multi: allow only specifying one lnd macaroon

Fixes #196 by allowing only one macaroon to be specified in the --lnd.macaroonpath config option.
lightninglabs · Jan 28, 2021 · 0df7102 · 0df7102
1 parent 88baec8
commit 0df7102
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 9 deletions.
diff --git a/config.go b/config.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"path"
 	"path/filepath"
 	"time"
 
@@ -51,6 +52,10 @@ var (
 
 	defaultSelfSignedOrganization = "pool autogenerated cert"
 
+	// defaultLndMacaroon is the default macaroon file we use if the old,
+	// deprecated --lnd.macaroondir config option is used.
+	defaultLndMacaroon = "admin.macaroon"
+
 	// DefaultTLSCertPath is the default full path of the autogenerated TLS
 	// certificate.
 	DefaultTLSCertPath = filepath.Join(
@@ -75,9 +80,20 @@ var (
 )
 
 type LndConfig struct {
-	Host        string `long:"host" description:"lnd instance rpc address"`
-	MacaroonDir string `long:"macaroondir" description:"Path to the directory containing all the required lnd macaroons"`
-	TLSPath     string `long:"tlspath" description:"Path to lnd tls certificate"`
+	Host string `long:"host" description:"lnd instance rpc address"`
+
+	// MacaroonDir is the directory that contains all the macaroon files
+	// required for the remote connection.
+	MacaroonDir string `long:"macaroondir" description:"DEPRECATED: Use macaroonpath."`
+
+	// MacaroonPath is the path to the single macaroon that should be used
+	// instead of needing to specify the macaroon directory that contains
+	// all of lnd's macaroons. The specified macaroon MUST have all
+	// permissions that all the subservers use, otherwise permission errors
+	// will occur.
+	MacaroonPath string `long:"macaroonpath" description:"The full path to the single macaroon to use, either the admin.macaroon or a custom baked one. Cannot be specified at the same time as macaroondir. A custom macaroon must contain ALL permissions required for all subservers to work, otherwise permission errors will occur."`
+
+	TLSPath string `long:"tlspath" description:"Path to lnd tls certificate"`
 }
 
 type Config struct {
@@ -239,6 +255,30 @@ func Validate(cfg *Config) error {
 		return err
 	}
 
+	// Make sure only one of the macaroon options is used.
+	switch {
+	case cfg.Lnd.MacaroonPath != "" && cfg.Lnd.MacaroonDir != "":
+		return fmt.Errorf("use --lnd.macaroonpath only")
+
+	case cfg.Lnd.MacaroonDir != "":
+		// With the new version of lndclient we can only specify a
+		// single macaroon instead of all of them. If the old
+		// macaroondir is used, we use the admin macaroon located in
+		// that directory.
+		cfg.Lnd.MacaroonPath = path.Join(
+			lncfg.CleanAndExpandPath(cfg.Lnd.MacaroonDir),
+			defaultLndMacaroon,
+		)
+
+	case cfg.Lnd.MacaroonPath != "":
+		cfg.Lnd.MacaroonPath = lncfg.CleanAndExpandPath(
+			cfg.Lnd.MacaroonPath,
+		)
+
+	default:
+		return fmt.Errorf("must specify --lnd.macaroonpath")
+	}
+
 	return nil
 }
 

diff --git a/docs/install.md b/docs/install.md
@@ -54,13 +54,13 @@ $ poold &
 $ poold --network=testnet
 ```
 
-In the case that `lnd` is running on a remote node, the `tls.cert` and all `*.macaroon` files from the `lnd` data directory need to be copied to the machine where `poold` is running.
+In the case that `lnd` is running on a remote node, the `tls.cert` and the `admin.macaroon` files from the `lnd` data directory need to be copied to the machine where `poold` is running.
 
 The daemon can then be configured to connect to the remote `lnd` node by using the following command line flags:
 
 ```text
 $ poold --lnd.host=<the_remote_host_IP_address>:10009 \
-        --lnd.macaroondir=/some/directory/with/lnd/data/macaroons \
+        --lnd.macaroonpath=/some/directory/with/lnd/data/macaroons/admin.macaroon \
         --lnd.tlspath=/some/directory/with/lnd/data/tls.cert
 ```
 
@@ -70,7 +70,7 @@ To persist this configuration, these values can also be written to a configurati
 >
 > ```text
 > lnd.host=<the_remote_host_IP_address>:10009
-> lnd.macaroondir=/some/directory/with/lnd/data/macaroons
+> lnd.macaroonpath=/some/directory/with/lnd/data/macaroons/admin.macaroon
 > lnd.tlspath=/some/directory/with/lnd/data/tls.cert
 > ```
 

diff --git a/server.go b/server.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"path"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -127,8 +128,9 @@ func (s *Server) Start() error {
 	// TODO(roasbeef): more granular macaroons, can ask user to make just
 	// what we need
 	s.lndClient, err = lndclient.NewBasicClient(
-		s.cfg.Lnd.Host, s.cfg.Lnd.TLSPath, s.cfg.Lnd.MacaroonDir,
-		s.cfg.Network,
+		s.cfg.Lnd.Host, s.cfg.Lnd.TLSPath,
+		path.Dir(s.cfg.Lnd.MacaroonPath), s.cfg.Network,
+		lndclient.MacFilename(path.Base(s.cfg.Lnd.MacaroonPath)),
 	)
 	if err != nil {
 		return err
@@ -556,7 +558,7 @@ func getLnd(network string, cfg *LndConfig) (*lndclient.GrpcLndServices, error)
 	return lndclient.NewLndServices(&lndclient.LndServicesConfig{
 		LndAddress:            cfg.Host,
 		Network:               lndclient.Network(network),
-		MacaroonDir:           cfg.MacaroonDir,
+		CustomMacaroonPath:    cfg.MacaroonPath,
 		TLSPath:               cfg.TLSPath,
 		CheckVersion:          minimalCompatibleVersion,
 		BlockUntilChainSynced: true,