Merge pull request #398 from ffranr/no-auth-cli-flag

Add CLI flag to skip authentication for stats related RPC endpoints
lightninglabs · Jul 13, 2023 · 2c5c88a · 2c5c88a
2 parents 9c8d7b1 + 1258569
commit 2c5c88a
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 7 deletions.
diff --git a/config.go b/config.go
@@ -43,6 +43,8 @@ type RPCConfig struct {
 
 	MacaroonPath string
 
+	AllowPublicStats bool
+
 	LetsEncryptDir string
 
 	LetsEncryptListen string

diff --git a/perms/perms.go b/perms/perms.go
@@ -182,21 +182,37 @@ var (
 		}},
 	}
 
-	// MacaroonWhitelist defines methods that we don't require macaroons to
-	// access.
+	// defaultMacaroonWhitelist defines a default set of RPC endpoints that
+	// don't require macaroons authentication.
 	//
 	// For now, these are the Universe related read/write methods. We permit
 	// InsertProof as a valid proof requires an on-chain transaction, so we
 	// gain a layer of DoS defense.
-	MacaroonWhitelist = map[string]struct{}{
+	defaultMacaroonWhitelist = map[string]struct{}{
 		"/universerpc.Universe/AssetRoots":      {},
 		"/universerpc.Universe/QueryAssetRoots": {},
-		"/universerpc.Universe/QueryAssetStats": {},
 		"/universerpc.Universe/AssetLeafKeys":   {},
 		"/universerpc.Universe/AssetLeaves":     {},
 		"/universerpc.Universe/QueryProof":      {},
 		"/universerpc.Universe/InsertProof":     {},
 		"/universerpc.Universe/Info":            {},
-		"/universerpc.Universe/UniverseStats":   {},
 	}
 )
+
+// MacaroonWhitelist returns the set of RPC endpoints that don't require
+// macaroon authentication.
+func MacaroonWhitelist(allowPublicStats bool) map[string]struct{} {
+	// Make a copy of the default whitelist.
+	whitelist := make(map[string]struct{})
+	for k, v := range defaultMacaroonWhitelist {
+		whitelist[k] = v
+	}
+
+	// Conditionally add public stats RPC endpoints to the whitelist.
+	if allowPublicStats {
+		whitelist["/universerpc.Universe/QueryAssetStats"] = struct{}{}
+		whitelist["/universerpc.Universe/UniverseStats"] = struct{}{}
+	}
+
+	return whitelist
+}
diff --git a/server.go b/server.go
@@ -221,11 +221,15 @@ func (s *Server) RunUntilShutdown(mainErrChan <-chan error) error {
 
 	serverOpts := s.cfg.GrpcServerOpts
 
+	// Get RPC endpoints which don't require macaroons.
+	macaroonWhitelist := perms.MacaroonWhitelist(
+		s.cfg.RPCConfig.AllowPublicStats,
+	)
+
 	// Create a new RPC interceptor that we'll add to the GRPC server. This
 	// will be used to log the API calls invoked on the GRPC server.
 	interceptorChain := rpcperms.NewInterceptorChain(
-		rpcsLog, s.cfg.RPCConfig.NoMacaroons, nil,
-		perms.MacaroonWhitelist,
+		rpcsLog, s.cfg.RPCConfig.NoMacaroons, nil, macaroonWhitelist,
 	)
 	if err := interceptorChain.Start(); err != nil {
 		return mkErr("error starting interceptor chain: %v", err)

diff --git a/tapcfg/config.go b/tapcfg/config.go
@@ -196,6 +196,8 @@ type RpcConfig struct {
 	MacaroonPath string `long:"macaroonpath" description:"Path to write the admin macaroon for tapd's RPC and REST services if it doesn't exist"`
 	NoMacaroons  bool   `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
 
+	AllowPublicStats bool `long:"allow-public-stats" description:"Disable macaroon authentication for stats RPC endpoints."`
+
 	RestCORS []string `long:"restcors" description:"Add an ip:port/hostname to allow cross origin access from. To allow all origins, set as \"*\"."`
 
 	LetsEncryptDir    string `long:"letsencryptdir" description:"The directory to store Let's Encrypt certificates within"`

diff --git a/tapcfg/server.go b/tapcfg/server.go
@@ -339,6 +339,7 @@ func CreateServerFromConfig(cfg *Config, cfgLogger btclog.Logger,
 		RestCORS:          cfg.RpcConf.RestCORS,
 		NoMacaroons:       cfg.RpcConf.NoMacaroons,
 		MacaroonPath:      cfg.RpcConf.MacaroonPath,
+		AllowPublicStats:  cfg.RpcConf.AllowPublicStats,
 		LetsEncryptDir:    cfg.RpcConf.LetsEncryptDir,
 		LetsEncryptListen: cfg.RpcConf.LetsEncryptListen,
 		LetsEncryptEmail:  cfg.RpcConf.LetsEncryptEmail,