<p>This change adds the simplest macaroon authentication scheme<br>
with no caveats (analog to ACLs).  A macaroon is created in the<br>
app data dir by BisqSetup, if needed, and all :cli calls include<br>
that hex encoded macaroon to the server for authentication.</p>
<p>To enable TLS, a temporary certificate and pkcs8 key were manually<br>
generated by a bash script in new temp folder (cert).  The cert &<br>
key are installed in the same temporary folder.  The server depends<br>
on both the cert and key, the client on the cert.</p>
<p>More specific code changes to support tls/auth:</p>
<ul>
<li>
<p>Added macaroons dependency to :core and :cli.</p>
</li>
<li>
<p>Build grpc server instance with useTransportSecurity(cert,key).</p>
</li>
<li>
<p>Inject Config into CoreApi so it can pass the appDataDir to<br>
the grpc AuthenticationInterceptor.</p>
</li>
<li>
<p>Bakes new macaroon in a new MacaroonOven during server startup<br>
(if not present).</p>
</li>
</ul>
<p>Other changes:</p>
<ul>
<li>
<p>Daemon resources folder was moved to the expected location under<br>
src/main.</p>
</li>
<li>
<p>Added -XX:MaxRAM=4g jvm option to bisq-daemon and bisq-cli startup<br>
scripts.  This cuts :daemon's resident memory consumption by 4 GB.<br>
(This option should probably be added to all startup scripts.)</p>
</li>
</ul>
<p>A few comments not included in commit...</p>
<p>In general, I am attempting to imitate the way Lightning Network's lnd project uses macaroons.  For an intro, see</p>
<ul>
<li>original ldn <a href="https://github.com/lightningnetwork/lnd/issues/20" data-hovercard-type="issue" data-hovercard-url="/lightningnetwork/lnd/issues/20/hovercard">issue</a>  describing the problem and solution</li>
<li>lnd <a href="https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md#macaroons">INSTALL.md</a> doc</li>
<li><a href="https://github.com/lightningnetwork/lnd/blob/master/docs/macaroons.md">macaroons.md</a> doc</li>
</ul>
<p>Some of the next problems to solve are</p>
<ul>
<li>
<p>The appDataDir is not available to :cli, as Config is not in the classpath.  There is<br>
a temporary hack to find the default appDataDir (where the macaroon lives) on<br>
OSX and Linux, but not Windows.</p>
</li>
<li>
<p>The end-user needs to be informed that his TLS certificate and macaroon need<br>
to be copied to his :cli host, if different than :daemon host.</p>
</li>
<li>
<p>A hard coded macaroon secretKey is passed from BisqSetup to the MacaroonOven<br>
in maybeCreateMacaroon().</p>
</li>
<li>
<p>Not sure about proper way to create certificate and key for TLS,<br>
currently using the bash script in cert folder to generate cert & key<br>
for development.</p>
</li>
<li>
<p>The certificate+key and macaroon need to be created for correct hostname(s),<br>
for now only works for 'localhost'.</p>
</li>
<li>
<p>GrpcServer has hard coded paths to temporary cert & pkcs8 key:</p>
<pre><code>server = ServerBuilder.forPort(port).useTransportSecurity(
    new File("cert/aes256/server.crt"),
        new File("cert/aes256/pkcs8_key.pem"))

</code></pre>
</li>
<li>
<p>Need to find a TLS cert encryption algo "thought" not to be broken<br>
by the NSA & Co., and choices are limited by what Netty supports.</p>
</li>
</ul>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>  <a href='https://github.com/bisq-network/bisq/pull/4129'>https://github.com/bisq-network/bisq/pull/4129</a></p>

<h4>Commit Summary</h4>
<ul>
  <li>Enable rpc TLS and macaroon authentication</li>
</ul>

<h4>File Changes</h4>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-c197962302397baf3a4cc36463dce5ea">build.gradle</a>
    (8)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-2215ad0fa8427cd4db0aaf5b29eccb2e">cert/aes256/generate-aes256.sh</a>
    (58)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-0dc77bf45ce7821696342ad38e9ea94e">cert/aes256/pkcs8_key.pem</a>
    (52)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-2cb71cf836041825945fd871c6f3aa0d">cert/aes256/server.crt</a>
    (30)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-e2901dc0f8905111bcfbb0b5cac2a4ac">cert/des3/generate-des3.sh</a>
    (57)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-a8578edbbfb64f313f4df527913010c8">cli/src/main/java/bisq/cli/app/BisqCliMain.java</a>
    (71)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-d9177b9a1771e1dea288527a141be530">cli/src/main/java/bisq/cli/app/CliCommand.java</a>
    (10)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-95cb55946e172f53c9259a0369af7e92">cli/src/main/java/bisq/cli/app/MacaroonCallCredential.java</a>
    (41)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-e5c845c57dc70b70babcf8032d5b0e32">core/src/main/java/bisq/core/app/BisqSetup.java</a>
    (14)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-b47329ea1e26f18da37b44f1777b8c99">core/src/main/java/bisq/core/grpc/AuthenticationInterceptor.java</a>
    (90)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-1e668cbee2d15f677b1eef37b71ba74f">core/src/main/java/bisq/core/grpc/BisqGrpcServer.java</a>
    (9)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-6fd3a1bb17b4e9d1355ef9a5afc364e9">core/src/main/java/bisq/core/grpc/CoreApi.java</a>
    (10)
  </li>
  <li>
    <strong>A</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-7c168bf659f57f3e73841f48e5e2c7f0">core/src/main/java/bisq/core/grpc/MacaroonOven.java</a>
    (57)
  </li>
  <li>
    <strong>R</strong>
    <a href="https://github.com/bisq-network/bisq/pull/4129/files#diff-02df959c4a3b8bca0e324fc4430dfb94">daemon/src/main/resources/logback.xml</a>
    (4)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/bisq-network/bisq/pull/4129.patch'>https://github.com/bisq-network/bisq/pull/4129.patch</a></li>
  <li><a href='https://github.com/bisq-network/bisq/pull/4129.diff'>https://github.com/bisq-network/bisq/pull/4129.diff</a></li>
</ul>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/bisq-network/bisq/pull/4129">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AJFFTNSY3JWU5XTDSOYDBKLRLM3I3ANCNFSM4MDFMG7A">unsubscribe</a>.<img src="https://github.com/notifications/beacon/AJFFTNT4PZLPNR6YVLWLUHTRLM3I3A5CNFSM4MDFMG7KYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4I4FADNQ.gif" height="1" width="1" alt="" /></p>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/bisq-network/bisq/pull/4129",
"url": "https://github.com/bisq-network/bisq/pull/4129",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>