intercept ¶
func (p *PrivacyMapper) Intercept(ctx context.Context, req *lnrpc.RPCMiddlewareRequest) (*lnrpc.RPCMiddlewareResponse, error)
Intercept processes an RPC middleware interception request and returns the interception result which either accepts or rejects the intercepted message.
func (*PrivacyMapper) Name ¶
func (p *PrivacyMapper) Name() string
Name returns the name of the interceptor.
func (*PrivacyMapper) ReadOnly ¶
func (p *PrivacyMapper) ReadOnly() bool
ReadOnly returns true if this interceptor should be registered in read-only mode. In read-only mode no custom caveat name can be specified.
type RequestInfo ¶
type RequestInfo struct {
MsgID uint64
RequestID uint64
MWRequestType string
URI string
GRPCMessageType string
IsError bool
Serialized []byte
Streaming bool
Macaroon *macaroon.Macaroon
Caveats []string
MetaInfo *InterceptMetaInfo
Rules *InterceptRules
WithPrivacy bool
}
RequestInfo stores the parsed representation of an incoming RPC middleware request.
func NewInfoFromRequest ¶
func NewInfoFromRequest(req *lnrpc.RPCMiddlewareRequest) (*RequestInfo, error)
NewInfoFromRequest parses the given RPC middleware interception request and returns a RequestInfo struct.
func (*RequestInfo) String ¶
func (ri *RequestInfo) String() string
String returns the string representation of the request info struct.
type RequestLogger ¶
type RequestLogger struct {
// contains filtered or unexported fields
}
RequestLogger is a RequestInterceptor that just logs incoming RPC requests.
func NewRequestLogger ¶
func NewRequestLogger(cfg *RequestLoggerConfig, actionsDB firewalldb.ActionsWriteDB) (*RequestLogger, error)
NewRequestLogger creates a new RequestLogger.
func (*RequestLogger) CustomCaveatName ¶
func (r *RequestLogger) CustomCaveatName() string
CustomCaveatName returns the name of the custom caveat that is expected to be handled by this interceptor. Cannot be specified in read-only mode.
func (*RequestLogger) Intercept ¶
func (r *RequestLogger) Intercept(_ context.Context, req *lnrpc.RPCMiddlewareRequest) (*lnrpc.RPCMiddlewareResponse, error)
Intercept processes an RPC middleware interception request and returns the interception result which either accepts or rejects the intercepted message.
func (*RequestLogger) MarkAction ¶
func (r *RequestLogger) MarkAction(reqID uint64, state firewalldb.ActionState, errReason string) error
MarkAction can be used to set the state of an action identified by the given requestID.
func (*RequestLogger) Name ¶
func (r *RequestLogger) Name() string
Name returns the name of the interceptor.
func (*RequestLogger) ReadOnly ¶
func (r *RequestLogger) ReadOnly() bool
ReadOnly returns true if this interceptor should be registered in read-only mode. In read-only mode no custom caveat name can be specified.
type RequestLoggerConfig ¶
type RequestLoggerConfig struct {
RequestLoggerLevel RequestLoggerLevel `long:"level" description:"Set the request logger level. Options include 'all', 'full' and 'interceptor''"`
}
RequestLoggerConfig holds all the config options for the request logger.
type RequestLoggerLevel ¶
type RequestLoggerLevel string
type RuleEnforcer ¶
type RuleEnforcer struct {
// contains filtered or unexported fields
}
RuleEnforcer is a RequestInterceptor that makes sure all firewall related custom caveats in a macaroon are properly enforced.
func NewRuleEnforcer ¶
func NewRuleEnforcer(ruleDB firewalldb.RulesDB, actionsDB firewalldb.ActionReadDBGetter, getFeaturePerms featurePerms, permsMgr *perms.Manager, nodeID [33]byte, routerClient lndclient.RouterClient, lndClient lndclient.LightningClient, ruleMgrs rules.ManagerSet, markActionErrored func(reqID uint64, reason string) error, privMap firewalldb.NewPrivacyMapDB) *RuleEnforcer
NewRuleEnforcer constructs a new RuleEnforcer instance.
func (*RuleEnforcer) CustomCaveatName ¶
func (r *RuleEnforcer) CustomCaveatName() string
CustomCaveatName returns the name of the custom caveat that is expected to be handled by this interceptor. Cannot be specified in read-only mode.
func (*RuleEnforcer) Intercept ¶
func (r *RuleEnforcer) Intercept(ctx context.Context, req *lnrpc.RPCMiddlewareRequest) (*lnrpc.RPCMiddlewareResponse, error)
Intercept processes an RPC middleware interception request and returns the interception result which either accepts or rejects the intercepted message.
func (*RuleEnforcer) Name ¶
func (r *RuleEnforcer) Name() string
Name returns the name of the interceptor.
func (*RuleEnforcer) ReadOnly ¶
func (r *RuleEnforcer) ReadOnly() bool
ReadOnly returns true if this interceptor should be registered in read-only mode. In read-only mode no custom caveat name can be specified.
Source Files