[bisq-network/bisq] Enable rpc TLS and macaroon authentication (#4129)
notifications at github.com
Tue Apr 7 14:39:09 UTC 2020
This change adds the simplest macaroon authentication scheme
with no caveats (analog to ACLs). A macaroon is created in the
app data dir by BisqSetup, if needed, and all :cli calls include
that hex encoded macaroon to the server for authentication.
To enable TLS, a temporary certificate and pkcs8 key were manually
generated by a bash script in new temp folder (cert). The cert &
key are installed in the same temporary folder. The server depends
on both the cert and key, the client on the cert.
More specific code changes to support tls/auth:
* Added macaroons dependency to :core and :cli.
* Build grpc server instance with useTransportSecurity(cert,key).
* Inject Config into CoreApi so it can pass the appDataDir to
the grpc AuthenticationInterceptor.
* Bakes new macaroon in a new MacaroonOven during server startup
(if not present).
* Daemon resources folder was moved to the expected location under
* Added -XX:MaxRAM=4g jvm option to bisq-daemon and bisq-cli startup
scripts. This cuts :daemon's resident memory consumption by 4 GB.
(This option should probably be added to all startup scripts.)
A few comments not included in commit...
In general, I am attempting to imitate the way Lightning Network's lnd project uses macaroons. For an intro, see
* original ldn [issue](https://github.com/lightningnetwork/lnd/issues/20) describing the problem and solution
* lnd [INSTALL.md](https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md#macaroons) doc
* [macaroons.md](https://github.com/lightningnetwork/lnd/blob/master/docs/macaroons.md) doc
Some of the next problems to solve are
* The appDataDir is not available to :cli, as Config is not in the classpath. There is
a temporary hack to find the default appDataDir (where the macaroon lives) on
OSX and Linux, but not Windows.
* The end-user needs to be informed that his TLS certificate and macaroon need
to be copied to his :cli host, if different than :daemon host.
* A hard coded macaroon secretKey is passed from BisqSetup to the MacaroonOven
* Not sure about proper way to create certificate and key for TLS,
currently using the bash script in cert folder to generate cert & key
* The certificate+key and macaroon need to be created for correct hostname(s),
for now only works for 'localhost'.
* GrpcServer has hard coded paths to temporary cert & pkcs8 key:
server = ServerBuilder.forPort(port).useTransportSecurity(
* Need to find a TLS cert encryption algo "thought" not to be broken
by the NSA & Co., and choices are limited by what Netty supports.
You can view, comment on, or merge this pull request online at:
-- Commit Summary --
* Enable rpc TLS and macaroon authentication
-- File Changes --
M build.gradle (8)
A cert/aes256/generate-aes256.sh (58)
A cert/aes256/pkcs8_key.pem (52)
A cert/aes256/server.crt (30)
A cert/des3/generate-des3.sh (57)
M cli/src/main/java/bisq/cli/app/BisqCliMain.java (71)
M cli/src/main/java/bisq/cli/app/CliCommand.java (10)
A cli/src/main/java/bisq/cli/app/MacaroonCallCredential.java (41)
M core/src/main/java/bisq/core/app/BisqSetup.java (14)
A core/src/main/java/bisq/core/grpc/AuthenticationInterceptor.java (90)
M core/src/main/java/bisq/core/grpc/BisqGrpcServer.java (9)
M core/src/main/java/bisq/core/grpc/CoreApi.java (10)
A core/src/main/java/bisq/core/grpc/MacaroonOven.java (57)
R daemon/src/main/resources/logback.xml (4)
-- Patch Links --
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bisq-github