multi: persist full mac root key in sql actions db

When migrating the actions store from kvdb to sql, we will update the
existing actions to include the full mac root key, instead of just the
last 4 bytes (currently called `MacaroonIdentifier`). In order to do so,
we change the sql implementation of the `actions` store to persist the
full mac root key, instead of just the last 4 bytes. As no production
data in the sql actions store exists for users yet, it's fine for us to
change this without having to address old sql actions which only stored
the last 4 bytes.

Note though that we do not update the kvdb implementation, and the full
macaroon root key will be ignored by the kvdb store even if set.
Therefore, the rest of `litd` will still have to just expect the last 4
bytes of the mac root key when accessing an `Action`'s
MacaroonIdentifier. Therefore, we we currently never expose the rest of
the mac root key outside of the sql actions store.

Once the kvdb store has been fully deprecated and removed, we can then
update the rest of `litd` to also use the full mac root key, and change
the `Action` struct's field to reflect this.

Author: ViktorTigerstrom

firewall/request_logger.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 
 	"github.com/lightninglabs/lightning-terminal/firewalldb"
+	litd_macaroons "github.com/lightninglabs/lightning-terminal/macaroons"
 	mid "github.com/lightninglabs/lightning-terminal/rpcmiddleware"
 	"github.com/lightninglabs/lightning-terminal/session"
 	"github.com/lightningnetwork/lnd/fn"
@@ -182,21 +183,33 @@ func (r *RequestLogger) Intercept(ctx context.Context,
 func (r *RequestLogger) addNewAction(ctx context.Context, ri *RequestInfo,
 	withPayloadData bool) error {
 
-	var macaroonID fn.Option[[4]byte]
+	var (
+		rootKeyID  fn.Option[uint64]
+		macaroonID fn.Option[[4]byte]
+	)
+
 	if ri.Macaroon != nil {
 		var err error
-		macID, err := session.IDFromMacaroon(ri.Macaroon)
+
+		fullRootKeyID, err := litd_macaroons.RootKeyIDFromMacaroon(
+			ri.Macaroon,
+		)
 		if err != nil {
-			return fmt.Errorf("could not extract ID from macaroon")
+			return fmt.Errorf("could not extract root key ID from "+
+				"macaroon: %w", err)
 		}
 
+		macID := session.IDFromMacRootKeyID(fullRootKeyID)
+
+		rootKeyID = fn.Some(fullRootKeyID)
 		macaroonID = fn.Some([4]byte(macID))
 	}
 
 	actionReq := &firewalldb.AddActionReq{
 		SessionID:          ri.SessionID,
 		AccountID:          ri.AccountID,
 		MacaroonIdentifier: macaroonID,
+		MacaroonRootKeyID:  rootKeyID,
 		RPCMethod:          ri.URI,
 	}
 

firewalldb/actions.go

@@ -39,6 +39,11 @@ type AddActionReq struct {
 	// If no macaroon was used for the action, then this will not be set.
 	MacaroonIdentifier fn.Option[[4]byte]
 
+	// MacaroonRootKeyID is the uint64 / full 8 bytes of the root key ID of
+	// the macaroon used to perform the action.
+	// If no macaroon was used for the action, then this will not be set.
+	MacaroonRootKeyID fn.Option[uint64]
+
 	// SessionID holds the optional session ID of the session that this
 	// action was performed with.
 	//

firewalldb/actions_sql.go

@@ -3,6 +3,7 @@ package firewalldb
 import (
 	"context"
 	"database/sql"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"math"
@@ -140,8 +141,11 @@ func (s *SQLDB) AddAction(ctx context.Context,
 		}
 
 		var macID []byte
-		req.MacaroonIdentifier.WhenSome(func(id [4]byte) {
-			macID = id[:]
+		req.MacaroonRootKeyID.WhenSome(func(rootKeyID uint64) {
+			rootKeyBytes := make([]byte, 8)
+			binary.BigEndian.PutUint64(rootKeyBytes[:], rootKeyID)
+
+			macID = rootKeyBytes
 		})
 
 		id, err := db.InsertAction(ctx, sqlc.InsertActionParams{
@@ -393,6 +397,13 @@ func unmarshalAction(ctx context.Context, db SQLActionQueries,
 		legacyAcctID = fn.Some(acctID)
 	}
 
+	// While we store the full 8 byte macaroon root key ID in the sql
+	// actions DB, the kvdb version only stored the last 4 bytes. So
+	// we'll only return that here to maintain compatibility with any
+	// existing callers.
+	//
+	// TODO(viktor): Remove this when we no longer need to be compatible
+	// with the kvdb version.
 	var macID fn.Option[[4]byte]
 	if len(dbAction.MacaroonIdentifier) > 0 {
 		macID = fn.Some([4]byte(dbAction.MacaroonIdentifier))

firewalldb/actions_test.go

@@ -2,6 +2,7 @@ package firewalldb
 
 import (
 	"context"
+	"encoding/binary"
 	"fmt"
 	"testing"
 	"time"
@@ -60,10 +61,17 @@ func TestActionStorage(t *testing.T) {
 	acct1, err := accountsDB.NewAccount(ctx, 0, time.Time{}, "foo")
 	require.NoError(t, err)
 
+	sess1MacaroonIdentifier := [4]byte(sess1.ID)
+	sess1MacRootKeyIDBytes := make([]byte, 8)
+	copy(sess1MacRootKeyIDBytes[4:], sess1MacaroonIdentifier[:])
+
+	sess1RootKeyID := binary.BigEndian.Uint64(sess1MacRootKeyIDBytes[:])
+
 	action1Req := &AddActionReq{
 		SessionID:          fn.Some(sess1.ID),
 		AccountID:          fn.Some(acct1.ID),
-		MacaroonIdentifier: fn.Some([4]byte(sess1.ID)),
+		MacaroonIdentifier: fn.Some(sess1MacaroonIdentifier),
+		MacaroonRootKeyID:  fn.Some(sess1RootKeyID),
 		ActorName:          "Autopilot",
 		FeatureName:        "auto-fees",
 		Trigger:            "fee too low",
@@ -79,9 +87,16 @@ func TestActionStorage(t *testing.T) {
 		State:        ActionStateDone,
 	}
 
+	sess2MacaroonIdentifier := [4]byte(sess2.ID)
+	sess2MacRootKeyIDBytes := make([]byte, 8)
+	copy(sess2MacRootKeyIDBytes[4:], sess2MacaroonIdentifier[:])
+
+	sess2RootKeyID := binary.BigEndian.Uint64(sess2MacRootKeyIDBytes[:])
+
 	action2Req := &AddActionReq{
 		SessionID:          fn.Some(sess2.ID),
-		MacaroonIdentifier: fn.Some([4]byte(sess2.ID)),
+		MacaroonIdentifier: fn.Some(sess2MacaroonIdentifier),
+		MacaroonRootKeyID:  fn.Some(sess2RootKeyID),
 		ActorName:          "Autopilot",
 		FeatureName:        "rebalancer",
 		Trigger:            "channels not balanced",
@@ -213,8 +228,16 @@ func TestListActions(t *testing.T) {
 	addAction := func(sessionID [4]byte) {
 		actionIds++
 
+		sessMacRootKeyIDBytes := make([]byte, 8)
+		copy(sessMacRootKeyIDBytes[4:], sessionID[:])
+
+		sessRootKeyID := binary.BigEndian.Uint64(
+			sessMacRootKeyIDBytes[:],
+		)
+
 		actionReq := &AddActionReq{
 			MacaroonIdentifier: fn.Some(sessionID),
+			MacaroonRootKeyID:  fn.Some(sessRootKeyID),
 			ActorName:          "Autopilot",
 			FeatureName:        fmt.Sprintf("%d", actionIds),
 			Trigger:            "fee too low",
@@ -424,9 +447,16 @@ func TestListGroupActions(t *testing.T) {
 	)
 	require.NoError(t, err)
 
+	sess1MacaroonIdentifier := [4]byte(sess1.ID)
+	sess1MacRootKeyIDBytes := make([]byte, 8)
+	copy(sess1MacRootKeyIDBytes[4:], sess1MacaroonIdentifier[:])
+
+	sess1RootKeyID := binary.BigEndian.Uint64(sess1MacRootKeyIDBytes[:])
+
 	action1Req := &AddActionReq{
 		SessionID:          fn.Some(sess1.ID),
-		MacaroonIdentifier: fn.Some([4]byte(sess1.ID)),
+		MacaroonIdentifier: fn.Some(sess1MacaroonIdentifier),
+		MacaroonRootKeyID:  fn.Some(sess1RootKeyID),
 		ActorName:          "Autopilot",
 		FeatureName:        "auto-fees",
 		Trigger:            "fee too low",
@@ -442,9 +472,16 @@ func TestListGroupActions(t *testing.T) {
 		State:        ActionStateDone,
 	}
 
+	sess2MacaroonIdentifier := [4]byte(sess2.ID)
+	sess2MacRootKeyIDBytes := make([]byte, 8)
+	copy(sess2MacRootKeyIDBytes[4:], sess2MacaroonIdentifier[:])
+
+	sess2RootKeyID := binary.BigEndian.Uint64(sess2MacRootKeyIDBytes[:])
+
 	action2Req := &AddActionReq{
 		SessionID:          fn.Some(sess2.ID),
-		MacaroonIdentifier: fn.Some([4]byte(sess2.ID)),
+		MacaroonIdentifier: fn.Some(sess2MacaroonIdentifier),
+		MacaroonRootKeyID:  fn.Some(sess2RootKeyID),
 		ActorName:          "Autopilot",
 		FeatureName:        "rebalancer",
 		Trigger:            "channels not balanced",

firewalldb/test_kvdb.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/lightninglabs/lightning-terminal/session"
 	"github.com/lightningnetwork/lnd/clock"
+	"github.com/lightningnetwork/lnd/fn"
 	"github.com/stretchr/testify/require"
 )
 
@@ -59,7 +60,14 @@ func assertEqualActions(t *testing.T, expected, got *Action) {
 	// Accounts are not explicitly linked in our bbolt DB implementation.
 	actualAccountID := got.AccountID
 	got.AccountID = expected.AccountID
+
+	// As the kvdb implementation doesn't store the Macaroon Root Key ID,
+	// we clear the expected value before comparison, and restore it after.
+	expectedMacRootKey := expected.MacaroonRootKeyID
+	expected.MacaroonRootKeyID = fn.None[uint64]()
+
 	require.Equal(t, expected, got)
 
 	got.AccountID = actualAccountID
+	expected.MacaroonRootKeyID = expectedMacRootKey
 }

firewalldb/test_sql.go

@@ -10,6 +10,7 @@ import (
 	"github.com/lightninglabs/lightning-terminal/db"
 	"github.com/lightninglabs/lightning-terminal/session"
 	"github.com/lightningnetwork/lnd/clock"
+	"github.com/lightningnetwork/lnd/fn"
 	"github.com/stretchr/testify/require"
 )
 
@@ -46,11 +47,20 @@ func assertEqualActions(t *testing.T, expected, got *Action) {
 	expected.AttemptedAt = time.Time{}
 	got.AttemptedAt = time.Time{}
 
+	// As the kvdb implementation doesn't store the Macaroon Root Key ID,
+	// we don't yet expose this for the sql version, until the kvdb version
+	// has been deprecated and removed. Therefore, we ignore this field in
+	// our comparison here, and clear the expected value before comparison,
+	// and restore it after.
+	expectedMacRootKey := expected.MacaroonRootKeyID
+	expected.MacaroonRootKeyID = fn.None[uint64]()
+
 	require.Equal(t, expected, got)
 	require.Equal(t, expectedAttemptedAt.Unix(), actualAttemptedAt.Unix())
 
 	expected.AttemptedAt = expectedAttemptedAt
 	got.AttemptedAt = actualAttemptedAt
+	expected.MacaroonRootKeyID = expectedMacRootKey
 }
 
 // createStore is a helper function that creates a new SQLDB and ensure that