refac lnd conn

pull/1/head
Edouard Paris 5 years ago
parent c0f4352a84
commit 14d334ea85

@ -1,10 +1,7 @@
package lnd package lnd
import ( import (
"crypto/tls" "io/ioutil"
"crypto/x509"
"encoding/hex"
"fmt"
"net/url" "net/url"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -19,7 +16,7 @@ import (
) )
func newClientConn(c *config.Network) (*grpc.ClientConn, error) { func newClientConn(c *config.Network) (*grpc.ClientConn, error) {
macaroonBytes, err := hex.DecodeString(c.Macaroon) macaroonBytes, err := ioutil.ReadFile(c.Macaroon)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -31,31 +28,16 @@ func newClientConn(c *config.Network) (*grpc.ClientConn, error) {
} }
macConstraints := []macaroons.Constraint{ macConstraints := []macaroons.Constraint{
// We add a time-based constraint to prevent replay of the
// macaroon. It's good for 60 seconds by default to make up for
// any discrepancy between client and server clocks, but leaking
// the macaroon before it becomes invalid makes it possible for
// an attacker to reuse the macaroon. In addition, the validity
// time of the macaroon is extended by the time the server clock
// is behind the client clock, or shortened by the time the
// server clock is ahead of the client clock (or invalid
// altogether if, in the latter case, this time is more than 60
// seconds).
macaroons.TimeoutConstraint(c.MacaroonTimeOut), macaroons.TimeoutConstraint(c.MacaroonTimeOut),
// Lock macaroon down to a specific IP address.
macaroons.IPLockConstraint(c.MacaroonIP), macaroons.IPLockConstraint(c.MacaroonIP),
// ... Add more constraints if needed.
} }
// Apply constraints to the macaroon.
constrainedMac, err := macaroons.AddConstraints(mac, macConstraints...) constrainedMac, err := macaroons.AddConstraints(mac, macConstraints...)
if err != nil { if err != nil {
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
cred, err := newCredentialsFromCert(c.Cert) cred, err := credentials.NewClientTLSFromFile(c.Cert, "")
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -68,8 +50,6 @@ func newClientConn(c *config.Network) (*grpc.ClientConn, error) {
opts := []grpc.DialOption{ opts := []grpc.DialOption{
grpc.WithTransportCredentials(cred), grpc.WithTransportCredentials(cred),
grpc.WithPerRPCCredentials(macaroons.NewMacaroonCredential(constrainedMac)), grpc.WithPerRPCCredentials(macaroons.NewMacaroonCredential(constrainedMac)),
// We need to use a custom dialer so we can also connect to unix sockets
// and not just TCP addresses.
grpc.WithDialer(lncfg.ClientAddressDialer(u.Port())), grpc.WithDialer(lncfg.ClientAddressDialer(u.Port())),
grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(c.MaxMsgRecvSize)), grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(c.MaxMsgRecvSize)),
} }
@ -81,15 +61,3 @@ func newClientConn(c *config.Network) (*grpc.ClientConn, error) {
return conn, nil return conn, nil
} }
func newCredentialsFromCert(cert string) (credentials.TransportCredentials, error) {
b, err := hex.DecodeString(cert)
if err != nil {
return nil, err
}
cp := x509.NewCertPool()
if !cp.AppendCertsFromPEM(b) {
return nil, fmt.Errorf("credentials: failed to append certificates")
}
return credentials.NewTLS(&tls.Config{ServerName: "", RootCAs: cp}), nil
}
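Review bot: The rewrite drops the comment that explained why `macaroons.TimeoutConstraint(c.MacaroonTimeOut)` is applied — a short validity window that tolerates client/server clock skew but leaves a macaroon leaked inside that window replayable — so the constraint list now carries no rationale at all; keep a condensed version, e.g. `// Time-bound the macaroon: a leaked copy is only replayable for c.MacaroonTimeOut seconds, and the window also absorbs client/server clock skew.` Separately, the errors from the new `ioutil.ReadFile(c.Macaroon)` and `credentials.NewClientTLSFromFile(c.Cert, "")` calls are returned bare while the constraint error gets `errors.WithStack`, so a wrong path yields an error with no context; `return nil, errors.Wrapf(err, "reading macaroon %q", c.Macaroon)` (and likewise for the cert) keeps the file's existing `github.com/pkg/errors` style and makes misconfiguration diagnosable. The empty server-name argument appears to leave hostname verification bound to the dialed authority, as the removed `newCredentialsFromCert` with `ServerName: ""` did, so that part looks behaviorally equivalent. `newClientConn` begins before the first hunk and continues between and beyond the hunks shown.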
