From bfb7e869fb20c06ee52caadd1f19db292fa9a3c6 Mon Sep 17 00:00:00 2001 From: Anthony Ronning Date: Fri, 2 Oct 2020 20:11:59 -0500 Subject: [PATCH 1/3] services+aperture: export StaticServiceLimiter --- aperture.go | 2 +- services.go | 30 +++++++++++++++--------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/aperture.go b/aperture.go index 2463eb5..605a84b 100644 --- a/aperture.go +++ b/aperture.go @@ -452,7 +452,7 @@ func createProxy(cfg *config, challenger *LndChallenger, minter := mint.New(&mint.Config{ Challenger: challenger, Secrets: newSecretStore(etcdClient), - ServiceLimiter: newStaticServiceLimiter(cfg.Services), + ServiceLimiter: NewStaticServiceLimiter(cfg.Services), }) authenticator := auth.NewLsatAuthenticator(minter, challenger) return proxy.New( diff --git a/services.go b/services.go index 0f5a51d..7701b06 100644 --- a/services.go +++ b/services.go @@ -8,21 +8,21 @@ import ( "github.com/lightninglabs/aperture/proxy" ) -// staticServiceLimiter provides static restrictions for services. +// StaticServiceLimiter provides static restrictions for services. // // TODO(wilmer): use etcd instead. -type staticServiceLimiter struct { - capabilities map[lsat.Service]lsat.Caveat - constraints map[lsat.Service][]lsat.Caveat +type StaticServiceLimiter struct { + Capabilities map[lsat.Service]lsat.Caveat + Constraints map[lsat.Service][]lsat.Caveat } -// A compile-time constraint to ensure staticServiceLimiter implements +// A compile-time constraint to ensure StaticServiceLimiter implements // mint.ServiceLimiter. -var _ mint.ServiceLimiter = (*staticServiceLimiter)(nil) +var _ mint.ServiceLimiter = (*StaticServiceLimiter)(nil) -// newStaticServiceLimiter instantiates a new static service limiter backed by +// NewStaticServiceLimiter instantiates a new static service limiter backed by // the given restrictions. -func newStaticServiceLimiter(proxyServices []*proxy.Service) *staticServiceLimiter { +func NewStaticServiceLimiter(proxyServices []*proxy.Service) *StaticServiceLimiter { capabilities := make(map[lsat.Service]lsat.Caveat) constraints := make(map[lsat.Service][]lsat.Caveat) @@ -41,20 +41,20 @@ func newStaticServiceLimiter(proxyServices []*proxy.Service) *staticServiceLimit } } - return &staticServiceLimiter{ - capabilities: capabilities, - constraints: constraints, + return &StaticServiceLimiter{ + Capabilities: capabilities, + Constraints: constraints, } } // ServiceCapabilities returns the capabilities caveats for each service. This // determines which capabilities of each service can be accessed. -func (l *staticServiceLimiter) ServiceCapabilities(ctx context.Context, +func (l *StaticServiceLimiter) ServiceCapabilities(ctx context.Context, services ...lsat.Service) ([]lsat.Caveat, error) { res := make([]lsat.Caveat, 0, len(services)) for _, service := range services { - capabilities, ok := l.capabilities[service] + capabilities, ok := l.Capabilities[service] if !ok { continue } @@ -66,12 +66,12 @@ func (l *staticServiceLimiter) ServiceCapabilities(ctx context.Context, // ServiceConstraints returns the constraints for each service. This enforces // additional constraints on a particular service/service capability. -func (l *staticServiceLimiter) ServiceConstraints(ctx context.Context, +func (l *StaticServiceLimiter) ServiceConstraints(ctx context.Context, services ...lsat.Service) ([]lsat.Caveat, error) { res := make([]lsat.Caveat, 0, len(services)) for _, service := range services { - constraints, ok := l.constraints[service] + constraints, ok := l.Constraints[service] if !ok { continue } From 5ea5555049db727af91bab8243961d36d294af46 Mon Sep 17 00:00:00 2001 From: Anthony Ronning Date: Fri, 2 Oct 2020 20:19:29 -0500 Subject: [PATCH 2/3] challenger: export Client & GenInvoiceReq --- challenger.go | 16 ++++++++-------- challenger_test.go | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/challenger.go b/challenger.go index f35a6ad..7cc5eba 100644 --- a/challenger.go +++ b/challenger.go @@ -41,8 +41,8 @@ type InvoiceClient interface { // LndChallenger is a challenger that uses an lnd backend to create new LSAT // payment challenges. type LndChallenger struct { - client InvoiceClient - genInvoiceReq InvoiceRequestGenerator + Client InvoiceClient + GenInvoiceReq InvoiceRequestGenerator invoiceStates map[lntypes.Hash]lnrpc.Invoice_InvoiceState invoicesMtx *sync.Mutex @@ -85,8 +85,8 @@ func NewLndChallenger(cfg *authConfig, genInvoiceReq InvoiceRequestGenerator, invoicesMtx := &sync.Mutex{} return &LndChallenger{ - client: client, - genInvoiceReq: genInvoiceReq, + Client: client, + GenInvoiceReq: genInvoiceReq, invoiceStates: make(map[lntypes.Hash]lnrpc.Invoice_InvoiceState), invoicesMtx: invoicesMtx, invoicesCond: sync.NewCond(invoicesMtx), @@ -111,7 +111,7 @@ func (l *LndChallenger) Start() error { // cache. We need to keep track of all invoices, even quite old ones to // make sure tokens are valid. But to save space we only keep track of // an invoice's state. - invoiceResp, err := l.client.ListInvoices( + invoiceResp, err := l.Client.ListInvoices( context.Background(), &lnrpc.ListInvoiceRequest{ NumMaxInvoices: math.MaxUint64, }, @@ -148,7 +148,7 @@ func (l *LndChallenger) Start() error { ctxc, cancel := context.WithCancel(context.Background()) l.invoicesCancel = cancel - subscriptionResp, err := l.client.SubscribeInvoices( + subscriptionResp, err := l.Client.SubscribeInvoices( ctxc, &lnrpc.InvoiceSubscription{ AddIndex: addIndex, SettleIndex: settleIndex, @@ -264,13 +264,13 @@ func (l *LndChallenger) Stop() { func (l *LndChallenger) NewChallenge(price int64) (string, lntypes.Hash, error) { // Obtain a new invoice from lnd first. We need to know the payment hash // so we can add it as a caveat to the macaroon. - invoice, err := l.genInvoiceReq(price) + invoice, err := l.GenInvoiceReq(price) if err != nil { log.Errorf("Error generating invoice request: %v", err) return "", lntypes.ZeroHash, err } ctx := context.Background() - response, err := l.client.AddInvoice(ctx, invoice) + response, err := l.Client.AddInvoice(ctx, invoice) if err != nil { log.Errorf("Error adding invoice: %v", err) return "", lntypes.ZeroHash, err diff --git a/challenger_test.go b/challenger_test.go index f0bf7e0..b07b024 100644 --- a/challenger_test.go +++ b/challenger_test.go @@ -101,8 +101,8 @@ func newChallenger() (*LndChallenger, *mockInvoiceClient, chan error) { invoicesMtx := &sync.Mutex{} mainErrChan := make(chan error) return &LndChallenger{ - client: mockClient, - genInvoiceReq: genInvoiceReq, + Client: mockClient, + GenInvoiceReq: genInvoiceReq, invoiceStates: make(map[lntypes.Hash]lnrpc.Invoice_InvoiceState), quit: make(chan struct{}), invoicesMtx: invoicesMtx, From d8cf01593edae67869eac891a3aabbc4b937c887 Mon Sep 17 00:00:00 2001 From: Anthony Ronning Date: Fri, 2 Oct 2020 20:22:58 -0500 Subject: [PATCH 3/3] challenger+aperture: optional InvoiceStatusFunc --- aperture.go | 2 +- challenger.go | 31 +++++++++++++++++++++++++------ challenger_test.go | 9 ++++++--- 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/aperture.go b/aperture.go index 605a84b..6878ea7 100644 --- a/aperture.go +++ b/aperture.go @@ -112,7 +112,7 @@ func run() error { } errChan := make(chan error) challenger, err := NewLndChallenger( - cfg.Authenticator, genInvoiceReq, errChan, + cfg.Authenticator, genInvoiceReq, nil, errChan, ) if err != nil { return err diff --git a/challenger.go b/challenger.go index 7cc5eba..9c4ecd6 100644 --- a/challenger.go +++ b/challenger.go @@ -21,6 +21,9 @@ import ( // lnrpc.AddInvoice call. type InvoiceRequestGenerator func(price int64) (*lnrpc.Invoice, error) +type VerifyInvoiceStatusFunc func(hash lntypes.Hash, + state lnrpc.Invoice_InvoiceState, timeout time.Duration) error + // InvoiceClient is an interface that only implements part of a full lnd client, // namely the part around the invoices we need for the challenger to work. type InvoiceClient interface { @@ -43,6 +46,7 @@ type InvoiceClient interface { type LndChallenger struct { Client InvoiceClient GenInvoiceReq InvoiceRequestGenerator + VerifyInvoiceStatusFunc VerifyInvoiceStatusFunc invoiceStates map[lntypes.Hash]lnrpc.Invoice_InvoiceState invoicesMtx *sync.Mutex @@ -69,7 +73,7 @@ const ( // NewLndChallenger creates a new challenger that uses the given connection // details to connect to an lnd backend to create payment challenges. func NewLndChallenger(cfg *authConfig, genInvoiceReq InvoiceRequestGenerator, - errChan chan<- error) (*LndChallenger, error) { + verifyInvoiceStatus VerifyInvoiceStatusFunc, errChan chan<- error) (*LndChallenger, error) { if genInvoiceReq == nil { return nil, fmt.Errorf("genInvoiceReq cannot be nil") @@ -84,7 +88,7 @@ func NewLndChallenger(cfg *authConfig, genInvoiceReq InvoiceRequestGenerator, } invoicesMtx := &sync.Mutex{} - return &LndChallenger{ + c := &LndChallenger{ Client: client, GenInvoiceReq: genInvoiceReq, invoiceStates: make(map[lntypes.Hash]lnrpc.Invoice_InvoiceState), @@ -92,7 +96,12 @@ func NewLndChallenger(cfg *authConfig, genInvoiceReq InvoiceRequestGenerator, invoicesCond: sync.NewCond(invoicesMtx), quit: make(chan struct{}), errChan: errChan, - }, nil + } + if verifyInvoiceStatus == nil { + c.VerifyInvoiceStatusFunc = c.DefaultVerifyInvoiceStatus + } + + return c, nil } // Start starts the challenger's main work which is to keep track of all @@ -285,14 +294,24 @@ func (l *LndChallenger) NewChallenge(price int64) (string, lntypes.Hash, error) } // VerifyInvoiceStatus checks that an invoice identified by a payment -// hash has the desired status. To make sure we don't fail while the -// invoice update is still on its way, we try several times until either -// the desired status is set or the given timeout is reached. +// hash has the desired status. An optional invoice checker which could +// be customized by implementer or using the default implementation +// `DefaultVerifyInvoiceStatus`. // // NOTE: This is part of the auth.InvoiceChecker interface. func (l *LndChallenger) VerifyInvoiceStatus(hash lntypes.Hash, state lnrpc.Invoice_InvoiceState, timeout time.Duration) error { + return l.VerifyInvoiceStatusFunc(hash, state, timeout) +} + +// DefaultVerifyInvoiceStatus checks that an invoice identified by a payment +// hash has the desired status. To make sure we don't fail while the +// invoice update is still on its way, we try several times until either +// the desired status is set or the given timeout is reached. +func (l *LndChallenger) DefaultVerifyInvoiceStatus(hash lntypes.Hash, + state lnrpc.Invoice_InvoiceState, timeout time.Duration) error { + // Prevent the challenger to be shut down while we're still waiting for // status updates. l.wg.Add(1) diff --git a/challenger_test.go b/challenger_test.go index b07b024..49ee57f 100644 --- a/challenger_test.go +++ b/challenger_test.go @@ -100,7 +100,7 @@ func newChallenger() (*LndChallenger, *mockInvoiceClient, chan error) { } invoicesMtx := &sync.Mutex{} mainErrChan := make(chan error) - return &LndChallenger{ + c := &LndChallenger{ Client: mockClient, GenInvoiceReq: genInvoiceReq, invoiceStates: make(map[lntypes.Hash]lnrpc.Invoice_InvoiceState), @@ -108,7 +108,10 @@ func newChallenger() (*LndChallenger, *mockInvoiceClient, chan error) { invoicesMtx: invoicesMtx, invoicesCond: sync.NewCond(invoicesMtx), errChan: mainErrChan, - }, mockClient, mainErrChan + } + c.VerifyInvoiceStatusFunc = c.DefaultVerifyInvoiceStatus + + return c, mockClient, mainErrChan } func newInvoice(hash lntypes.Hash, addIndex uint64, @@ -130,7 +133,7 @@ func TestLndChallenger(t *testing.T) { // First of all, test that the NewLndChallenger doesn't allow a nil // invoice generator function. errChan := make(chan error) - _, err := NewLndChallenger(nil, nil, errChan) + _, err := NewLndChallenger(nil, nil, nil, errChan) require.Error(t, err) // Now mock the lnd backend and create a challenger instance that we can