loopd: all only specifying one lnd macaroon

Fixes #299 by allowing only one macaroon to be specified in the
--lnd.macaroonpath config option/command line flag.

Author: guggero

loopd/config.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 	"time"
 
@@ -46,6 +47,10 @@ var (
 
 	defaultSelfSignedOrganization = "loop autogenerated cert"
 
+	// defaultLndMacaroon is the default macaroon file we use if the old,
+	// deprecated --lnd.macaroondir config option is used.
+	defaultLndMacaroon = "admin.macaroon"
+
 	// DefaultTLSCertPath is the default full path of the autogenerated TLS
 	// certificate.
 	DefaultTLSCertPath = filepath.Join(
@@ -70,9 +75,20 @@ var (
 )
 
 type lndConfig struct {
-	Host        string `long:"host" description:"lnd instance rpc address"`
-	MacaroonDir string `long:"macaroondir" description:"Path to the directory containing all the required lnd macaroons"`
-	TLSPath     string `long:"tlspath" description:"Path to lnd tls certificate"`
+	Host string `long:"host" description:"lnd instance rpc address"`
+
+	// MacaroonDir is the directory that contains all the macaroon files
+	// required for the remote connection.
+	MacaroonDir string `long:"macaroondir" description:"DEPRECATED: Use macaroonpath."`
+
+	// MacaroonPath is the path to the single macaroon that should be used
+	// instead of needing to specify the macaroon directory that contains
+	// all of lnd's macaroons. The specified macaroon MUST have all
+	// permissions that all the subservers use, otherwise permission errors
+	// will occur.
+	MacaroonPath string `long:"macaroonpath" description:"The full path to the single macaroon to use, either the admin.macaroon or a custom baked one. Cannot be specified at the same time as macaroondir. A custom macaroon must contain ALL permissions required for all subservers to work, otherwise permission errors will occur."`
+
+	TLSPath string `long:"tlspath" description:"Path to lnd tls certificate"`
 }
 
 type loopServerConfig struct {
@@ -235,6 +251,30 @@ func Validate(cfg *Config) error {
 		return err
 	}
 
+	// Make sure only one of the macaroon options is used.
+	switch {
+	case cfg.Lnd.MacaroonPath != "" && cfg.Lnd.MacaroonDir != "":
+		return fmt.Errorf("use --lnd.macaroonpath only")
+
+	case cfg.Lnd.MacaroonDir != "":
+		// With the new version of lndclient we can only specify a
+		// single macaroon instead of all of them. If the old
+		// macaroondir is used, we use the admin macaroon located in
+		// that directory.
+		cfg.Lnd.MacaroonPath = path.Join(
+			lncfg.CleanAndExpandPath(cfg.Lnd.MacaroonDir),
+			defaultLndMacaroon,
+		)
+
+	case cfg.Lnd.MacaroonPath != "":
+		cfg.Lnd.MacaroonPath = lncfg.CleanAndExpandPath(
+			cfg.Lnd.MacaroonPath,
+		)
+
+	default:
+		return fmt.Errorf("must specify --lnd.macaroonpath")
+	}
+
 	return nil
 }
 

loopd/run.go

@@ -90,7 +90,7 @@ func newListenerCfg(config *Config, rpcCfg RPCConfig) *listenerCfg {
 			svcCfg := &lndclient.LndServicesConfig{
 				LndAddress:            cfg.Host,
 				Network:               network,
-				MacaroonDir:           cfg.MacaroonDir,
+				CustomMacaroonPath:    cfg.MacaroonPath,
 				TLSPath:               cfg.TLSPath,
 				CheckVersion:          LoopMinRequiredLndVersion,
 				BlockUntilChainSynced: true,

release_notes.md

@@ -17,7 +17,13 @@ This file tracks release notes for the loop client.
 
 #### New Features
 * If lnd is locked when the loop client starts up, it will wait for lnd to be 
-  unlocked. Previous versions would exit with an error. 
+  unlocked. Previous versions would exit with an error.
+* Loop will no longer need all `lnd` subserver macaroons to be present in the
+  `--lnd.macaroondir`. Instead the new `--lnd.macaroonpath` option can be
+  pointed to a single macaroon, for example the `admin.macaroon` or a custom
+  baked one with the exact permissions needed for Loop. If the now deprecated
+  flag/option `--lnd.macaroondir` is used, it will fall back to use only the
+  `admin.macaroon` from that directory.
 
 #### Breaking Changes
 * The `AutoOut`, `AutoOutBudgetSat` and `AutoOutBudgetStartSec` fields in the