From 0bec568bc6e319b701116579123a3066626d6e1f Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Thu, 12 Oct 2023 13:10:17 -0500 Subject: [PATCH 01/23] Increase chance to 5% to renew cert --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 1be05e20..5d6a5dbc 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -196,7 +196,7 @@ async function checkCertValidity(certBuffer, registerOptions) { NETWORK === "main" && cert.subjectAltName && !cert.subjectAltName.includes(".l1s.saturn.ms") && - Math.random() < 1 / 100 + Math.random() < 5 / 100 ) { debug("Certificate is missing .l1s.saturn.ms SAN, getting a new one..."); valid = false; From 1abeb67ec904713e6285c178c863f52f439682e7 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Thu, 12 Oct 2023 21:33:40 -0500 Subject: [PATCH 02/23] Increase chance to 10% to renew cert --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 5d6a5dbc..128db15d 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -196,7 +196,7 @@ async function checkCertValidity(certBuffer, registerOptions) { NETWORK === "main" && cert.subjectAltName && !cert.subjectAltName.includes(".l1s.saturn.ms") && - Math.random() < 5 / 100 + Math.random() < 10 / 100 ) { debug("Certificate is missing .l1s.saturn.ms SAN, getting a new one..."); valid = false; From 723bd00768d5ba50b2956aea896c7b6b2a8431ad Mon Sep 17 00:00:00 2001 
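Review bot: The renewal probability on the changed line is a bare magic number, and the same literal is bumped again in patches 02, 03 and 05–08, each as a separate code change and release. A named constant near the top of registration.js, `const SAN_RENEWAL_CHANCE = 0.05; // fraction of validity checks that force a re-issue`, with `Math.random() < SAN_RENEWAL_CHANCE` here, would keep the roll-out knob visible and reviewable in one place; reading it from an environment variable would avoid a commit per adjustment. `Math.random()` is adequate for this purpose since the value only spreads renewals over time and guards no secret. checkCertValidity starts and ends outside the hunk.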
From: Diego Rodriguez Baquero Date: Fri, 13 Oct 2023 11:18:12 -0500 Subject: [PATCH 03/23] Increase chance to 15% to renew cert --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 128db15d..8c7baf9b 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -196,7 +196,7 @@ async function checkCertValidity(certBuffer, registerOptions) { NETWORK === "main" && cert.subjectAltName && !cert.subjectAltName.includes(".l1s.saturn.ms") && - Math.random() < 10 / 100 + Math.random() < 15 / 100 ) { debug("Certificate is missing .l1s.saturn.ms SAN, getting a new one..."); valid = false; From 1ebf12f6693ccf151f79ac1fa8133e901d9ec59c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20Rodr=C3=ADguez=20Baquero?= Date: Fri, 13 Oct 2023 15:47:46 -0500 Subject: [PATCH 04/23] Check for unique SAN in cert, dial down to 1% chance every 12 hours (#507) --- container/shim/src/modules/registration.js | 24 +++++++++++----------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 8c7baf9b..897ff9a5 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -98,9 +98,9 @@ export async function register(initial = false) { const certBuffer = await fsPromises.readFile(CERT_PATH); - // Check cert validity on initial registration and at least once daily - if (initial || lastInitialRegistration < Date.now() - 24 * 60 * 60 * 1000) { - await checkCertValidity(certBuffer, registerOptions); + // Check cert validity on initial registration and at least twice daily + if (initial || lastInitialRegistration < Date.now() - 12 * 60 * 60 * 1000) { + await checkCertValidity(certBuffer, registerOptions, preregisterResponse); } if (backupCertExists) { 
@@ -170,7 +170,7 @@ async function handleMissingCert(registerOptions) { } } -async function checkCertValidity(certBuffer, registerOptions) { +async function checkCertValidity(certBuffer, registerOptions, preregisterResponse) { const cert = new X509Certificate(certBuffer); const validTo = Date.parse(cert.validTo); let valid = true; @@ -192,14 +192,14 @@ async function checkCertValidity(certBuffer, registerOptions) { valid = false; } - if ( - NETWORK === "main" && - cert.subjectAltName && - !cert.subjectAltName.includes(".l1s.saturn.ms") && - Math.random() < 15 / 100 - ) { - debug("Certificate is missing .l1s.saturn.ms SAN, getting a new one..."); - valid = false; + if (NETWORK === "main" && cert.subjectAltName && Math.random() < 1 / 100) { + const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); + const targetSAN = subdomain ? `${subdomain}.l1s.saturn.ms` : ".l1s.saturn.ms"; + + if (!cert.subjectAltName.includes(targetSAN)) { + debug(`Certificate is missing ${targetSAN} unique SAN, getting a new one...`); + valid = false; + } } if (NETWORK === "test" && cert.subjectAltName && !cert.subjectAltName.includes("l1s.saturn-test.ms")) { From 35d72ea410d5760139ac34eb049de7aef3ed3919 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Tue, 17 Oct 2023 14:58:43 -0500 Subject: [PATCH 05/23] Check for unique SAN in cert, 2% chance every 12 hours --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 897ff9a5..8712e2b1 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js 
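Review bot: `cert.subjectAltName.includes(targetSAN)` in the second hunk is a substring test, so a node whose dashed IP is a suffix of another node's (`1-2-3-4.l1s.saturn.ms` inside `DNS:11-2-3-4.l1s.saturn.ms`) keeps a certificate that was issued for the other node, which defeats the per-node uniqueness this commit introduces. Node's `X509Certificate.subjectAltName` is a comma-separated list of `DNS:` entries, so compare whole entries when an IP is known: `const sans = cert.subjectAltName.split(", ");` / `const hasSAN = subdomain ? sans.includes(\`DNS:${targetSAN}\`) : cert.subjectAltName.includes(targetSAN);` / `if (!hasSAN) {`. The same comparison survives unchanged through patches 05–09. The fallback to `".l1s.saturn.ms"` when `preregisterResponse.ip` is absent accepts any node's certificate; a debug line saying the unique-SAN check was skipped would help operators notice. checkCertValidity's body continues outside both hunks.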
@@ -192,7 +192,7 @@ async function checkCertValidity(certBuffer, registerOptions, preregisterRespons valid = false; } - if (NETWORK === "main" && cert.subjectAltName && Math.random() < 1 / 100) { + if (NETWORK === "main" && cert.subjectAltName && Math.random() < 2 / 100) { const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); const targetSAN = subdomain ? `${subdomain}.l1s.saturn.ms` : ".l1s.saturn.ms"; From 38ed1c77af712ef614bd6e2440279942c6ecb4b2 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Thu, 19 Oct 2023 15:01:24 -0500 Subject: [PATCH 06/23] Increase chance to 5% to renew cert --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 8712e2b1..e4f18bb2 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -192,7 +192,7 @@ async function checkCertValidity(certBuffer, registerOptions, preregisterRespons valid = false; } - if (NETWORK === "main" && cert.subjectAltName && Math.random() < 2 / 100) { + if (NETWORK === "main" && cert.subjectAltName && Math.random() < 5 / 100) { const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); const targetSAN = subdomain ? `${subdomain}.l1s.saturn.ms` : ".l1s.saturn.ms"; From 408cafe0df6ff438a9e02b6657cccc2480261a23 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Fri, 20 Oct 2023 12:29:11 -0500 Subject: [PATCH 07/23] Increase chance of renewing cert to 10% --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index e4f18bb2..719dda8d 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js 
@@ -192,7 +192,7 @@ async function checkCertValidity(certBuffer, registerOptions, preregisterRespons valid = false; } - if (NETWORK === "main" && cert.subjectAltName && Math.random() < 5 / 100) { + if (NETWORK === "main" && cert.subjectAltName && Math.random() < 10 / 100) { const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); const targetSAN = subdomain ? `${subdomain}.l1s.saturn.ms` : ".l1s.saturn.ms"; From 7fdf2835a313643017042ddae6c0ca5ffea59831 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Fri, 20 Oct 2023 16:14:19 -0500 Subject: [PATCH 08/23] Increase chance of renewing cert to 20% --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 719dda8d..70aaaaba 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -192,7 +192,7 @@ async function checkCertValidity(certBuffer, registerOptions, preregisterRespons valid = false; } - if (NETWORK === "main" && cert.subjectAltName && Math.random() < 10 / 100) { + if (NETWORK === "main" && cert.subjectAltName && Math.random() < 20 / 100) { const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); const targetSAN = subdomain ? `${subdomain}.l1s.saturn.ms` : ".l1s.saturn.ms"; From 06fff8bbe7becfdfa66adb0206aa47d3d3e9c126 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Mon, 23 Oct 2023 09:00:42 -0500 Subject: [PATCH 09/23] All nodes must have unique cert now --- container/shim/src/modules/registration.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 70aaaaba..e9c924fc 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js 
@@ -187,12 +187,12 @@ async function checkCertValidity(certBuffer, registerOptions, preregisterRespons debug(`Certificate is valid until ${cert.validTo}`); } - if (NETWORK === "main" && cert.subjectAltName && !cert.subjectAltName.includes("l1s.saturn.ms")) { - debug("Certificate is missing l1s.saturn.ms SAN, getting a new one..."); - valid = false; - } + if (NETWORK === "main" && cert.subjectAltName) { + if (!cert.subjectAltName.includes("l1s.saturn.ms")) { + debug("Certificate is missing l1s.saturn.ms SAN, getting a new one..."); + valid = false; + } - if (NETWORK === "main" && cert.subjectAltName && Math.random() < 20 / 100) { const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); const targetSAN = subdomain ? `${subdomain}.l1s.saturn.ms` : ".l1s.saturn.ms"; From 257e3b3a87da719352cd4a3539e3a5349c1dd5cc Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Fri, 27 Oct 2023 17:05:18 -0500 Subject: [PATCH 10/23] Update dependencies --- container/shim/package-lock.json | 162 +++++++++++++++---------------- container/shim/package.json | 8 +- 2 files changed, 85 insertions(+), 85 deletions(-) diff --git a/container/shim/package-lock.json b/container/shim/package-lock.json index 301834c1..0a24ad01 100644 --- a/container/shim/package-lock.json +++ b/container/shim/package-lock.json @@ -4,9 +4,10 @@ "requires": true, "packages": { "": { + "name": "shim", "dependencies": { "@glif/filecoin-address": "^2.0.43", - "@ipld/car": "^5.2.0", + "@ipld/car": "^5.2.4", "asn1.js-rfc2560": "^5.0.1", "asn1.js-rfc5280": "^3.0.0", "debug": "^4.3.4", 
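Review bot: The new outer guard `NETWORK === "main" && cert.subjectAltName` means a main-network certificate with no SAN extension at all skips both the generic and the unique-SAN check and is reported valid, even though the commit title says every node must now hold a unique cert. If that is not intended, drop the SAN presence from the guard and let the inner checks fail on an empty value: `if (NETWORK === "main") {` followed by `if (!cert.subjectAltName?.includes("l1s.saturn.ms")) {`. The later `cert.subjectAltName.includes(targetSAN)` comparison, which lies past the end of this hunk, would then need the same optional chaining. The `if` block opened here continues outside the hunk.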
@@ -16,18 +17,18 @@ "logfmt": "^1.3.2", "lru-cache": "^10.0.1", "mime-types": "^2.1.35", - "multiformats": "^12.0.1", + "multiformats": "^12.1.3", "node-fetch": "^3.3.2", "p-limit": "^4.0.0", "pretty-bytes": "^6.1.1", "server-timing": "^3.3.3" }, "devDependencies": { - "eslint": "^8.51.0", + "eslint": "^8.52.0", "eslint-config-ipfs": "^6.0.0", "eslint-config-prettier": "^9.0.0", "husky": "^8.0.3", - "nock": "^13.3.3", + "nock": "^13.3.6", "test": "^3.3.0" } }, @@ -102,9 +103,9 @@ } }, "node_modules/@eslint/js": { - "version": "8.51.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.51.0.tgz", - "integrity": "sha512-HxjQ8Qn+4SI3/AFv6sOrDB+g6PpUTDwSJiQqOrnneEk8L71161srI9gjzzZvYVbzHiVg/BvcH95+cK/zfIt4pg==", + "version": "8.52.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.52.0.tgz", + "integrity": "sha512-mjZVbpaeMZludF2fsWLD0Z9gCref1Tk4i9+wddjRvpUNqqcndPkBD09N/Mapey0b3jaXbLm2kICwFv2E64QinA==", "dev": true, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" @@ -794,12 +795,12 @@ } }, "node_modules/@humanwhocodes/config-array": { - "version": "0.11.11", - "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.11.tgz", - "integrity": "sha512-N2brEuAadi0CcdeMXUkhbZB84eskAc8MEX1By6qEchoVywSgXPIjou4rYsl0V3Hj0ZnuGycGCjdNgockbzeWNA==", + "version": "0.11.13", + "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz", + "integrity": "sha512-JSBDMiDKSzQVngfRjOdFXgFfklaXI4K9nLF49Auh21lmBWRLIK3+xTErTWD4KU54pb6coM6ESE7Awz/FNU3zgQ==", "dev": true, "dependencies": { - "@humanwhocodes/object-schema": "^1.2.1", + "@humanwhocodes/object-schema": "^2.0.1", "debug": "^4.1.1", "minimatch": "^3.0.5" }, 
@@ -821,19 +822,19 @@ } }, "node_modules/@humanwhocodes/object-schema": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz", - "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.1.tgz", + "integrity": "sha512-dvuCeX5fC9dXgJn9t+X5atfmgQAzUOWqS1254Gh0m6i8wKd10ebXkfNKiRK+1GWi/yTvvLDHpoxLr0xxxeslWw==", "dev": true }, "node_modules/@ipld/car": { - "version": "5.2.0", - "resolved": "https://registry.npmjs.org/@ipld/car/-/car-5.2.0.tgz", - "integrity": "sha512-Y4DiyVoPaeGxY6gKV/0A/73SlIIuDu7fl25NdlrO6BYhyTN6v59KqcilmMXbiBA/zcf7cZr1GZVPHRyG2+nmAw==", + "version": "5.2.4", + "resolved": "https://registry.npmjs.org/@ipld/car/-/car-5.2.4.tgz", + "integrity": "sha512-YoVXE/o5HLXKi/Oqh9Nhcn423sdn9brRFKnbUid68/1D332/XINcoyCTvBluFcCw/9IeiTx+sEAV+onXZ/A4eA==", "dependencies": { "@ipld/dag-cbor": "^9.0.0", - "cborg": "^1.9.0", - "multiformats": "^11.0.0", + "cborg": "^4.0.0", + "multiformats": "^12.1.0", "varint": "^6.0.0" }, "engines": { @@ -841,13 +842,12 @@ "npm": ">=7.0.0" } }, - "node_modules/@ipld/car/node_modules/multiformats": { - "version": "11.0.2", - "resolved": "https://registry.npmjs.org/multiformats/-/multiformats-11.0.2.tgz", - "integrity": "sha512-b5mYMkOkARIuVZCpvijFj9a6m5wMVLC7cf/jIPd5D/ARDOfLC5+IFkbgDXQgcU2goIsTD/O9NY4DI/Mt4OGvlg==", - "engines": { - "node": ">=16.0.0", - "npm": ">=7.0.0" + "node_modules/@ipld/car/node_modules/cborg": { + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/cborg/-/cborg-4.0.5.tgz", + "integrity": "sha512-q8TAjprr8pn9Fp53rOIGp/UFDdFY6os2Nq62YogPSIzczJD9M6g2b6igxMkpCiZZKJ0kn/KzDLDvG+EqBIEeCg==", + "bin": { + "cborg": "lib/bin.js" } }, "node_modules/@ipld/dag-cbor": { 
@@ -1186,6 +1186,12 @@ "url": "https://opencollective.com/typescript-eslint" } }, + "node_modules/@ungap/structured-clone": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.0.tgz", + "integrity": "sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==", + "dev": true + }, "node_modules/abort-controller": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz", @@ -2057,18 +2063,19 @@ } }, "node_modules/eslint": { - "version": "8.51.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.51.0.tgz", - "integrity": "sha512-2WuxRZBrlwnXi+/vFSJyjMqrNjtJqiasMzehF0shoLaW7DzS3/9Yvrmq5JiT66+pNjiX4UBnLDiKHcWAr/OInA==", + "version": "8.52.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.52.0.tgz", + "integrity": "sha512-zh/JHnaixqHZsolRB/w9/02akBk9EPrOs9JwcTP2ek7yL5bVvXuRariiaAjjoJ5DvuwQ1WAE/HsMz+w17YgBCg==", "dev": true, "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", "@eslint/eslintrc": "^2.1.2", - "@eslint/js": "8.51.0", - "@humanwhocodes/config-array": "^0.11.11", + "@eslint/js": "8.52.0", + "@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", + "@ungap/structured-clone": "^1.2.0", "ajv": "^6.12.4", "chalk": "^4.0.0", "cross-spawn": "^7.0.2", @@ -3727,12 +3734,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, "node_modules/lodash.merge": { "version": "4.6.2", "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", 
@@ -3866,9 +3867,9 @@ "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" }, "node_modules/multiformats": { - "version": "12.0.1", - "resolved": "https://registry.npmjs.org/multiformats/-/multiformats-12.0.1.tgz", - "integrity": "sha512-s01wijBJoDUqESWSzePY0lvTw7J3PVO9x2Cc6ASI5AMZM2Gnhh7BC17+nlFhHKU7dDzaCaRfb+NiqNzOsgPUoQ==", + "version": "12.1.3", + "resolved": "https://registry.npmjs.org/multiformats/-/multiformats-12.1.3.tgz", + "integrity": "sha512-eajQ/ZH7qXZQR2AgtfpmSMizQzmyYVmCql7pdhldPuYQi4atACekbJaQplk6dWyIi10jCaFnd6pqvcEFXjbaJw==", "engines": { "node": ">=16.0.0", "npm": ">=7.0.0" @@ -3895,14 +3896,13 @@ } }, "node_modules/nock": { - "version": "13.3.3", - "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.3.tgz", - "integrity": "sha512-z+KUlILy9SK/RjpeXDiDUEAq4T94ADPHE3qaRkf66mpEhzc/ytOMm3Bwdrbq6k1tMWkbdujiKim3G2tfQARuJw==", + "version": "13.3.6", + "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.6.tgz", + "integrity": "sha512-lT6YuktKroUFM+27mubf2uqQZVy2Jf+pfGzuh9N6VwdHlFoZqvi4zyxFTVR1w/ChPqGY6yxGehHp6C3wqCASCw==", "dev": true, "dependencies": { "debug": "^4.1.0", "json-stringify-safe": "^5.0.1", - "lodash": "^4.17.21", "propagate": "^2.0.0" }, "engines": { @@ -5368,9 +5368,9 @@ } }, "@eslint/js": { - "version": "8.51.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.51.0.tgz", - "integrity": "sha512-HxjQ8Qn+4SI3/AFv6sOrDB+g6PpUTDwSJiQqOrnneEk8L71161srI9gjzzZvYVbzHiVg/BvcH95+cK/zfIt4pg==", + "version": "8.52.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.52.0.tgz", + "integrity": "sha512-mjZVbpaeMZludF2fsWLD0Z9gCref1Tk4i9+wddjRvpUNqqcndPkBD09N/Mapey0b3jaXbLm2kICwFv2E64QinA==", "dev": true }, "@ethersproject/abi": { 
@@ -5757,12 +5757,12 @@ } }, "@humanwhocodes/config-array": { - "version": "0.11.11", - "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.11.tgz", - "integrity": "sha512-N2brEuAadi0CcdeMXUkhbZB84eskAc8MEX1By6qEchoVywSgXPIjou4rYsl0V3Hj0ZnuGycGCjdNgockbzeWNA==", + "version": "0.11.13", + "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz", + "integrity": "sha512-JSBDMiDKSzQVngfRjOdFXgFfklaXI4K9nLF49Auh21lmBWRLIK3+xTErTWD4KU54pb6coM6ESE7Awz/FNU3zgQ==", "dev": true, "requires": { - "@humanwhocodes/object-schema": "^1.2.1", + "@humanwhocodes/object-schema": "^2.0.1", "debug": "^4.1.1", "minimatch": "^3.0.5" } 
@@ -5774,26 +5774,26 @@ "dev": true }, "@humanwhocodes/object-schema": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz", - "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.1.tgz", + "integrity": "sha512-dvuCeX5fC9dXgJn9t+X5atfmgQAzUOWqS1254Gh0m6i8wKd10ebXkfNKiRK+1GWi/yTvvLDHpoxLr0xxxeslWw==", "dev": true }, "@ipld/car": { - "version": "5.2.0", - "resolved": "https://registry.npmjs.org/@ipld/car/-/car-5.2.0.tgz", - "integrity": "sha512-Y4DiyVoPaeGxY6gKV/0A/73SlIIuDu7fl25NdlrO6BYhyTN6v59KqcilmMXbiBA/zcf7cZr1GZVPHRyG2+nmAw==", + "version": "5.2.4", + "resolved": "https://registry.npmjs.org/@ipld/car/-/car-5.2.4.tgz", + "integrity": "sha512-YoVXE/o5HLXKi/Oqh9Nhcn423sdn9brRFKnbUid68/1D332/XINcoyCTvBluFcCw/9IeiTx+sEAV+onXZ/A4eA==", "requires": { "@ipld/dag-cbor": "^9.0.0", - "cborg": "^1.9.0", - "multiformats": "^11.0.0", + "cborg": "^4.0.0", + "multiformats": "^12.1.0", "varint": "^6.0.0" }, "dependencies": { - "multiformats": { - "version": "11.0.2", - "resolved": "https://registry.npmjs.org/multiformats/-/multiformats-11.0.2.tgz", - "integrity": "sha512-b5mYMkOkARIuVZCpvijFj9a6m5wMVLC7cf/jIPd5D/ARDOfLC5+IFkbgDXQgcU2goIsTD/O9NY4DI/Mt4OGvlg==" + "cborg": { + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/cborg/-/cborg-4.0.5.tgz", + "integrity": "sha512-q8TAjprr8pn9Fp53rOIGp/UFDdFY6os2Nq62YogPSIzczJD9M6g2b6igxMkpCiZZKJ0kn/KzDLDvG+EqBIEeCg==" } } }, 
@@ -6009,6 +6009,12 @@ "eslint-visitor-keys": "^3.3.0" } }, + "@ungap/structured-clone": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.0.tgz", + "integrity": "sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==", + "dev": true + }, "abort-controller": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz", @@ -6659,18 +6665,19 @@ "dev": true }, "eslint": { - "version": "8.51.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.51.0.tgz", - "integrity": "sha512-2WuxRZBrlwnXi+/vFSJyjMqrNjtJqiasMzehF0shoLaW7DzS3/9Yvrmq5JiT66+pNjiX4UBnLDiKHcWAr/OInA==", + "version": "8.52.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.52.0.tgz", + "integrity": "sha512-zh/JHnaixqHZsolRB/w9/02akBk9EPrOs9JwcTP2ek7yL5bVvXuRariiaAjjoJ5DvuwQ1WAE/HsMz+w17YgBCg==", "dev": true, "requires": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", "@eslint/eslintrc": "^2.1.2", - "@eslint/js": "8.51.0", - "@humanwhocodes/config-array": "^0.11.11", + "@eslint/js": "8.52.0", + "@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", + "@ungap/structured-clone": "^1.2.0", "ajv": "^6.12.4", "chalk": "^4.0.0", "cross-spawn": "^7.0.2", @@ -7862,12 +7869,6 @@ "p-locate": "^5.0.0" } }, - "lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, "lodash.merge": { "version": "4.6.2", "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", 
@@ -7965,9 +7966,9 @@ "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" }, "multiformats": { - "version": "12.0.1", - "resolved": "https://registry.npmjs.org/multiformats/-/multiformats-12.0.1.tgz", - "integrity": "sha512-s01wijBJoDUqESWSzePY0lvTw7J3PVO9x2Cc6ASI5AMZM2Gnhh7BC17+nlFhHKU7dDzaCaRfb+NiqNzOsgPUoQ==" + "version": "12.1.3", + "resolved": "https://registry.npmjs.org/multiformats/-/multiformats-12.1.3.tgz", + "integrity": "sha512-eajQ/ZH7qXZQR2AgtfpmSMizQzmyYVmCql7pdhldPuYQi4atACekbJaQplk6dWyIi10jCaFnd6pqvcEFXjbaJw==" }, "natural-compare": { "version": "1.4.0", @@ -7987,14 +7988,13 @@ "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==" }, "nock": { - "version": "13.3.3", - "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.3.tgz", - "integrity": "sha512-z+KUlILy9SK/RjpeXDiDUEAq4T94ADPHE3qaRkf66mpEhzc/ytOMm3Bwdrbq6k1tMWkbdujiKim3G2tfQARuJw==", + "version": "13.3.6", + "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.6.tgz", + "integrity": "sha512-lT6YuktKroUFM+27mubf2uqQZVy2Jf+pfGzuh9N6VwdHlFoZqvi4zyxFTVR1w/ChPqGY6yxGehHp6C3wqCASCw==", "dev": true, "requires": { "debug": "^4.1.0", "json-stringify-safe": "^5.0.1", - "lodash": "^4.17.21", "propagate": "^2.0.0" } }, diff --git a/container/shim/package.json b/container/shim/package.json index eb480fa0..b9ca26dd 100644 --- a/container/shim/package.json +++ b/container/shim/package.json @@ -9,7 +9,7 @@ }, "dependencies": { "@glif/filecoin-address": "^2.0.43", - "@ipld/car": "^5.2.0", + "@ipld/car": "^5.2.4", "asn1.js-rfc2560": "^5.0.1", "asn1.js-rfc5280": "^3.0.0", "debug": "^4.3.4", 
@@ -19,18 +19,18 @@ "logfmt": "^1.3.2", "lru-cache": "^10.0.1", "mime-types": "^2.1.35", - "multiformats": "^12.0.1", + "multiformats": "^12.1.3", "node-fetch": "^3.3.2", "p-limit": "^4.0.0", "pretty-bytes": "^6.1.1", "server-timing": "^3.3.3" }, "devDependencies": { - "eslint": "^8.51.0", + "eslint": "^8.52.0", "eslint-config-ipfs": "^6.0.0", "eslint-config-prettier": "^9.0.0", "husky": "^8.0.3", - "nock": "^13.3.3", + "nock": "^13.3.6", "test": "^3.3.0" }, "eslintConfig": { From 62e6d14571e7073071129adac8ca596e655b2e90 Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Tue, 31 Oct 2023 12:24:52 -0500 Subject: [PATCH 11/23] Don't require backup cert --- container/shim/src/modules/registration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index e9c924fc..84b25fc2 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -90,7 +90,7 @@ export async function register(initial = false) { const registerOptions = postOptions(body); // If cert is not yet in the volume, register - if (!certExists || (!backupCertExists && NETWORK === "main")) { + if (!certExists) { debug("First time registering or missing cert"); await handleMissingCert(registerOptions); return; From 0eea635360b685e0f0bd153a33deb228ea6135ce Mon Sep 17 00:00:00 2001 
From: Eric Guan Date: Thu, 2 Nov 2023 11:14:13 -0700 Subject: [PATCH 12/23] Verify JWT (#509) * feat: add jwt nginx modules * feat: verify jwt and check if the request domain is allowed * feat: add CORS headers to requests that fail auth. * ci: add jwt public key to container * test: add jwt integration tests * feat: allow no origin header if jwt allow_list has * --- .github/workflows/release.yml | 12 +++-- Dockerfile | 39 ++++++++++++++- container/nginx/conf.d/shared.conf | 29 ++++++----- container/nginx/jwt_pub.key | 4 ++ container/nginx/nginx.conf | 3 +- container/nginx/njs/auth.js | 78 ++++++++++++++++++++++++++++++ container/nginx/njs/badbits.js | 29 ----------- scripts/integration_tests.sh | 54 ++++++++++++++++++++- 8 files changed, 195 insertions(+), 53 deletions(-) create mode 100644 container/nginx/jwt_pub.key create mode 100644 container/nginx/njs/auth.js delete mode 100644 container/nginx/njs/badbits.js diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4090cf69..d7a4c195 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,13 +44,17 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Set orchestrator env (main) + - name: Set Up env (main) if: github.ref_type == 'tag' - run: echo "NETWORK=main" >> $GITHUB_ENV + run: | + echo "NETWORK=main" >> $GITHUB_ENV + printf ${{ secrets.PRODUCTION_BASE64_JWT_PUBLIC_KEY }} | base64 --decode > ./container/nginx/jwt_pub.key - - name: Set orchestrator env (test) + - name: Set Up env (test) if: github.ref_type == 'branch' - run: echo "NETWORK=test" >> $GITHUB_ENV + run: | + echo "NETWORK=test" >> $GITHUB_ENV + printf ${{ secrets.STAGING_BASE64_JWT_PUBLIC_KEY }} | base64 --decode > ./container/nginx/jwt_pub.key - name: Set up QEMU uses: docker/setup-qemu-action@v2 diff --git a/Dockerfile b/Dockerfile index a7899d18..409fc9c6 100644 --- a/Dockerfile +++ b/Dockerfile 
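Review bot: In both new `run:` scripts the secret is interpolated unquoted straight into the shell text as printf's format string, so a `%` or backslash sequence, or word splitting, would corrupt the written key, and an unset secret (a fork, or a misnamed secret name) silently produces an empty jwt_pub.key that only fails later when nginx loads it. Pass the value through the step's `env:` as `JWT_PUB_KEY_B64: ${{ secrets.PRODUCTION_BASE64_JWT_PUBLIC_KEY }}` and quote it in the script: `test -n "$JWT_PUB_KEY_B64"` then `printf '%s' "$JWT_PUB_KEY_B64" | base64 --decode > ./container/nginx/jwt_pub.key`, with the same shape for the staging step. A one-line comment that this step overwrites the checked-in development key would also help the next reader.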
@@ -12,6 +12,10 @@ ARG NGX_BROTLI_COMMIT=6e975bcb015f62e1f303054897783355e2a877dc ARG NODEJS_MAJOR_VERSION="18" # https://github.com/filecoin-project/lassie/releases ARG LASSIE_VERSION="v0.19.2" +# https://github.com/max-lt/nginx-jwt-module +ARG NGINX_JWT_VERSION="v3.2.2" +ARG LIBJWT_VERSION=1.15.3 + ############# # nginx build @@ -21,6 +25,8 @@ FROM docker.io/library/debian:bullseye AS build ARG NGINX_VERSION ARG NGX_BROTLI_COMMIT ARG NJS_VERSION +ARG NGINX_JWT_VERSION +ARG LIBJWT_VERSION # Install dependencies RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \ @@ -45,6 +51,17 @@ RUN apt-get update && apt-get install -y --no-install-recommends --no-install-su clang \ && rm -rf /var/lib/apt/lists/* + +# Install jwt dependencies +RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \ + libjansson-dev \ + autoconf \ + automake \ + libtool \ + pkg-config \ + check \ + && rm -rf /var/lib/apt/lists/* + WORKDIR /usr/src RUN echo "Cloning brotli $NGX_BROTLI_COMMIT" \ @@ -64,6 +81,20 @@ RUN echo "Cloning njs $NJS_VERSION" \ && ./configure \ && make +RUN echo "Cloning nginx-jwt-module $NGINX_JWT_VERSION" \ + && git clone --depth 1 --branch $NGINX_JWT_VERSION https://github.com/max-lt/nginx-jwt-module.git + +RUN echo "Installing libjwt $LIBJWT_VERSION" \ + && mkdir libjwt \ + && curl -sL https://github.com/benmcollins/libjwt/archive/v${LIBJWT_VERSION}.tar.gz \ + | tar -zx -C libjwt/ --strip-components=1 \ + && cd libjwt \ + && autoreconf -i \ + && ./configure \ + && make all \ + && make check \ + && make install + ARG CONFIG="--prefix=/etc/nginx \ --sbin-path=/usr/sbin/nginx \ --modules-path=/usr/lib/nginx/modules \ 
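Review bot: The libjwt tarball fetched by `curl -sL … | tar -zx` in the last hunk is used without any integrity check, and nginx-jwt-module is cloned by tag, a mutable ref, whereas the same file already pins ngx_brotli to a commit via NGX_BROTLI_COMMIT. Download to a file and verify before extracting, e.g. `curl -fsSL -o libjwt.tar.gz "https://github.com/benmcollins/libjwt/archive/v${LIBJWT_VERSION}.tar.gz"` then `echo "<EXPECTED_SHA256>  libjwt.tar.gz" | sha256sum -c -` (placeholder: record the real digest as a build ARG next to LIBJWT_VERSION), and pin nginx-jwt-module to a commit the way the brotli step does. `-f` additionally makes curl fail on an HTTP error instead of piping an error page into tar. The extra build-stage apt layer in the third hunk duplicates the install step directly above it; folding the five packages into that list avoids a second index refresh and layer.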
@@ -86,7 +117,8 @@ ARG CONFIG="--prefix=/etc/nginx \ --with-http_sub_module \ --with-http_v2_module \ --add-dynamic-module=/usr/src/ngx_brotli \ - --add-dynamic-module=/usr/src/njs/nginx" + --add-dynamic-module=/usr/src/njs/nginx \ + --add-dynamic-module=/usr/src/nginx-jwt-module" RUN echo "Downloading and extracting nginx $NGINX_VERSION" \ && mkdir /usr/src/nginx \ @@ -111,6 +143,9 @@ COPY --from=build /usr/sbin/nginx /usr/sbin/ COPY --from=build /usr/src/nginx/objs/ngx_http_brotli_filter_module.so /usr/lib/nginx/modules/ COPY --from=build /usr/src/nginx/objs/ngx_http_brotli_static_module.so /usr/lib/nginx/modules/ COPY --from=build /usr/src/nginx/objs/ngx_http_js_module.so /usr/lib/nginx/modules/ +COPY --from=build /usr/lib/nginx/modules/ngx_http_auth_jwt_module.so /usr/lib/nginx/modules/ +COPY --from=build /usr/local/lib/libjwt.so /lib + # Prepare RUN apt-get update \ @@ -122,7 +157,7 @@ RUN apt-get update \ # Install dependencies RUN apt-get update \ - && apt-get install --no-install-recommends -y nodejs speedtest logrotate jq \ + && apt-get install --no-install-recommends -y nodejs speedtest logrotate jq libjansson-dev \ && rm -rf /var/lib/apt/lists/* # Download lassie diff --git a/container/nginx/conf.d/shared.conf b/container/nginx/conf.d/shared.conf index 34a866b6..7c3cca08 100644 --- a/container/nginx/conf.d/shared.conf +++ b/container/nginx/conf.d/shared.conf 
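Review bot: The runtime stage installs `libjansson-dev` in the third hunk, pulling headers and build metadata into the final image where only the shared library package `libjansson4` is needed by the JWT module; the `-dev` package belongs in the build stage, which the earlier hunk already gives it. `COPY --from=build /usr/local/lib/libjwt.so /lib` in the second hunk copies only the unversioned name; if the module links against the library's soname (`libjwt.so.<N>`, the usual libtool result) the loader will not satisfy it from `/lib/libjwt.so`, so confirm with `ldd /usr/lib/nginx/modules/ngx_http_auth_jwt_module.so` in the final image and copy `libjwt.so*` if it reports a missing dependency. Presumably the image was smoke-tested, so this may already resolve; the check is cheap either way.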
@@ -9,23 +9,22 @@ location = / { return 302 https://saturn.tech; } -location ~ ^/(ipns|api)/ { - proxy_pass https://ipfs.io; +location / { + js_set $jwt auth.findJWT; + js_content auth.isAllowedRequest; - if ($request_method = 'OPTIONS') { - add_header 'Timing-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } -} + auth_jwt $jwt; + auth_jwt_key /etc/nginx/jwt_pub.key file; + auth_jwt_alg ES256; -location / { - js_content badbits.filterCID; + # These headers are sent if the request fails auth. + add_header 'Saturn-Node-Id' '$node_id' always; + add_header 'Saturn-Transfer-Id' $request_id always; + add_header 'Timing-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Traceparent' always; + add_header 'Access-Control-Expose-Headers' '*' always; } location @node_backend { diff --git a/container/nginx/jwt_pub.key b/container/nginx/jwt_pub.key new file mode 100644 index 00000000..30f4a950 --- /dev/null +++ b/container/nginx/jwt_pub.key @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiVrZNLTZgPFkyBXI2MDM13e+tmKf +w82SnU183R6CczlsjO4qCTp3Xni+jBUri/5Ng34GZQfljtzZfDMfo2hHRw== +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/container/nginx/nginx.conf b/container/nginx/nginx.conf index 785624cb..fdbdecb8 100644 --- a/container/nginx/nginx.conf +++ b/container/nginx/nginx.conf 
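Review bot: A browser preflight (OPTIONS) request carries no Authorization header, so with `auth_jwt $jwt` now covering all of `location /` it is rejected before reaching the backend unless the token rides in the `?jwt=` query string, and the removed block's 204 handling for OPTIONS is not replaced anywhere in the hunk. `Access-Control-Allow-Headers` also omits `Authorization`, so a cross-origin request that sends `Authorization: Bearer …` fails preflight regardless. If header-borne tokens are meant to work from browsers, add `Authorization` to that list and answer preflights before auth, e.g. `if ($request_method = 'OPTIONS') { return 204; }` at the top of the location, which runs in the rewrite phase ahead of the auth module (assuming it enforces in the access phase, as its name suggests; verify with the module's docs). Pinning `auth_jwt_alg ES256` is the right call since it closes the algorithm-confusion class. The `jwt_pub.key` added in the same line is presumably a development key that the release workflow overwrites; a comment next to it saying so would stop it being mistaken for the production key.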
@@ -1,6 +1,7 @@ load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; load_module /usr/lib/nginx/modules/ngx_http_js_module.so; +load_module /usr/lib/nginx/modules/ngx_http_auth_jwt_module.so; user nginx; worker_processes auto; @@ -15,7 +16,7 @@ events { http { js_path "/etc/nginx/njs/"; js_preload_object denylist.json; - js_import badbits from badbits.js; + js_import auth from auth.js; js_import ipfsResponse from ipfs-response.js; include /etc/nginx/mime.types; diff --git a/container/nginx/njs/auth.js b/container/nginx/njs/auth.js new file mode 100644 index 00000000..58abf912 --- /dev/null +++ b/container/nginx/njs/auth.js 
@@ -0,0 +1,78 @@
+import crypto from "crypto";
+
+const ipfsRegex = /^\/ipfs\/(\w+)(\/?.*)/;
+
+function isAllowedRequest(req) {
+ const matches = req.uri.match(ipfsRegex);
+ if (!matches) {
+ return req.internalRedirect("@node_backend");
+ }
+ const cid = matches[1];
+
+ if (isBadBitsCid(cid)) {
+ return req.return(410);
+ }
+
+ if (!isAllowedDomain(req)) {
+ return req.return(403);
+ }
+
+ req.internalRedirect("@node_backend");
+}
+
+// TODO implement matching CID paths
+// TODO convert CID v0 to CID v1
+// implementation ref: https://github.com/protocol/bifrost-infra/blob/af46340bd830728b38a0ea632ca517d04277f78c/ansible/roles/nginx_conf_denylist/files/lua/helpers.lua#L80
+function isBadBitsCid(cid) {
+ // check if root hash(`CID/`) is blocked via denylist.json
+ const hashedCID = crypto
+ .createHash("sha256")
+ .update(cid + "/")
+ .digest("hex");
+
+ /* eslint-disable-next-line no-undef */
+ return hashedCID in denylist;
+}
+
+function isAllowedDomain(req) {
+ const allowListStr = req.variables.jwt_claim_allow_list;
+ if (!allowListStr) {
+ return false;
+ }
+
+ let allowList;
+ try {
+ allowList = JSON.parse(allowListStr);
+ } catch (err) {
+ return false;
+ }
+
+ if (allowList.includes("*")) {
+ return true;
+ }
+
+ // Only browser requests are allowed for now.
+ const requestOrigin = req.variables.http_origin;
+ if (!requestOrigin) {
+ return false;
+ }
+ const requestDomain = requestOrigin.replace(/^https?:\/\//, "");
+
+ const isAllowedDomain = allowList.some((domain) => domain === requestDomain);
+
+ return isAllowedDomain;
+}
+
+function findJWT(req) {
+ const jwtQuery = req.variables.arg_jwt;
+
+ let jwtHeader = "";
+ const authHeader = req.variables.http_authorization;
+ if (authHeader) {
+ jwtHeader = authHeader.replace("Bearer ", "");
+ }
+
+ return jwtQuery || jwtHeader;
+}
+
+export default { isAllowedRequest, findJWT };
diff --git a/container/nginx/njs/badbits.js b/container/nginx/njs/badbits.js
deleted file mode 100644
index 781c6825..00000000
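Review bot: `isAllowedDomain` never checks that the parsed `allow_list` claim is an array, so a claim that decodes to a JSON string takes the `String.prototype.includes` path (a bare `"*"` string is treated as allow-all) and any other non-array shape throws at `allowList.some`, surfacing as a 500 instead of a 403; add `if (!Array.isArray(allowList)) { return false; }` directly after the `JSON.parse` try/catch. The origin comparison strips only the scheme, so `http://` and `https://` origins of an allowed host are treated alike while a port suffix still mismatches and an `Origin: null` header compares as the string `null`; exact matching is the right choice, but a comment such as `// Scheme is ignored on purpose; host and port must match an allow_list entry exactly.` records that decision. `findJWT` passes a non-Bearer `Authorization` value through unchanged to `auth_jwt`, which is harmless because verification fails, but `authHeader.startsWith("Bearer ")` would state the intent and avoid stripping `Bearer ` from the middle of an unrelated value. `findJWT` also prefers the `jwt` query argument over the header, so tokens end up in access logs and shared URLs; that trade-off deserves a comment at the function head.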
--- a/container/nginx/njs/badbits.js
+++ /dev/null
@@ -1,29 +0,0 @@
-/* eslint-disable no-undef */
-import crypto from "crypto";
-
-const ipfsRegex = /^\/ipfs\/(\w+)(\/?.*)/;
-
-// TODO implement matching CID paths
-// TODO convert CID v0 to CID v1
-// implementation ref: https://github.com/protocol/bifrost-infra/blob/af46340bd830728b38a0ea632ca517d04277f78c/ansible/roles/nginx_conf_denylist/files/lua/helpers.lua#L80
-function filterCID(req) {
- const matches = req.uri.match(ipfsRegex);
- if (!matches) {
- return req.internalRedirect("@node_backend");
- }
-
- const cid = matches[1];
- // check if root hash(`CID/`) is blocked via denylist.json
- const hashedCID = crypto
- .createHash("sha256")
- .update(cid + "/")
- .digest("hex");
-
- if (denylist[hashedCID]) {
- return req.return(410);
- }
-
- req.internalRedirect("@node_backend");
-}
-
-export default { filterCID };
diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh
index 1fe6b6a8..60f8ff07 100644
--- a/scripts/integration_tests.sh
+++ b/scripts/integration_tests.sh
@@ -4,21 +4,30 @@ set -eux base_url="$1" +# no expire, allow_list: ['*'] +jwtAllowAll="eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJjOWM5YTQ4OC1iMzIyLTQ3NjYtOWQyNy1jZDNjY2YwYjEzOGMiLCJzdWIiOiJhYmMxMjMiLCJzdWJUeXBlIjoiY2xpZW50S2V5IiwiYWxsb3dfbGlzdCI6WyIqIl0sImlhdCI6MTY5Nzc2MDcwNH0.U8yFAzv7LvhWX7QSX5Q084ZRJsgd-PySKIfXFyBmzSZdmrJH3FAlpD5BafMPP0NPzdaoZyv5A8-ssGgGA6HlNg" +# no expire, allow_list: ['google.com', 'cnn.com'] +jwtAllowExplicit="eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIzZjQzNmY1Yi02MjE4LTQ4YjktYWM0MS1jZDUwNzAyMTkxYzgiLCJzdWIiOiJhYmMxMjMiLCJzdWJUeXBlIjoiY2xpZW50S2V5IiwiYWxsb3dfbGlzdCI6WyJnb29nbGUuY29tIiwiY25uLmNvbSJdLCJpYXQiOjE2OTc3NjA3NDd9.qApsm_Bcw80MrzuiGxNM9wUD7gkE_D_AhDI8ILWw4i-Tq3nRyEHauJJdhHM5JBWBjQOHFfSi3VFBv1TR3ww5ig" + test_cid () { cid="$1" expected="$2" - code="$(curl -sw "%{http_code}\n" -o /dev/null "${base_url}/ipfs/${cid}")" + code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${base_url}/ipfs/${cid}?jwt=${jwtAllowAll}")" test "$code" -eq "$expected" || exit 1 } test_range_request () { cid="$1" - code="$(curl -sw "%{http_code}\n" -o partial.car -H "Accept: application/vnd.ipld.car" "${base_url}/ipfs/${cid}")" + code="$(curl -sw "%{http_code}\n" -o partial.car -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" -H "Accept: application/vnd.ipld.car" "${base_url}/ipfs/${cid}")" test "$code" -eq 200 || exit 1 ls -lh partial.car ./car ls -v partial.car } +################ +# BAD BITS +################ + # we're good this this response code, as going further means a Lassie fetch not_blocked=501 blocked=410 
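Review bot: Both embedded tokens are, per their own comments, issued with no `exp`, so they remain valid for as long as the key they verify against (presumably the committed `jwt_pub.key`) is trusted anywhere; that is acceptable only while that key stays test/staging-only, and the script should say so, e.g. `# Test-only tokens: signed for the key in container/nginx/jwt_pub.key, no expiry; never valid against production.` `test_cid` now appends `?jwt=${jwtAllowAll}` to every request, so the bad-bits cases below no longer exercise the denylist without a token; keeping one unauthenticated bad-bits case would show what the gateway does on that path.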
@@ -30,6 +39,10 @@ test_cid "bafybeibvcisellj6bfzbas3csvioltujjmif5jqpdw5ykvvwujtvt6up7u" "$blocked # positive denylist.conf test case test_cid "bafybeidgnebuxvarpnw2grmkgnamu6cv6" "$blocked" +################ +# RANGE REQUESTS +################ + # download car tooling curl -LO -s https://github.com/ipld/go-car/releases/download/v2.8.0/go-car_2.8.0_linux_amd64.tar.gz && tar xzf go-car_2.8.0_linux_amd64.tar.gz 
@@ -42,3 +55,40 @@ test_range_request "QmafUYju2Ab4ETi5HJG1cqjmnjs2xw9PUuBKzU7Hi3zvXU/MC_TheSource. # range request with offset test_range_request "bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG?entity-bytes=1048576:2097152" + +################ +# JWT Auth +################ + +authentication_err=401 # jwt missing or invalid +authorization_err=403 # jwt doesn't allow request origin +cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG" +url="${base_url}/ipfs/${cid}?format=car" + +# Requests fail without a jwt +code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")" +test "$code" -eq "$authentication_err" || exit 1 + +# Requests fail with explicit allow_list but without an origin header +code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")" +test "$code" -eq "$authorization_err" || exit 1 + +# Requests fail with explicit allow_list but not allowed origin +code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowExplicit}")" +test "$code" -eq "$authorization_err" || exit 1 + +# Requests succeed with a jwt query param +code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowAll}")" +test "$code" -eq 200 || exit 1 + +# Requests succeed with a jwt auth header +code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" "${url}")" +test "$code" -eq 200 || exit 1 + +# Requests succeed with explicit allow_list and allowed origin +code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://google.com" "${url}&jwt=${jwtAllowExplicit}")" +test "$code" -eq 200 || exit 1 + +# Requests succeed with allow_list == [*] and without an origin header +code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowAll}")" +test "$code" -eq 200 || exit 1 From 7e014b58c25a2550b760e5be59d253aa9e6d6c78 Mon Sep 17 00:00:00 2001 
From: Michael Vorburger Date: Thu, 2 Nov 2023 19:21:05 +0100 Subject: [PATCH 13/23] docs(faq): Clarify manual deregisteration (#480) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michael Vorburger ⛑️ --- docs/faq.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index e7b2006a..68fce0cb 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -88,12 +88,20 @@ Also for the same region (country) the DNS weight will just compete with each ot If your node didn't gracefully shutdown and you need to manually deregister the node, from the host (same IP as the node): -Send an HTTP POST to https://orchestrator.strn.pl/deregister with the `Content-Type` header set to `application/json` and the following body +Send an HTTP POST to https://orchestrator.strn.pl/deregister with the `Content-Type` header set to `application/json` and the following body: ```json { "nodeId": "" } ``` +If this returns `{"error":"Unable to deregister"}` then you may have used the "short" (8 character) instead of "long" (36 character) Node ID. +Note that the _Failed registration: Node ... cannot register with newer version 1044_4292ce7 without deregistering first. Please make sure to set up graceful version upgrades._ +start-up error, which is what typically triggers having to do this, prints the short instead of the long Node ID. + +If this returns `{"error":"Invalid nodeId"}` then the syntax is wrong for another reason. + +Using [`curl`](https://curl.se) this can be done with `curl -X POST https://orchestrator.strn.pl/deregister -H 'Content-Type: application/json' -d '{ "nodeId": "12345678-a3fa-3a10-a123-987e6b543c21" }'`. + ## Wallet ### What happens if I change my wallet address and restart? From 1c0801886c8fd288f6addfe3dd76ddc4595e966e Mon Sep 17 00:00:00 2001 
From: Eric Guan Date: Thu, 2 Nov 2023 15:04:59 -0700 Subject: [PATCH 14/23] fix: import register route to https server (#511) * fix: import register route to https server * fix: prettier --- container/nginx/confs/tls_proxy.conf | 1 + docs/faq.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/container/nginx/confs/tls_proxy.conf b/container/nginx/confs/tls_proxy.conf index b3d1025d..1aee2dd6 100644 --- a/container/nginx/confs/tls_proxy.conf +++ b/container/nginx/confs/tls_proxy.conf @@ -22,6 +22,7 @@ server { include /usr/src/app/shared/nginx_conf/*.conf; include /etc/nginx/conf.d/shared.conf; + include /etc/nginx/conf.d/register.conf; } server { diff --git a/docs/faq.md b/docs/faq.md index 68fce0cb..9451ed70 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -98,7 +98,7 @@ If this returns `{"error":"Unable to deregister"}` then you may have used the "s Note that the _Failed registration: Node ... cannot register with newer version 1044_4292ce7 without deregistering first. Please make sure to set up graceful version upgrades._ start-up error, which is what typically triggers having to do this, prints the short instead of the long Node ID. -If this returns `{"error":"Invalid nodeId"}` then the syntax is wrong for another reason. +If this returns `{"error":"Invalid nodeId"}` then the syntax is wrong for another reason. Using [`curl`](https://curl.se) this can be done with `curl -X POST https://orchestrator.strn.pl/deregister -H 'Content-Type: application/json' -d '{ "nodeId": "12345678-a3fa-3a10-a123-987e6b543c21" }'`. From e87d53cfd9e311c77a300708edcd7ddb6c3bf875 Mon Sep 17 00:00:00 2001 
From: Eric Guan Date: Wed, 8 Nov 2023 11:49:05 -0800 Subject: [PATCH 15/23] feat: make jwt optional (#513) * feat: make jwt optional * tests: print test descriptions * tests: fix expected result --- container/nginx/conf.d/shared.conf | 6 +++++- container/nginx/njs/auth.js | 12 +++++++++++- scripts/integration_tests.sh | 16 ++++++++-------- 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/container/nginx/conf.d/shared.conf b/container/nginx/conf.d/shared.conf index 7c3cca08..1e39828c 100644 --- a/container/nginx/conf.d/shared.conf +++ b/container/nginx/conf.d/shared.conf @@ -10,7 +10,11 @@ location = / { } location / { - js_set $jwt auth.findJWT; + js_var $jwt; + js_content auth.routeRequest; +} + +location @auth_node_backend { js_content auth.isAllowedRequest; auth_jwt $jwt; diff --git a/container/nginx/njs/auth.js b/container/nginx/njs/auth.js index 58abf912..b00cd1ac 100644 --- a/container/nginx/njs/auth.js +++ b/container/nginx/njs/auth.js @@ -2,6 +2,16 @@ import crypto from "crypto"; const ipfsRegex = /^\/ipfs\/(\w+)(\/?.*)/; +function routeRequest(req) { + const jwt = findJWT(req); + if (jwt) { + req.variables.jwt = jwt; + return req.internalRedirect("@auth_node_backend"); + } else { + return req.internalRedirect("@node_backend"); + } +} + function isAllowedRequest(req) { const matches = req.uri.match(ipfsRegex); if (!matches) { @@ -75,4 +85,4 @@ function findJWT(req) { return jwtQuery || jwtHeader; } -export default { isAllowedRequest, findJWT }; +export default { routeRequest, isAllowedRequest, findJWT }; diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh index 60f8ff07..83e1efa3 100644 --- a/scripts/integration_tests.sh +++ b/scripts/integration_tests.sh 
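Review bot: `routeRequest` sends every request without a token straight to `@node_backend`, and the only call to `isBadBitsCid` is in `isAllowedRequest`, which the `shared.conf` hunk now runs only inside `@auth_node_backend`; so once the JWT is optional, an unauthenticated `/ipfs/<cid>` request is no longer screened against `denylist.json` unless `@node_backend` repeats that check, which this diff does not show. The denylist check belongs before the token branch so that it covers both paths, as sketched below. The integration tests do not catch this because `test_cid` always appends `?jwt=${jwtAllowAll}` (added in an earlier patch), so a bad-bits case sent without a token would pin the intended behavior.
```javascript
function routeRequest(req) {
  // The denylist applies to every request; only the allow_list check needs a JWT.
  const matches = req.uri.match(ipfsRegex);
  if (matches && isBadBitsCid(matches[1])) {
    return req.return(410);
  }
  // … unchanged: findJWT and the redirect to @auth_node_backend / @node_backend …
}
```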
@@ -65,30 +65,30 @@ authorization_err=403 # jwt doesn't allow request origin
 cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG"
 url="${base_url}/ipfs/${cid}?format=car"
 
-# Requests fail without a jwt
+echo Requests succeed without a jwt
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")"
-test "$code" -eq "$authentication_err" || exit 1
+test "$code" -eq 200 || exit 1
 
-# Requests fail with explicit allow_list but without an origin header
+echo Requests fail with explicit allow_list but without an origin header
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq "$authorization_err" || exit 1
 
-# Requests fail with explicit allow_list but not allowed origin
+echo Requests fail with explicit allow_list but not allowed origin
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq "$authorization_err" || exit 1
 
-# Requests succeed with a jwt query param
+echo Requests succeed with a jwt query param
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowAll}")"
 test "$code" -eq 200 || exit 1
 
-# Requests succeed with a jwt auth header
+echo Requests succeed with a jwt auth header
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" "${url}")"
 test "$code" -eq 200 || exit 1
 
-# Requests succeed with explicit allow_list and allowed origin
+echo Requests succeed with explicit allow_list and allowed origin
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://google.com" "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq 200 || exit 1
 
-# Requests succeed with allow_list == [*] and without an origin header
+echo Requests succeed with allow_list == [*] and without an origin header
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowAll}")"
 test "$code" -eq 200 || exit 1
From 6af8be724991bf071583672ed00efbb2a3131e23 Mon Sep 17 00:00:00 2001 From: Eric Guan Date: Wed, 8 Nov 2023 12:00:32 -0800 Subject: [PATCH 16/23] chore: quote strings [skip ci] --- scripts/integration_tests.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/integration_tests.sh b/scripts/integration_tests.sh index 83e1efa3..c8c40b17 100644 --- a/scripts/integration_tests.sh +++ b/scripts/integration_tests.sh 
@@ -65,30 +65,30 @@ authorization_err=403 # jwt doesn't allow request origin
 cid="bafybeifpz6onienrgwvb3mw5rg7piq5jh63ystjn7s5wk6ttezy2gy5xwu/Mexico.JPG"
 url="${base_url}/ipfs/${cid}?format=car"
 
-echo Requests succeed without a jwt
+echo "Requests succeed without a jwt"
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}")"
 test "$code" -eq 200 || exit 1
 
-echo Requests fail with explicit allow_list but without an origin header
+echo "Requests fail with explicit allow_list but without an origin header"
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq "$authorization_err" || exit 1
 
-echo Requests fail with explicit allow_list but not allowed origin
+echo "Requests fail with explicit allow_list but not allowed origin"
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq "$authorization_err" || exit 1
 
-echo Requests succeed with a jwt query param
+echo "Requests succeed with a jwt query param"
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" "${url}&jwt=${jwtAllowAll}")"
 test "$code" -eq 200 || exit 1
 
-echo Requests succeed with a jwt auth header
+echo "Requests succeed with a jwt auth header"
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://abc.com" -H "Authorization: Bearer ${jwtAllowAll}" "${url}")"
 test "$code" -eq 200 || exit 1
 
-echo Requests succeed with explicit allow_list and allowed origin
+echo "Requests succeed with explicit allow_list and allowed origin"
 code="$(curl -sw "%{http_code}\n" -o /dev/null -H "Origin: https://google.com" "${url}&jwt=${jwtAllowExplicit}")"
 test "$code" -eq 200 || exit 1
 
-echo Requests succeed with allow_list == [*] and without an origin header
+echo "Requests succeed with allow_list == [*] and without an origin header"
 code="$(curl -sw "%{http_code}\n" -o /dev/null "${url}&jwt=${jwtAllowAll}")"
 test "$code" -eq 200 || exit 1
From d6c369a90da92f6acfeb9bf1354b5079462c6c3f Mon Sep 17 00:00:00 2001 From: Diego Rodriguez Baquero Date: Tue, 21 Nov 2023 09:48:30 +0300 Subject: [PATCH 17/23] Enable unique cert verification in testnet --- container/shim/src/modules/registration.js | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/container/shim/src/modules/registration.js b/container/shim/src/modules/registration.js index 84b25fc2..6cfd988a 100644 --- a/container/shim/src/modules/registration.js +++ b/container/shim/src/modules/registration.js @@ -202,9 +202,19 @@ async function checkCertValidity(certBuffer, registerOptions, preregisterRespons } } - if (NETWORK === "test" && cert.subjectAltName && !cert.subjectAltName.includes("l1s.saturn-test.ms")) { - debug("Certificate is missing l1s.saturn-test.ms SAN, getting a new one..."); - valid = false; + if (NETWORK === "test" && cert.subjectAltName) { + if (!cert.subjectAltName.includes("l1s.saturn-test.ms")) { + debug("Certificate is missing l1s.saturn-test.ms SAN, getting a new one..."); + valid = false; + } + + const subdomain = preregisterResponse?.ip?.replace(/\./g, "-"); + const targetSAN = subdomain ? `${subdomain}.l1s.saturn-test.ms` : ".l1s.saturn-test.ms"; + + if (!cert.subjectAltName.includes(targetSAN)) { + debug(`Certificate is missing ${targetSAN} unique SAN, getting a new one...`); + valid = false; + } } if (!valid) { From a3748041f011ba6a85d8c7173dc785c12ac32ffd Mon Sep 17 00:00:00 2001 From: Elisey Zanko Date: Fri, 1 Dec 2023 06:04:48 +0500 Subject: [PATCH 18/23] Refine and extend Node monitoring section of README (#476) * Refine and extend Node monitoring section of README * Update README.md Co-authored-by: Hannah Howard Signed-off-by: Elisey Zanko * Update Table of Contents --------- Signed-off-by: Elisey Zanko Co-authored-by: Hannah Howard --- README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 19995ddd..d760e711 100644 
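Review bot: When `preregisterResponse?.ip` is absent, `targetSAN` falls back to `.l1s.saturn-test.ms`, so the "unique SAN" check silently degrades to the same suffix test made a few lines above and passes with no per-node SAN at all; the intent is presumably to skip the check and say so, e.g. `if (!subdomain) { debug("No IP in preregister response, skipping unique SAN check"); }` and only build `targetSAN` when `subdomain` is set. `cert.subjectAltName.includes(targetSAN)` is a substring test, so if `subjectAltName` is the usual `DNS:a, DNS:b` string a SAN for a different node whose dashed IP ends in the same digits (constructed example: `11-2-3-4.l1s.saturn-test.ms` contains `1-2-3-4.l1s.saturn-test.ms`) would also satisfy it; splitting the SAN string on commas and comparing each entry to `DNS:${targetSAN}` makes the match exact. `replace(/\./g, "-")` only handles dotted IPv4 addresses, which is worth a comment if that is a known constraint of the preregister response. checkCertValidity continues outside this hunk.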
--- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ on [Filecoin Slack](https://filecoinproject.slack.com/)! 👋 - [Obtaining a Filecoin wallet address](#obtaining-a-filecoin-wallet-address) - [Receiving FIL payments](#receiving-fil-payments) - [Node monitoring](#node-monitoring) + - [Community Tools](#community-tools) - [License](#license) ## Requirements @@ -279,8 +280,15 @@ When payments are scheduled to be sent out, your Filecoin wallet will receive a ### Node monitoring -- https://dashboard.saturn.tech - View historical data on your bandwidth contributions, FIL earnings, and more. -- https://orchestrator.strn.pl/stats - View detailed, real-time stats on every Saturn node. +- https://dashboard.saturn.tech - View detailed, real-time stats on every Saturn node. +- https://dashboard.saturn.tech/address - View historical data on your bandwidth contributions, FIL earnings, and more. +- https://explorer.saturn.tech - View a 3D geospatial visualization of the Saturn network, along with nodes and network statistics. + +### Community Tools + +These Saturn tools are maintained by community members outside the Saturn core team. + +- https://github.com/31z4/saturn-moonlet - Self-hosted Saturn monitoring using Prometheus and Grafana. View detailed, real-time and historical data on your nodes and earnings, setup alerts, and more. ## License From 6f82d8fd838782951332344018df471cbe63952a Mon Sep 17 00:00:00 2001 From: Ansgar Grunseid Date: Sun, 17 Dec 2023 13:58:38 -0800 Subject: [PATCH 19/23] update the readme with instructions on how to claim your node's monthly earnings --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d760e711..7a32f324 100644 --- a/README.md +++ b/README.md 
@@ -276,7 +276,9 @@ Slack. ### Receiving FIL payments -When payments are scheduled to be sent out, your Filecoin wallet will receive a FIL payment. +Each month, your node's earnings are calculated based on various factors such as the amount of bandwidth it served, the number of requests it handled, its performance metrics like TTFB and upload speed, and its availaility and uptime. These earnings are then sent to a payout FVM smart contract by the 7th day of the following month. For example, earnings for December 2022 would be transferred to a payout smart contract by January 7th, 2023. + +After your node's earnings are in the payout FVM smart contract, you can claim them on [payouts.saturn.tech](https://payouts.saturn.tech). Claiming your earnings moves the Filecoin your node(s) earned from the smart contract to your personal Filecoin wallet. ### Node monitoring From 023231a8f48008540ea1c2649292a6fd62f8d4d3 Mon Sep 17 00:00:00 2001 From: Ansgar Grunseid Date: Sun, 17 Dec 2023 14:01:14 -0800 Subject: [PATCH 20/23] change payments -> payouts. change language from receive earnings to claim earnings --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7a32f324..7676dbd6 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ on [Filecoin Slack](https://filecoinproject.slack.com/)! 👋 - [Switch networks between test net and main net](#switch-networks-between-test-net-and-main-net) - [Node operator guide](#node-operator-guide) - [Obtaining a Filecoin wallet address](#obtaining-a-filecoin-wallet-address) - - [Receiving FIL payments](#receiving-fil-payments) + - [Claiming your node's earnings](#claiming-your-earnings) - [Node monitoring](#node-monitoring) - [Community Tools](#community-tools) - [License](#license) 
@@ -253,7 +253,7 @@ Read more about Saturn's node uptime requirement in the docs, [here](https://doc ### Obtaining a Filecoin wallet address -You need to own a Filecoin wallet to receive FIL payments. +You need to own a Filecoin wallet to receive FIL payouts. - [Official Filecoin wallet documentation](https://docs.filecoin.io/get-started/overview/#wallets) @@ -274,7 +274,7 @@ The Saturn team will **never** DM you or ask you to verify/validate/upgrade your please ask in public channels such as the [#filecoin-saturn](https://filecoinproject.slack.com/archives/C03DH0BL02E) Slack. -### Receiving FIL payments +### Claiming your earnings Each month, your node's earnings are calculated based on various factors such as the amount of bandwidth it served, the number of requests it handled, its performance metrics like TTFB and upload speed, and its availaility and uptime. These earnings are then sent to a payout FVM smart contract by the 7th day of the following month. For example, earnings for December 2022 would be transferred to a payout smart contract by January 7th, 2023. From a38084d575b9eaf2e4e7c9b4c1cd3e1116fcffe0 Mon Sep 17 00:00:00 2001 From: Ansgar Grunseid Date: Sun, 17 Dec 2023 14:11:45 -0800 Subject: [PATCH 21/23] update the docs to describe the process of claiming node earnings --- README.md | 4 ++-- docs/faq.md | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 7676dbd6..8e62ac35 100644 --- a/README.md +++ b/README.md @@ -230,7 +230,7 @@ If you want to switch your node from Saturn's test network (aka `test`) to Satur ## Node operator guide -For answers to common questions about operating a node, like about receiving your filecoin payouts, see the L1 node [FAQ](docs/faq.md) page. +For answers to common questions about operating a node, see the L1 node [FAQ](docs/faq.md) page. ### Network Uptime Requirement 
@@ -276,7 +276,7 @@ Slack. ### Claiming your earnings -Each month, your node's earnings are calculated based on various factors such as the amount of bandwidth it served, the number of requests it handled, its performance metrics like TTFB and upload speed, and its availaility and uptime. These earnings are then sent to a payout FVM smart contract by the 7th day of the following month. For example, earnings for December 2022 would be transferred to a payout smart contract by January 7th, 2023. +Each month, your node's earnings, in FIL, are calculated by the network based on various factors such as the amount of bandwidth it served, the number of requests it handled, its performance metrics like TTFB and upload speed, and its availaility and uptime. These earnings are then sent to a payout FVM smart contract by the 7th day of the following month. For example, earnings for December 2022 would be transferred to a payout smart contract by January 7th, 2023. After your node's earnings are in the payout FVM smart contract, you can claim them on [payouts.saturn.tech](https://payouts.saturn.tech). Claiming your earnings moves the Filecoin your node(s) earned from the smart contract to your personal Filecoin wallet. diff --git a/docs/faq.md b/docs/faq.md index 9451ed70..c2de2161 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -15,15 +15,15 @@ We are continuously looking at the requirements and multiple factors, such as ge ## Payouts -### When do I receive my FIL payouts? +### When can I claim my FIL earnings? -Node earnings, in FIL, are finalized at the end of every month and payouts are made shortly thereafter -- within the following few days. So you can expect to receive your FIL payout -- for prior month's earnings -- within the first week of every calendar month. +Each month, your node's earnings, in FIL, are calculated by the network based on various factors such as the amount of bandwidth it served, the number of requests it handled, its performance metrics like TTFB and upload speed, and its availaility and uptime. These earnings are then sent to a payout FVM smart contract by the 7th day of the following month, after which they can be claimed. For example, earnings for December 2022 would be transferred to a payout smart contract by January 7th, 2023. Once transferred to the payout smart contract, they can be claimed on [payouts.saturn.tech](https://payouts.saturn.tech). -### How do I receive my FIL payout? +### How do I claim my payout? -Your FIL payout will be sent in filecoin the filecoin wallet address set in your node's `FIL_WALLET_ADDRESS` environment variable. +Once your earnings have been transferred to the monthly payout smart contract, which happens by the 7th day of the following month, they can be claimed on [payouts.saturn.tech](https://payouts.saturn.tech). -Triple check that the wallet address in `FIL_WALLET_ADDRESS` is correct; filecoin sent to the wrong address can't be undone or re-sent. +Triple check that the wallet address in `FIL_WALLET_ADDRESS` is correct; earnings earmarked under the wrong address in the payout smart contract can't be changed to be claimed by a different wallet address. ### I'm already a Filecoin storage provider, how does it work with my existing nodes, wallets, etc.? 
From 8266a33bd42f41c2e082b5cc4e23d02f2f244206 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20Rodr=C3=ADguez=20Baquero?= Date: Tue, 16 Jan 2024 10:41:59 -0500 Subject: [PATCH 22/23] Update log ingestor URL (#518) --- container/shim/src/config.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/shim/src/config.js b/container/shim/src/config.js index 6ae74296..969da4c7 100644 --- a/container/shim/src/config.js +++ b/container/shim/src/config.js @@ -57,7 +57,7 @@ function networkToOrchestrator() { function networkToIngestor() { switch (NETWORK) { case "main": { - return "https://twb3qukm2i654i3tnvx36char40aymqq.lambda-url.us-west-2.on.aws/"; + return "https://25y6y3tobkpa3thvn5wvu6kgsa0wzhdk.lambda-url.us-west-2.on.aws/"; } case "test": { return "https://p6wofrb2zgwrf26mcxjpprivie0lshfx.lambda-url.us-west-2.on.aws/"; From e7be2194ade2ac6bd2845ccfdeba734d02f57332 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20Rodr=C3=ADguez=20Baquero?= Date: Tue, 16 Jan 2024 13:16:58 -0500 Subject: [PATCH 23/23] Do both platforms in parallel, update actions versions (#520) --- .github/workflows/release.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7a4c195..4cdf507f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,16 +23,20 @@ jobs: build-and-push-image: runs-on: larger + strategy: + matrix: + platform: [linux/amd64, linux/arm64] + permissions: contents: read packages: write steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Log in to the Container registry - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} 
@@ -40,7 +44,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -57,12 +61,12 @@ jobs: printf ${{ secrets.STAGING_BASE64_JWT_PUBLIC_KEY }} | base64 --decode > ./container/nginx/jwt_pub.key - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 with: platforms: "arm64" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Set the git short sha id: git @@ -95,7 +99,7 @@ jobs: echo "version_docker_tags=$repo:${{ github.run_number}}_${{ steps.git.outputs.sha_short }}" - name: Build and push Docker image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . push: true @@ -103,7 +107,7 @@ jobs: ${{ steps.tags.outputs.version_docker_tags }} ${{ steps.tags.outputs.mutable_docker_tags }} labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 + platforms: ${{ matrix.platform }} cache-from: type=gha,scope=l1 cache-to: type=gha,mode=max,scope=l1 build-args: |
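Review bot: With `strategy.matrix.platform` (added in the earlier hunk of this file) each job now runs `docker/build-push-action` with `push: true` and the same `version_docker_tags`/`mutable_docker_tags`, so the amd64 and arm64 jobs push single-platform images to identical tags and the last job to finish wins; the tag ends up pointing at one architecture instead of the multi-arch manifest the previous `platforms: linux/amd64,linux/arm64` produced. The documented pattern for a per-platform matrix is to push each build by digest (`outputs: type=image,push-by-digest=true,...` with no `tags`), hand the digests to a final job, and assemble the tagged manifest list there with `docker buildx imagetools create`; otherwise the single multi-platform job should be restored. Both matrix jobs also write to `cache-to: type=gha,mode=max,scope=l1`, so they overwrite each other's cache entries; a per-platform scope such as `scope=l1-${{ matrix.platform }}` (constructed value) avoids that.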