
commit 3ef02f7c521b404c37ed1789ded28ee1fbb17818
parent 74005a1e5467e91c24c8157c2851277b2851fdef
Author: Antoine A <>
Date:   Wed, 12 Feb 2025 15:25:02 +0100

magnet-bank: improve deb and config

Diffstat:
MCargo.lock | 16++++++++--------
Mcontrib/ci/jobs/0-codespell/job.sh | 3++-
Mcontrib/ci/jobs/3-deb/test.sh | 6++++--
Dcontrib/magnet-bank.conf | 77-----------------------------------------------------------------------------
Mcontrib/taler-magnet-bank-dbconfig | 46++++++++++++++++++++++++++++++++++++++--------
Adebian/etc/taler-magnet-bank/conf.d/magnet-bank-httpd.conf | 10++++++++++
Adebian/etc/taler-magnet-bank/conf.d/magnet-bank-system.conf | 6++++++
Adebian/etc/taler-magnet-bank/conf.d/magnet-bank-worker.conf | 7+++++++
Adebian/etc/taler-magnet-bank/overrides.conf | 1+
Adebian/etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf | 8++++++++
Adebian/etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf | 8++++++++
Mdebian/etc/taler-magnet-bank/taler-magnet-bank.conf | 36++++++++++++++++++++++++++++++++++--
Mdebian/taler-magnet-bank.postinst | 20++++++++++++++++++--
Mtaler-magnet-bank/Cargo.toml | 24++++--------------------
Ataler-magnet-bank/magnet-bank.conf | 78++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mtaler-magnet-bank/src/config.rs | 2+-
16 files changed, 227 insertions(+), 121 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
@@ -365,9 +365,9 @@ dependencies = [
 [[package]]
 name = "clap"
-version = "4.5.28"
+version = "4.5.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e77c3243bd94243c03672cb5154667347c457ca271254724f9f393aee1c05ff"
+checksum = "8acebd8ad879283633b343856142139f2da2317c96b05b4dd6181c61e2480184"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -375,9 +375,9 @@ dependencies = [
 [[package]]
 name = "clap_builder"
-version = "4.5.27"
+version = "4.5.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b26884eb4b57140e4d2d93652abfa49498b938b3c9179f9fc487b0acc3edad7"
+checksum = "f6ba32cbda51c7e1dfd49acc1457ba1a7dec5b64fe360e828acb13ca8dc9c2f9"
 dependencies = [
 "anstream",
 "anstyle",
@@ -1508,9 +1508,9 @@ dependencies = [
 [[package]]
 name = "miniz_oxide"
-version = "0.8.3"
+version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8402cab7aefae129c6977bb0ff1b8fd9a04eb5b51efc50a70bea51cda0c7924"
+checksum = "b3b1c9bd4fe1f0f8b387f6eb9eb3b4a1aa26185e5750efb9140301703f62cd1b"
 dependencies = [
 "adler2",
 ]
@@ -2061,9 +2061,9 @@ dependencies = [
 [[package]]
 name = "rustls"
-version = "0.23.22"
+version = "0.23.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fb9263ab4eb695e42321db096e3b8fbd715a59b154d5c88d82db2175b681ba7"
+checksum = "47796c98c480fce5406ef69d1c76378375492c3b0a0de587be0c1d9feb12f395"
 dependencies = [
 "once_cell",
 "ring",
diff --git a/contrib/ci/jobs/0-codespell/job.sh b/contrib/ci/jobs/0-codespell/job.sh
@@ -4,11 +4,12 @@ set -exuo pipefail
 job_dir=$(dirname "${BASH_SOURCE[0]}")
 skip=$(cat <<EOF
-*/debian/*
 */doc/prebuilt/*
 */.git/*
+*/.ci/*
 */target/*
 */contrib/ci/*
+./common/taler-common/src/error_code.rs
 EOF
 );
diff --git a/contrib/ci/jobs/3-deb/test.sh b/contrib/ci/jobs/3-deb/test.sh
@@ -3,4 +3,6 @@ taler-magnet-bank --version
 echo -e "\ntaler-magnet-bank-httpd user:"
 id taler-magnet-bank-httpd
 echo -e "\ntaler-magnet-bank-worker user:"
-id taler-magnet-bank-worker
-\ No newline at end of file
+id taler-magnet-bank-worker
+echo -e "\n purge magnet-bank:"
+dpkg --purge taler-magnet-bank
+\ No newline at end of file
diff --git a/contrib/magnet-bank.conf b/contrib/magnet-bank.conf
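Review bot: The new purge step only checks that `dpkg --purge taler-magnet-bank` exits zero and does not verify that the cleanup the package is responsible for actually happened. The postinst in this same commit registers `dpkg-statoverride` entries under /etc/taler-magnet-bank/secrets and creates a system group, so a leftover override or group after purge would go unnoticed here. Assuming the postrm (not part of this diff) is meant to remove them, add `! dpkg-statoverride --list '/etc/taler-magnet-bank/*'` and `! getent group taler-magnet-bank-db` after the purge. The stray leading space in `"\n purge magnet-bank:"` also differs from the other headings in this file.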
@@ -1,76 +0,0 @@
-[magnet-bank]
-# URL of the Magnet Bank API server
-API_URL = "https://mobil.magnetbank.hu"
-
-# Your Magnet Bank API unique identifier
-CONSUMER_KEY = "Consumer"
-
-# Your Magnet Bank API confidential key
-CONSUMER_SECRET = "qikgjxc5y06tiil7qgrmh09l7rfi5a8e"
-
-# IBAN of the Magnet Bank account to sync
-IBAN =
-
-# Legal entity that is associated with the Magnet Bank account
-NAME =
-
-# File that holds the crypto keys and access token.
-KEYS_FILE = keys.json
-
-# Specify the account type and therefore the indexing behavior.
-# This can either can be normal or exchange.
-# Exchange accounts bounce invalid incoming Taler transactions.
-ACCOUNT_TYPE = exchange
-
-[magnet-bank-httpd]
-# How "taler-magnet-bank serve" serves its API, this can either be tcp or unix
-SERVE = tcp
-
-# Port on which the HTTP server listens, e.g. 9967. Only used if SERVE is tcp.
-PORT = 8080
-
-# Which IP address should we bind to? E.g. ``127.0.0.1`` or ``::1``for loopback. Only used if SERVE is tcp.
-BIND_TO = 0.0.0.0
-
-# Which unix domain path should we bind to? Only used if SERVE is unix.
-# UNIXPATH = libeufin-bank.sock
-
-# What should be the file access permissions for UNIXPATH? Only used if SERVE is unix.
-# UNIXPATH_MODE = 660
-
-[magnet-bank-httpd-wire-gateway-api]
-# Whether to serve the Wire Gateway API
-ENABLED = NO
-
-# Authentication scheme, this can either can be basic, bearer or none.
-AUTH_METHOD = bearer
-
-# User name for basic authentication scheme
-# USERNAME =
-
-# Password for basic authentication scheme
-# PASSWORD =
-
-# Token for bearer authentication scheme
-TOKEN =
-
-
-[magnet-bank-httpd-revenue-api]
-# Whether to serve the Revenue API
-ENABLED = NO
-
-# Authentication scheme, this can either can be basic, bearer or none.
-AUTH_METHOD = bearer
-
-# User name for basic authentication scheme
-# USERNAME =
-
-# Password for basic authentication scheme
-# PASSWORD =
-
-# Token for bearer authentication scheme
-TOKEN =
-
-
-[magnet-bank-db-postgres]
-CONFIG = postgres:/taler-magnet-bank-adapter
-\ No newline at end of file
diff --git a/contrib/taler-magnet-bank-dbconfig b/contrib/taler-magnet-bank-dbconfig
@@ -13,8 +13,7 @@
 # You should have received a copy of the GNU Lesser General Public License along with
 # TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
 #
-# @author Christian Grothoff
-# @author Florian Dold
+# @author Antoine d'Aligny
 # Error checking on
 set -eu
@@ -24,22 +23,27 @@ RESET_DB=0
 FORCE_PERMS=0
 SKIP_INIT=0
 DBUSER="taler-magnet-bank-httpd"
+DBGROUP="taler-magnet-bank-db"
 CFGFILE="/etc/taler-magnet-bank/taler-magnet-bank.conf"
 # Parse command-line options
-while getopts 'c:g:hprs:' OPTION; do
+while getopts 'c:g:hprsu:' OPTION; do
 case "$OPTION" in
 c)
 CFGFILE="$OPTARG"
 ;;
+ g)
+ DBGROUP="$OPTARG"
+ ;;
 h)
 echo 'Supported options:'
 echo " -c FILENAME -- use configuration FILENAME (default: $CFGFILE)"
+ echo " -g GROUP -- taler-magnet-bank to be run by GROUP (default: $DBGROUP)"
 echo " -h -- print this help text"
 echo " -r -- reset database (dangerous)"
 echo " -p -- force permission setup even without database initialization"
 echo " -s -- skip database initialization"
- echo " -u USER -- taler-merchant to be run by USER (default: $DBUSER)"
+ echo " -u USER -- taler-magnet-bank to be run by USER (default: $DBUSER)"
 exit 0
 ;;
 p)
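Review bot: The new help line `-g GROUP -- taler-magnet-bank to be run by GROUP` describes the option wrongly: judging by the permission block added later in this script, `$DBGROUP` is the OS group whose members are granted a database role, not the group the daemon runs as. Suggested text: `echo " -g GROUP -- grant database access to members of OS group GROUP (default: $DBGROUP)"`. The getopts string also silently drops the argument from `-s` (`s:` became `s`), so an invocation with `-s VALUE` now leaves VALUE as a stray positional argument; that matches the documented usage but deserves a mention in the commit message.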
@@ -80,10 +84,10 @@ fi
 # Check OS users exist
 if ! id "$DBUSER" >/dev/null; then
- exit_fail "Could not find '$DBUSER' user. Cannot continue"
+ exit_fail "Could not find '$DBUSER' user. Please set it up first"
 fi
-# Create DB users matching OS users names
+# Create DB user matching OS user name
 echo "Setting up database user '$DBUSER'." 1>&2
 if ! sudo -i -u postgres createuser "$DBUSER" 2>/dev/null; then
 echo "Database user '$DBUSER' already existed. Continuing anyway." 1>&2
@@ -115,7 +119,7 @@ fi
 # Create database
 if [ 1 = "$DO_CREATE" ]; then
 echo "Creating database '$DBNAME'." 1>&2
- if ! sudo -i -u postgres createdb -O "$DBGROUP" "$DBNAME"; then
+ if ! sudo -i -u postgres createdb -O "$DBUSER" "$DBNAME"; then
 exit_fail "Failed to create database '$DBNAME'"
 fi
 fi
@@ -127,6 +131,32 @@ if [ 0 = "$SKIP_DBINIT" ]; then
 fi
 fi
-# TODO set permission explicitly
+# Set permission for group user
+if [ 0 = "$SKIP_DBINIT" ] || [ 1 = "$FORCE_PERMS" ]; then
+ # Create DB group matching OS group name
+ echo "Setting up database group '$DBGROUP'." 1>&2
+ if ! sudo -i -u postgres createuser "$DBGROUP" 2>/dev/null; then
+ echo "Database group '$DBGROUP' already existed. Continuing anyway." 1>&2
+ fi
+ if ! echo "GRANT ALL PRIVILEGES ON ALL TABLES TO \"$DBGROUP\"" |
+ sudo -i -u postgres psql "$DBNAME"; then
+ exit_fail "Failed to grant access to '$DBGROUP'."
+ fi
+
+ # Update group users rights
+ DB_GRP="$(getent group "$DBGROUP" | sed -e "s/.*://g" -e "s/,/ /g")"
+ echo "Initializing permissions for '$DB_GRP' users." 1>&2
+ for GROUPIE in $DB_GRP; do
+ if [ "$GROUPIE" != "$DBUSER" ]; then
+ if ! sudo -i -u postgres createuser "$GROUPIE" 2>/dev/null; then
+ echo "Database user '$GROUPIE' already existed. Continuing anyway." 1>&2
+ fi
+ fi
+ if ! echo "GRANT ROLE \"$DBGROUP\" ON SCHEMA exchange TO \"$GROUPIE\"" |
+ sudo -i -u postgres psql "$DBNAME"; then
+ exit_fail "Failed to make '$GROUPIE' part of '$DBGROUP' db group."
+ fi
+ done
+fi
 echo "Database configuration finished." 1>&2
diff --git a/debian/etc/taler-magnet-bank/conf.d/magnet-bank-httpd.conf b/debian/etc/taler-magnet-bank/conf.d/magnet-bank-httpd.conf
@@ -0,0 +1,9 @@
+# Configuration the magnet bank adapter worker REST API.
+
+[magnet-bank-httpd-wire-gateway-api]
+# ENABLED = YES
+@inline-secret@ magnet-bank-httpd-wire-gateway-api secrets/magnet-bank-httpd.secret.conf
+
+[magnet-bank-httpd-revenue-api]
+# ENABLED = YES
+@inline-secret@ magnet-bank-httpd-revenue-api secrets/magnet-bank-httpd.secret.conf
+\ No newline at end of file
diff --git a/debian/etc/taler-magnet-bank/conf.d/magnet-bank-system.conf b/debian/etc/taler-magnet-bank/conf.d/magnet-bank-system.conf
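Review bot: The membership loop will be empty for the users this commit's postinst creates: `getent group` lists only supplementary members, and the postinst adds both service users with `--ingroup ${_DBGROUP}`, which makes it their primary group, so `DB_GRP` is blank and the worker user never receives a database role. Both SQL statements also look invalid for PostgreSQL: `GRANT ... ON ALL TABLES` requires `IN SCHEMA <name>`, and role membership is granted with `GRANT "$DBGROUP" TO "$GROUPIE"`, not `GRANT ROLE ... ON SCHEMA exchange` (the `exchange` schema appears to be carried over from the exchange dbconfig); since psql is run without `-v ON_ERROR_STOP=1`, the resulting errors may not even trip `exit_fail`. The new condition reads `$SKIP_DBINIT` while the variable initialised at the top of the file is `SKIP_INIT`; under `set -eu` that aborts unless `SKIP_DBINIT` is assigned somewhere outside this hunk, which is worth confirming. The sketch below enumerates primary-group members too and uses valid grants; the schema name has to be the one `taler-magnet-bank` dbinit creates.
```shell
  # Create DB group matching OS group name (a group role should not be able to log in)
  if ! sudo -i -u postgres createuser --no-login "$DBGROUP" 2>/dev/null; then
    echo "Database group '$DBGROUP' already existed. Continuing anyway." 1>&2
  fi
  DBSCHEMA="public"   # TODO: schema created by 'taler-magnet-bank dbinit'
  if ! echo "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA \"$DBSCHEMA\" TO \"$DBGROUP\"; GRANT USAGE ON ALL SEQUENCES IN SCHEMA \"$DBSCHEMA\" TO \"$DBGROUP\"" |
    sudo -i -u postgres psql -v ON_ERROR_STOP=1 "$DBNAME"; then
    exit_fail "Failed to grant access to '$DBGROUP'."
  fi

  # Update group users rights: supplementary members plus users whose primary group is $DBGROUP
  DB_GID="$(getent group "$DBGROUP" | cut -d: -f3)"
  DB_GRP="$(getent group "$DBGROUP" | cut -d: -f4 | tr ',' ' ') $(getent passwd | awk -F: -v gid="$DB_GID" '$4 == gid { print $1 }')"
  for GROUPIE in $DB_GRP; do
    # … unchanged: createuser for members other than $DBUSER …
    if ! echo "GRANT \"$DBGROUP\" TO \"$GROUPIE\"" |
      sudo -i -u postgres psql -v ON_ERROR_STOP=1 "$DBNAME"; then
      exit_fail "Failed to make '$GROUPIE' part of '$DBGROUP' db group."
    fi
  done
```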
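Review bot: The two `@inline-secret@` lines reference `secrets/magnet-bank-httpd.secret.conf`, while the sibling conf.d/magnet-bank-system.conf added in this same commit references `../secrets/magnet-bank-db.secret.conf`; both files live in conf.d/, so one of the two relative forms cannot resolve. If inline paths are resolved relative to the including file, as the `../` form assumes, these should read `@inline-secret@ magnet-bank-httpd-wire-gateway-api ../secrets/magnet-bank-httpd.secret.conf` and likewise for the revenue section. The header comment also says "worker REST API" for what is the httpd configuration; `# Configuration of the magnet bank adapter REST API (taler-magnet-bank serve).` would be accurate.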
@@ -0,0 +1,6 @@
+# Configuration for system aspects of the magnet bank adapter.
+
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ magnet-bankdb-postgres ../secrets/magnet-bank-db.secret.conf
+
diff --git a/debian/etc/taler-magnet-bank/conf.d/magnet-bank-worker.conf b/debian/etc/taler-magnet-bank/conf.d/magnet-bank-worker.conf
@@ -0,0 +1,6 @@
+# Configuration the magnet bank adapter worker.
+
+[magnet-bank-worker]
+CONSUMER_KEY =
+CONSUMER_SECRET =
+KEYS_FILE = ${MAGNET_BANK_HOME}/keys.json
+\ No newline at end of file
diff --git a/debian/etc/taler-magnet-bank/overrides.conf b/debian/etc/taler-magnet-bank/overrides.conf
@@ -0,0 +1 @@
+# This configuration will be changed by tooling. Do not touch it manually.
diff --git a/debian/etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf b/debian/etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf
@@ -0,0 +1,8 @@
+[magnet-bankdb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:/taler-magnet-bank
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
diff --git a/debian/etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf b/debian/etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf
@@ -0,0 +1,7 @@
+[magnet-bank-httpd-wire-gateway-api]
+# AUTH_METHOD = bearer
+# TOKEN =
+
+[magnet-bank-httpd-revenue-api]
+# AUTH_METHOD = bearer
+# TOKEN =
+\ No newline at end of file
diff --git a/debian/etc/taler-magnet-bank/taler-magnet-bank.conf b/debian/etc/taler-magnet-bank/taler-magnet-bank.conf
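Review bot: `CONSUMER_KEY` and `CONSUMER_SECRET` are placed in conf.d/magnet-bank-worker.conf, which the main configuration in this commit describes as readable by all users and which Cargo.toml installs with mode 644, so the bank API credential becomes world-readable as soon as an operator fills it in. The postinst already registers a stat override for secrets/magnet-bank-worker.secret.conf, yet that file is not added here; ship it with the two keys and pull it in from this file with `@inline-secret@ magnet-bank-worker ../secrets/magnet-bank-worker.secret.conf`. Leaving `KEYS_FILE = ${MAGNET_BANK_HOME}/keys.json` in the public file is fine since it is only a path, though the header comment should read `# Configuration of the magnet bank adapter worker.`.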
@@ -1 +1,33 @@
-# This is the main configuration entrypoint for taler-magnet-bank.
-\ No newline at end of file
+# Main entry point for the Taler Magnet Bank Adapter configuration.
+#
+# Structure:
+# - taler-magne-bank.conf is the main configuration entry point
+# used by all Taler Magnet Bank Adapter components (the file you are currently
+# looking at.
+# - overrides.conf contains configuration overrides that are
+# set by some tools that help with the configuration,
+# and should not be edited by humans. Comments in this file
+# are not preserved.
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration.
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it. All files in it should end with
+# ".secret.conf".
+
+# Inline configurations from all Taler Magnet Bank Adapter components.
+@inline-matching@ conf.d/*.conf
+
+# Overrides from tools that help with configuration.
+@inline@ overrides.conf
+
+[paths]
+
+# Paths for the system-wide installation of the Taler Magnet Bank Adapter. Do not remove
+# or change these unless you are very sure of what you are doing.
+
+MAGNET_BANK_HOME = /var/lib/taler-magnet-bank/
+\ No newline at end of file
diff --git a/debian/taler-magnet-bank.postinst b/debian/taler-magnet-bank.postinst
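Review bot: The structure comment misspells the file it describes (`taler-magne-bank.conf`) and leaves the parenthesis in "(the file you are currently looking at." unclosed; suggested text: `# - taler-magnet-bank.conf is the main configuration entry point used by all Taler Magnet Bank Adapter components (the file you are currently looking at).`. The secrets/ paragraph promises restrictive permissions, but in this commit that depends entirely on the stat overrides in the package postinst, and the files are otherwise installed mode 644; a sentence saying that the Debian package sets these permissions in postinst and that a manual install must chmod/chown the directory itself would make the operator's responsibility explicit. `MAGNET_BANK_HOME` ends with a slash and is later used as `${MAGNET_BANK_HOME}/keys.json`, which yields a harmless double slash but reads oddly.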
@@ -9,12 +9,28 @@ _HTTPDUSER=taler-magnet-bank-httpd
 _WORKERUSER=taler-magnet-bank-worker
 if [ "$1" = "configure" ] ; then
+ # Create taler groups as needed
+ if ! getent group ${_DBGROUP} >/dev/null; then
+ addgroup --quiet --system ${_DBGROUP}
+ fi
 # Create users as needed
 if ! getent passwd ${_HTTPDUSER} >/dev/null; then
- adduser --quiet --system --no-create-home --home ${MAGNET_HOME} ${_HTTPDUSER}
+ adduser --quiet --system --no-create-home --ingroup ${_DBGROUP} --home ${MAGNET_HOME} ${_HTTPDUSER}
 fi
 if ! getent passwd ${_WORKERUSER} >/dev/null; then
- adduser --quiet --system --no-create-home --home ${MAGNET_HOME} ${_WORKERUSER}
+ adduser --quiet --system --no-create-home --ingroup ${_DBGROUP} --home ${MAGNET_HOME} ${_WORKERUSER}
+ fi
+
+ # Update secret files permissions
+ if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf >/dev/null 2>&1; then
+ dpkg-statoverride --add --update \
+ root ${_DBGROUP} 460 \
+ /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf
+ fi
+ if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf >/dev/null 2>&1; then
+ dpkg-statoverride --add --update \
+ ${_WORKERUSER} root 640 \
+ /etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf
 fi
 fi
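Review bot: The stat override for magnet-bank-db.secret.conf uses mode `460`, which makes the database secret group-writable while owner root gets read only; this looks like a transposition of `640`, the mode the worker override below uses. The second override targets secrets/magnet-bank-worker.secret.conf, a file this commit does not ship (the diffstat lists only the db and httpd secret files), while secrets/magnet-bank-httpd.secret.conf, which is where the bearer `TOKEN`s go, gets no override and stays at the 644 Cargo.toml assigns. `_DBGROUP` is not assigned in the visible part of the script either; if it is not set above line 9, `addgroup` and `--ingroup` run with an empty name. I would fix the mode and add the httpd override in the same pattern:
```shell
  # Update secret files permissions
  if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf >/dev/null 2>&1; then
    dpkg-statoverride --add --update \
      root ${_DBGROUP} 640 \
      /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf
  fi
  if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf >/dev/null 2>&1; then
    dpkg-statoverride --add --update \
      ${_HTTPDUSER} root 640 \
      /etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf
  fi
  # … unchanged: worker secret override (only meaningful once that file is shipped) …
```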
@@ -53,27 +53,11 @@ systemd-units = [
 recommends = ["apache2 | nginx | httpd", "postgresql (>= 15.0)"]
 assets = [
 # Binary
- [
- "target/release/taler-magnet-bank",
- "/usr/bin/",
- "755",
- ],
+ ["target/release/taler-magnet-bank", "/usr/bin/", "755"],
 # Scripts
- [
- "../contrib/taler-magnet-bank-dbconfig",
- "/usr/bin/",
- "755",
- ],
+ ["../contrib/taler-magnet-bank-dbconfig", "/usr/bin/", "755"],
 # Default config
- [
- "../contrib/magnet-bank.conf",
- "/usr/share/taler-magnet-bank/config.d/",
- "644",
- ],
+ ["magnet-bank.conf", "/usr/share/taler-magnet-bank/config.d/", "644"],
 # Configs
- [
- "../debian/etc/**/*",
- "/etc",
- "644",
- ],
+ ["../debian/etc/**/*", "/etc", "644"],
 ]
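Review bot: The `../debian/etc/**/*` entry installs everything under debian/etc with mode 644, which now includes the two files in secrets/ meant to hold the database URI and the bearer tokens; the main configuration added in this commit says those must be restrictively permissioned, and the postinst tightens only one of them. Give the secrets directory its own asset line so the shipped mode is already restrictive, e.g. `["../debian/etc/taler-magnet-bank/secrets/*", "/etc/taler-magnet-bank/secrets/", "640"],`, and narrow the broad glob to conf.d and the two top-level files so the same path is not listed twice (whether cargo-deb accepts overlapping entries is worth verifying). The rest of this hunk is a pure reformat.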
@@ -0,0 +1,77 @@
+[magnet-bank]
+# IBAN of the Magnet Bank account to sync
+IBAN =
+
+# Legal entity that is associated with the Magnet Bank account
+NAME =
+
+[magnet-bank-worker]
+# URL of the Magnet Bank API server
+API_URL = "https://mobil.magnetbank.hu"
+
+# Your Magnet Bank API unique identifier
+# CONSUMER_KEY = "Consumer"
+
+# Your Magnet Bank API confidential key
+# CONSUMER_SECRET = "qikgjxc5y06tiil7qgrmh09l7rfi5a8e"
+
+# File that holds the crypto keys and access token.
+# KEYS_FILE = ${MAGNET_BANK_HOME}/keys.json
+
+# Specify the account type and therefore the indexing behavior.
+# This can either can be normal or exchange.
+# Exchange accounts bounce invalid incoming Taler transactions.
+ACCOUNT_TYPE = exchange
+
+[magnet-bank-httpd]
+# How "taler-magnet-bank serve" serves its API, this can either be tcp or unix
+SERVE = tcp
+
+# Port on which the HTTP server listens, e.g. 9967. Only used if SERVE is tcp.
+PORT = 8080
+
+# Which IP address should we bind to? E.g. ``127.0.0.1`` or ``::1``for loopback. Only used if SERVE is tcp.
+BIND_TO = 0.0.0.0
+
+# Which unix domain path should we bind to? Only used if SERVE is unix.
+# UNIXPATH = libeufin-bank.sock
+
+# What should be the file access permissions for UNIXPATH? Only used if SERVE is unix.
+# UNIXPATH_MODE = 660
+
+[magnet-bank-httpd-wire-gateway-api]
+# Whether to serve the Wire Gateway API
+ENABLED = NO
+
+# Authentication scheme, this can either can be basic, bearer or none.
+AUTH_METHOD = bearer
+
+# User name for basic authentication scheme
+# USERNAME =
+
+# Password for basic authentication scheme
+# PASSWORD =
+
+# Token for bearer authentication scheme
+TOKEN =
+
+
+[magnet-bank-httpd-revenue-api]
+# Whether to serve the Revenue API
+ENABLED = NO
+
+# Authentication scheme, this can either can be basic, bearer or none.
+AUTH_METHOD = bearer
+
+# User name for basic authentication scheme
+# USERNAME =
+
+# Password for basic authentication scheme
+# PASSWORD =
+
+# Token for bearer authentication scheme
+TOKEN =
+
+
+[magnet-bankdb-postgres]
+CONFIG = postgres:/taler-magnet-bank
+\ No newline at end of file
diff --git a/taler-magnet-bank/src/config.rs b/taler-magnet-bank/src/config.rs
@@ -110,7 +110,7 @@ pub struct WorkerCfg {
 impl WorkerCfg {
 pub fn parse(cfg: &Config) -> Result<Self, ValueErr> {
- let sect = cfg.section("magnet-bank");
+ let sect = cfg.section("magnet-bank-worker");
 Ok(Self {
 api_url: sect.parse("URL", "API_URL").require()?,
 consumer: Token {
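Review bot: The commented-out example `# CONSUMER_SECRET = "qikgjxc5y06tiil7qgrmh09l7rfi5a8e"` is a 32-character value that reads like a real credential in a file installed under /usr/share; if it ever was one it should be rotated, and either way a visibly fake placeholder such as `# CONSUMER_SECRET = "<your-consumer-secret>"` avoids secret-scanner noise and copy-paste accidents. `BIND_TO = 0.0.0.0` as the shipped default exposes the httpd on every interface; the Wire Gateway and Revenue APIs are `ENABLED = NO` by default, but once enabled the only protection is whatever an operator puts in the empty `TOKEN =`, so a loopback default (`BIND_TO = 127.0.0.1`) with the reverse proxy from `recommends` in front is the safer baseline. `# UNIXPATH = libeufin-bank.sock` is a leftover from libeufin and should name this service's socket, e.g. `# UNIXPATH = taler-magnet-bank.sock`.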
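Review bot: This hunk renames only the worker section, yet the configuration files in this same commit also rename the database section from `[magnet-bank-db-postgres]` to `[magnet-bankdb-postgres]` (default config, conf.d/magnet-bank-system.conf and the db secret file), and no matching change to the database configuration parser is visible in the diff. If that parser still calls `cfg.section("magnet-bank-db-postgres")`, `CONFIG` will not be found on a fresh install; worth confirming in the part of config.rs outside this hunk. `WorkerCfg::parse` continues past the end of the hunk.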