commit bbffcde06e55c4ecc98cea726188b58befa3615c
parent 41afbc0f75cedf3c8fd3fb8727c1f9f502d1316e
Author: Florian Dold <florian@dold.me>
Date: Fri, 23 Aug 2024 16:43:05 +0200
challenger integration WIP
Diffstat:
6 files changed, 70 insertions(+), 0 deletions(-)
diff --git a/Dockerfile b/Dockerfile
@@ -129,6 +129,27 @@ RUN rm -rf /build
RUN apt-get install --no-install-recommends -y /packages/merchant/*.deb
WORKDIR /
+# Challenger
+FROM exchange as challenger
+
+COPY buildconfig/challenger.* /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/challenger.tag) && \
+ git clone git://git.taler.net/challenger \
+ --branch $TAG && \
+ cd challenger && git checkout $(cat /buildconfig/challenger.checkout)
+WORKDIR /build/challenger
+RUN ./bootstrap && \
+ ./configure --prefix=/usr \
+ --disable-doc
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/challenger
+RUN mv /build/*.deb /packages/challenger
+RUN rm -rf /build
+RUN apt-get install --no-install-recommends -y /packages/challenger/*.deb
+WORKDIR /
+
# Libeufin
FROM base-system as libeufin
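Review bot: The checkout step reads `/buildconfig/challenger.checkout`, but the commit adds only `buildconfig/challenger.tag`; if that file is absent, `cat` fails inside the command substitution without breaking the `&&` chain, and `git checkout` with an empty argument succeeds, so the build silently stays on whatever the `--branch $TAG` clone produced. Either add the checkout file alongside the tag or make the step fail loudly, e.g. `cd challenger && CHECKOUT=$(cat /buildconfig/challenger.checkout) && git checkout "$CHECKOUT"`, which mirrors how `TAG` is already read. This matters more than usual because the clone goes over `git://`, which carries no transport authentication, so the pinned commit is the only integrity anchor for the code that ends up in the image. If the other build stages follow the same pattern, the same observation applies to them, though they are outside this hunk.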
@@ -242,6 +263,7 @@ COPY --from=merchant /packages/merchant/* /packages/
COPY --from=wallet /packages/wallet/* /packages/
COPY --from=libeufin /packages/libeufin/* /packages/
COPY --from=merchant-demos /packages/merchant-demos/* /packages/
+COPY --from=challenger /packages/challenger/* /packages/
RUN apt-get install --no-install-recommends -y /packages/*.deb
COPY systemd/setup-sandcastle.service /etc/systemd/system/
RUN systemctl enable setup-sandcastle.service
diff --git a/buildconfig/challenger.tag b/buildconfig/challenger.tag
@@ -0,0 +1 @@
+v0.12.1-dev.9
diff --git a/data/sandcastle-challenger-auth b/data/sandcastle-challenger-auth
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+mkdir -p /tmp/challenges/
+
+exec cat >/tmp/challenges/$1
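Review bot: `$1` is used unquoted and unvalidated to form the output path on the last line; since this script is registered as the challenger `AUTH_COMMAND` with `ADDRESS_TYPE = email`, the argument is presumably the user-supplied address, so a value containing `/` or `..` would place the file outside `/tmp/challenges/`, and an empty value makes `cat` fail on the directory itself. Reject those cases and quote the expansion, e.g. `case $1 in ''|*/*) exit 1;; esac` before `exec cat >"/tmp/challenges/$1"`. The diff as shown does not include the new file's mode, so also confirm the script is committed executable, because `AUTH_COMMAND` points at it directly.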
diff --git a/print-latest-versions b/print-latest-versions
@@ -19,3 +19,4 @@ getver libeufin git://git.taler.net/libeufin
getver wallet git://git.taler.net/wallet-core
getver gnunet git://git.gnunet.org/gnunet
getver sync git://git.taler.net/sync
+getver challenger git://git.taler.net/challenger
diff --git a/sandcastle-run b/sandcastle-run
@@ -20,6 +20,8 @@ PORT_INTERNAL_LANDING=8501
PORT_INTERNAL_BLOG=8502
PORT_INTERNAL_DONATIONS=8503
PORT_INTERNAL_BANK_SPA=8505
+PORT_INTERNAL_CHALLENGER=8506
+PORT_INTERNAL_AUDITOR=8507
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
@@ -60,6 +62,7 @@ exec podman run \
-v talerdata:/talerdata:Z \
-v talerdata_persistent:/talerdata_persistent:Z \
$OVERRIDES \
+ -v $PWD/data:/data:Z \
-v $PWD/scripts:/scripts:Z \
-v $PWD/scripts/$SETUP_NAME:/provision:Z \
--entrypoint /sbin/init \
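Review bot: The new `/data` bind mount is read-write, although nothing in this commit writes to it: its only consumer is the challenger `AUTH_COMMAND`, which writes to `/tmp/challenges/` inside the container. Mounting it read-only, `-v $PWD/data:/data:ro,Z \`, keeps a process inside the container from altering a host-side script that the container later executes. The unquoted `$PWD` matches the neighbouring lines and is pre-existing style.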
diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh
@@ -46,6 +46,7 @@ EXCHANGE_DOMAIN=exchange.$MYDOMAIN
MERCHANT_DOMAIN=backend.$MYDOMAIN
BLOG_DOMAIN=shop.$MYDOMAIN
DONATIONS_DOMAIN=donations.$MYDOMAIN
+CHALLENGER_DOMAIN=challenger.$MYDOMAIN
# Ports of the services running inside the container.
# Should be synchronized with the sandcastle-run script.
@@ -56,6 +57,8 @@ PORT_INTERNAL_LANDING=8501
PORT_INTERNAL_BLOG=8502
PORT_INTERNAL_DONATIONS=8503
PORT_INTERNAL_BANK_SPA=8505
+PORT_INTERNAL_CHALLENGER=8506
+PORT_INTERNAL_AUDITOR=8507
# Just make sure the services are stopped
systemctl stop taler-exchange.target
@@ -121,6 +124,7 @@ function persist_exchange_key() {
lift_dir /var/lib/taler var-lib-taler
lift_dir /etc/taler etc-taler
lift_dir /etc/libeufin etc-libeufin
+lift_dir /etc/taler etc-challenger
lift_dir /var/lib/postgresql var-lib-postgresql
persist_exchange_key /var/lib/taler/exchange-offline exchange-offline
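Review bot: `lift_dir /etc/taler etc-challenger` lifts `/etc/taler` a second time (it is already lifted as `etc-taler` three lines up) rather than the challenger configuration; given the later `mkdir -p /etc/challenger/conf.d`, the intended line is almost certainly `lift_dir /etc/challenger etc-challenger`. How `lift_dir` behaves with an already-lifted source, and whether the source directory must exist before the call, depends on its definition, which is outside this hunk, so check the ordering relative to that `mkdir -p` as well.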
@@ -134,6 +138,11 @@ persist_exchange_key /var/lib/taler/exchange-offline exchange-offline
systemctl stop caddy.service
cat <<EOF > /etc/caddy/Caddyfile
+
+# Internally reverse-proxy https://,
+# so that service can talk to each other via
+# https:// inside the container.
+
https://$BANK_DOMAIN {
tls internal
reverse_proxy :8080 {
@@ -153,6 +162,11 @@ https://$MERCHANT_DOMAIN {
reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock
}
+https://$CHALLENGER_DOMAIN {
+ tls internal
+ reverse_proxy unix//run/challenger/httpd/challenger.http
+}
+
# Services that only listen on unix domain sockets
# are reverse-proxied to serve on a TCP port.
@@ -172,6 +186,13 @@ https://$MERCHANT_DOMAIN {
root /settings.json /etc/libeufin/
file_server
}
+
+:$PORT_INTERNAL_CHALLENGER {
+ reverse_proxy unix//run/challenger/httpd/challenger.http {
+ # Set this, or otherwise wrong taler://pay URIs will be generated.
+ header_up X-Forwarded-Proto "https"
+ }
+}
EOF
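Review bot: The comment `# Set this, or otherwise wrong taler://pay URIs will be generated.` reads as copied from the merchant block; challenger presumably does not emit taler://pay URIs, and the reason worth recording is that without `X-Forwarded-Proto` a service behind this plain-HTTP listener would build its own links as http:// instead of https://. Suggest `# Set this, or otherwise challenger generates http:// instead of https:// URLs.`; the Caddyfile heredoc this block belongs to starts in an earlier hunk.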
cat <<EOF >> /etc/hosts
@@ -182,6 +203,7 @@ cat <<EOF >> /etc/hosts
127.0.0.1 $MERCHANT_DOMAIN
127.0.0.1 $BLOG_DOMAIN
127.0.0.1 $DONATIONS_DOMAIN
+127.0.0.1 $CHALLENGER_DOMAIN
# End of Taler Sandcastle Domains
EOF
@@ -192,6 +214,22 @@ caddy trust
systemctl start postgresql.service
+# Set up challenger
+
+challenger-dbconfig
+
+CHALL_CLIENT_ID=$(sudo -u challenger-httpd challenger-admin -q --add=sandbox https://$EXCHANGE_DOMAIN/kyc-proof/mychallenger)
+echo Challenger client ID: $CHALL_CLIENT_ID
+
+mkdir -p /etc/challenger/conf.d
+cat <<EOF >/etc/challenger/conf.d/setup-sandcastle.conf
+[challenger]
+ADDRESS_TYPE = email
+AUTH_COMMAND = /data/sandcastle-challenger-auth
+EOF
+
+systemctl enable --now challenger-httpd.service
+
# Set up bank
cat <<EOF >/etc/libeufin/libeufin-bank.conf
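Review bot: The `challenger-admin` line passes the fixed literal `sandbox` to `--add=`, which appears to be the client secret, and the resulting `CHALL_CLIENT_ID` is only echoed, never persisted where the exchange-side KYC configuration could read it. Even for a sandbox, a generated secret recorded next to the ID avoids a well-known credential sitting in a public repository, e.g. `CHALL_SECRET=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')` and then `CHALL_CLIENT_ID=$(sudo -u challenger-httpd challenger-admin -q --add="$CHALL_SECRET" https://$EXCHANGE_DOMAIN/kyc-proof/mychallenger)`, with both values written to a root-only file for the exchange setup to consume. The redirect URI under `/kyc-proof/mychallenger` must also agree with the name the exchange's KYC provider configuration uses; that configuration is not part of this commit, which may simply be the WIP the title announces.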