balanceofsatoshis 11.2.1 → 11.3.0

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Versions
 
+## Version 11.3.0
+
+- `credentials`: Allow specifying specific methods to allow in a credential
+
 ## Version 11.2.1
 
 - Improve support for LND v0.13.3

package/bos

@@ -420,6 +420,7 @@ prog
   .help('Output encrypted remote access credentials. Use with "nodes --add"')
   .option('--cleartext', 'Output remote access credentials without encryption')
   .option('--days <days>', 'Expiration days for credentials', INT, 365)
+  .option('--method <method_name>', 'White-list specific method', REPEATABLE)
   .option('--node <node_name>', 'Get credentials for a saved node')
   .option('--nospend', 'Credentials do not include spending privileges')
   .option('--readonly', 'Credentials only include read permissions')
@@ -432,6 +433,7 @@ prog
         is_cleartext: options.cleartext,
         is_nospend: options.nospend,
         is_readonly: options.readonly,
+        methods: flatten([options.method].filter(n => !!n)),
         node: options.node,
       },
       responses.returnObject({logger, reject, resolve}));

package/lnd/credential_restrictions.js

@@ -0,0 +1,41 @@
+const {noSpendPerms} = require('./constants');
+const {permissionEntities} = require('./constants');
+
+const readPerms = permissionEntities.map(entity => `${entity}:read`);
+
+/** Derive restrictions for macaroon
+
+  {
+    [is_nospend]: <Restrict Credentials To Non-Spending Permissions Bool>
+    [is_readonly]: <Restrict Credentials To Read-Only Permissions Bool>
+    [methods]: [<Allow Specific Method String>]
+  }
+
+  @returns
+  {
+    [allow]: {
+      methods: [<Allow Specific Method String>]
+      permissions: [<Entity:Action String>]
+    }
+  }
+*/
+module.exports = args => {
+  const methods = args.methods || [];
+
+  // Exit early when specific credentials are not requested
+  if (!args.is_readonly && !args.is_nospend && !methods.length) {
+    return {};
+  }
+
+  const permissions = [];
+
+  if (!!args.is_readonly) {
+    readPerms.forEach(n => permissions.push(n));
+  }
+
+  if (!!args.is_nospend) {
+    noSpendPerms.forEach(n => permissions.push(n));
+  }
+
+  return {allow: {methods, permissions}};
+};

package/lnd/get_credentials.js

@@ -16,6 +16,7 @@ const {pemAsDer} = require('./../encryption');
     is_nospend: <Restrict Credentials To Non-Spending Permissions Bool>
     is_readonly: <Restrict Credentials To Read-Only Permissions Bool>
     logger: <Winston Logger Object> ({info}) => ()
+    [methods]: [<Allow Specific Method String>]
     [node]: <Node Name String>
   }
 
@@ -81,6 +82,7 @@ module.exports = (args, cbk) => {
           is_nospend: args.is_nospend,
           is_readonly: args.is_readonly,
           logger: args.logger,
+          methods: args.methods,
           node: args.node,
         },
         cbk);

package/lnd/lnd_credentials.js

@@ -12,6 +12,7 @@ const {grantAccess} = require('ln-service');
 const {restrictMacaroon} = require('ln-service');
 const {returnResult} = require('asyncjs-util');
 
+const credentialRestrictions = require('./credential_restrictions');
 const {decryptCiphertext} = require('./../encryption');
 const {derAsPem} = require('./../encryption');
 const getCert = require('./get_cert');
@@ -38,6 +39,7 @@ const socket = 'localhost:10009';
     [is_readonly]: <Restrict Credentials To Read-Only Permissions Bool>
     [key]: <Encrypt to Public Key DER Hex String>
     [logger]: <Winston Logger Object>
+    [methods]: [<Allow Specific Method String>]
     [node]: <Node Name String> // Defaults to default local mainnet node creds
   }
 
@@ -199,8 +201,14 @@ module.exports = (args, cbk) => {
         'macaroon',
         ({credentials, macaroon}, cbk) =>
       {
+        const {allow} = credentialRestrictions({
+          is_nospend: args.is_nospend,
+          is_readonly: args.is_readonly,
+          methods: args.methods,
+        });
+
         // Exit early when readonly credentials are not requested
-        if (!args.is_readonly && !args.is_nospend) {
+        if (!allow) {
           return cbk(null, {macaroon});
         }
 
@@ -210,9 +218,12 @@ module.exports = (args, cbk) => {
           socket: credentials.socket,
         });
 
-        const permissions = !!args.is_readonly ? readPerms : noSpendPerms;
-
-        return grantAccess({lnd, permissions}, cbk);
+        return grantAccess({
+          lnd,
+          methods: allow.methods,
+          permissions: allow.permissions,
+        },
+        cbk);
       }],
 
       // Final credentials with encryption applied

package/package.json

@@ -35,7 +35,7 @@
     "inquirer": "8.1.5",
     "invoices": "2.0.0",
     "ln-accounting": "5.0.3",
-    "ln-service": "52.10.1",
+    "ln-service": "52.10.2",
     "ln-sync": "2.0.2",
     "ln-telegram": "3.3.0",
     "moment": "2.29.1",
@@ -80,5 +80,5 @@
     "postpublish": "docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 -t alexbosworth/balanceofsatoshis --push .",
     "test": "tap --branches=1 --functions=1 --lines=1 --statements=1 -t 60 test/arrays/*.js test/balances/*.js test/chain/*.js test/display/*.js test/encryption/*.js test/fiat/*.js test/lnd/*.js test/network/*.js test/nodes/*.js test/peers/*.js test/responses/*.js test/routing/*.js test/services/*.js test/swaps/*.js test/tags/*.js test/wallets/*.js"
   },
-  "version": "11.2.1"
+  "version": "11.3.0"
 }

package/test/lnd/test_credential_restrictions.js

@@ -0,0 +1,74 @@
+const {test} = require('@alexbosworth/tap');
+
+const method = require('./../../lnd/credential_restrictions');
+
+const tests = [
+  {
+    args: {},
+    description: 'No restrictions results in no allow elements',
+    expected: {},
+  },
+  {
+    args: {is_nospend: true},
+    description: 'No spend results in nospend permissions',
+    expected: {
+      allow: {
+        methods: [],
+        permissions: [
+          'address:read',
+          'address:write',
+          'info:read',
+          'info:write',
+          'invoices:read',
+          'invoices:write',
+          'macaroon:read',
+          'message:read',
+          'offchain:read',
+          'onchain:read',
+          'peers:read',
+          'peers:write',
+          'signer:read',
+        ],
+      },
+    },
+  },
+  {
+    args: {is_readonly: true},
+    description: 'Readonly results in read permissions',
+    expected: {
+      allow: {
+        methods: [],
+        permissions: [
+          'address:read',
+          'info:read',
+          'invoices:read',
+          'macaroon:read',
+          'message:read',
+          'offchain:read',
+          'onchain:read',
+          'peers:read',
+          'signer:read',
+        ],
+      },
+    },
+  },
+  {
+    args: {methods: ['getWalletInfo']},
+    description: 'Readonly results in read permissions',
+    expected: {allow: {methods: ['getWalletInfo'], permissions: []}},
+  },
+];
+
+tests.forEach(({args, description, error, expected}) => {
+  return test(description, async ({end, strictSame, throws}) => {
+    if (!!error) {
+      throws(() => method(args), new Error(error), 'Got expected error');
+    } else {
+      const res = method(args);
+
+      strictSame(res, expected, 'Got expected result');
+    }
+
+    return end();
+  });
+});