Aryeh/rpc-auth

.gitignore

@@ -4,3 +4,4 @@ dist
 *.pyc
 *.egg-info
 .venv*
+.DS_Store

rpc-auth/client/index.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+
+while test $# -gt 0; do
+  case "$1" in
+  -h | --help)
+    echo "options:"
+    echo "-h, --help                show brief help"
+    echo "--cluster-address         specify ip or url for requesting nonce"
+    echo "--chain-id                specify chain id of permission chain"
+    echo "--tz-alias                specify tz alias of your key"
+    exit 0
+    ;;
+  --cluster-address)
+    shift
+    if test $# -gt 0; then
+      export CLUSTER_ADDRESS=$1
+    else
+      echo "no address specified"
+      exit 1
+    fi
+    shift
+    ;;
+  --chain-id)
+    shift
+    if test $# -gt 0; then
+      export CHAIN_ID=$1
+    else
+      echo "no chain id specified"
+      exit 1
+    fi
+    shift
+    ;;
+  --tz-alias)
+    shift
+    if test $# -gt 0; then
+      export TZ_ALIAS=$1
+    else
+      echo "no tz alias specified"
+      exit 1
+    fi
+    shift
+    ;;
+  *)
+    break
+    ;;
+  esac
+done
+
+if [ -z "$CLUSTER_ADDRESS" ]; then
+  echo "--cluster-address flag is required"
+  exit 1
+elif [ -z "$CHAIN_ID" ]; then
+  echo "--chain-id flag is required"
+  exit 1
+elif [ -z "$TZ_ALIAS" ]; then
+  echo "--tz-alias flag is required"
+  exit 1
+fi
+
+if ! tezos-client show address $TZ_ALIAS >/dev/null 2>&1; then
+  echo "no public key hash alias named $TZ_ALIAS"
+  exit 1
+fi
+
+get_response_body() {
+  echo $1 | sed -e 's/ HTTPSTATUS\:.*//g'
+}
+get_response_status() {
+  printf '%q' $1 | sed -e 's/.*HTTPSTATUS://'
+}
+
+echo "Requesting data to sign..."
+nonce_res=$(curl -s -X GET http://$CLUSTER_ADDRESS/vending-machine/$CHAIN_ID -w " HTTPSTATUS:%{http_code}")
+NONCE=$(get_response_body "$nonce_res")
+nonce_res_status=$(get_response_status "$nonce_res")
+
+if [ "$nonce_res_status" != "200" ]; then
+  echo "Failed to get nonce. [HTTP status: $nonce_res_status]"
+  echo "$nonce_res"
+  exit 1
+fi
+
+# echo NONCE: "$NONCE"
+
+echo "Signing data..."
+SIGNATURE=$(tezos-client -p PsCARTHAGazK sign bytes 0x05${NONCE} for ${TZ_ALIAS} | cut -f 2 -d " ")
+PUBLIC_KEY=$(tezos-client show address ${TZ_ALIAS} 2>/dev/null | grep "Public Key: " | awk '{print $3}')
+
+# echo SIGNATURE: "$SIGNATURE"
+# echo PUBLIC_KEY: "$PUBLIC_KEY"
+
+echo "Sending request for RPC url..."
+secret_url_res=$(curl -s -X GET -d "nonce=${NONCE}" -d "signature=${SIGNATURE}" -d "public_key=${PUBLIC_KEY}" http://$CLUSTER_ADDRESS/vending-machine -w " HTTPSTATUS:%{http_code}")
+SECRET_URL=$(get_response_body "$secret_url_res")
+secret_url_status=$(get_response_status "$secret_url_res")
+
+if [ "$secret_url_status" != "200" ]; then
+  echo "Failed to get secret url. [HTTP status: $secret_url_status]"
+  echo "$secret_url_res"
+  exit 1
+fi
+
+echo "Your secret tezos node RPC url: $SECRET_URL"
+

rpc-auth/server/.dockerignore

@@ -0,0 +1,4 @@
+
+
+# Ignore devspace.yaml file to prevent image rebuilding after config changes
+devspace.yaml

rpc-auth/server/.gitignore

@@ -0,0 +1,4 @@
+
+
+# Ignore DevSpace cache and log folder
+.devspace/

rpc-auth/server/Dockerfile

@@ -0,0 +1,30 @@
+FROM python:3.8
+
+ARG FLASK_ENV=development
+
+# Creating Application Source Code Directory
+RUN mkdir -p /var/rpc-auth/
+
+# Setting Home Directory for containers
+WORKDIR /var/rpc-auth/
+
+# Install dependencies for pytezos
+RUN apt-get update
+RUN apt-get install -y libsodium-dev libsecp256k1-dev libgmp-dev
+
+# Installing python dependencies
+COPY requirements.txt /var/rpc-auth/
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copying src code to Container
+COPY index.py /var/rpc-auth/
+
+# Application Environment variables
+ENV FLASK_ENV=$FLASK_ENV
+ENV PYTHONUNBUFFERED=x
+
+# Exposing Ports
+EXPOSE 8080
+
+# Running Python Application
+CMD ["python3", "index.py"]

rpc-auth/server/backend.yaml

@@ -0,0 +1,157 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-service
+  namespace: tqtezos
+  labels:
+    app: redis
+spec:
+  ports:
+    - name: redis
+      port: 6379
+  selector:
+    app: redis
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: redis-pv-claim
+  namespace: tqtezos
+  labels:
+    app: redis
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: tqtezos
+  labels:
+    app: redis
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: master
+          image: redis
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "redis-cli -h $(hostname) ping"
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "redis-cli -h $(hostname) ping"
+            initialDelaySeconds: 5
+            periodSeconds: 3
+          # resources:
+          #   requests:
+          #     cpu: 100m
+          #     memory: 100Mi
+          ports:
+            - containerPort: 6379
+          volumeMounts:
+            - mountPath: /data
+              name: redis-data
+      volumes:
+        - name: redis-data
+          persistentVolumeClaim:
+            claimName: redis-pv-claim
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rpc-auth-service
+  namespace: tqtezos
+spec:
+  selector:
+    app: rpc-auth
+  ports:
+    - port: 8080
+      targetPort: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rpc-auth
+  namespace: tqtezos
+spec:
+  selector:
+    matchLabels:
+      app: rpc-auth
+  template:
+    metadata:
+      labels:
+        app: rpc-auth
+    spec:
+      containers:
+        - name: rpc-auth
+          image: rpc-auth
+          imagePullPolicy: Never
+          ports:
+            - containerPort: 8080
+          env:
+            - name: REDIS_HOST
+              value: redis-service
+            - name: REDIS_PORT
+              value: "6379"
+            - name: TEZOS_RPC
+              value: tezos-rpc
+            - name: TEZOS_RPC_PORT
+              value: "8732"
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rpc-auth-ingress
+  namespace: tqtezos
+  annotations:
+    # nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  rules:
+    - http:
+        paths:
+          # Client provides chain id and gets back a nonce
+          - path: /vending-machine/(.*)
+            pathType: Exact
+            backend:
+              service:
+                name: rpc-auth-service
+                port:
+                  number: 8080
+          # Client provides signed data and gets back a secret url
+          - path: /vending-machine
+            pathType: Exact
+            backend:
+              service:
+                name: rpc-auth-service
+                port:
+                  number: 8080
+          # Client uses secret url to access the RPC endpoint
+          - path: /tezos-node-rpc/(.*)
+            pathType: Exact
+            backend:
+              service:
+                name: rpc-auth-service
+                port:
+                  number: 8080
+---
+

rpc-auth/server/devspace.yaml

@@ -0,0 +1,23 @@
+version: v1beta9
+deployments:
+  - name: backend
+    kubectl:
+      manifests:
+        - ./backend.yaml
+images:
+  server:
+    image: rpc-auth
+dev:
+  sync:
+    - imageName: server
+      labelSelector:
+        app: rpc-auth
+hooks:
+  - command: minikube
+    args:
+      - addons
+      - enable
+      - ingress
+    when:
+      before:
+        deployments: all