firewall: obfuscate BatchOpenChannel

We obfuscate fields from the batch channel open requests and
responses.

Author: bitromortac

firewall/privacy_mapper.go

@@ -296,6 +296,13 @@ func (p *PrivacyMapper) checkers(db firewalldb.PrivacyMapDB,
 			handleClosedChannelsResponse(db, flags, p.randIntn),
 			mid.PassThroughErrorHandler,
 		),
+		"/lnrpc.Lightning/BatchOpenChannel": mid.NewFullRewriter(
+			&lnrpc.BatchOpenChannelRequest{},
+			&lnrpc.BatchOpenChannelResponse{},
+			handleBatchOpenChannelRequest(db, flags, p.randIntn),
+			handleBatchOpenChannelResponse(db, flags, p.randIntn),
+			mid.PassThroughErrorHandler,
+		),
 	}
 }
 
@@ -1087,6 +1094,80 @@ func handleClosedChannelsResponse(db firewalldb.PrivacyMapDB,
 	}
 }
 
+func handleBatchOpenChannelRequest(db firewalldb.PrivacyMapDB,
+	flags session.PrivacyFlags,
+	_ func(int) (int, error)) func(ctx context.Context,
+	r *lnrpc.BatchOpenChannelRequest) (proto.Message, error) {
+
+	return func(_ context.Context, r *lnrpc.BatchOpenChannelRequest) (
+		proto.Message, error) {
+
+		err := db.Update(func(tx firewalldb.PrivacyMapTx) error {
+			// Modify channels in place.
+			for _, c := range r.Channels {
+				var err error
+
+				// Note, this only works if the pubkey alias was
+				// already created via other calls, e.g. via
+				// ListChannels or GetInfo or the like.
+				if !flags.Contains(session.ClearPubkeys) {
+					c.NodePubkey, err = firewalldb.RevealBytes(
+						tx, c.NodePubkey,
+					)
+					if err != nil {
+						return err
+					}
+				}
+			}
+
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		return r, nil
+	}
+}
+
+func handleBatchOpenChannelResponse(db firewalldb.PrivacyMapDB,
+	flags session.PrivacyFlags,
+	randIntn func(int) (int, error)) func(ctx context.Context,
+	r *lnrpc.BatchOpenChannelResponse) (proto.Message, error) {
+
+	return func(_ context.Context, r *lnrpc.BatchOpenChannelResponse) (
+		proto.Message, error) {
+
+		err := db.Update(func(tx firewalldb.PrivacyMapTx) error {
+			for _, p := range r.PendingChannels {
+				if !flags.Contains(session.ClearChanIDs) {
+					txIDStr := hex.EncodeToString(p.Txid)
+					txID, hOut, err := firewalldb.HideChanPoint(
+						tx, txIDStr, p.OutputIndex,
+					)
+					if err != nil {
+						return err
+					}
+
+					p.OutputIndex = hOut
+					txIDBytes, err := hex.DecodeString(txID)
+					if err != nil {
+						return err
+					}
+					p.Txid = txIDBytes
+				}
+			}
+
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		return r, nil
+	}
+}
+
 // maybeHideAmount hides an amount if the privacy flag is not set.
 func maybeHideAmount(flags session.PrivacyFlags, randIntn func(int) (int, error),
 	a int64) (int64, error) {

firewall/privacy_mapper_test.go

@@ -2,6 +2,7 @@ package firewall
 
 import (
 	"context"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"testing"
@@ -27,8 +28,12 @@ func TestPrivacyMapper(t *testing.T) {
 
 	// Define some transaction outpoints used for mapping.
 	clearTxID := "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd"
+	clearTxIDBytes, err := hex.DecodeString(clearTxID)
+	require.NoError(t, err)
 
 	obfusTxID0 := "097ef666a61919ff3413b3b701eae3a5cbac08f70c0ca567806e1fa6acbfe384"
+	obfusTxID0Bytes, err := hex.DecodeString(obfusTxID0)
+	require.NoError(t, err)
 	obfusOut0 := uint32(2161781494)
 	obfusTxID0Reversed, err := chainhash.NewHashFromStr(obfusTxID0)
 	require.NoError(t, err)
@@ -468,6 +473,59 @@ func TestPrivacyMapper(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:    "BatchOpenChannel Request",
+			uri:     "/lnrpc.Lightning/BatchOpenChannel",
+			msgType: rpcperms.TypeRequest,
+			msg: &lnrpc.BatchOpenChannelRequest{
+				TargetConf: 6,
+				Channels: []*lnrpc.BatchOpenChannel{
+					{
+						NodePubkey: []byte{
+							200, 19, 68, 149,
+						},
+						LocalFundingAmount: 1_000_000,
+						PushSat:            1_000_000,
+						MinHtlcMsat:        100,
+					},
+				},
+			},
+			expectedReplacement: &lnrpc.BatchOpenChannelRequest{
+				TargetConf: 6,
+				Channels: []*lnrpc.BatchOpenChannel{
+					{
+						NodePubkey: []byte{
+							1, 2, 3, 4,
+						},
+						LocalFundingAmount: 1_000_000,
+						PushSat:            1_000_000,
+						MinHtlcMsat:        100,
+					},
+				},
+			},
+		},
+		{
+			name:    "BatchOpenChannel Response",
+			uri:     "/lnrpc.Lightning/BatchOpenChannel",
+			msgType: rpcperms.TypeResponse,
+			msg: &lnrpc.BatchOpenChannelResponse{
+				PendingChannels: []*lnrpc.PendingUpdate{
+					{
+
+						Txid:        clearTxIDBytes,
+						OutputIndex: 0,
+					},
+				},
+			},
+			expectedReplacement: &lnrpc.BatchOpenChannelResponse{
+				PendingChannels: []*lnrpc.PendingUpdate{
+					{
+						Txid:        obfusTxID0Bytes,
+						OutputIndex: obfusOut0,
+					},
+				},
+			},
+		},
 	}
 
 	decodedID := &lnrpc.MacaroonId{