firewall: extract SessionID from gRPC metadata

In this commit, we update our various firewall interceptors so that they
rely on the session ID passed via gRPC metadata to extract a session ID.
For the PrivacyMapper and RuleEnforcer, these _MUST_ always contain a
session ID and so we error out if one was not found. For the request
logger, the session ID is optional and so we pass it to the new
SessionID field in the AddActionReq - our bbolt actions DB will not make
use of this field on persistence (but our incoming SQL version will).

Author: ellemouton

firewall/privacy_mapper.go

@@ -106,9 +106,11 @@ func (p *PrivacyMapper) Intercept(ctx context.Context,
 			"interception request: %v", err)
 	}
 
-	sessionID, err := session.IDFromMacaroon(ri.Macaroon)
+	sessionID, err := ri.SessionID.UnwrapOrErr(
+		fmt.Errorf("no session ID found in macaroon"),
+	)
 	if err != nil {
-		return nil, fmt.Errorf("could not extract ID from macaroon")
+		return nil, err
 	}
 
 	log.Tracef("PrivacyMapper: Intercepting %v", ri)

firewall/request_info.go

@@ -4,7 +4,10 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/lightninglabs/lightning-terminal/session"
+	"github.com/lightningnetwork/lnd/fn"
 	"github.com/lightningnetwork/lnd/lnrpc"
+	"google.golang.org/grpc/metadata"
 	"gopkg.in/macaroon.v2"
 )
 
@@ -25,6 +28,7 @@ const (
 // RequestInfo stores the parsed representation of an incoming RPC middleware
 // request.
 type RequestInfo struct {
+	SessionID       fn.Option[session.ID]
 	MsgID           uint64
 	RequestID       uint64
 	MWRequestType   string
@@ -43,13 +47,27 @@ type RequestInfo struct {
 // NewInfoFromRequest parses the given RPC middleware interception request and
 // returns a RequestInfo struct.
 func NewInfoFromRequest(req *lnrpc.RPCMiddlewareRequest) (*RequestInfo, error) {
+	md := make(metadata.MD)
+	for k, vs := range req.MetadataPairs {
+		for _, v := range vs.Values {
+			md.Append(k, v)
+		}
+	}
+
+	sessionID, err := session.FromGRPCMetadata(md)
+	if err != nil {
+		return nil, fmt.Errorf("error extracting session ID "+
+			"from request: %v", err)
+	}
+
 	var ri *RequestInfo
 	switch t := req.InterceptType.(type) {
 	case *lnrpc.RPCMiddlewareRequest_StreamAuth:
 		ri = &RequestInfo{
 			MWRequestType: MWRequestTypeStreamAuth,
 			URI:           t.StreamAuth.MethodFullUri,
 			Streaming:     true,
+			SessionID:     sessionID,
 		}
 
 	case *lnrpc.RPCMiddlewareRequest_Request:
@@ -60,6 +78,7 @@ func NewInfoFromRequest(req *lnrpc.RPCMiddlewareRequest) (*RequestInfo, error) {
 			IsError:         t.Request.IsError,
 			Serialized:      t.Request.Serialized,
 			Streaming:       t.Request.StreamRpc,
+			SessionID:       sessionID,
 		}
 
 	case *lnrpc.RPCMiddlewareRequest_Response:
@@ -70,6 +89,7 @@ func NewInfoFromRequest(req *lnrpc.RPCMiddlewareRequest) (*RequestInfo, error) {
 			IsError:         t.Response.IsError,
 			Serialized:      t.Response.Serialized,
 			Streaming:       t.Response.StreamRpc,
+			SessionID:       sessionID,
 		}
 
 	default:

firewall/request_logger.go

@@ -194,6 +194,7 @@ func (r *RequestLogger) addNewAction(ctx context.Context, ri *RequestInfo,
 	}
 
 	actionReq := &firewalldb.AddActionReq{
+		SessionID:          ri.SessionID,
 		MacaroonIdentifier: macaroonID,
 		RPCMethod:          ri.URI,
 	}

firewall/rule_enforcer.go

@@ -237,9 +237,11 @@ func (r *RuleEnforcer) Intercept(ctx context.Context,
 func (r *RuleEnforcer) handleRequest(ctx context.Context,
 	ri *RequestInfo) (proto.Message, error) {
 
-	sessionID, err := session.IDFromMacaroon(ri.Macaroon)
+	sessionID, err := ri.SessionID.UnwrapOrErr(
+		fmt.Errorf("no session ID found in macaroon"),
+	)
 	if err != nil {
-		return nil, fmt.Errorf("could not extract ID from macaroon")
+		return nil, err
 	}
 
 	rules, err := r.collectEnforcers(ctx, ri, sessionID)