[bisq-network/bisq] Enable rpc TLS and macaroon authentication (#4129)

Stan notifications at github.com
Tue Apr 7 14:39:09 UTC 2020


This change adds the simplest macaroon authentication scheme
with no caveats (analogous to ACLs).  A macaroon is created in the
app data dir by BisqSetup, if needed, and all :cli calls include
that hex encoded macaroon to the server for authentication.

To enable TLS, a temporary certificate and pkcs8 key were manually
generated by a bash script in a new temp folder (cert).  The cert &
key are installed in the same temporary folder.  The server depends
on both the cert and key, the client on the cert.

More specific code changes to support tls/auth:

 * Added macaroons dependency to :core and :cli.

 * Build grpc server instance with useTransportSecurity(cert,key).

 * Inject Config into CoreApi so it can pass the appDataDir to
  the grpc AuthenticationInterceptor.

 * Bakes new macaroon in a new MacaroonOven during server startup
  (if not present).

Other changes:

 * Daemon resources folder was moved to the expected location under
   src/main.

 * Added -XX:MaxRAM=4g jvm option to bisq-daemon and bisq-cli startup
   scripts.  This cuts :daemon's resident memory consumption by 4 GB.
   (This option should probably be added to all startup scripts.)



A few comments not included in commit...

In general, I am attempting to imitate the way Lightning Network's lnd project uses macaroons.  For an intro, see 
* original lnd [issue](https://github.com/lightningnetwork/lnd/issues/20) describing the problem and solution
* lnd [INSTALL.md](https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md#macaroons) doc
* [macaroons.md](https://github.com/lightningnetwork/lnd/blob/master/docs/macaroons.md) doc

Some of the next problems to solve are

 * The appDataDir is not available to :cli, as Config is not in the classpath.  There is
   a temporary hack to find the default appDataDir (where the macaroon lives) on
   OSX and Linux, but not Windows.
 
 * The end-user needs to be informed that his TLS certificate and macaroon need 
   to be copied to his :cli host, if different than :daemon host.
   
 * A hard coded macaroon secretKey is passed from BisqSetup to the MacaroonOven
   in maybeCreateMacaroon().   
   
 * Not sure about proper way to create certificate and key for TLS, 
   currently using the bash script in cert folder to generate cert & key
   for development.
   
 * The certificate+key and macaroon need to be created for correct hostname(s), 
   for now only works for 'localhost'.
   
 * GrpcServer has hard coded paths to temporary cert & pkcs8 key:
   ```
   server = ServerBuilder.forPort(port).useTransportSecurity(
       new File("cert/aes256/server.crt"),
       new File("cert/aes256/pkcs8_key.pem"))
   ```

 * Need to find a TLS cert encryption algo "thought" not to be broken
   by the NSA & Co., and choices are limited by what Netty supports.

You can view, comment on, or merge this pull request online at:

  https://github.com/bisq-network/bisq/pull/4129

-- Commit Summary --

  * Enable rpc TLS and macaroon authentication

-- File Changes --

    M build.gradle (8)
    A cert/aes256/generate-aes256.sh (58)
    A cert/aes256/pkcs8_key.pem (52)
    A cert/aes256/server.crt (30)
    A cert/des3/generate-des3.sh (57)
    M cli/src/main/java/bisq/cli/app/BisqCliMain.java (71)
    M cli/src/main/java/bisq/cli/app/CliCommand.java (10)
    A cli/src/main/java/bisq/cli/app/MacaroonCallCredential.java (41)
    M core/src/main/java/bisq/core/app/BisqSetup.java (14)
    A core/src/main/java/bisq/core/grpc/AuthenticationInterceptor.java (90)
    M core/src/main/java/bisq/core/grpc/BisqGrpcServer.java (9)
    M core/src/main/java/bisq/core/grpc/CoreApi.java (10)
    A core/src/main/java/bisq/core/grpc/MacaroonOven.java (57)
    R daemon/src/main/resources/logback.xml (4)

-- Patch Links --

https://github.com/bisq-network/bisq/pull/4129.patch
https://github.com/bisq-network/bisq/pull/4129.diff
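
The caveat-free scheme and the hard-coded secretKey item from the message above, sketched as an added example that is not code from the pull request: a token is an identifier plus an HMAC-SHA256 under the server's root key, hex-encoded for the client to send, and the root key is generated per data directory instead of compiled in. The function names, token layout, `root.key` file name and identifier are assumptions and do not reproduce the wire format of the macaroons library the PR depends on.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

SIG_LEN = 32  # HMAC-SHA256 output size in bytes

def load_or_create_root_key(path):
    """Per-install root key: 32 random bytes, written once with mode 0600."""
    try:
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "wb") as f:
            key = secrets.token_bytes(32)
            f.write(key)
            return key
    except FileExistsError:
        with open(path, "rb") as f:
            return f.read()

def bake(root_key, identifier):
    """Caveat-free token: hex(identifier || HMAC-SHA256(root_key, identifier))."""
    sig = hmac.new(root_key, identifier, hashlib.sha256).digest()
    return (identifier + sig).hex()

def verify(root_key, token_hex):
    """Server side: recompute the signature and compare in constant time."""
    try:
        raw = bytes.fromhex(token_hex)
    except (TypeError, ValueError):
        return False
    if len(raw) <= SIG_LEN:
        return False
    identifier, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(root_key, identifier, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def demo():
    ident = b"bisq-daemon"  # constructed identifier
    shared = b"constructed-hard-coded-secret"  # stands in for a key compiled into every build
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        key_a = load_or_create_root_key(os.path.join(a, "root.key"))
        key_b = load_or_create_root_key(os.path.join(b, "root.key"))
        reloaded = load_or_create_root_key(os.path.join(a, "root.key")) == key_a
    token = bake(key_a, ident)
    return {
        "own_install": verify(key_a, token),    # token checks out where it was baked
        "other_install": verify(key_b, token),  # rejected: root keys differ per install
        "key_survives_restart": reloaded,       # existing key is reused, not regenerated
        "shared_constant": verify(shared, bake(shared, ident)),  # valid on every install
    }
```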
