From af22c20c0a7ade6635c5512cef8b8d3b3bf761ee Mon Sep 17 00:00:00 2001
From: ms
Date: Thu, 16 Sep 2021 16:49:44 +0200
Subject: euFin deployment: first steps
---
 bin/taler-deployment-prepare-with-eufin | 375 ++++++++++++++++++++++++++++++++
 taler-arm/libeufin-nexus.conf | 2 +-
 taler-arm/libeufin-sandbox.conf | 4 +
 3 files changed, 380 insertions(+), 1 deletion(-)
 create mode 100755 bin/taler-deployment-prepare-with-eufin
 create mode 100644 taler-arm/libeufin-sandbox.conf
diff --git a/bin/taler-deployment-prepare-with-eufin b/bin/taler-deployment-prepare-with-eufin
new file mode 100755
index 0000000..1d373ec
--- /dev/null
+++ b/bin/taler-deployment-prepare-with-eufin
@@ -0,0 +1,375 @@
+#!/bin/bash
+
+# Prepare a deployment for execution:
+# * generate the configuration and setup database
+# * put keys in the right place
+# * set bank password for the exchange
+# * sign the exchange's wire response
+# * run some sanity checks (FIXME: not done yet!)
+
+set -eu
+
+source "$HOME/activate"
+
+# $1 = {yes,no} indicates WITH_DB_RESET. Defaults to no.
+# Helps avoiding color Y destroying the DB while color X is in
+# production.
+WITH_DB_RESET=${1-no}
+
+if [[ -z ${TALER_ENV_NAME+x} ]]; then
+ echo "TALER_ENV_NAME not set"
+ exit 1
+fi
+
+if [[ -z ${TALER_CONFIG_CURRENCY+x} ]]; then
+ echo "TALER_CONFIG_CURRENCY not set"
+ exit 1
+fi
+
+# The script stops what started along the flow.
+# This function should help against processes left
+# somehow running.
+function stop_running() {
+ taler-deployment-stop
+ for n in `jobs -p`
+ do
+ kill $n 2> /dev/null || true
+ done
+ wait
+}
+
+trap "stop_running" EXIT
+
+function generate_config() {
+ EXCHANGE_PUB=$(gnunet-ecc -p "$HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv")
+
+ mkdir -p "$HOME/.config"
+
+ taler-deployment-config-generate \
+ --exchange-pub "$EXCHANGE_PUB" \
+ --currency "$TALER_CONFIG_CURRENCY" \
+ --outdir "$HOME/.config" \
+ --envname "$TALER_ENV_NAME" \
+ --frontends-apitoken "$TALER_ENV_FRONTENDS_APITOKEN"
+}
+
+##
+## Step 1: Generate config
+##
+
+case $TALER_ENV_NAME in
+ tanker|demo|test|int|local)
+ generate_config
+ ;;
+ *)
+ echo "Not generating config for env $TALER_ENV_NAME"
+ ;;
+esac
+
+##
+## Step 1b: initialize database
+##
+
+if test $WITH_DB_RESET = yes; then
+ taler-exchange-dbinit --reset
+fi
+
+##
+## Step 2: Copy key material and update denom keys
+##
+
+# For demo, make sure the link to shared data between demo-blue and demo-green is
+# set up properly.
+case $TALER_ENV_NAME in
+ demo)
+ echo "linking taler-data"
+ ln -sfT ~demo/shared-data ~/taler-data
+ # Check if we won't mess up permissions later
+ if [[ ! -g ~/taler-data ]]; then
+ echo "the shared-data directory should have the set-group-id bit set"
+ exit 1
+ fi
+ ;;
+esac
+
+case $TALER_ENV_NAME in
+ demo|test|int|local)
+ EXCHANGE_PUB=$(gnunet-ecc -p "$HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv")
+ EXCHANGE_PRIV_FILE=$(taler-config -f -s exchange-offline -o master_priv_file)
+ if [[ -e "$EXCHANGE_PRIV_FILE" ]]; then
+ EXCHANGE_PUB2=$(gnunet-ecc -p "$EXCHANGE_PRIV_FILE")
+ if [[ "$EXCHANGE_PUB" != "$EXCHANGE_PUB2" ]]; then
+ echo "Warning: Different exchange private key already exists, not copying"
+ fi
+ else
+ mkdir -p "$(dirname "$EXCHANGE_PRIV_FILE")"
+ cp "$HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv" "$EXCHANGE_PRIV_FILE"
+ fi
+ ;;
+ *)
+ echo "Not copying key material for env $TALER_ENV_NAME"
+ ;;
+esac
+
+EXCHANGE_MASTER_PUB=$(taler-config -s exchange -o master_public_key)
+taler-auditor-exchange \
+ -m "$EXCHANGE_MASTER_PUB" \
+ -u "$(taler-config -s exchange -o base_url)" || true
+
+# Make configuration accessible to auditor
+chmod 750 "$HOME/.config"
+
+
+##
+## Step 3: Set up the exchange key material
+##
+
+taler-deployment-arm -s
+
+# Quickly start+shutdown exchange httpd and crypto SM helpers
+taler-deployment-arm -i taler-exchange
+taler-deployment-arm -i taler-exchange-secmod-rsa
+taler-deployment-arm -i taler-exchange-secmod-eddsa
+
+sleep 2 # FIXME: poll keys?
+if ! taler-deployment-arm -I | grep "^taler-exchange" | grep "status=started" > /dev/null; then
+ echo "Exchange didn't start, cannot set up keys"
+ exit 1
+fi
+if ! taler-deployment-arm -I | grep "^taler-exchange-secmod-rsa" | grep "status=started" > /dev/null; then
+ echo "Exchange (RSA module) didn't start, cannot set up keys."
+ exit 1
+fi
+
+if ! taler-deployment-arm -I | grep "^taler-exchange-secmod-eddsa" | grep "status=started" > /dev/null; then
+ echo "Exchange (EDDSA module) didn't start, cannot set up keys."
+ exit 1
+fi
+
+taler-exchange-offline download sign upload
+
+payto_uri=$(taler-config -s exchange-account-1 -o payto_uri)
+taler-exchange-offline enable-account "$payto_uri" upload
+
+# Set up wire fees for next 5 years
+year=$(date +%Y)
+curr=$TALER_CONFIG_CURRENCY
+for y in $(seq $year $((year + 5))); do
+ taler-exchange-offline wire-fee $y x-taler-bank "$curr:0.01" "$curr:0.01" upload
+done
+
+taler-deployment-arm -k taler-exchange
+taler-deployment-arm -k taler-exchange-secmod-rsa
+taler-deployment-arm -k taler-exchange-secmod-eddsa
+
+# Give time to store to disk.
+sleep 5
+
+##
+## Step 4: Set up euFin
+##
+
+function prepare_sandbox_account() {
+ echo -n "Activating ebics subscriber $1 at the sandbox ..."
+ libeufin-cli \
+ sandbox --sandbox-url=$SANDBOX_URL \
+ ebicssubscriber create \
+ --host-id=$EBICS_HOST \
+ --partner-id=$2 \
+ --user-id=$1
+ echo " OK"
+ echo -n "Giving a bank account ($4) to $1 ..."
+ libeufin-cli \
+ sandbox --sandbox-url=$SANDBOX_URL \
+ ebicsbankaccount create \
+ --iban=$5 \
+ --bic="BCMAESM1XXX"\
+ --person-name="$3" \
+ --account-name=$4 \
+ --ebics-user-id=$1 \
+ --ebics-host-id=$EBICS_HOST \
+ --ebics-partner-id=$2 \
+ --currency=$CURRENCY
+ echo " OK"
+}
+
+SANDBOX_SQLITE_FILE="$HOME/sandbox.sqlite"
+NEXUS_SQLITE_FILE="$HOME/nexus.sqlite"
+
+NEXUS_URL="http://localhost:5001/"
+SANDBOX_URL="http://localhost:5000/"
+
+
+# Deleting old data:
+rm $SANDBOX_SQLITE_FILE
+rm $NEXUS_SQLITE_FILE
+
+export LIBEUFIN_NEXUS_DB_CONNECTION="jdbc:sqlite:$SANDBOX_SQLITE_FILE"
+export LIBEUFIN_SANDBOX_DB_CONNECTION="jdbc:sqlite:$NEXUS_SQLITE_FILE"
+
+taler-deployment-arm -i libeufin-nexus
+taler-deployment-arm -i libeufin-sandbox
+
+if ! curl -s --retry 5 --retry-connrefused $SANDBOX_URL > /dev/null; then
+ echo "Could not launch Sandbox"
+ stop_running
+ exit 1
+fi
+
+if ! curl -s --retry 5 --retry-connrefused $NEXUS_URL > /dev/null; then
+ echo "Could not launch Nexus"
+ stop_running
+ exit 1
+fi
+
+EBICS_HOST="ebicsDeployedHost"
+
+echo -n "Preparing Sandbox ..."
+libeufin-cli \
+ sandbox --sandbox-url=$SANDBOX_URL \
+ ebicshost create \
+ --host-id=$EBICS_HOST
+echo " OK"
+
+echo -n "Preparing accounts ..."
+# note: Ebisc schema doesn't allow dashed names.
+prepare_sandbox_account \
+ ebicsuserExchange \
+ ebicspartnerExchange \
+ "Person Exchange" \
+ sandbox-account-exchange \
+ $IBAN_EXCHANGE
+prepare_sandbox_account \
+ ebicsuserMerchant \
+ ebicspartnerMerchant \
+ "Person Merchant" \
+ sandbox-account-merchant \
+ $IBAN_MERCHANT
+prepare_sandbox_account \
+ ebicsuserCustomer \
+ ebicspartnerCustomer \
+ "Person Customer" \
+ sandbox-account-customer \
+ $IBAN_CUSTOMER
+echo "Sandbox preparation done"
+
+# Only the exchange needs Nexus.
+echo -n "Preparing Nexus ..."
+export LIBEUFIN_NEXUS_URL=$NEXUS_URL
+EXCHANGE_NEXUS_USERNAME=exchange-nexus-user
+EXCHANGE_NEXUS_PASSWORD=exchange-nexus-password
+libeufin-nexus superuser $EXCHANGE_NEXUS_USERNAME --password=$EXCHANGE_NEXUS_PASSWORD
+echo " OK"
+export LIBEUFIN_NEXUS_USERNAME=$EXCHANGE_NEXUS_USERNAME
+export LIBEUFIN_NEXUS_PASSWORD=$EXCHANGE_NEXUS_PASSWORD
+
+# FIXME: this command below likely not needed. Please
+# remove, run the test, and commit+push if it still works!
+prepare_nexus_account \
+ ebicsuserExchange \
+ ebicspartnerExchange \
+ bankconnection-exchange \
+ nexus-bankaccount-exchange \
+ sandbox-account-exchange
+
+echo -n "Create Taler facade ..."
+libeufin-cli facades new-taler-wire-gateway-facade \
+ --currency=$TALER_CONFIG_CURRENCY \
+ --facade-name=facade-exchange \
+ bankconnection-exchange nexus-bankaccount-exchange
+echo " OK"
+FACADE_URL=$(libeufin-cli facades list | jq .facades[0].baseUrl | tr -d \")
+
+taler-deployment-arm -k libeufin-nexus
+taler-deployment-arm -k libeufin-sandbox
+
+# For now, override what the non-euFin deployment put
+# in the configuration. Later, the three values below
+# will be specified by the "config generator".
+taler-config -s exchange-accountcredentials-1 \
+ -o WIRE_GATEWAY_URL \
+ -V "${FACADE_URL}"
+
+taler-config -s exchange-accountcredentials-1 \
+ -o USERNAME \
+ -V "${EXCHANGE_NEXUS_USERNAME}"
+
+taler-config -s exchange-accountcredentials-1 \
+ -o PASSWORD \
+ -V "${EXCHANGE_NEXUS_PASSWORD}"
+
+##
+## Step 5: Adjust some permissions
+##
+
+case $TALER_ENV_NAME in
+ demo|test|int)
+ # Make sure the web server can read ~/local
+ chmod og+rx ~/local
+
+ # Make sure that shared files created by this user
+ # are group writable and readable.
+ find ~/taler-data/ -user "$USER" -exec chmod g+rw {} \;
+ ;;
+ *)
+ ;;
+esac
+
+##
+## Step 6: Set up merchant
+##
+
+if test $WITH_DB_RESET = yes; then
+ taler-merchant-dbinit --reset
+fi
+
+# Making sure ARM is not running yet.
+taler-deployment-arm -e
+
+# Need the following services to config instances and tip reserve:
+taler-deployment-arm -s
+taler-deployment-arm -i taler-merchant
+taler-deployment-arm -i taler-demobank
+
+taler-deployment-arm -i taler-exchange
+taler-deployment-arm -i taler-exchange-secmod-rsa
+taler-deployment-arm -i taler-exchange-secmod-eddsa
+sleep 5
+
+if ! taler-deployment-arm -I | grep "^taler-merchant" | grep "status=started" > /dev/null; then
+ echo "Merchant didn't start, cannot configure instances / create tip reserve."
+ exit 1
+fi
+
+if ! taler-deployment-arm -I | grep "^taler-demobank" | grep "status=started" > /dev/null; then
+ echo "Bank didn't start, cannot create tip reserve."
+ exit 1
+fi
+
+if ! taler-deployment-arm -I | grep "^taler-exchange" | grep "status=started" > /dev/null; then
+ echo "Exchange didn't start, cannot create tip reserve."
+ exit 1
+fi
+
+if ! taler-deployment-arm -I | grep "^taler-exchange-secmod-rsa" | grep "status=started" > /dev/null; then
+ echo "Exchange (RSA module) didn't start, cannot create tip reserve."
+ exit 1
+fi
+
+if ! taler-deployment-arm -I | grep "^taler-exchange-secmod-eddsa" | grep "status=started" > /dev/null; then
+ echo "Exchange (EDDSA module) didn't start, cannot create tip reserve."
+ exit 1
+fi
+
+echo "Configuring instances"
+taler-deployment-config-instances
+
+echo "Creating tip reserve"
+taler-deployment-config-tips
+
+taler-deployment-arm -k taler-merchant
+taler-deployment-arm -k taler-demobank
+taler-deployment-arm -k taler-exchange
+taler-deployment-arm -k taler-exchange-secmod-rsa
+taler-deployment-arm -k taler-exchange-secmod-eddsa
+taler-deployment-arm -e
diff --git a/taler-arm/libeufin-nexus.conf b/taler-arm/libeufin-nexus.conf
index c653abe..dbb3db6 100644
--- a/taler-arm/libeufin-nexus.conf
+++ b/taler-arm/libeufin-nexus.conf
@@ -1,4 +1,4 @@
 [libeufin-nexus]
 TYPE = simple
 BINARY = taler-log-adapter
-OPTIONS = $HOME/logs/nexus-%Y-%m-%d.log nexus serve
+OPTIONS = $HOME/logs/nexus-%Y-%m-%d.log libeufin-nexus serve
diff --git a/taler-arm/libeufin-sandbox.conf b/taler-arm/libeufin-sandbox.conf
new file mode 100644
index 0000000..7da437f
--- /dev/null
+++ b/taler-arm/libeufin-sandbox.conf
@@ -0,0 +1,4 @@
+[libeufin-sandbox]
+TYPE = simple
+BINARY = taler-log-adapter
+OPTIONS = $HOME/logs/sandbox-%Y-%m-%d.log libeufin-sandbox serve
-- cgit v1.2.3
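Review bot: `prepare_nexus_account` is called right after the `libeufin-nexus superuser` step but is never defined in this file, so unless `$HOME/activate` happens to provide it the run aborts there with exit 127 under `set -eu`; `$IBAN_EXCHANGE`, `$IBAN_MERCHANT`, `$IBAN_CUSTOMER` and the `$CURRENCY` used inside `prepare_sandbox_account` (the rest of the script uses `$TALER_CONFIG_CURRENCY`) are likewise never assigned here and trip `set -u` if the sourced file does not export them. The two JDBC exports are crossed — `LIBEUFIN_NEXUS_DB_CONNECTION` points at `$SANDBOX_SQLITE_FILE` and `LIBEUFIN_SANDBOX_DB_CONNECTION` at `$NEXUS_SQLITE_FILE` — and the preceding `rm $SANDBOX_SQLITE_FILE` / `rm $NEXUS_SQLITE_FILE` fail on a first run where neither file exists yet; `rm -f -- "$SANDBOX_SQLITE_FILE" "$NEXUS_SQLITE_FILE"` plus swapping the two file names in the exports fixes both. The Nexus superuser password is the fixed string `exchange-nexus-password`: it is passed as `--password=` on the `libeufin-nexus superuser` command line (readable in the process list), exported as `LIBEUFIN_NEXUS_PASSWORD` to every later child process, and written into `exchange-accountcredentials-1` via `taler-config -V`; generate it per deployment (e.g. `EXCHANGE_NEXUS_PASSWORD=$(openssl rand -base64 24)`) and make sure the resulting config file is readable only by the exchange user. Finally, `FACADE_URL` can use `jq -r .facades[0].baseUrl` instead of stripping quotes with `tr -d \"`, and the `$SANDBOX_URL`/`$NEXUS_URL` expansions passed to `curl` and `libeufin-cli` should be quoted.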