
[taler-sandcastle-ng] 01/03: generate and use proper credentials


From: gnunet
Subject: [taler-sandcastle-ng] 01/03: generate and use proper credentials
Date: Tue, 03 Sep 2024 17:32:22 +0200

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository sandcastle-ng.

commit 917d79505812d9f93c68957464dc8ed8f93dab27
Author: Florian Dold <florian@dold.me>
AuthorDate: Tue Sep 3 17:25:09 2024 +0200

    generate and use proper credentials
---
 Dockerfile                       |   3 +-
 buildconfig/challenger.tag       |   2 +-
 buildconfig/exchange.tag         |   2 +-
 buildconfig/gnunet.tag           |   2 +-
 buildconfig/libeufin.tag         |   2 +-
 buildconfig/merchant-demos.tag   |   2 +-
 buildconfig/merchant.tag         |   2 +-
 buildconfig/sync.tag             |   2 +-
 buildconfig/wallet.tag           |   2 +-
 sandcastle-run                   |  14 +++--
 scripts/demo/setup-sandcastle.sh | 118 +++++++++++++++++++++++++--------------
 11 files changed, 96 insertions(+), 55 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index bb7c386..14260c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -255,7 +255,8 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && 
apt-get -y upgrade && apt-g
   less \
   caddy \
   systemd-coredump \
-  libnss3-tools
+  libnss3-tools \
+  uuid-runtime
 
 RUN mkdir -p /packages
 COPY --from=gnunet /packages/gnunet/* /packages/
diff --git a/buildconfig/challenger.tag b/buildconfig/challenger.tag
index a008516..6345c21 100644
--- a/buildconfig/challenger.tag
+++ b/buildconfig/challenger.tag
@@ -1 +1 @@
-v0.12.1-dev.10
+v0.13.0
diff --git a/buildconfig/exchange.tag b/buildconfig/exchange.tag
index c4484e0..6345c21 100644
--- a/buildconfig/exchange.tag
+++ b/buildconfig/exchange.tag
@@ -1 +1 @@
-v0.12.1-dev.23
+v0.13.0
diff --git a/buildconfig/gnunet.tag b/buildconfig/gnunet.tag
index abffe2f..4f27943 100644
--- a/buildconfig/gnunet.tag
+++ b/buildconfig/gnunet.tag
@@ -1 +1 @@
-v0.21.3-talerdev.1
+v0.22.0
diff --git a/buildconfig/libeufin.tag b/buildconfig/libeufin.tag
index 87a1cf5..6345c21 100644
--- a/buildconfig/libeufin.tag
+++ b/buildconfig/libeufin.tag
@@ -1 +1 @@
-v0.12.0
+v0.13.0
diff --git a/buildconfig/merchant-demos.tag b/buildconfig/merchant-demos.tag
index c91125d..3db4e00 100644
--- a/buildconfig/merchant-demos.tag
+++ b/buildconfig/merchant-demos.tag
@@ -1 +1 @@
-v0.10.1
+v0.13.0-dev.2
diff --git a/buildconfig/merchant.tag b/buildconfig/merchant.tag
index 5bfb0e8..6345c21 100644
--- a/buildconfig/merchant.tag
+++ b/buildconfig/merchant.tag
@@ -1 +1 @@
-v0.12.1-dev.2
+v0.13.0
diff --git a/buildconfig/sync.tag b/buildconfig/sync.tag
index 4f7638f..b561134 100644
--- a/buildconfig/sync.tag
+++ b/buildconfig/sync.tag
@@ -1 +1 @@
-v0.11.1
+v0.13.1
diff --git a/buildconfig/wallet.tag b/buildconfig/wallet.tag
index 272066c..b561134 100644
--- a/buildconfig/wallet.tag
+++ b/buildconfig/wallet.tag
@@ -1 +1 @@
-v0.12.9
+v0.13.1
diff --git a/sandcastle-run b/sandcastle-run
index 7331115..9f0a99f 100755
--- a/sandcastle-run
+++ b/sandcastle-run
@@ -25,12 +25,12 @@ PORT_INTERNAL_BANK_SPA=8505
 PORT_INTERNAL_CHALLENGER=8506
 PORT_INTERNAL_AUDITOR=8507
 
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
 cd $SCRIPT_DIR
 
 existing_id=$(podman ps -q -a -f=name=taler-sandcastle)
 
-if [[ ! -z "$existing_id" ]]; then
+if [[ -n $existing_id ]]; then
   echo "removing existing taler-sandcastle container $existing_id"
   podman rm "$existing_id"
 fi
@@ -38,12 +38,15 @@ fi
 # We need to be careful with SELinux when using volume mounts, relabel!
 
 SETUP_NAME=${SANDCASTLE_SETUP_NAME:-demo}
-if [[ ! -z "${SANDCASTLE_OVERRIDE_NAME:-}" ]]; then
-       OVERRIDES="-v $PWD/overrides/${SANDCASTLE_OVERRIDE_NAME}:/overrides:Z"
+if [[ -n ${SANDCASTLE_OVERRIDE_NAME:-} ]]; then
+  OVERRIDES="-v $PWD/overrides/${SANDCASTLE_OVERRIDE_NAME}:/overrides:Z"
 else
-       OVERRIDES=""
+  OVERRIDES=""
 fi
 
+# Will be mounted inside the container
+mkdir -p credentials
+
 # Beware: It is futile to pass environment variables to the container here,
 # as they will not be available in the systemd unit that provisions the
 # services in the container.
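Review bot: `mkdir -p credentials` creates the host-side secrets directory with the caller's default umask, so with the usual 022 every password file later generated under it (and bind-mounted into the container in the next hunk) is readable by any local user; `mkdir -p -m 0700 credentials` limits it to the invoking user. The new comment could also say what the directory is for, e.g. `# Mounted as /credentials in the container; holds generated service passwords, keep it private`. `$PWD` in the new `-v $PWD/credentials:/credentials:Z` line is unquoted like the neighbouring mounts; quoting it is a style nit only.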
@@ -66,6 +69,7 @@ exec podman run \
   -v talerdata:/talerdata:Z \
   -v talerdata_persistent:/talerdata_persistent:Z \
   $OVERRIDES \
+  -v $PWD/credentials:/credentials:Z \
   -v $PWD/data:/data:Z \
   -v $PWD/scripts:/scripts:Z \
   -v $PWD/scripts/$SETUP_NAME:/provision:Z \
diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh
index f5f599f..ba582e3 100755
--- a/scripts/demo/setup-sandcastle.sh
+++ b/scripts/demo/setup-sandcastle.sh
@@ -10,7 +10,7 @@
 set -eu
 set -x
 
-if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then
+if [[ -n ${SANDCASTLE_SKIP_SETUP:-} ]]; then
   echo "skipping sandcastle setup, requested by environment var 
SANDCASTLE_SKIP_SETUP"
   exit 1
 fi
@@ -61,7 +61,6 @@ PORT_INTERNAL_BANK_SPA=8505
 PORT_INTERNAL_CHALLENGER=8506
 PORT_INTERNAL_AUDITOR=8507
 
-
 # Just make sure the services are stopped
 systemctl stop taler-auditor.target
 systemctl stop taler-exchange.target
@@ -92,7 +91,7 @@ systemctl reset-failed
 function lift_dir() {
   src=$1
   target=$2
-  if [[ -L "$src" ]]; then
+  if [[ -L $src ]]; then
     # be idempotent
     echo "$src is already a symlink"
   elif [[ -d /talerdata/$target ]]; then
@@ -109,7 +108,7 @@ function lift_dir() {
 function persist_exchange_key() {
   src=$1
   target=$2
-  if [[ -L "$src" ]]; then
+  if [[ -L $src ]]; then
     # be idempotent
     echo "$src is already a symlink"
   elif [[ -d /talerdata_persistent/$target ]]; then
@@ -133,6 +132,20 @@ lift_dir /etc/taler etc-challenger
 lift_dir /var/lib/postgresql var-lib-postgresql
 persist_exchange_key /var/lib/taler/exchange-offline exchange-offline
 
+# Usage: get_credential_pw COMPONENT/ACCOUNT
+function get_credential_pw() {
+  if [[ ${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then
+    echo "sandbox"
+    return
+  fi
+  p=/credentials/$1
+  if [[ ! -f $p ]]; then
+    mkdir -p $(dirname "$p")
+    uuidgen -r >$p
+  fi
+  cat "$p"
+}
+
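Review bot: `uuidgen -r >$p` creates each password file with the process umask, so unless it is narrowed elsewhere the secrets end up 0644 inside `/credentials`, which sandcastle-run bind-mounts from the host; create them as `(umask 077; uuidgen -r >"$p")` so only the owner can read them. `p` should be `local p`, and `mkdir -p "$(dirname "$p")"` / `>"$p"` should be quoted — harmless with the hard-coded COMPONENT/ACCOUNT arguments, but free to fix. Since the function's stdout is consumed via `$(...)` at the call sites while `set -x` is active (enabled at the top of this script), the generated passwords still appear in the trace output; the comment should record that trade-off, e.g. `# Returns the password on stdout; note that callers expand it into traced command lines`.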
 # Caddy configuration.
 # We use the caddy reverse proxy with automatic
 # internal TLS setup to ensure that the services are
@@ -142,7 +155,7 @@ persist_exchange_key /var/lib/taler/exchange-offline 
exchange-offline
 
 systemctl stop caddy.service
 
-cat <<EOF > /etc/caddy/Caddyfile
+cat <<EOF >/etc/caddy/Caddyfile
 
 # Internally reverse-proxy https://,
 # so that service can talk to each other via
@@ -224,7 +237,7 @@ https://$CHALLENGER_DOMAIN {
 }
 EOF
 
-cat <<EOF >> /etc/hosts
+cat <<EOF >>/etc/hosts
 # Start of Taler Sandcastle Domains
 127.0.0.1 $LANDING_DOMAIN
 127.0.0.1 $BANK_DOMAIN
@@ -305,53 +318,60 @@ EOF
 libeufin-dbconfig
 
 sudo -i -u libeufin-bank libeufin-bank edit-account admin 
--debit_threshold=$CURRENCY:1000000
-sudo -i -u libeufin-bank libeufin-bank passwd admin sandbox
+sudo -i -u libeufin-bank libeufin-bank passwd admin $(get_credential_pw 
bank/admin)
 
 systemctl enable --now libeufin-bank.service
 
 taler-harness deployment wait-taler-service taler-corebank 
https://$BANK_DOMAIN/config
 
+sudo -i -u libeufin-bank libeufin-bank passwd exchange $(get_credential_pw 
bank/exchange) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login exchange --exchange --public \
   --payto $EXCHANGE_PLAIN_PAYTO \
   --name Exchange \
-  --password sandbox
+  --password $(get_credential_pw bank/exchange)
 
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-default 
$(get_credential_pw bank/merchant-default) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login merchant-default --public \
   --payto "payto://iban/$MERCHANT_IBAN_DEFAULT" \
   --name "Default Demo Merchant" \
-  --password sandbox
+  --password $(get_credential_pw bank/merchant-default)
 
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-pos $(get_credential_pw 
bank/merchant-pos) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login merchant-pos --public \
   --payto "payto://iban/$MERCHANT_IBAN_POS" \
   --name "PoS Merchant" \
-  --password sandbox
+  --password $(get_credential_pw bank/merchant-pos)
 
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-blog 
$(get_credential_pw bank/merchant-blog) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login merchant-blog --public \
   --payto "payto://iban/$MERCHANT_IBAN_BLOG" \
   --name "Blog Merchant" \
-  --password sandbox
+  --password $(get_credential_pw bank/merchant-blog)
 
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-gnunet 
$(get_credential_pw bank/merchant-gnunet) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login merchant-gnunet --public \
   --payto "payto://iban/$MERCHANT_IBAN_GNUNET" \
   --name "GNUnet Donations Merchant" \
-  --password sandbox
+  --password $(get_credential_pw bank/merchant-gnunet)
 
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-taler 
$(get_credential_pw bank/merchant-taler) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login merchant-taler --public \
   --payto "payto://iban/$MERCHANT_IBAN_TALER" \
   --name "Taler Donations Merchant" \
-  --password sandbox
+  --password $(get_credential_pw bank/merchant-taler)
 
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-tor $(get_credential_pw 
bank/merchant-tor) || true
 taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
   --login merchant-tor --public \
   --payto "payto://iban/$MERCHANT_IBAN_TOR" \
   --name "Tor Donations Merchant" \
-  --password sandbox
+  --password $(get_credential_pw bank/merchant-tor)
 
 # Set up exchange
 
@@ -360,7 +380,7 @@ MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline 
taler-exchange-offline -LD
 EXCHANGE_DB=talerexchange
 
 # Generate /etc/taler/conf.d/setup.conf
-cat <<EOF > /etc/taler/conf.d/setup.conf
+cat <<EOF >/etc/taler/conf.d/setup.conf
 [taler]
 CURRENCY = $CURRENCY
 CURRENCY_ROUND_UNIT = $CURRENCY:0.01
@@ -392,9 +412,9 @@ EOF
 ## Configure KYC if enabled
 ##
 
-if [[ "${ENABLE_KYC:-0}" = 1 ]]; then
-# KYC config
-cat <<EOF > /etc/taler/conf.d/sandcastle-kyc.conf
+if [[ ${ENABLE_KYC:-0} == 1 ]]; then
+  # KYC config
+  cat <<EOF >/etc/taler/conf.d/sandcastle-kyc.conf
 [exchange]
 enable_kyc = yes
 
@@ -477,7 +497,7 @@ EOF
 chmod 440 /etc/taler/secrets/exchange-db.secret.conf
 chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf
 
-cat <<EOF > /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+cat <<EOF >/etc/taler/secrets/exchange-accountcredentials-default.secret.conf
 [exchange-accountcredentials-default]
 WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/
 WIRE_GATEWAY_AUTH_METHOD = basic
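Review bot: Only the heredoc redirect changes here, yet this commit switches the bank's `exchange` login from `sandbox` to `get_credential_pw bank/exchange`; if the `USERNAME`/`PASSWORD` lines of `[exchange-accountcredentials-default]` that follow this context still hold the literal `sandbox`, wire-gateway authentication will fail whenever `USE_INSECURE_SANDBOX_PASSWORDS` is unset. Those lines are outside the hunk, so please confirm they now read `PASSWORD = $(get_credential_pw bank/exchange)`. The DB secret a few lines above gets `chmod 440` and a `chown`; the same treatment for this accountcredentials file is presumably applied after the heredoc but is worth verifying.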
@@ -495,7 +515,7 @@ if [[ ! -e /etc/taler/conf.d/$CURRENCY-coins.conf ]]; then
   taler-harness deployment gen-coin-config \
     --min-amount "${CURRENCY}:0.01" \
     --max-amount "${CURRENCY}:100" \
-      >"/etc/taler/conf.d/$CURRENCY-coins.conf"
+    >"/etc/taler/conf.d/$CURRENCY-coins.conf"
 fi
 
 # Add auditor user to DB group *before* running taler-exchange-dbconfig,
@@ -529,7 +549,6 @@ sudo -i -u taler-exchange-offline \
 
 systemctl enable --now taler-exchange-offline.timer
 
-
 #
 # Set up exchange auditor
 #
@@ -576,55 +595,65 @@ EOF
 systemctl enable --now taler-merchant-httpd
 taler-harness deployment wait-taler-service taler-merchant 
https://$MERCHANT_DOMAIN/config
 
+function reset_merchant_pw() {
+  pw=secret-token:$(get_credential_pw merchant/$1)
+  sudo -u taler-merchant-httpd taler-merchant-passwd $1 $pw || true
+}
+
+reset_merchant_pw default
 taler-harness deployment provision-merchant-instance \
   https://$MERCHANT_DOMAIN/ \
-  --management-token secret-token:sandbox \
-  --instance-token secret-token:sandbox \
+  --management-token secret-token:$(get_credential_pw merchant/default) \
+  --instance-token secret-token:$(get_credential_pw merchant/default) \
   --name Merchant \
   --id default \
   --payto "payto://iban/$MERCHANT_IBAN_DEFAULT?receiver-name=Merchant"
 
+reset_merchant_pw pos
 taler-harness deployment provision-merchant-instance \
   https://$MERCHANT_DOMAIN/ \
-  --management-token secret-token:sandbox \
-  --instance-token secret-token:sandbox \
+  --management-token secret-token:$(get_credential_pw merchant/default) \
+  --instance-token secret-token:$(get_credential_pw merchant/pos) \
   --name "POS Merchant" \
   --id pos \
   --payto "payto://iban/$MERCHANT_IBAN_POS?receiver-name=POS+Merchant"
 
+reset_merchant_pw blog
 taler-harness deployment provision-merchant-instance \
   https://$MERCHANT_DOMAIN/ \
-  --management-token secret-token:sandbox \
-  --instance-token secret-token:sandbox \
+  --management-token secret-token:$(get_credential_pw merchant/default) \
+  --instance-token secret-token:$(get_credential_pw merchant/blog) \
   --name "Blog Merchant" \
   --id blog \
   --payto "payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant"
 
+reset_merchant_pw gnunet
 taler-harness deployment provision-merchant-instance \
   https://$MERCHANT_DOMAIN/ \
-  --management-token secret-token:sandbox \
-  --instance-token secret-token:sandbox \
+  --management-token secret-token:$(get_credential_pw merchant/default) \
+  --instance-token secret-token:$(get_credential_pw merchant/gnunet) \
   --name "GNUnet Merchant" \
   --id gnunet \
   --payto "payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant"
 
+reset_merchant_pw taler
 taler-harness deployment provision-merchant-instance \
   https://$MERCHANT_DOMAIN/ \
-  --management-token secret-token:sandbox \
-  --instance-token secret-token:sandbox \
+  --management-token secret-token:$(get_credential_pw merchant/default) \
+  --instance-token secret-token:$(get_credential_pw merchant/taler) \
   --name "Taler Merchant" \
   --id taler \
   --payto "payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant"
 
+reset_merchant_pw tor
 taler-harness deployment provision-merchant-instance \
   https://$MERCHANT_DOMAIN/ \
-  --management-token secret-token:sandbox \
-  --instance-token secret-token:sandbox \
+  --management-token secret-token:$(get_credential_pw merchant/default) \
+  --instance-token secret-token:$(get_credential_pw merchant/tor) \
   --name "Tor Merchant" \
   --id tor \
   --payto "payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant"
 
-
 # Now we set up the taler-merchant-demos
 
 cat <<EOF >/etc/taler/taler-merchant-frontends.conf
@@ -633,18 +662,26 @@ cat <<EOF >/etc/taler/taler-merchant-frontends.conf
 # robust enough to read from the main config.
 [taler]
 CURRENCY = $CURRENCY
-[frontends]
-BACKEND = https://$MERCHANT_DOMAIN/
-BACKEND_APIKEY = secret-token:sandbox
-[landing]
+
+[frontend-demo-landing]
 SERVE = http
 HTTP_PORT = $PORT_INTERNAL_LANDING
-[blog]
+
+[frontend-demo-blog]
 SERVE = http
 HTTP_PORT = $PORT_INTERNAL_BLOG
-[donations]
+BACKEND_URL = https://$MERCHANT_DOMAIN/instances/blog/
+BACKEND_APIKEY = secret-token:$(get_credential_pw merchant/blog)
+
+[frontend-demo-donations]
 SERVE = http
 HTTP_PORT = $PORT_INTERNAL_DONATIONS
+BACKEND_URL_TOR = https://$MERCHANT_DOMAIN/instances/tor/
+BACKEND_APIKEY_TOR = secret-token:$(get_credential_pw merchant/tor)
+BACKEND_URL_TALER = https://$MERCHANT_DOMAIN/instances/taler/
+BACKEND_APIKEY_TALER = secret-token:$(get_credential_pw merchant/taler)
+BACKEND_URL_GNUNET = https://$MERCHANT_DOMAIN/instances/gnunet/
+BACKEND_APIKEY_GNUNET = secret-token:$(get_credential_pw merchant/gnunet)
 EOF
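Review bot: `/etc/taler/taler-merchant-frontends.conf` now embeds the merchant API keys (`BACKEND_APIKEY*`), but nothing in this hunk restricts its permissions, so the heredoc writes it with the default umask — typically world-readable — whereas the exchange secrets earlier in the script get `chmod 440` and a `chown`. Unless it is tightened further down, add after the heredoc e.g. `chmod 640 /etc/taler/taler-merchant-frontends.conf` and a `chown` to root and the group the taler-demo-* units run as. A comment above the heredoc, `# Contains API keys for the merchant backend; readable only by the demo frontend services`, would make the requirement visible to the next editor.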
 
 # This really should not exist, the taler-merchant-frontends
@@ -661,6 +698,5 @@ systemctl enable --now taler-demo-landing
 systemctl enable --now taler-demo-blog
 systemctl enable --now taler-demo-donations
 
-
 # FIXME: Maybe do some taler-wallet-cli test?
 # FIXME: How do we report errors occurring during the setup script?
