rpcperms

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 5, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrWaitingToStart is returned if LND is still waiting to start,
	// possibly blocked until elected as the leader.
	ErrWaitingToStart = fmt.Errorf("waiting to start, RPC services not " +
		"available")

	// ErrRPCStarting is returned if the wallet has been unlocked but the
	// RPC server is not yet ready to accept calls.
	ErrRPCStarting = fmt.Errorf("the RPC server is in the process of " +
		"starting up, but not yet ready to accept calls")
)

Functions

This section is empty.

Types

type BakeRequest added in v0.8.0

type BakeRequest struct {
	// Permissions is the list of permissions for the baked macaroon.
	Permissions []Permission

	// RootKeyID is the root key identifier used for baking.
	RootKeyID uint64

	// AllowExternalPermissions allows permissions that are not in the
	// registered permission map.
	AllowExternalPermissions bool
}

BakeRequest contains the permissions and options for a new macaroon.

type InterceptorChain

type InterceptorChain struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

InterceptorChain is a struct that can be added to the running GRPC server, intercepting API calls. This is useful for logging, enforcing permissions, supporting middleware etc. The following diagram shows the order of each interceptor in the chain and when exactly requests/responses are intercepted and forwarded to external middleware for approval/modification. Middleware in general can only intercept gRPC requests/responses that are sent by the client with a macaroon that contains a custom caveat that is supported by one of the registered middlewares.

    |
    | gRPC request from client
    |
+---v--------------------------------+
|   InterceptorChain                 |
+-+----------------------------------+
  | Log Interceptor                  |
  +----------------------------------+
  | RPC State Interceptor            |
  +----------------------------------+
  | Macaroon Interceptor             |
  +----------------------------------+
  | Prometheus Interceptor           |
  +-+--------------------------------+
    | validated gRPC request from client
+---v--------------------------------+
|   main gRPC server                 |
+---+--------------------------------+
    |
    | original gRPC request to client
    |
    v

func NewInterceptorChain

func NewInterceptorChain(log btclog.Logger, noMacaroons bool,
	mandatoryMiddleware []string,
	macaroonWhitelist map[string]struct{}) *InterceptorChain

NewInterceptorChain creates a new InterceptorChain.

func (*InterceptorChain) AddMacaroonService

func (r *InterceptorChain) AddMacaroonService(svc *macaroons.Service)

AddMacaroonService adds a macaroon service to the interceptor. After this is done every RPC call made will have to pass a valid macaroon to be accepted.

func (*InterceptorChain) AddPermission

func (r *InterceptorChain) AddPermission(method string, ops []bakery.Op) error

AddPermission adds a new macaroon rule for the given method.

func (*InterceptorChain) CreateServerOpts

func (r *InterceptorChain) CreateServerOpts(
	opts *InterceptorsOpts) []grpc.ServerOption

CreateServerOpts creates the GRPC server options that can be added to a GRPC server in order to add this InterceptorChain.

func (*InterceptorChain) MacaroonService

func (r *InterceptorChain) MacaroonService() *macaroons.Service

MacaroonService returns the currently registered macaroon service. This might be nil if none was registered (yet).

func (*InterceptorChain) MacaroonStreamServerInterceptor

func (r *InterceptorChain) MacaroonStreamServerInterceptor() grpc.StreamServerInterceptor

MacaroonStreamServerInterceptor is a GRPC interceptor that checks whether the request is authorized by the included macaroons.

func (*InterceptorChain) MacaroonUnaryServerInterceptor

func (r *InterceptorChain) MacaroonUnaryServerInterceptor() grpc.UnaryServerInterceptor

MacaroonUnaryServerInterceptor is a GRPC interceptor that checks whether the request is authorized by the included macaroons.

func (*InterceptorChain) Permissions

func (r *InterceptorChain) Permissions() map[string][]bakery.Op

Permissions returns the current set of macaroon permissions.

func (*InterceptorChain) SetRPCActive

func (r *InterceptorChain) SetRPCActive()

SetRPCActive moves the RPC state from walletUnlocked to rpcActive.

func (*InterceptorChain) SetServerActive

func (r *InterceptorChain) SetServerActive()

SetServerActive moves the RPC state from walletUnlocked to rpcActive.

func (*InterceptorChain) Start

func (r *InterceptorChain) Start() error

Start starts the InterceptorChain, which is needed to start the state subscription server it powers.

func (*InterceptorChain) Stop

func (r *InterceptorChain) Stop() error

Stop stops the InterceptorChain and its internal state subscription server.

type InterceptorsOpts added in v0.3.0

type InterceptorsOpts struct {
	Prometheus *monitoring.PrometheusConfig
}

InterceptorsOpts holds the options that need to be set in some server interceptors.

type MacBaker added in v0.8.0

type MacBaker struct {
	// contains filtered or unexported fields
}

MacBaker is a macaroon baker implementation.

func (*MacBaker) BakeMacaroon added in v0.8.0

func (b *MacBaker) BakeMacaroon(ctx context.Context,
	req BakeRequest) (macaroon.Macaroon, error)

BakeMacaroon allows the creation of a new macaroon with custom permissions. No first-party caveats are added since this can be done offline.

type MacBakerConfig added in v0.8.0

type MacBakerConfig struct {
	// MacaroonService is the macaroon service used to mint new macaroons.
	MacaroonService *lndclient.MacaroonService

	// RequiredPermissions holds the known RPC permission map for URI
	// checks.
	RequiredPermissions map[string][]bakery.Op
}

MacBakerConfig contains the configuration for the macaroon baker.

type MacaroonBaker added in v0.8.0

type MacaroonBaker interface {
	// BakeMacaroon creates a new macaroon with the given permissions.
	BakeMacaroon(ctx context.Context, req BakeRequest) (macaroon.Macaroon,
		error)
}

MacaroonBaker validates bake requests and mints new macaroons.

func NewMacaroonBaker added in v0.8.0

func NewMacaroonBaker(macaroonService *lndclient.MacaroonService,
	requiredPermissions map[string][]bakery.Op) MacaroonBaker

NewMacaroonBaker returns a MacaroonBaker backed by tapd's macaroon service and permission map.

type Permission added in v0.8.0

type Permission struct {
	// Entity is the permission entity to bake.
	Entity string

	// Action is the permission action to bake.
	Action string
}

Permission is an entity/action pair that can be baked into a macaroon.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL