sandcastle-ng

Scripts for the deployment of Sandcastle (GNU Taler)

commit 917d79505812d9f93c68957464dc8ed8f93dab27
parent 4c44210b9e53c52a580aafb53092d5bae877a2e7
Author: Florian Dold <florian@dold.me>
Date:   Tue,  3 Sep 2024 17:25:09 +0200

generate and use proper credentials

Diffstat:
MDockerfile | 3++-
Mbuildconfig/challenger.tag | 2+-
Mbuildconfig/exchange.tag | 2+-
Mbuildconfig/gnunet.tag | 2+-
Mbuildconfig/libeufin.tag | 2+-
Mbuildconfig/merchant-demos.tag | 2+-
Mbuildconfig/merchant.tag | 2+-
Mbuildconfig/sync.tag | 2+-
Mbuildconfig/wallet.tag | 2+-
Msandcastle-run | 14+++++++++-----
Mscripts/demo/setup-sandcastle.sh | 118+++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------
11 files changed, 96 insertions(+), 55 deletions(-)

diff --git a/Dockerfile b/Dockerfile @@ -255,7 +255,8 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get -y upgrade && apt-g less \ caddy \ systemd-coredump \ - libnss3-tools + libnss3-tools \ + uuid-runtime RUN mkdir -p /packages COPY --from=gnunet /packages/gnunet/* /packages/ diff --git a/buildconfig/challenger.tag b/buildconfig/challenger.tag @@ -1 +1 @@ -v0.12.1-dev.10 +v0.13.0 diff --git a/buildconfig/exchange.tag b/buildconfig/exchange.tag @@ -1 +1 @@ -v0.12.1-dev.23 +v0.13.0 diff --git a/buildconfig/gnunet.tag b/buildconfig/gnunet.tag @@ -1 +1 @@ -v0.21.3-talerdev.1 +v0.22.0 diff --git a/buildconfig/libeufin.tag b/buildconfig/libeufin.tag @@ -1 +1 @@ -v0.12.0 +v0.13.0 diff --git a/buildconfig/merchant-demos.tag b/buildconfig/merchant-demos.tag @@ -1 +1 @@ -v0.10.1 +v0.13.0-dev.2 diff --git a/buildconfig/merchant.tag b/buildconfig/merchant.tag @@ -1 +1 @@ -v0.12.1-dev.2 +v0.13.0 diff --git a/buildconfig/sync.tag b/buildconfig/sync.tag @@ -1 +1 @@ -v0.11.1 +v0.13.1 diff --git a/buildconfig/wallet.tag b/buildconfig/wallet.tag @@ -1 +1 @@ -v0.12.9 +v0.13.1 diff --git a/sandcastle-run b/sandcastle-run @@ -25,12 +25,12 @@ PORT_INTERNAL_BANK_SPA=8505 PORT_INTERNAL_CHALLENGER=8506 PORT_INTERNAL_AUDITOR=8507 -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) cd $SCRIPT_DIR existing_id=$(podman ps -q -a -f=name=taler-sandcastle) -if [[ ! -z "$existing_id" ]]; then +if [[ -n $existing_id ]]; then echo "removing existing taler-sandcastle container $existing_id" podman rm "$existing_id" fi 
@@ -38,12 +38,15 @@ fi # We need to be careful with SELinux when using volume mounts, relabel! SETUP_NAME=${SANDCASTLE_SETUP_NAME:-demo} -if [[ ! -z "${SANDCASTLE_OVERRIDE_NAME:-}" ]]; then - OVERRIDES="-v $PWD/overrides/${SANDCASTLE_OVERRIDE_NAME}:/overrides:Z" +if [[ -n ${SANDCASTLE_OVERRIDE_NAME:-} ]]; then + OVERRIDES="-v $PWD/overrides/${SANDCASTLE_OVERRIDE_NAME}:/overrides:Z" else - OVERRIDES="" + OVERRIDES="" fi +# Will be mounted inside the container +mkdir -p credentials + # Beware: It is futile to pass environment variables to the container here, # as they will not be available in the systemd unit that provisions the # services in the container. @@ -66,6 +69,7 @@ exec podman run \ -v talerdata:/talerdata:Z \ -v talerdata_persistent:/talerdata_persistent:Z \ $OVERRIDES \ + -v $PWD/credentials:/credentials:Z \ -v $PWD/data:/data:Z \ -v $PWD/scripts:/scripts:Z \ -v $PWD/scripts/$SETUP_NAME:/provision:Z \ diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh @@ -10,7 +10,7 @@ set -eu set -x -if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then +if [[ -n ${SANDCASTLE_SKIP_SETUP:-} ]]; then echo "skipping sandcastle setup, requested by environment var SANDCASTLE_SKIP_SETUP" exit 1 fi @@ -61,7 +61,6 @@ PORT_INTERNAL_BANK_SPA=8505 PORT_INTERNAL_CHALLENGER=8506 PORT_INTERNAL_AUDITOR=8507 - # Just make sure the services are stopped systemctl stop taler-auditor.target systemctl stop taler-exchange.target @@ -92,7 +91,7 @@ systemctl reset-failed function lift_dir() { src=$1 target=$2 - if [[ -L "$src" ]]; then + if [[ -L $src ]]; then # be idempotent echo "$src is already a symlink" elif [[ -d /talerdata/$target ]]; then @@ -109,7 +108,7 @@ function lift_dir() { function persist_exchange_key() { src=$1 target=$2 - if [[ -L "$src" ]]; then + if [[ -L $src ]]; then # be idempotent echo "$src is already a symlink" elif [[ -d /talerdata_persistent/$target ]]; then 
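Review bot: `mkdir -p credentials` creates the host-side directory with the default umask, and because it is bind-mounted at `/credentials` to hold the generated passwords, those files end up readable by any local user on the host unless the mode is restricted. Creating it with `mkdir -p -m 0700 credentials` keeps the secrets limited to the invoking user; under rootless podman the container's root maps to that user, so the mount should remain usable, though this is worth verifying on the target setup. The same consideration applies to the mount line added in the next hunk (`-v $PWD/credentials:/credentials:Z`), which is otherwise fine.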
@@ -133,6 +132,20 @@ lift_dir /etc/taler etc-challenger lift_dir /var/lib/postgresql var-lib-postgresql persist_exchange_key /var/lib/taler/exchange-offline exchange-offline +# Usage: get_credential_pw COMPONENT/ACCOUNT +function get_credential_pw() { + if [[ ${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then + echo "sandbox" + return + fi + p=/credentials/$1 + if [[ ! -f $p ]]; then + mkdir -p $(dirname "$p") + uuidgen -r >$p + fi + cat "$p" +} + # Caddy configuration. # We use the caddy reverse proxy with automatic # internal TLS setup to ensure that the services are @@ -142,7 +155,7 @@ persist_exchange_key /var/lib/taler/exchange-offline exchange-offline systemctl stop caddy.service -cat <<EOF > /etc/caddy/Caddyfile +cat <<EOF >/etc/caddy/Caddyfile # Internally reverse-proxy https://, # so that service can talk to each other via @@ -224,7 +237,7 @@ https://$CHALLENGER_DOMAIN { } EOF -cat <<EOF >> /etc/hosts +cat <<EOF >>/etc/hosts # Start of Taler Sandcastle Domains 127.0.0.1 $LANDING_DOMAIN 127.0.0.1 $BANK_DOMAIN 
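Review bot: `uuidgen -r >$p` writes the generated password under the script's current umask with no explicit mode, so the credential files are likely group- and world-readable inside the container and, through the bind mount, on the host; `mkdir -p $(dirname "$p")` likewise leaves the per-component directory at the default mode. The script also runs with `set -x` (visible as context in the earlier hunk around line 11), so every `$(get_credential_pw …)` expansion and `passwd` invocation later in the file echoes the secret into the setup log — consider `set +x` around the credential section, or at least a comment stating that the trace contains secrets. `p` should also be declared `local` so the helper does not leave a global behind. The rewrite below restricts the umask while the file is created and quotes the expansions; behaviour for the `USE_INSECURE_SANDBOX_PASSWORDS=1` path is unchanged.
```shell
# Usage: get_credential_pw COMPONENT/ACCOUNT
function get_credential_pw() {
  local p
  if [[ ${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then
    echo "sandbox"
    return
  fi
  p=/credentials/$1
  if [[ ! -f $p ]]; then
    mkdir -p -m 0700 "$(dirname "$p")"
    # Generated passwords are secrets: create the file without group/other access.
    (umask 077; uuidgen -r >"$p")
  fi
  cat "$p"
}
```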
@@ -305,53 +318,60 @@ EOF libeufin-dbconfig sudo -i -u libeufin-bank libeufin-bank edit-account admin --debit_threshold=$CURRENCY:1000000 -sudo -i -u libeufin-bank libeufin-bank passwd admin sandbox +sudo -i -u libeufin-bank libeufin-bank passwd admin $(get_credential_pw bank/admin) systemctl enable --now libeufin-bank.service taler-harness deployment wait-taler-service taler-corebank https://$BANK_DOMAIN/config +sudo -i -u libeufin-bank libeufin-bank passwd exchange $(get_credential_pw bank/exchange) || true taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ --login exchange --exchange --public \ --payto $EXCHANGE_PLAIN_PAYTO \ --name Exchange \ - --password sandbox + --password $(get_credential_pw bank/exchange) +sudo -i -u libeufin-bank libeufin-bank passwd merchant-default $(get_credential_pw bank/merchant-default) || true taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ --login merchant-default --public \ --payto "payto://iban/$MERCHANT_IBAN_DEFAULT" \ --name "Default Demo Merchant" \ - --password sandbox + --password $(get_credential_pw bank/merchant-default) +sudo -i -u libeufin-bank libeufin-bank passwd merchant-pos $(get_credential_pw bank/merchant-pos) || true taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ --login merchant-pos --public \ --payto "payto://iban/$MERCHANT_IBAN_POS" \ --name "PoS Merchant" \ - --password sandbox + --password $(get_credential_pw bank/merchant-pos) +sudo -i -u libeufin-bank libeufin-bank passwd merchant-blog $(get_credential_pw bank/merchant-blog) || true taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ --login merchant-blog --public \ --payto "payto://iban/$MERCHANT_IBAN_BLOG" \ --name "Blog Merchant" \ - --password sandbox + --password $(get_credential_pw bank/merchant-blog) +sudo -i -u libeufin-bank libeufin-bank passwd merchant-gnunet $(get_credential_pw bank/merchant-gnunet) || true taler-harness deployment provision-bank-account 
https://$BANK_DOMAIN/ \ --login merchant-gnunet --public \ --payto "payto://iban/$MERCHANT_IBAN_GNUNET" \ --name "GNUnet Donations Merchant" \ - --password sandbox + --password $(get_credential_pw bank/merchant-gnunet) +sudo -i -u libeufin-bank libeufin-bank passwd merchant-taler $(get_credential_pw bank/merchant-taler) || true taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ --login merchant-taler --public \ --payto "payto://iban/$MERCHANT_IBAN_TALER" \ --name "Taler Donations Merchant" \ - --password sandbox + --password $(get_credential_pw bank/merchant-taler) +sudo -i -u libeufin-bank libeufin-bank passwd merchant-tor $(get_credential_pw bank/merchant-tor) || true taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ --login merchant-tor --public \ --payto "payto://iban/$MERCHANT_IBAN_TOR" \ --name "Tor Donations Merchant" \ - --password sandbox + --password $(get_credential_pw bank/merchant-tor) # Set up exchange @@ -360,7 +380,7 @@ MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LD EXCHANGE_DB=talerexchange # Generate /etc/taler/conf.d/setup.conf -cat <<EOF > /etc/taler/conf.d/setup.conf +cat <<EOF >/etc/taler/conf.d/setup.conf [taler] CURRENCY = $CURRENCY CURRENCY_ROUND_UNIT = $CURRENCY:0.01 @@ -392,9 +412,9 @@ EOF ## Configure KYC if enabled ## -if [[ "${ENABLE_KYC:-0}" = 1 ]]; then -# KYC config -cat <<EOF > /etc/taler/conf.d/sandcastle-kyc.conf +if [[ ${ENABLE_KYC:-0} == 1 ]]; then + # KYC config + cat <<EOF >/etc/taler/conf.d/sandcastle-kyc.conf [exchange] enable_kyc = yes 
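Review bot: The added `libeufin-bank passwd <account> $(get_credential_pw …) || true` lines swallow every failure of the password reset, not only the expected "account does not exist yet" case on a first run, so a bank that is unreachable or rejecting the admin login would go unnoticed until the following `provision-bank-account` fails with a less obvious error. If the exit status cannot be distinguished, a comment recording the intent would help: `# account may not exist yet; provision-bank-account below creates it with the same password`. The `$(get_credential_pw …)` expansions are unquoted here and on the `--password` arguments; a generated UUID has no whitespace, but quoting them is the safer habit with `set -eu` and `set -x` active at the top of the file. Passing passwords as command-line arguments also exposes them in the process list and in the trace; if `libeufin-bank passwd` can take the password from stdin or a file, that would be preferable — worth checking its options.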
@@ -477,7 +497,7 @@ EOF chmod 440 /etc/taler/secrets/exchange-db.secret.conf chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf -cat <<EOF > /etc/taler/secrets/exchange-accountcredentials-default.secret.conf +cat <<EOF >/etc/taler/secrets/exchange-accountcredentials-default.secret.conf [exchange-accountcredentials-default] WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/ WIRE_GATEWAY_AUTH_METHOD = basic @@ -495,7 +515,7 @@ if [[ ! -e /etc/taler/conf.d/$CURRENCY-coins.conf ]]; then taler-harness deployment gen-coin-config \ --min-amount "${CURRENCY}:0.01" \ --max-amount "${CURRENCY}:100" \ - >"/etc/taler/conf.d/$CURRENCY-coins.conf" + >"/etc/taler/conf.d/$CURRENCY-coins.conf" fi # Add auditor user to DB group *before* running taler-exchange-dbconfig, @@ -529,7 +549,6 @@ sudo -i -u taler-exchange-offline \ systemctl enable --now taler-exchange-offline.timer - # # Set up exchange auditor # 
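Review bot: The `exchange-accountcredentials-default.secret.conf` heredoc in this hunk is only reformatted, and its context stops at `WIRE_GATEWAY_AUTH_METHOD = basic`, while the bank account `exchange` now receives a generated password (`get_credential_pw bank/exchange` in the earlier bank hunk). The credential lines of this section (the `USERNAME`/`PASSWORD` entries for the wire gateway) lie outside the diff and are not touched by the commit; if they still carry the former fixed value, the exchange's wire-gateway login will no longer match the bank account. Worth confirming that the section reads the password via `$(get_credential_pw bank/exchange)` or an equivalent. The heredoc ends outside the hunk.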
@@ -576,55 +595,65 @@ EOF systemctl enable --now taler-merchant-httpd taler-harness deployment wait-taler-service taler-merchant https://$MERCHANT_DOMAIN/config +function reset_merchant_pw() { + pw=secret-token:$(get_credential_pw merchant/$1) + sudo -u taler-merchant-httpd taler-merchant-passwd $1 $pw || true +} + +reset_merchant_pw default taler-harness deployment provision-merchant-instance \ https://$MERCHANT_DOMAIN/ \ - --management-token secret-token:sandbox \ - --instance-token secret-token:sandbox \ + --management-token secret-token:$(get_credential_pw merchant/default) \ + --instance-token secret-token:$(get_credential_pw merchant/default) \ --name Merchant \ --id default \ --payto "payto://iban/$MERCHANT_IBAN_DEFAULT?receiver-name=Merchant" +reset_merchant_pw pos taler-harness deployment provision-merchant-instance \ https://$MERCHANT_DOMAIN/ \ - --management-token secret-token:sandbox \ - --instance-token secret-token:sandbox \ + --management-token secret-token:$(get_credential_pw merchant/default) \ + --instance-token secret-token:$(get_credential_pw merchant/pos) \ --name "POS Merchant" \ --id pos \ --payto "payto://iban/$MERCHANT_IBAN_POS?receiver-name=POS+Merchant" +reset_merchant_pw blog taler-harness deployment provision-merchant-instance \ https://$MERCHANT_DOMAIN/ \ - --management-token secret-token:sandbox \ - --instance-token secret-token:sandbox \ + --management-token secret-token:$(get_credential_pw merchant/default) \ + --instance-token secret-token:$(get_credential_pw merchant/blog) \ --name "Blog Merchant" \ --id blog \ --payto "payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant" +reset_merchant_pw gnunet taler-harness deployment provision-merchant-instance \ https://$MERCHANT_DOMAIN/ \ - --management-token secret-token:sandbox \ - --instance-token secret-token:sandbox \ + --management-token secret-token:$(get_credential_pw merchant/default) \ + --instance-token secret-token:$(get_credential_pw merchant/gnunet) \ --name "GNUnet 
Merchant" \ --id gnunet \ --payto "payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant" +reset_merchant_pw taler taler-harness deployment provision-merchant-instance \ https://$MERCHANT_DOMAIN/ \ - --management-token secret-token:sandbox \ - --instance-token secret-token:sandbox \ + --management-token secret-token:$(get_credential_pw merchant/default) \ + --instance-token secret-token:$(get_credential_pw merchant/taler) \ --name "Taler Merchant" \ --id taler \ --payto "payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant" +reset_merchant_pw tor taler-harness deployment provision-merchant-instance \ https://$MERCHANT_DOMAIN/ \ - --management-token secret-token:sandbox \ - --instance-token secret-token:sandbox \ + --management-token secret-token:$(get_credential_pw merchant/default) \ + --instance-token secret-token:$(get_credential_pw merchant/tor) \ --name "Tor Merchant" \ --id tor \ --payto "payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant" - # Now we set up the taler-merchant-demos cat <<EOF >/etc/taler/taler-merchant-frontends.conf 
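Review bot: `reset_merchant_pw` assigns `pw` as a global and passes `$1` and `$pw` unquoted, and its `|| true` hides every failure of `taler-merchant-passwd`, not just the first-run case where the instance does not exist yet. Suggest `local pw` at the top of the function and `sudo -u taler-merchant-httpd taler-merchant-passwd "$1" "$pw" || true  # instance may not exist yet; provision-merchant-instance below creates it` so the intent is recorded. The token is also passed on the command line, so with `set -x` active it is written to the setup log; the same applies to every `--management-token`/`--instance-token` argument in this hunk. The hunk ends at the start of the `taler-merchant-frontends.conf` heredoc, whose body continues in the next hunk.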
@@ -633,18 +662,26 @@ cat <<EOF >/etc/taler/taler-merchant-frontends.conf # robust enough to read from the main config. [taler] CURRENCY = $CURRENCY -[frontends] -BACKEND = https://$MERCHANT_DOMAIN/ -BACKEND_APIKEY = secret-token:sandbox -[landing] + +[frontend-demo-landing] SERVE = http HTTP_PORT = $PORT_INTERNAL_LANDING -[blog] + +[frontend-demo-blog] SERVE = http HTTP_PORT = $PORT_INTERNAL_BLOG -[donations] +BACKEND_URL = https://$MERCHANT_DOMAIN/instances/blog/ +BACKEND_APIKEY = secret-token:$(get_credential_pw merchant/blog) + +[frontend-demo-donations] SERVE = http HTTP_PORT = $PORT_INTERNAL_DONATIONS +BACKEND_URL_TOR = https://$MERCHANT_DOMAIN/instances/tor/ +BACKEND_APIKEY_TOR = secret-token:$(get_credential_pw merchant/tor) +BACKEND_URL_TALER = https://$MERCHANT_DOMAIN/instances/taler/ +BACKEND_APIKEY_TALER = secret-token:$(get_credential_pw merchant/taler) +BACKEND_URL_GNUNET = https://$MERCHANT_DOMAIN/instances/gnunet/ +BACKEND_APIKEY_GNUNET = secret-token:$(get_credential_pw merchant/gnunet) EOF # This really should not exist, the taler-merchant-frontends @@ -661,6 +698,5 @@ systemctl enable --now taler-demo-landing systemctl enable --now taler-demo-blog systemctl enable --now taler-demo-donations - # FIXME: Maybe do some taler-wallet-cli test? # FIXME: How do we report errors occurring during the setup script?
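Review bot: The `taler-merchant-frontends.conf` heredoc now embeds the merchant instance API keys (the `BACKEND_APIKEY*` lines), but nothing in the diff adjusts the file's mode or owner, so if it keeps the defaults of `/etc/taler` it may be readable by every user in the container — unlike the exchange secrets, which the script places under `/etc/taler/secrets` with `chmod 440` in the hunk at `@@ -477,7 +497,7`. Consider either moving these keys into a secrets file with the same treatment or following the heredoc with a `chmod 640` and a `chown` to the account the demo frontends run as; I cannot tell from the hunk whether that already happens elsewhere in the script. The heredoc begins in the previous hunk (`cat <<EOF >/etc/taler/taler-merchant-frontends.conf`).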