looprpc: require loop:out for instant out

InstantOut can now accept a caller-provided destination address and use it as the on-chain sweep target for reservation funds. That makes it an externally directed loop-out spend path, so a swap:execute-only macaroon should not be sufficient.

Require the same loop:out authority used by LoopOut and add a regression test so the method cannot drift back to swap:execute-only authorization.

Author: hieblmi

looprpc/perms.go

@@ -181,6 +181,9 @@ var RequiredPermissions = map[string][]bakery.Op{
 	"/looprpc.SwapClient/InstantOut": {{
 		Entity: "swap",
 		Action: "execute",
+	}, {
+		Entity: "loop",
+		Action: "out",
 	}},
 	"/looprpc.SwapClient/InstantOutQuote": {{
 		Entity: "swap",

looprpc/perms_test.go

@@ -0,0 +1,35 @@
+package looprpc
+
+import (
+	"testing"
+
+	"gopkg.in/macaroon-bakery.v2/bakery"
+)
+
+func TestInstantOutRequiresLoopOutPermission(t *testing.T) {
+	requiredPerms, ok := RequiredPermissions["/looprpc.SwapClient/InstantOut"]
+	if !ok {
+		t.Fatalf("InstantOut permission entry missing")
+	}
+
+	assertPermission := func(want bakery.Op) {
+		t.Helper()
+
+		for _, perm := range requiredPerms {
+			if perm == want {
+				return
+			}
+		}
+
+		t.Fatalf("InstantOut permission entry missing %v", want)
+	}
+
+	assertPermission(bakery.Op{
+		Entity: "swap",
+		Action: "execute",
+	})
+	assertPermission(bakery.Op{
+		Entity: "loop",
+		Action: "out",
+	})
+}