perms: construct RPC macaroon whitelist based on cli flag

lightninglabs · Jul 13, 2023 · 3cb5e0c · 3cb5e0c
1 parent 7b806a3
commit 3cb5e0c
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 7 deletions.
diff --git a/perms/perms.go b/perms/perms.go
@@ -182,21 +182,37 @@ var (
 		}},
 	}
 
-	// MacaroonWhitelist defines methods that we don't require macaroons to
-	// access.
+	// defaultMacaroonWhitelist defines a default set of RPC endpoints that
+	// don't require macaroons authentication.
 	//
 	// For now, these are the Universe related read/write methods. We permit
 	// InsertProof as a valid proof requires an on-chain transaction, so we
 	// gain a layer of DoS defense.
-	MacaroonWhitelist = map[string]struct{}{
+	defaultMacaroonWhitelist = map[string]struct{}{
 		"/universerpc.Universe/AssetRoots":      {},
 		"/universerpc.Universe/QueryAssetRoots": {},
-		"/universerpc.Universe/QueryAssetStats": {},
 		"/universerpc.Universe/AssetLeafKeys":   {},
 		"/universerpc.Universe/AssetLeaves":     {},
 		"/universerpc.Universe/QueryProof":      {},
 		"/universerpc.Universe/InsertProof":     {},
 		"/universerpc.Universe/Info":            {},
-		"/universerpc.Universe/UniverseStats":   {},
 	}
 )
+
+// MacaroonWhitelist returns the set of RPC endpoints that don't require
+// macaroon authentication.
+func MacaroonWhitelist(allowPublicStats bool) map[string]struct{} {
+	// Make a copy of the default whitelist.
+	whitelist := make(map[string]struct{})
+	for k, v := range defaultMacaroonWhitelist {
+		whitelist[k] = v
+	}
+
+	// Conditionally add public stats RPC endpoints to the whitelist.
+	if allowPublicStats {
+		whitelist["/universerpc.Universe/QueryAssetStats"] = struct{}{}
+		whitelist["/universerpc.Universe/UniverseStats"] = struct{}{}
+	}
+
+	return whitelist
+}
diff --git a/server.go b/server.go
@@ -221,11 +221,15 @@ func (s *Server) RunUntilShutdown(mainErrChan <-chan error) error {
 
 	serverOpts := s.cfg.GrpcServerOpts
 
+	// Get RPC endpoints which don't require macaroons.
+	macaroonWhitelist := perms.MacaroonWhitelist(
+		s.cfg.RPCConfig.AllowPublicStats,
+	)
+
 	// Create a new RPC interceptor that we'll add to the GRPC server. This
 	// will be used to log the API calls invoked on the GRPC server.
 	interceptorChain := rpcperms.NewInterceptorChain(
-		rpcsLog, s.cfg.RPCConfig.NoMacaroons, nil,
-		perms.MacaroonWhitelist,
+		rpcsLog, s.cfg.RPCConfig.NoMacaroons, nil, macaroonWhitelist,
 	)
 	if err := interceptorChain.Start(); err != nil {
 		return mkErr("error starting interceptor chain: %v", err)