commit f68974567768eb48baab6924f30fa5e17fedcb5d
parent a827fd24afbb597d2947d0d590339bfa0e3aa3f7
Author: Florian Dold <florian@dold.me>
Date: Wed, 20 Nov 2024 12:49:53 +0100
preliminary support for running under http/localhost
Diffstat:
2 files changed, 127 insertions(+), 68 deletions(-)
diff --git a/sandcastle-run b/sandcastle-run
@@ -4,6 +4,7 @@
set -exou
+# Ports where individual services are published to the host
SANDCASTLE_PORT_MERCHANT=${SANDCASTLE_PORT_MERCHANT:-127.0.0.1:16000}
SANDCASTLE_PORT_EXCHANGE=${SANDCASTLE_PORT_EXCHANGE:-127.0.0.1:16001}
SANDCASTLE_PORT_BLOG=${SANDCASTLE_PORT_BLOG:-127.0.0.1:16002}
@@ -40,6 +41,11 @@ fi
SETUP_NAME=${SANDCASTLE_SETUP_NAME:-demo}
if [[ -n ${SANDCASTLE_OVERRIDE_NAME:-} ]]; then
OVERRIDES="-v $PWD/overrides/${SANDCASTLE_OVERRIDE_NAME}:/overrides:Z"
+ EXTERNAL_PORT=$(source $PWD/overrides/${SANDCASTLE_OVERRIDE_NAME}; echo $EXTERNAL_PORT)
+ if [[ $EXTERNAL_PORT =~ ^[0-9]+$ ]]; then
+ echo Serving via port $EXTERNAL_PORT
+ fi
+ PUBLISH_EXTERNAL_PORT="-p=${EXTERNAL_PORT}:${EXTERNAL_PORT}"
else
OVERRIDES=""
fi
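Review bot: `PUBLISH_EXTERNAL_PORT` is assigned after the `if` regardless of whether the regex check passed, so an override file without a numeric EXTERNAL_PORT yields `-p=:`, which is still handed to `podman run` via `${PUBLISH_EXTERNAL_PORT:-}` in the next hunk (line 31) and will make the run fail rather than fall back to the https setup. Moving the assignment inside the `if` fixes that; it also fixes the binding: the other published ports default to 127.0.0.1 (lines 12-14), but `-p=${EXTERNAL_PORT}:${EXTERNAL_PORT}` carries no host address, so podman publishes it on all host interfaces, which is presumably not intended for a localhost deployment. Suggested form inside the `if`: `PUBLISH_EXTERNAL_PORT="-p=127.0.0.1:${EXTERNAL_PORT}:${EXTERNAL_PORT}"`. The echo on line 21 should also quote its argument, `echo "Serving via port $EXTERNAL_PORT"`.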
@@ -69,6 +75,7 @@ exec podman run \
-v talerdata:/talerdata:Z \
-v talerdata_persistent:/talerdata_persistent:Z \
$OVERRIDES \
+ ${PUBLISH_EXTERNAL_PORT:-} \
-v $PWD/credentials:/credentials:Z \
-v $PWD/data:/data:Z \
-v $PWD/scripts:/scripts:Z \
diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh
@@ -25,6 +25,16 @@ if [[ -e /overrides ]]; then
source /overrides
fi
+# When serving on an external port (for localhost deployments),
+# we use http.
+if [[ ${EXTERNAL_PORT:-} =~ ^[0-9]+$ ]]; then
+ PROTO=http
+ PORT_SUFFIX=:$EXTERNAL_PORT
+else
+ PROTO=https
+ PORT_SUFFIX=
+fi
+
CURRENCY=${CURRENCY:="KUDOS"}
EXCHANGE_IBAN=DE159593
EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN
@@ -174,6 +184,53 @@ systemctl stop caddy.service
cat <<EOF >/etc/caddy/Caddyfile
+# Services that only listen on unix domain sockets
+# are reverse-proxied to serve on a TCP port.
+
+:$PORT_INTERNAL_EXCHANGE {
+ reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+}
+
+:$PORT_INTERNAL_MERCHANT {
+ reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock {
+ # Set this, or otherwise wrong taler://pay URIs will be generated.
+ header_up X-Forwarded-Proto "https"
+ }
+}
+
+:$PORT_INTERNAL_BANK_SPA {
+ root * /usr/share/libeufin/spa
+ root /settings.json /etc/libeufin/
+ file_server
+}
+
+:$PORT_INTERNAL_AUDITOR {
+ reverse_proxy unix//run/taler/auditor-httpd/auditor-http.sock
+}
+
+:$PORT_INTERNAL_CHALLENGER {
+ handle {
+ reverse_proxy unix//run/challenger/httpd/challenger.http {
+ # Set this, or otherwise wrong taler://pay URIs will be generated.
+ header_up X-Forwarded-Proto "https"
+ }
+ }
+
+ # Serve challenges via HTTP.
+ # This is obviously completely insecure, but fine
+ # for the demo sandcastle.
+ handle_path /challenges/* {
+ root * /tmp/challenges/
+ file_server {
+ browse
+ }
+ }
+}
+EOF
+
+if [[ $PROTO = https ]]; then
+ cat <<EOF >>/etc/caddy/Caddyfile
+
# Internally reverse-proxy https://,
# so that service can talk to each other via
# https:// inside the container.
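Review bot: Now that `$PROTO` exists, the hard-coded `header_up X-Forwarded-Proto "https"` on lines 64 and 82 (and again in the new `http://$MERCHANT_DOMAIN$PORT_SUFFIX` block at line 130 of the next hunk) deserves a second look. For the internal-port listeners this may be intentional if a TLS-terminating proxy sits in front of the SANDCASTLE_PORT_* publishes, but in the `else` branch the request reached Caddy over plain http, so if the merchant derives its public URLs from this header as the comment claims, it will advertise https URLs in an http-only deployment. In the http branch either drop the `header_up` line (Caddy's reverse_proxy sets X-Forwarded-Proto from the incoming scheme by default) or write `header_up X-Forwarded-Proto "$PROTO"` so the heredoc expands it consistently. The second heredoc opened on line 99 continues past the end of this hunk.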
@@ -209,51 +266,42 @@ https://$CHALLENGER_DOMAIN {
tls internal
reverse_proxy unix//run/challenger/httpd/challenger.http
}
+EOF
-# Services that only listen on unix domain sockets
-# are reverse-proxied to serve on a TCP port.
+else
-:$PORT_INTERNAL_EXCHANGE {
+ cat <<EOF >>/etc/caddy/Caddyfile
+
+http://$BANK_DOMAIN$PORT_SUFFIX {
+ reverse_proxy :8080 {
+ # libeufin-bank should eventually not require this anymore,
+ # but currently doesn't work without this header.
+ header_up X-Forwarded-Prefix ""
+ }
+}
+
+http://$EXCHANGE_DOMAIN$PORT_SUFFIX {
reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
}
-:$PORT_INTERNAL_MERCHANT {
+http://$MERCHANT_DOMAIN$PORT_SUFFIX {
reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock {
# Set this, or otherwise wrong taler://pay URIs will be generated.
header_up X-Forwarded-Proto "https"
}
}
-:$PORT_INTERNAL_BANK_SPA {
- root * /usr/share/libeufin/spa
- root /settings.json /etc/libeufin/
- file_server
-}
-
-:$PORT_INTERNAL_AUDITOR {
+http://$AUDITOR_DOMAIN$PORT_SUFFIX {
reverse_proxy unix//run/taler/auditor-httpd/auditor-http.sock
}
-:$PORT_INTERNAL_CHALLENGER {
- handle {
- reverse_proxy unix//run/challenger/httpd/challenger.http {
- # Set this, or otherwise wrong taler://pay URIs will be generated.
- header_up X-Forwarded-Proto "https"
- }
- }
-
- # Serve challenges via HTTP.
- # This is obviously completely insecure, but fine
- # for the demo sandcastle.
- handle_path /challenges/* {
- root * /tmp/challenges/
- file_server {
- browse
- }
- }
+http://$CHALLENGER_DOMAIN$PORT_SUFFIX {
+ reverse_proxy unix//run/challenger/httpd/challenger.http
}
EOF
+fi
+
cat <<EOF >>/etc/hosts
# Start of Taler Sandcastle Domains
127.0.0.1 $LANDING_DOMAIN
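Review bot: The http branch only reverse-proxies the bank, exchange, merchant, auditor and challenger domains, while later hunks in this commit advertise `http://$LANDING_DOMAIN$PORT_SUFFIX/`, `$BLOG_DOMAIN` and `$DONATIONS_DOMAIN` (settings.json at lines 188-191, the frontends env at lines 394-398); unless those hosts are served by something outside this hunk, they are unreachable in localhost mode. The frontends listen on `$PORT_INTERNAL_LANDING`, `$PORT_INTERNAL_BLOG` and `$PORT_INTERNAL_DONATIONS` per the config at lines 366-375, so adding matching `http://` site blocks to this heredoc, mirroring whatever the https branch does for these domains, would close the gap. The https branch's site blocks begin before this hunk's first line, so I cannot confirm their exact form here.
```shell
# … unchanged: http:// blocks for bank, exchange, merchant, auditor …

http://$LANDING_DOMAIN$PORT_SUFFIX {
  reverse_proxy :$PORT_INTERNAL_LANDING
}

http://$BLOG_DOMAIN$PORT_SUFFIX {
  reverse_proxy :$PORT_INTERNAL_BLOG
}

http://$DONATIONS_DOMAIN$PORT_SUFFIX {
  reverse_proxy :$PORT_INTERNAL_DONATIONS
}

# … unchanged: challenger block, EOF, fi …
```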
@@ -298,8 +346,8 @@ cat <<EOF >/etc/libeufin/libeufin-bank.conf
CURRENCY = $CURRENCY
DEFAULT_DEBT_LIMIT = $CURRENCY:500
REGISTRATION_BONUS = $CURRENCY:100
-SPA_CAPTCHA_URL = https://$BANK_DOMAIN/webui/#/operation/{woid}
-SUGGESTED_WITHDRAWAL_EXCHANGE = https://$EXCHANGE_DOMAIN/
+SPA_CAPTCHA_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/webui/#/operation/{woid}
+SUGGESTED_WITHDRAWAL_EXCHANGE = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
ALLOW_REGISTRATION = yes
SERVE = tcp
PORT = 8080
@@ -326,10 +374,10 @@ EOF
cat <<EOF >/etc/libeufin/settings.json
{
"topNavSites": {
- "Landing": "https://$LANDING_DOMAIN/",
- "Bank": "https://$BANK_DOMAIN",
- "Essay Shop": "https://$BLOG_DOMAIN",
- "Donations": "https://$DONATIONS_DOMAIN"
+ "Landing": "$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/",
+ "Bank": "$PROTO://$BANK_DOMAIN$PORT_SUFFIX",
+ "Essay Shop": "$PROTO://$BLOG_DOMAIN$PORT_SUFFIX",
+ "Donations": "$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX"
}
}
EOF
@@ -343,52 +391,54 @@ sudo -i -u libeufin-bank libeufin-bank passwd admin $(get_credential_pw bank/adm
systemctl enable --now libeufin-bank.service
-taler-harness deployment wait-taler-service taler-corebank https://$BANK_DOMAIN/config
+BANK_BASEURL=$PROTO://$BANK_DOMAIN$PORT_SUFFIX/
+
+taler-harness deployment wait-taler-service taler-corebank ${BANK_BASEURL}config
sudo -i -u libeufin-bank libeufin-bank passwd exchange $(get_credential_pw bank/exchange) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login exchange --exchange --public \
--payto $EXCHANGE_PLAIN_PAYTO \
--name Exchange \
--password $(get_credential_pw bank/exchange)
sudo -i -u libeufin-bank libeufin-bank passwd merchant-default $(get_credential_pw bank/merchant-default) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-default --public \
--payto "payto://iban/$MERCHANT_IBAN_DEFAULT" \
--name "Default Demo Merchant" \
--password $(get_credential_pw bank/merchant-default)
sudo -i -u libeufin-bank libeufin-bank passwd merchant-pos $(get_credential_pw bank/merchant-pos) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-pos --public \
--payto "payto://iban/$MERCHANT_IBAN_POS" \
--name "PoS Merchant" \
--password $(get_credential_pw bank/merchant-pos)
sudo -i -u libeufin-bank libeufin-bank passwd merchant-blog $(get_credential_pw bank/merchant-blog) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-blog --public \
--payto "payto://iban/$MERCHANT_IBAN_BLOG" \
--name "Blog Merchant" \
--password $(get_credential_pw bank/merchant-blog)
sudo -i -u libeufin-bank libeufin-bank passwd merchant-gnunet $(get_credential_pw bank/merchant-gnunet) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-gnunet --public \
--payto "payto://iban/$MERCHANT_IBAN_GNUNET" \
--name "GNUnet Donations Merchant" \
--password $(get_credential_pw bank/merchant-gnunet)
sudo -i -u libeufin-bank libeufin-bank passwd merchant-taler $(get_credential_pw bank/merchant-taler) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-taler --public \
--payto "payto://iban/$MERCHANT_IBAN_TALER" \
--name "Taler Donations Merchant" \
--password $(get_credential_pw bank/merchant-taler)
sudo -i -u libeufin-bank libeufin-bank passwd merchant-tor $(get_credential_pw bank/merchant-tor) || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-tor --public \
--payto "payto://iban/$MERCHANT_IBAN_TOR" \
--name "Tor Donations Merchant" \
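Review bot: `${BANK_BASEURL}config` on line 200 is passed unquoted while every `provision-bank-account` call in the same hunk quotes `"${BANK_BASEURL}"`; quoting it as `"${BANK_BASEURL}config"` keeps the two consistent and avoids word-splitting should the domain or port suffix ever contain shell-sensitive characters. The same applies to the new `${MERCHANT_BASEURL}` uses at lines 306, 313, 321, 329, 337, 345, 353 and 362, which are unquoted throughout.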
@@ -396,7 +446,7 @@ taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
# Special bank account without a secure password
sudo -i -u libeufin-bank libeufin-bank passwd merchant-sandbox sandbox || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
--login merchant-sandbox --public \
--payto "payto://iban/$MERCHANT_IBAN_SANDBOX" \
--name "Sandbox Merchant" \
@@ -428,7 +478,7 @@ alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"}
[exchange]
AML_THRESHOLD = $CURRENCY:1000000
MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
-BASE_URL = https://$EXCHANGE_DOMAIN/
+BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
[exchange-account-default]
PAYTO_URI = $EXCHANGE_FULL_PAYTO
@@ -508,9 +558,9 @@ CONVERTER = /bin/true
KYC_OAUTH2_VALIDITY = 2d
KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
-KYC_OAUTH2_AUTHORIZE_URL = "https://$CHALLENGER_DOMAIN/authorize#setup"
-KYC_OAUTH2_TOKEN_URL = "https://$CHALLENGER_DOMAIN/token"
-KYC_OAUTH2_INFO_URL = "https://$CHALLENGER_DOMAIN/info"
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
EOF
@@ -528,7 +578,7 @@ chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf
cat <<EOF >/etc/taler/secrets/exchange-accountcredentials-default.secret.conf
[exchange-accountcredentials-default]
-WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/
+WIRE_GATEWAY_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/accounts/exchange/taler-wire-gateway/
WIRE_GATEWAY_AUTH_METHOD = basic
USERNAME = exchange
PASSWORD = $(get_credential_pw bank/exchange)
@@ -559,8 +609,8 @@ taler-terms-generator -K -i /usr/share/taler/terms/exchange-pp-v0
systemctl enable --now taler-exchange.target
-taler-harness deployment wait-taler-service taler-exchange https://$EXCHANGE_DOMAIN/config
-taler-harness deployment wait-endpoint https://$EXCHANGE_DOMAIN/management/keys
+taler-harness deployment wait-taler-service taler-exchange $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/config
+taler-harness deployment wait-endpoint $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/management/keys
sudo -i -u taler-exchange-offline \
taler-exchange-offline \
@@ -617,13 +667,15 @@ rm -f /usr/share/taler/config.d/kudos.conf
cat <<EOF >/etc/taler/conf.d/merchant-exchanges.conf
[merchant-exchange-sandcastle]
-EXCHANGE_BASE_URL = https://$EXCHANGE_DOMAIN/
+EXCHANGE_BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
MASTER_KEY = $MASTER_PUBLIC_KEY
CURRENCY = $CURRENCY
EOF
+MERCHANT_BASEURL=$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/
+
systemctl enable --now taler-merchant-httpd
-taler-harness deployment wait-taler-service taler-merchant https://$MERCHANT_DOMAIN/config
+taler-harness deployment wait-taler-service taler-merchant ${MERCHANT_BASEURL}config
function reset_merchant_pw() {
pw=secret-token:$(get_credential_pw merchant/$1)
@@ -632,7 +684,7 @@ function reset_merchant_pw() {
reset_merchant_pw default
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:$(get_credential_pw merchant/default) \
--name Merchant \
@@ -641,7 +693,7 @@ taler-harness deployment provision-merchant-instance \
reset_merchant_pw pos
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:$(get_credential_pw merchant/pos) \
--name "POS Merchant" \
@@ -650,7 +702,7 @@ taler-harness deployment provision-merchant-instance \
reset_merchant_pw blog
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:$(get_credential_pw merchant/blog) \
--name "Blog Merchant" \
@@ -659,7 +711,7 @@ taler-harness deployment provision-merchant-instance \
reset_merchant_pw gnunet
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:$(get_credential_pw merchant/gnunet) \
--name "GNUnet Merchant" \
@@ -668,7 +720,7 @@ taler-harness deployment provision-merchant-instance \
reset_merchant_pw taler
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:$(get_credential_pw merchant/taler) \
--name "Taler Merchant" \
@@ -677,7 +729,7 @@ taler-harness deployment provision-merchant-instance \
reset_merchant_pw tor
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:$(get_credential_pw merchant/tor) \
--name "Tor Merchant" \
@@ -687,7 +739,7 @@ taler-harness deployment provision-merchant-instance \
# Special instance with fixed "sandbox" password
sudo -u taler-merchant-httpd taler-merchant-passwd sandbox secret-token:sandbox || true
taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
+ ${MERCHANT_BASEURL} \
--management-token secret-token:$(get_credential_pw merchant/default) \
--instance-token secret-token:sandbox \
--name "sandbox merchant" \
@@ -710,28 +762,28 @@ HTTP_PORT = $PORT_INTERNAL_LANDING
[frontend-demo-blog]
SERVE = http
HTTP_PORT = $PORT_INTERNAL_BLOG
-BACKEND_URL = https://$MERCHANT_DOMAIN/instances/blog/
+BACKEND_URL = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/blog/
BACKEND_APIKEY = secret-token:$(get_credential_pw merchant/blog)
[frontend-demo-donations]
SERVE = http
HTTP_PORT = $PORT_INTERNAL_DONATIONS
-BACKEND_URL_TOR = https://$MERCHANT_DOMAIN/instances/tor/
+BACKEND_URL_TOR = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/tor/
BACKEND_APIKEY_TOR = secret-token:$(get_credential_pw merchant/tor)
-BACKEND_URL_TALER = https://$MERCHANT_DOMAIN/instances/taler/
+BACKEND_URL_TALER = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/taler/
BACKEND_APIKEY_TALER = secret-token:$(get_credential_pw merchant/taler)
-BACKEND_URL_GNUNET = https://$MERCHANT_DOMAIN/instances/gnunet/
+BACKEND_URL_GNUNET = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/gnunet/
BACKEND_APIKEY_GNUNET = secret-token:$(get_credential_pw merchant/gnunet)
EOF
# This really should not exist, the taler-merchant-frontends
# should be easier to configure!
cat <<EOF >/etc/taler/taler-merchant-frontends.env
-TALER_ENV_URL_INTRO=https://$LANDING_DOMAIN/
-TALER_ENV_URL_LANDING=https://$LANDING_DOMAIN/
-TALER_ENV_URL_BANK=https://$BANK_DOMAIN/
-TALER_ENV_URL_MERCHANT_BLOG=https://$BLOG_DOMAIN/
-TALER_ENV_URL_MERCHANT_DONATIONS=https://$DONATIONS_DOMAIN/
+TALER_ENV_URL_INTRO=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/
+TALER_ENV_URL_LANDING=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/
+TALER_ENV_URL_BANK=$PROTO://$BANK_DOMAIN$PORT_SUFFIX/
+TALER_ENV_URL_MERCHANT_BLOG=$PROTO://$BLOG_DOMAIN$PORT_SUFFIX/
+TALER_ENV_URL_MERCHANT_DONATIONS=$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX/
EOF
systemctl enable --now taler-demo-landing