Add option accept or reject channel requests

Add new new config flag, which when set to true allows the node operator
to accept or reject new channel requests.

Author: ViktorTigerstrom

lightning/src/ln/channel.rs

@@ -536,6 +536,17 @@ pub(super) struct Channel<Signer: Sign> {
 	#[cfg(not(test))]
 	closing_fee_limits: Option<(u64, u64)>,
 
+	/// Flag that ensures that the `get_accept_channel` function must be called before the
+	/// `funding_created` function is executed successfully. The reason for this flag is that
+	/// when the util::config::UserConfig.manually_accept_inbound_channels is set to true,
+	/// inbound channels are required to be manually accepted by the node operator before the
+	/// `SendAcceptChannel` message is created and sent out. The `get_accept_channel` function is
+	/// called during that process.
+	/// A counterparty node could theoretically send a `FundingCreated` message before the node
+	/// operator has accepted the inbound channel. That would would execute the `funding_created`
+	/// function before the `get_accept_channel` function, and should therefore be rejected.
+	inbound_awaiting_accept: bool,
+
 	/// The hash of the block in which the funding transaction was included.
 	funding_tx_confirmed_in: Option<BlockHash>,
 	funding_tx_confirmation_height: u32,
@@ -833,6 +844,8 @@ impl<Signer: Sign> Channel<Signer> {
 			closing_fee_limits: None,
 			target_closing_feerate_sats_per_kw: None,
 
+			inbound_awaiting_accept: false,
+
 			funding_tx_confirmed_in: None,
 			funding_tx_confirmation_height: 0,
 			short_channel_id: None,
@@ -1130,6 +1143,8 @@ impl<Signer: Sign> Channel<Signer> {
 			closing_fee_limits: None,
 			target_closing_feerate_sats_per_kw: None,
 
+			inbound_awaiting_accept: true,
+
 			funding_tx_confirmed_in: None,
 			funding_tx_confirmation_height: 0,
 			short_channel_id: None,
@@ -1918,6 +1933,9 @@ impl<Signer: Sign> Channel<Signer> {
 			// channel.
 			return Err(ChannelError::Close("Received funding_created after we got the channel!".to_owned()));
 		}
+		if self.inbound_awaiting_accept {
+			return Err(ChannelError::Close("FundingCreated message received before the channel was accepted".to_owned()));
+		}
 		if self.commitment_secrets.get_min_seen_secret() != (1 << 48) ||
 				self.cur_counterparty_commitment_transaction_number != INITIAL_COMMITMENT_NUMBER ||
 				self.cur_holder_commitment_transaction_number != INITIAL_COMMITMENT_NUMBER {
@@ -4504,7 +4522,11 @@ impl<Signer: Sign> Channel<Signer> {
 		}
 	}
 
-	pub fn get_accept_channel(&self) -> msgs::AcceptChannel {
+	pub fn inbound_is_awaiting_accept(&self) -> bool {
+		self.inbound_awaiting_accept
+	}
+
+	pub fn get_accept_channel(&mut self) -> msgs::AcceptChannel {
 		if self.is_outbound() {
 			panic!("Tried to send accept_channel for an outbound channel?");
 		}
@@ -4515,6 +4537,8 @@ impl<Signer: Sign> Channel<Signer> {
 			panic!("Tried to send an accept_channel for a channel that has already advanced");
 		}
 
+		self.inbound_awaiting_accept = false;
+
 		let first_per_commitment_point = self.holder_signer.get_per_commitment_point(self.cur_holder_commitment_transaction_number, &self.secp_ctx);
 		let keys = self.get_holder_pubkeys();
 
@@ -5840,6 +5864,8 @@ impl<'a, Signer: Sign, K: Deref> ReadableArgs<(&'a K, u32)> for Channel<Signer>
 			closing_fee_limits: None,
 			target_closing_feerate_sats_per_kw,
 
+			inbound_awaiting_accept: false,
+
 			funding_tx_confirmed_in,
 			funding_tx_confirmation_height,
 			short_channel_id,
@@ -6050,7 +6076,7 @@ mod tests {
 		// Make sure A's dust limit is as we expect.
 		let open_channel_msg = node_a_chan.get_open_channel(genesis_block(network).header.block_hash());
 		let node_b_node_id = PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[7; 32]).unwrap());
-		let node_b_chan = Channel::<EnforcingSigner>::new_from_req(&&feeest, &&keys_provider, node_b_node_id, &InitFeatures::known(), &open_channel_msg, 7, &config, 0, &&logger).unwrap();
+		let mut node_b_chan = Channel::<EnforcingSigner>::new_from_req(&&feeest, &&keys_provider, node_b_node_id, &InitFeatures::known(), &open_channel_msg, 7, &config, 0, &&logger).unwrap();
 
 		// Node B --> Node A: accept channel, explicitly setting B's dust limit.
 		let mut accept_channel_msg = node_b_chan.get_accept_channel();

lightning/src/ln/channelmanager.rs

@@ -4101,6 +4101,34 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 		}
 	}
 
+	/// Called to accept a request to open a channel after the
+	/// [`events::Event::OpenChannelRequest`] has been triggered.
+	///
+	/// The `temporary_channel_id` parameter indicates which inbound channel should be accepted.
+	///
+	/// [`events::Event::OpenChannelRequest`]: crate::util::events::Event::OpenChannelRequest
+	pub fn accept_inbound_channel(&self, temporary_channel_id: &[u8; 32]) -> Result<(), APIError> {
+		let _persistence_guard = PersistenceNotifierGuard::notify_on_drop(&self.total_consistency_lock, &self.persistence_notifier);
+
+		let mut channel_state_lock = self.channel_state.lock().unwrap();
+		let channel_state = &mut *channel_state_lock;
+		match channel_state.by_id.entry(temporary_channel_id.clone()) {
+			hash_map::Entry::Occupied(mut channel) => {
+				if !channel.get().inbound_is_awaiting_accept() {
+					return Err(APIError::APIMisuseError { err: "The channel isn't currently awaiting to be accepted.".to_owned() });
+				}
+				channel_state.pending_msg_events.push(events::MessageSendEvent::SendAcceptChannel {
+					node_id: channel.get().get_counterparty_node_id(),
+					msg: channel.get_mut().get_accept_channel(),
+				});
+			}
+			hash_map::Entry::Vacant(_) => {
+				return Err(APIError::ChannelUnavailable { err: "Can't accept a channel that doesn't exist".to_owned() });
+			}
+		}
+		Ok(())
+	}
+
 	fn internal_open_channel(&self, counterparty_node_id: &PublicKey, their_features: InitFeatures, msg: &msgs::OpenChannel) -> Result<(), MsgHandleErrInternal> {
 		if msg.chain_hash != self.genesis_hash {
 			return Err(MsgHandleErrInternal::send_err_msg_no_close("Unknown genesis block hash".to_owned(), msg.temporary_channel_id.clone()));
@@ -4110,18 +4138,31 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			return Err(MsgHandleErrInternal::send_err_msg_no_close("No inbound channels accepted".to_owned(), msg.temporary_channel_id.clone()));
 		}
 
-		let channel = Channel::new_from_req(&self.fee_estimator, &self.keys_manager, counterparty_node_id.clone(),
+		let mut channel = Channel::new_from_req(&self.fee_estimator, &self.keys_manager, counterparty_node_id.clone(),
 				&their_features, msg, 0, &self.default_configuration, self.best_block.read().unwrap().height(), &self.logger)
 			.map_err(|e| MsgHandleErrInternal::from_chan_no_close(e, msg.temporary_channel_id))?;
 		let mut channel_state_lock = self.channel_state.lock().unwrap();
 		let channel_state = &mut *channel_state_lock;
 		match channel_state.by_id.entry(channel.channel_id()) {
 			hash_map::Entry::Occupied(_) => return Err(MsgHandleErrInternal::send_err_msg_no_close("temporary_channel_id collision!".to_owned(), msg.temporary_channel_id.clone())),
 			hash_map::Entry::Vacant(entry) => {
-				channel_state.pending_msg_events.push(events::MessageSendEvent::SendAcceptChannel {
-					node_id: counterparty_node_id.clone(),
-					msg: channel.get_accept_channel(),
-				});
+				if !self.default_configuration.manually_accept_inbound_channels {
+					channel_state.pending_msg_events.push(events::MessageSendEvent::SendAcceptChannel {
+						node_id: counterparty_node_id.clone(),
+						msg: channel.get_accept_channel(),
+					});
+				} else {
+					let mut pending_events = self.pending_events.lock().unwrap();
+					pending_events.push(
+						events::Event::OpenChannelRequest {
+							temporary_channel_id: msg.temporary_channel_id.clone(),
+							counterparty_node_id: counterparty_node_id.clone(),
+							funding_satoshis: msg.funding_satoshis,
+							push_msat: msg.push_msat,
+						}
+					);
+				}
+
 				entry.insert(channel);
 			}
 		}

lightning/src/util/config.rs

@@ -305,6 +305,20 @@ pub struct UserConfig {
 	/// If this is set to false, we do not accept inbound requests to open a new channel.
 	/// Default value: true.
 	pub accept_inbound_channels: bool,
+	/// If this is set to true, the user needs to manually accept inbound requests to open a new
+	/// channel.
+	///
+	/// When set to true, the [`Event::OpenChannelRequest`] event will be triggered once a request
+	/// to open a new inbound channel is received through a [`msgs::OpenChannel`] message. In that
+	/// case, a [`msgs::AcceptChannel`] message will not be sent back to the counterparty node
+	/// unless the user explicitly chooses to accept the request.
+	///
+	/// Default value: false.
+	///
+	/// [`Event::OpenChannelRequest`]: crate::util::events::Event::OpenChannelRequest
+	/// [`msgs::OpenChannel`]: crate::ln::msgs::OpenChannel
+	/// [`msgs::AcceptChannel`]: crate::ln::msgs::AcceptChannel
+	pub manually_accept_inbound_channels: bool,
 }
 
 impl Default for UserConfig {
@@ -315,6 +329,7 @@ impl Default for UserConfig {
 			channel_options: ChannelConfig::default(),
 			accept_forwards_to_priv_channels: false,
 			accept_inbound_channels: true,
+			manually_accept_inbound_channels: false,
 		}
 	}
 }

lightning/src/util/events.rs

@@ -29,7 +29,6 @@ use bitcoin::blockdata::script::Script;
 use bitcoin::hashes::Hash;
 use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::secp256k1::key::PublicKey;
-
 use io;
 use prelude::*;
 use core::time::Duration;
@@ -403,6 +402,35 @@ pub enum Event {
 		/// May contain a closed channel if the HTLC sent along the path was fulfilled on chain.
 		path: Vec<RouteHop>,
 	},
+	/// Indicates a request to open a new channel by a peer.
+	///
+	/// The [`ChannelManager::accept_inbound_channel`] function should be called to accept the
+	/// request. To reject the request, the [`ChannelManager::force_close_channel`] function should
+	/// be called.
+	///
+	/// The event is only triggered when a new open channel request is received and the
+	/// [`UserConfig::manually_accept_inbound_channels`] config flag is set to true.
+	///
+	/// [`ChannelManager::accept_inbound_channel`]: crate::ln::channelmanager::ChannelManager::accept_inbound_channel
+	/// [`ChannelManager::force_close_channel`]: crate::ln::channelmanager::ChannelManager::force_close_channel
+	/// [`UserConfig::manually_accept_inbound_channels`]: crate::util::config::UserConfig::manually_accept_inbound_channels
+	OpenChannelRequest {
+		/// The temporary channel ID of the channel requested to be opened.
+		///
+		/// When responding to the request, the `temporary_channel_id` should be passed
+		/// back to the ChannelManager with [`ChannelManager::accept_inbound_channel`] to accept,
+		/// or to [`ChannelManager::force_close_channel`] to reject.
+		///
+		/// [`ChannelManager::accept_inbound_channel`]: crate::ln::channelmanager::ChannelManager::accept_inbound_channel
+		/// [`ChannelManager::force_close_channel`]: crate::ln::channelmanager::ChannelManager::force_close_channel
+		temporary_channel_id: [u8; 32],
+		/// The node_id of the counterparty requesting to open the channel.
+		counterparty_node_id: PublicKey,
+		/// The channel value of the requested channel.
+		funding_satoshis: u64,
+		/// Our starting balance in the channel if the request is accepted, in milli-satoshi.
+		push_msat: u64,
+	},
 }
 
 impl Writeable for Event {
@@ -515,6 +543,11 @@ impl Writeable for Event {
 					(2, payment_hash, required),
 				})
 			},
+			&Event::OpenChannelRequest { .. } => {
+				17u8.write(writer)?;
+				// We never write the OpenChannelRequest events as, upon disconnection, peers
+				// drop any channels which have not yet exchanged funding_signed.
+			},
 			// Note that, going forward, all new events must only write data inside of
 			// `write_tlv_fields`. Versions 0.0.101+ will ignore odd-numbered events that write
 			// data via `write_tlv_fields`.
@@ -707,6 +740,10 @@ impl MaybeReadable for Event {
 				};
 				f()
 			},
+			17u8 => {
+				// Value 17 is used for `Event::OpenChannelRequest`.
+				Ok(None)
+			},
 			// Versions prior to 0.0.100 did not ignore odd types, instead returning InvalidValue.
 			// Version 0.0.100 failed to properly ignore odd types, possibly resulting in corrupt
 			// reads.