diff options
Diffstat (limited to 'sandcastle-ng')
-rwxr-xr-x | sandcastle-ng/scripts/test/setup-sandcastle.sh | 511 |
1 files changed, 511 insertions, 0 deletions
diff --git a/sandcastle-ng/scripts/test/setup-sandcastle.sh b/sandcastle-ng/scripts/test/setup-sandcastle.sh new file mode 100755 index 0000000..00f30a9 --- /dev/null +++ b/sandcastle-ng/scripts/test/setup-sandcastle.sh @@ -0,0 +1,511 @@ +#!/usr/bin/env bash + +# This scripts provisions all configuration and +# services for the Taler sandcastle container. +# +# Important: This script needs to be completely +# idempotent, nothing must break if it is executed +# multiple times. + +set -eu +set -x + +if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then + echo "skipping sandcastle setup, requested by environment var SANDCASTLE_SKIP_SETUP" + exit 1 +fi + +echo "Provisioning sandcastle" + +# General configuration. +# Might eventually be moved to an external file. + +CURRENCY=TESTKUDOS +EXCHANGE_IBAN=DE159593 +EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN +EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc" +EXCHANGE_BANK_PASSWORD=sandbox + +# Randomly generated IBANs for the merchants +MERCHANT_IBAN_DEFAULT=DE5135717 +MERCHANT_IBAN_POS=DE4218710 +MERCHANT_IBAN_BLOG=DE8292195 +MERCHANT_IBAN_GNUNET=DE9709960 +MERCHANT_IBAN_TALER=DE1740597 +MERCHANT_IBAN_TOR=DE2648777 +MERCHANT_IBAN_SURVEY=DE0793060 + +MYDOMAIN=test.taler.net +LANDING_DOMAIN=$MYDOMAIN +BANK_DOMAIN=bank.$MYDOMAIN +EXCHANGE_DOMAIN=exchange.$MYDOMAIN +MERCHANT_DOMAIN=backend.$MYDOMAIN +BLOG_DOMAIN=shop.$MYDOMAIN +DONATIONS_DOMAIN=donations.$MYDOMAIN +SURVEY_DOMAIN=survey.$MYDOMAIN + +# Ports of the services running inside the container. +# Should be synchronized with the sandcastle-run script. +PORT_INTERNAL_EXCHANGE=8201 +PORT_INTERNAL_MERCHANT=8301 +PORT_INTERNAL_LIBEUFIN_BANK=8080 +PORT_INTERNAL_LANDING=8501 +PORT_INTERNAL_BLOG=8502 +PORT_INTERNAL_DONATIONS=8503 +PORT_INTERNAL_SURVEY=8504 +PORT_INTERNAL_BANK_SPA=8505 + +# Just make sure the services are stopped +systemctl stop taler-exchange.target +systemctl stop taler-merchant-httpd.service +systemctl stop postgresql.service +systemctl stop taler-demo-landing.service +systemctl stop taler-demo-blog.service +systemctl stop taler-demo-donations.service +systemctl stop taler-demo-survey.service +systemctl stop libeufin-bank.service + +# We now make sure that some important locations are symlinked to +# the persistent storage volume. +# Files that already exist in this location are moved to the storage volume +# and then symlinked. +# These locations are: +# /etc/taler +# /etc/libeufin-bank +# /var/lib/taler +# postgres DB directory + +function lift_dir() { + src=$1 + target=$2 + if [[ -L "$src" ]]; then + # be idempotent + echo "$src is already a symlink" + elif [[ -d /talerdata/$target ]]; then + echo "symlinking existing /talerdata/$target" + rm -rf "$src" + ln -s "/talerdata/$target" "$src" + else + echo "symlinking new /talerdata/$target" + mv "$src" "/talerdata/$target" + ln -s "/talerdata/$target" "$src" + fi +} + +lift_dir /var/lib/taler var-lib-taler +lift_dir /etc/taler etc-taler +lift_dir /etc/libeufin-bank etc-libeufin-bank +lift_dir /var/lib/postgresql var-lib-postgresql +lift_dir /usr/share/taler/terms usr-share-taler-terms + +# Caddy configuration. +# We use the caddy reverse proxy with automatic +# internal TLS setup to ensure that the services are +# reachable inside the container without any external +# DNS setup under the same domain name and with TLS +# from inside the container. + +systemctl stop caddy.service + +cat <<EOF > /etc/caddy/Caddyfile +https://$BANK_DOMAIN { + tls internal + reverse_proxy :8080 { + # libeufin-bank should eventually not require this anymore, + # but currently doesn't work without this header. + header_up X-Forwarded-Prefix "" + } +} + +https://$EXCHANGE_DOMAIN { + tls internal + reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock +} + +https://$MERCHANT_DOMAIN { + tls internal + reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock +} + +# Services that only listen on unix domain sockets +# are reverse-proxied to serve on a TCP port. + +:$PORT_INTERNAL_EXCHANGE { + reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock +} + +:$PORT_INTERNAL_MERCHANT { + reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock { + # Set this, or otherwise wrong taler://pay URIs will be generated. + header_up X-Forwarded-Proto "https" + } +} + +:$PORT_INTERNAL_BANK_SPA { + root * /usr/share/libeufin-bank/spa + root /demobank-ui-settings.js /etc/libeufin-bank/ + file_server +} +EOF + +cat <<EOF >> /etc/hosts +# Start of Taler Sandcastle Domains +127.0.0.1 $LANDING_DOMAIN +127.0.0.1 $BANK_DOMAIN +127.0.0.1 $EXCHANGE_DOMAIN +127.0.0.1 $MERCHANT_DOMAIN +127.0.0.1 $BLOG_DOMAIN +127.0.0.1 $DONATIONS_DOMAIN +127.0.0.1 $SURVEY_DOMAIN +# End of Taler Sandcastle Domains +EOF + +systemctl start caddy.service + +# Install local, internal CA certs for caddy +caddy trust + +systemctl start postgresql.service + +# Set up bank + +BANK_DB=libeufinbank +# Use "|| true" to continue if these already exist. +sudo -i -u postgres createuser -d libeufin-bank || true +sudo -i -u postgres createdb -O libeufin-bank $BANK_DB || true + +sudo -i -u libeufin-bank libeufin-bank dbinit + +cat <<EOF >/etc/libeufin-bank/libeufin-bank.conf +[libeufin-bank] +CURRENCY = $CURRENCY +DEFAULT_CUSTOMER_DEBT_LIMIT = $CURRENCY:5000 +DEFAULT_ADMIN_DEBT_LIMIT = $CURRENCY:200000000000 +REGISTRATION_BONUS = $CURRENCY:100 +REGISTRATION_BONUS_ENABLED = yes +SPA_CAPTCHA_URL = https://$BANK_DOMAIN/webui/#/operation/{woid} +SUGGESTED_WITHDRAWAL_EXCHANGE = https://$EXCHANGE_DOMAIN/ + +[currency-$CURRENCY] +ENABLED = YES +name = "$CURRENCY (Taler Demonstrator)" +code = "$CURRENCY" +decimal_separator = "." +fractional_input_digits = 2 +fractional_normal_digits = 2 +fractional_trailing_zero_digits = 2 +is_currency_name_leading = NO +alt_unit_names = {"0":"$CURRENCY"} +EOF + +cat <<EOF >/etc/libeufin-bank/demobank-ui-settings.js +globalThis.talerDemobankSettings = { + // Only Admin adds users + allowRegistrations: false, + bankName: "Taler Bank", + allowRegistrations: true, + simplePasswordForRandomAccounts: true, + allowRandomAccountCreation: true, + // Show explainer text and navbar to other demo sites + showDemoNav: false, + demoSites: [ + ["Landing", "https://$LANDING_DOMAIN/"], + ["Bank", "https://$BANK_DOMAIN/"], + ["Essay Shop", "https://$BLOG_DOMAIN/"], + ["Donations", "https://$DONATIONS_DOMAIN/"], + ["Survey", "https://$SURVEY_DOMAIN/"], + ], + backendBaseURL: "https://$BANK_DOMAIN/", +}; +EOF + +systemctl enable --now libeufin-bank.service + +# TODO: Create accounts for exchange and merchants + +taler-harness deployment wait-taler-service libeufin-bank https://$BANK_DOMAIN/config +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login exchange --exchange --public \ + --payto $EXCHANGE_PLAIN_PAYTO \ + --name Exchange \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-default --public \ + --payto "payto://iban/$MERCHANT_IBAN_DEFAULT" \ + --name "Default Demo Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-pos --public \ + --payto "payto://iban/$MERCHANT_IBAN_POS" \ + --name "PoS Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-blog --public \ + --payto "payto://iban/$MERCHANT_IBAN_BLOG" \ + --name "Blog Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-gnunet --public \ + --payto "payto://iban/$MERCHANT_IBAN_GNUNET" \ + --name "GNUnet Donations Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-taler --public \ + --payto "payto://iban/$MERCHANT_IBAN_TALER" \ + --name "Taler Donations Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-tor --public \ + --payto "payto://iban/$MERCHANT_IBAN_TOR" \ + --name "Tor Donations Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-survey --public \ + --payto "payto://iban/$MERCHANT_IBAN_SURVEY" \ + --name "Tor Survey Merchant" \ + --password sandbox + +# Set up exchange + +MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LDEBUG setup) + +EXCHANGE_DB=talerexchange +# Use "|| true" to continue if these already exist. +sudo -i -u postgres createuser -d taler-exchange-httpd || true +sudo -i -u postgres createuser taler-exchange-wire || true +sudo -i -u postgres createuser taler-exchange-closer || true +sudo -i -u postgres createuser taler-exchange-aggregator || true +sudo -i -u postgres createdb -O taler-exchange-httpd $EXCHANGE_DB || true + +# Generate /etc/taler/conf.d/setup.conf +cat <<EOF > /etc/taler/conf.d/setup.conf +[taler] +CURRENCY = $CURRENCY +CURRENCY_ROUND_UNIT = $CURRENCY:0.01 + +[currency-$CURRENCY] +ENABLED = YES +name = "$CURRENCY (Taler Demonstrator)" +code = "$CURRENCY" +decimal_separator = "." +fractional_input_digits = 2 +fractional_normal_digits = 2 +fractional_trailing_zero_digits = 2 +is_currency_name_leading = NO +alt_unit_names = {"0":"$CURRENCY"} + +[exchange] +AML_THRESHOLD = $CURRENCY:1000000 +MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY +BASE_URL = https://$EXCHANGE_DOMAIN/ + +[exchange-account-default] +PAYTO_URI = $EXCHANGE_FULL_PAYTO +ENABLE_DEBIT = YES +ENABLE_CREDIT = YES +@inline-secret@ exchange-accountcredentials-default ../secrets/exchange-accountcredentials-default.secret.conf +EOF + +cat <<EOF >/etc/taler/secrets/exchange-db.secret.conf +[exchangedb-postgres] +CONFIG=postgres:///${EXCHANGE_DB} +EOF +chmod 440 /etc/taler/secrets/exchange-db.secret.conf +chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf + +cat <<EOF > /etc/taler/secrets/exchange-accountcredentials-default.secret.conf +[exchange-accountcredentials-default] +WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/ +WIRE_GATEWAY_AUTH_METHOD = basic +USERNAME = exchange +PASSWORD = ${EXCHANGE_BANK_PASSWORD} +EOF +chmod 400 /etc/taler/secrets/exchange-accountcredentials-default.secret.conf +chown taler-exchange-wire:taler-exchange-db /etc/taler/secrets/exchange-accountcredentials-default.secret.conf + +if [[ ! -e /etc/taler/conf.d/$CURRENCY-coins.conf ]]; then + # Only create if necessary, as each [COIN-...] section + # has a unique name with a timestamp. + taler-harness deployment gen-coin-config \ + --min-amount "${CURRENCY}:0.01" \ + --max-amount "${CURRENCY}:100" \ + >"/etc/taler/conf.d/$CURRENCY-coins.conf" +fi + +echo "Initializing exchange database" +sudo -u taler-exchange-httpd taler-exchange-dbinit -LDEBUG -c /etc/taler/taler.conf + +echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} + +echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} + +echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} +echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB} + + +# # The ToS generator is currently borked, we don't generated ToS until that's fixed. +TOS_PATH=/usr/share/taler/terms +if [[ ! -e "$TOS_PATH/stamp-generated" ]]; then + # ToS generator is picky about the path that it is being run from + cd $TOS_PATH + taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en + taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en + taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH + taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH + touch "$TOS_PATH/stamp-generated" + cd - +fi + +systemctl enable --now taler-exchange.target + +taler-harness deployment wait-taler-service taler-exchange https://$EXCHANGE_DOMAIN/config +taler-harness deployment wait-endpoint https://$EXCHANGE_DOMAIN/management/keys + +sudo -i -u taler-exchange-offline \ + taler-exchange-offline \ + -c /etc/taler/taler.conf \ + download \ + sign \ + upload + +sudo -i -u taler-exchange-offline \ + taler-exchange-offline \ + enable-account "${EXCHANGE_FULL_PAYTO}" \ + wire-fee now iban "${CURRENCY}":0 "${CURRENCY}":0 \ + global-fee now "${CURRENCY}":0 "${CURRENCY}":0 "${CURRENCY}":0 1h 6a 0 \ + upload + +# Set up merchant backend + +MERCHANT_DB=talermerchant +# Use "|| true" to continue if these already exist. +sudo -i -u postgres createuser -d taler-merchant-httpd || true +sudo -i -u postgres createdb -O taler-merchant-httpd $MERCHANT_DB || true + +cat <<EOF >/etc/taler/secrets/merchant-db.secret.conf +[merchantdb-postgres] +CONFIG=postgres:///${MERCHANT_DB} +EOF +chmod 440 /etc/taler/secrets/merchant-db.secret.conf +chown taler-merchant-httpd:root /etc/taler/secrets/merchant-db.secret.conf + +sudo -u taler-merchant-httpd taler-merchant-dbinit -c /etc/taler/taler.conf + +cat <<EOF >/etc/taler/conf.d/merchant-exchanges.conf +[merchant-exchange-sandcastle] +EXCHANGE_BASE_URL = https://$EXCHANGE_DOMAIN/ +MASTER_KEY = $MASTER_PUBLIC_KEY +CURRENCY = $CURRENCY +EOF + +systemctl enable --now taler-merchant-httpd +taler-harness deployment wait-taler-service taler-merchant https://$MERCHANT_DOMAIN/config + +taler-harness deployment provision-merchant-instance \ + https://$MERCHANT_DOMAIN/ \ + --management-token secret-token:sandbox \ + --instance-token secret-token:sandbox \ + --name Merchant \ + --id default \ + --payto "payto://iban/$MERCHANT_IBAN_DEFAULT?receiver-name=Merchant" + +taler-harness deployment provision-merchant-instance \ + https://$MERCHANT_DOMAIN/ \ + --management-token secret-token:sandbox \ + --instance-token secret-token:sandbox \ + --name "POS Merchant" \ + --id pos \ + --payto "payto://iban/$MERCHANT_IBAN_POS?receiver-name=POS+Merchant" + +taler-harness deployment provision-merchant-instance \ + https://$MERCHANT_DOMAIN/ \ + --management-token secret-token:sandbox \ + --instance-token secret-token:sandbox \ + --name "Blog Merchant" \ + --id blog \ + --payto "payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant" + +taler-harness deployment provision-merchant-instance \ + https://$MERCHANT_DOMAIN/ \ + --management-token secret-token:sandbox \ + --instance-token secret-token:sandbox \ + --name "GNUnet Merchant" \ + --id gnunet \ + --payto "payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant" + +taler-harness deployment provision-merchant-instance \ + https://$MERCHANT_DOMAIN/ \ + --management-token secret-token:sandbox \ + --instance-token secret-token:sandbox \ + --name "Taler Merchant" \ + --id taler \ + --payto "payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant" + +taler-harness deployment provision-merchant-instance \ + https://$MERCHANT_DOMAIN/ \ + --management-token secret-token:sandbox \ + --instance-token secret-token:sandbox \ + --name "Tor Merchant" \ + --id tor \ + --payto "payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant" + + +# Now we set up the taler-merchant-demos + +cat <<EOF >/etc/taler/taler-merchant-frontends.conf +# Different entry point, we need to repeat some settings. +# In the future, taler-merchant-demos should become +# robust enough to read from the main config. +[taler] +CURRENCY = $CURRENCY +[frontends] +BACKEND = https://$MERCHANT_DOMAIN/ +BACKEND_APIKEY = secret-token:sandbox +[landing] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_LANDING +[blog] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_BLOG +[donations] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_DONATIONS +[survey] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_SURVEY +EOF + +# This really should not exist, the taler-merchant-frontends +# should be easier to configure! +cat <<EOF >/etc/taler/taler-merchant-frontends.env +TALER_ENV_URL_INTRO=https://$LANDING_DOMAIN/ +TALER_ENV_URL_LANDING=https://$LANDING_DOMAIN/ +TALER_ENV_URL_BANK=https://$BANK_DOMAIN/ +TALER_ENV_URL_MERCHANT_BLOG=https://$BLOG_DOMAIN/ +TALER_ENV_URL_MERCHANT_DONATIONS=https://$DONATIONS_DOMAIN/ +TALER_ENV_URL_MERCHANT_SURVEY=https://$SURVEY_DOMAIN/ +EOF + +systemctl enable --now taler-demo-landing +systemctl enable --now taler-demo-blog +systemctl enable --now taler-demo-donations +systemctl enable --now taler-demo-survey + + +# FIXME: Maybe do some taler-wallet-cli test? +# FIXME: How do we report errors occurring during the setup script? |