Replying to tanakei

・I checked how a macaroon baked in ThunderHub looks under lncli printmacaroon.

ThunderHub macaroon permissions

```
---------------------------------------------------------------
get invoices            invoices:read
create invoices         invoices:write
get payments            offchain:read
pay invoices            offchain:write
get chain transactions  onchain:read
send to chain address   onchain:write
create chain address    address:write
get wallet info         info:read
stop daemon             info:write
```

According to this result, without the offchain:write and onchain:write permissions, a client using that macaroon cannot send BTC on its own.

Without info:write, it cannot stop LND on its own either.

・I looked up the permissions of the macaroons lnd creates by default, using lncli printmacaroon.

admin.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "address:read",
        "address:write",
        "info:read",
        "info:write",
        "invoices:read",
        "invoices:write",
        "macaroon:generate",
        "macaroon:read",
        "macaroon:write",
        "message:read",
        "message:write",
        "offchain:read",
        "offchain:write",
        "onchain:read",
        "onchain:write",
        "peers:read",
        "peers:write",
        "signer:generate",
        "signer:read"
    ],
    "caveats": null
}
```

chainnotifier.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "onchain:read"
    ],
    "caveats": null
}
```

invoice.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "address:read",
        "address:write",
        "invoices:read",
        "invoices:write",
        "onchain:read"
    ],
    "caveats": null
}
```

invoices.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "invoices:read",
        "invoices:write"
    ],
    "caveats": null
}
```

readonly.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "address:read",
        "info:read",
        "invoices:read",
        "macaroon:read",
        "message:read",
        "offchain:read",
        "onchain:read",
        "peers:read",
        "signer:read"
    ],
    "caveats": null
}
```

router.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "offchain:read",
        "offchain:write"
    ],
    "caveats": null
}
```

signer.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "signer:generate",
        "signer:read"
    ],
    "caveats": null
}
```

walletkit.macaroon

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "address:read",
        "address:write",
        "onchain:read",
        "onchain:write"
    ],
    "caveats": null
}
```

・The lncli listpermissions command lists every RPC method URI together with the macaroon permissions required to call it.

On LND v0.18.5-beta this produces roughly 1344 lines of JSON.

For AddInvoice, it appears you can create an invoice with a macaroon that holds the invoices:write permission.

```
"/lnrpc.Lightning/AddInvoice": {
    "permissions": [
        {
            "entity": "invoices",
            "action": "write"
        }
    ]
},
```

I extracted the entity and action values from lncli listpermissions.

```
"entity": "address",
"entity": "info",
"entity": "invoices",
"entity": "macaroon",
"entity": "message",
"entity": "offchain",
"entity": "onchain",
"entity": "peers",
"entity": "signer",
"action": "generate"
"action": "read"
"action": "write"
```

Combining lncli with jq, the following command, for example, lists the RPCs that require invoices:write.

Besides AddInvoice, invoices:write also appears to be used for creating hold invoices.

```
lncli listpermissions | jq -r '.method_permissions | to_entries[]
| select(.value.permissions[] | select(.entity == "invoices" and .action == "write")) | .key'
```

```
/invoicesrpc.Invoices/AddHoldInvoice
/invoicesrpc.Invoices/CancelInvoice
/invoicesrpc.Invoices/HtlcModifier
/invoicesrpc.Invoices/LookupInvoiceV2
/invoicesrpc.Invoices/SettleInvoice
/lnrpc.Lightning/AddInvoice
```

For invoices:read the list is as follows.

```
/invoicesrpc.Invoices/SubscribeSingleInvoice
/lnrpc.Lightning/ListInvoices
/lnrpc.Lightning/LookupInvoice
/lnrpc.Lightning/SubscribeInvoices
```

Since the main LN feature RPCs seem to require offchain, I extracted those as well.

offchain:write

It appears to cover everything from opening and closing channels to sending payments.

Among the default macaroons, only two hold offchain:write: admin and router. openchannel and closechannel also appear to require the onchain:write permission.

```
/autopilotrpc.Autopilot/ModifyStatus
/autopilotrpc.Autopilot/SetScores
/lnrpc.Lightning/AbandonChannel
/lnrpc.Lightning/BatchOpenChannel
/lnrpc.Lightning/ChannelAcceptor
/lnrpc.Lightning/CloseChannel
/lnrpc.Lightning/DeleteAllPayments
/lnrpc.Lightning/DeletePayment
/lnrpc.Lightning/FundingStateStep
/lnrpc.Lightning/OpenChannel
/lnrpc.Lightning/OpenChannelSync
/lnrpc.Lightning/RestoreChannelBackups
/lnrpc.Lightning/SendCustomMessage
/lnrpc.Lightning/SendPayment
/lnrpc.Lightning/SendPaymentSync
/lnrpc.Lightning/SendToRoute
/lnrpc.Lightning/SendToRouteSync
/lnrpc.Lightning/UpdateChannelPolicy
/routerrpc.Router/HtlcInterceptor
/routerrpc.Router/ResetMissionControl
/routerrpc.Router/SendPayment
/routerrpc.Router/SendPaymentV2
/routerrpc.Router/SendToRoute
/routerrpc.Router/SendToRouteV2
/routerrpc.Router/SetMissionControlConfig
/routerrpc.Router/UpdateChanStatus
/routerrpc.Router/XAddLocalChanAliases
/routerrpc.Router/XDeleteLocalChanAliases
/routerrpc.Router/XImportMissionControl
/wtclientrpc.WatchtowerClient/AddTower
/wtclientrpc.WatchtowerClient/DeactivateTower
/wtclientrpc.WatchtowerClient/RemoveTower
/wtclientrpc.WatchtowerClient/TerminateSession
```

```
"/lnrpc.Lightning/OpenChannel": {
    "permissions": [
        {
            "entity": "onchain",
            "action": "write"
        },
        {
            "entity": "offchain",
            "action": "write"
        }
    ]
},
```

offchain:read

The read side seems to be the permission for checking the state of channels and invoices.

```
/lnrpc.Lightning/ChannelBalance
/lnrpc.Lightning/ClosedChannels
/lnrpc.Lightning/DecodePayReq
/lnrpc.Lightning/ExportAllChannelBackups
/lnrpc.Lightning/ExportChannelBackup
/lnrpc.Lightning/FeeReport
/lnrpc.Lightning/ForwardingHistory
/lnrpc.Lightning/GetDebugInfo
/lnrpc.Lightning/ListAliases
/lnrpc.Lightning/ListChannels
/lnrpc.Lightning/ListPayments
/lnrpc.Lightning/LookupHtlcResolution
/lnrpc.Lightning/PendingChannels
/lnrpc.Lightning/SubscribeChannelBackups
/lnrpc.Lightning/SubscribeChannelEvents
/lnrpc.Lightning/SubscribeCustomMessages
/lnrpc.Lightning/VerifyChanBackup
/routerrpc.Router/BuildRoute
/routerrpc.Router/EstimateRouteFee
/routerrpc.Router/GetMissionControlConfig
/routerrpc.Router/QueryMissionControl
/routerrpc.Router/QueryProbability
/routerrpc.Router/SubscribeHtlcEvents
/routerrpc.Router/TrackPayment
/routerrpc.Router/TrackPaymentV2
/routerrpc.Router/TrackPayments
/wtclientrpc.WatchtowerClient/GetTowerInfo
/wtclientrpc.WatchtowerClient/ListTowers
/wtclientrpc.WatchtowerClient/Policy
/wtclientrpc.WatchtowerClient/Stats
```

・Bonus 1

A command that extracts the entries whose RPC method name contains "open":

```
lncli listpermissions | jq '.method_permissions | to_entries[] | select(.key | test("open"; "i"))'
```

```
{
    "key": "/lnrpc.Lightning/BatchOpenChannel",
    "value": {
        "permissions": [
            {
                "entity": "onchain",
                "action": "write"
            },
            {
                "entity": "offchain",
                "action": "write"
            }
        ]
    }
}
{
    "key": "/lnrpc.Lightning/OpenChannel",
    "value": {
        "permissions": [
            {
                "entity": "onchain",
                "action": "write"
            },
            {
                "entity": "offchain",
                "action": "write"
            }
        ]
    }
}
{
    "key": "/lnrpc.Lightning/OpenChannelSync",
    "value": {
        "permissions": [
            {
                "entity": "onchain",
                "action": "write"
            },
            {
                "entity": "offchain",
                "action": "write"
            }
        ]
    }
}
```

・Bonus 2

A macaroon created in ThunderHub is output as text meant to be copied and pasted; it is not a macaroon file.

The HEX can be turned into a macaroon file with the following command. Paste your HEX in place of HEX, and replace YOURS with a name that is meaningful to you.

```
echo -n "HEX" | xxd -r -p > YOURS.macaroon
```

The permissions of a macaroon created in ThunderHub with "Create Invoices, Get Invoices, Get Wallet Info, Get Payments, Pay Invoices" checked are as follows.

```
{
    "version": 2,
    "location": "lnd",
    "root_key_id": "0",
    "permissions": [
        "info:read",
        "invoices:read",
        "invoices:write",
        "offchain:read",
        "offchain:write"
    ],
    "caveats": null
}
```

It has offchain:write but not onchain:write, so it should not be able to open or close channels.
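The same check done offline, as an added example that is not part of the post: it reproduces the jq filter above in Python and then tests a macaroon's permission list against the listpermissions entries. The method table is a constructed subset of the entries quoted in the post, and `required_perms`, `methods_requiring` and `callable_methods` are names chosen here.

```python
import json

# Constructed subset of `lncli listpermissions` output, limited to entries
# quoted in the post (the real output is ~1344 lines of JSON).
LISTPERMISSIONS_JSON = """
{"method_permissions": {
  "/lnrpc.Lightning/AddInvoice":
    {"permissions": [{"entity": "invoices", "action": "write"}]},
  "/lnrpc.Lightning/ListInvoices":
    {"permissions": [{"entity": "invoices", "action": "read"}]},
  "/lnrpc.Lightning/OpenChannel":
    {"permissions": [{"entity": "onchain", "action": "write"},
                     {"entity": "offchain", "action": "write"}]},
  "/routerrpc.Router/SendPaymentV2":
    {"permissions": [{"entity": "offchain", "action": "write"}]},
  "/lnrpc.Lightning/ChannelBalance":
    {"permissions": [{"entity": "offchain", "action": "read"}]}
}}
"""

# Permission list of the ThunderHub macaroon shown in the post, in the
# "entity:action" form that `lncli printmacaroon` prints.
THUNDERHUB_MACAROON_PERMS = [
    "info:read", "invoices:read", "invoices:write",
    "offchain:read", "offchain:write",
]


def required_perms(listperms_json: str) -> dict[str, frozenset[str]]:
    """Map each RPC URI to the set of "entity:action" strings it requires."""
    data = json.loads(listperms_json)
    return {
        uri: frozenset(f"{p['entity']}:{p['action']}" for p in spec["permissions"])
        for uri, spec in data["method_permissions"].items()
    }


def methods_requiring(listperms_json: str, perm: str) -> list[str]:
    """Same as the jq filter in the post: URIs whose requirements include perm."""
    return sorted(uri for uri, req in required_perms(listperms_json).items() if perm in req)


def callable_methods(listperms_json: str, macaroon_perms: list[str]) -> list[str]:
    """URIs whose whole requirement set is covered by the macaroon.

    lnd demands every listed entity:action pair, so OpenChannel (onchain:write
    AND offchain:write) stays denied to a macaroon holding only offchain:write.
    """
    granted = set(macaroon_perms)
    return sorted(uri for uri, req in required_perms(listperms_json).items() if req <= granted)
```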

Mic test

For the custom signet post I zapped ⚡️ from Damus,

and for the macaroon post from Yakihonne,

but from my side the Yakihonne one does not show up.

Does it arrive from your point of view, tanakei?

The ❤️ does show up, though.


Discussion

In Yakihonne, 21 sats arrived three times in my notifications. Clicking two of them jumps to the macaroon article, but they are not shown in the zaps at the bottom of the article.

Clicking the remaining one shows "unsupported kind".

Checking in Amethyst, the notifications show 21 sats twice on the macaroon post and once on the signet post.

Ah,

so the notifications are arriving.

From my side, looking at Yakihonne, it still is not reflected,

but at least I now know the zaps went through.

Thank you.