Inomurko/bump vault image

.gitignore

@@ -1 +1,23 @@
-contracts/data/geth
+contracts/data/geth
+contracts/immutability/config/ca.crt
+contracts/immutability/config/ca.key
+contracts/immutability/config/ca.srl
+contracts/immutability/config/my-service.crt
+contracts/immutability/config/my-service.csr
+contracts/immutability/config/my-service.key
+contracts/immutability/config/openssl.cnf
+contracts/immutability/config/unseal.json
+contracts/plasma-contracts/contracts/
+
+contracts_reorg/data/geth
+contracts_reorg/immutability/config/ca.crt
+contracts_reorg/immutability/config/ca.key
+contracts_reorg/immutability/config/ca.srl
+contracts_reorg/immutability/config/my-service.crt
+contracts_reorg/immutability/config/my-service.csr
+contracts_reorg/immutability/config/my-service.key
+contracts_reorg/immutability/config/openssl.cnf
+contracts_reorg/immutability/config/unseal.json
+contracts_reorg/plasma-contracts/contracts/
+contracts_reorg/ethash/
+

builder/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.13
 
 LABEL maintainer="OmiseGO Team <omg@omise.co>"
 LABEL description="Builder image for OmiseGO elixir-omg"

builder/Dockerfile.erlang

@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.13
 
 ARG OTP_VERSION="23.1.4"
 ARG OTP_DOWNLOAD_SHA256="8f6718b82bbca72d7dfe0b0de10b6e043cefe9e5ac08d3f84e18f8522d794967"

builder_childchain/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.13
 
 LABEL maintainer="OmiseGO Team <omg@omise.co>"
 LABEL description="Thin Builder image for OmiseGO Childchain"

contracts/data/command

@@ -0,0 +1,37 @@
+# don't run --allow-insecure-unlock in production!
+apk add --update curl
+# Configures geth with the deployer and authority accounts. This includes:
+#   1. Configuring the deployer's keystore
+#   2. Configuring the authority's keystore
+#   3. Configuring the keystores' password
+#   4. Unlocking the accounts by their indexes
+geth --datadir data/ init data/geth/genesis.json
+echo "" > /tmp/geth-blank-password
+# Starts geth
+geth \
+--nousb \
+--miner.gastarget 7500000 \
+--miner.gasprice "10" \
+--datadir data/ \
+--syncmode 'full' \
+--networkid 1337 \
+--keystore=./data/geth/keystore/ \
+--password /tmp/geth-blank-password \
+--unlock "0,1" \
+--http \
+--http.api personal,web3,eth,net \
+--http.addr 0.0.0.0 \
+--http.vhosts=* \
+--http.port 8545 \
+--ws \
+--ws.addr 0.0.0.0 \
+--ws.origins '*' \
+--ws.api personal,web3,eth,net \
+--rpc.allow-unprotected-txs \
+--mine \
+--allow-insecure-unlock
+
+
+# Since we realize people/tooling issuing unprotected transactions can’t change overnight,
+# Geth v1.10.0 supports reverting to the old behavior and accepting non-EIP155 transactions via --rpc.allow-unprotected-txs.
+# Be advised that this is a temporary mechanism that will be removed long term.

contracts/data/geth/genesis.json

@@ -11,6 +11,7 @@
     "petersburgBlock": 6,
     "istanbulBlock": 7,
     "muirGlacierBlock": 8,
+    "berlinBlock": 9,
     "clique": {
       "period": 1,
       "epoch": 30000

contracts/docker-compose.vault.yml

@@ -0,0 +1,7 @@
+version: "2.3"
+services:
+  plasma-contracts:
+    environment:
+      - VAULT=true
+
+

contracts/docker-compose.yml

@@ -6,10 +6,15 @@ services:
       - /bin/sh
       - -c
       - |
+          # deploy the multisig
+          cd /home/node/plasma-contracts/MultiSigWallet
+          npx truffle migrate --accounts 0x6De4b3B9C28E9C3e84c2b2d3a875C947a84de68D --confirmations 1 --network remote
           apk add --update curl
           cd /home/node/plasma-contracts/plasma_framework
           # Fix block gas limit issue by retrying truffle migration up to 5 times
           npx truffle version
+          export VAULT_TOKEN=$$(cat /tmp/unseal.json | jq -r .root_token)
+          echo $$VAULT_TOKEN
           for i in 1 2 3 4 5; do \
             echo 'Running truffle migration attempt #$${i}'
             npx truffle migrate --network remote command && break; \
@@ -24,6 +29,7 @@ services:
     volumes:
       - ${PWD}/plasma-contracts/contracts/:/home/node/plasma-contracts/plasma_framework/build/contracts/
       - ${PWD}/plasma-contracts/build/db.json:/home/node/plasma-contracts/plasma_framework/build/db.json
+      - "./immutability/config:/tmp:rw"
     environment:
       # DEPLOYER_PRIVATEKEY is the geth dev account initially funded address
       - DEPLOYER_PRIVATEKEY=d885a307e35738f773d8c9c63c7a3f3977819274638d04aaf934a1e1158513ce # 0x6De4b3B9C28E9C3e84c2b2d3a875C947a84de68D
@@ -32,10 +38,18 @@ services:
       - REMOTE_URL=http://geth:8545
       - DEPLOY_TEST_CONTRACTS=true
       - MIN_EXIT_PERIOD=${MIN_EXIT_PERIOD}
+      # HEY THIS IS IMPORTANT
+      - VAULT=false
+      - VAULT_ADDR=https://vault_server:8200
+      - NODE_TLS_REJECT_UNAUTHORIZED=0
+      - VAULT_RPC_REMOTE_URL=http://geth:8545
+      - CHAIN_ID=1337
     env_file: ../tester/CONTRACT_EXPERIMENTAL_FEATURES
     depends_on:
       geth:
         condition: service_healthy
+      vault_server:
+        condition: service_healthy
     restart: always
     healthcheck:
       test: curl plasma-contracts:8000/contracts
@@ -45,36 +59,8 @@ services:
       start_period: 5m
 
   geth:
-    image: ethereum/client-go:v1.9.15
-    entrypoint:
-      - /bin/sh
-      - -c
-      - |
-          # don't run --allow-insecure-unlock in production!
-          apk add --update curl
-          # Configures geth with the deployer and authority accounts. This includes:
-          #   1. Configuring the deployer's keystore
-          #   2. Configuring the authority's keystore
-          #   3. Configuring the keystores' password
-          #   4. Unlocking the accounts by their indexes
-          geth --datadir data/ init data/geth/genesis.json
-          echo "" > /tmp/geth-blank-password
-          # Starts geth
-
-          geth --miner.gastarget 7500000 \
-            --miner.gasprice "10" \
-            --datadir data/ \
-            --syncmode 'full' \
-            --networkid 1337 \
-            --gasprice '1' \
-            --keystore=./data/geth/keystore/ \
-            --password /tmp/geth-blank-password \
-            --unlock "0,1" \
-            --rpc --rpcapi personal,web3,eth,net --rpcaddr 0.0.0.0 --rpcvhosts=* --rpcport=8545 \
-            --ws --wsaddr 0.0.0.0 --wsorigins='*' \
-            --mine \
-            --allow-insecure-unlock
-
+    image: ethereum/client-go:v1.10.1
+    entrypoint: /bin/sh -c ". data/command"
     ports:
       - "8545:8545"
       - "8546:8546"
@@ -88,3 +74,26 @@ services:
       interval: 5s
       timeout: 3s
       retries: 5
+
+  vault_server:
+    image: gcr.io/omisego-development/omgnetwork/vault:0.0.7
+    entrypoint: >
+      /bin/sh -c "
+        sleep 2
+
+        /vault/config/entrypoint.sh
+      "
+    ports:
+      - "8200:8200"
+    links:
+      - "geth"
+    volumes:
+      - "./immutability/ca:/vault/ca:rw"
+      - "./immutability/ca/certs/:/etc/ssl/certs/"
+      - "./immutability/config:/vault/config:rw"
+    healthcheck:
+      test: vault status --tls-skip-verify
+      interval: 5s
+      timeout: 3s
+      retries: 5
+

contracts/immutability/config/entrypoint.sh

@@ -0,0 +1,174 @@
+#!/bin/bash
+
+# Vault running in the container must listen on a different port.
+
+VAULT_CREDENTIALS="/vault/config/unseal.json"
+
+CONFIG_DIR="/vault/config"
+
+CA_CERT="$CONFIG_DIR/ca.crt"
+CA_KEY="$CONFIG_DIR/ca.key"
+TLS_KEY="$CONFIG_DIR/my-service.key"
+TLS_CERT="$CONFIG_DIR/my-service.crt"
+CONFIG="$CONFIG_DIR/openssl.cnf"
+CSR="$CONFIG_DIR/my-service.csr"
+
+export VAULT_ADDR="https://127.0.0.1:8200"
+export VAULT_CACERT="$CA_CERT"
+
+function create_config {
+
+	cat > "$CONFIG" << EOF
+
+[req]
+default_bits = 2048
+encrypt_key  = no
+default_md   = sha256
+prompt       = no
+utf8         = yes
+
+# Speify the DN here so we aren't prompted (along with prompt = no above).
+distinguished_name = req_distinguished_name
+
+# Extensions for SAN IP and SAN DNS
+req_extensions = v3_req
+
+# Be sure to update the subject to match your organization.
+[req_distinguished_name]
+C  = TH
+ST = Bangkok
+L  = Vault
+O  = omiseGO
+CN = localhost
+
+# Allow client and server auth. You may want to only allow server auth.
+# Link to SAN names.
+[v3_req]
+basicConstraints     = CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage             = digitalSignature, keyEncipherment
+extendedKeyUsage     = clientAuth, serverAuth
+subjectAltName       = @alt_names
+
+# Alternative names are specified as IP.# and DNS.# for IPs and
+# DNS accordingly.
+[alt_names]
+IP.1  = 127.0.0.1
+IP.2  = 192.168.64.1
+IP.3  = 192.168.122.1
+DNS.1 = localhost
+EOF
+}
+
+function gencerts {
+
+    create_config
+	openssl req \
+	-new \
+	-sha256 \
+	-newkey rsa:2048 \
+	-days 120 \
+	-nodes \
+	-x509 \
+	-subj "/C=US/ST=Maryland/L=Vault/O=My Company CA" \
+	-keyout "$CA_KEY" \
+	-out "$CA_CERT"
+
+	# Generate the private key for the service. Again, you may want to increase
+	# the bits to 2048.
+	openssl genrsa -out "$TLS_KEY" 2048
+
+	# Generate a CSR using the configuration and the key just generated. We will
+	# give this CSR to our CA to sign.
+	openssl req \
+	-new -key "$TLS_KEY" \
+	-out "$CSR" \
+	-config "$CONFIG"
+
+	# Sign the CSR with our CA. This will generate a new certificate that is signed
+	# by our CA.
+	openssl x509 \
+	-req \
+	-days 120 \
+	-in "$CSR" \
+	-CA "$CA_CERT" \
+	-CAkey "$CA_KEY" \
+	-CAcreateserial \
+	-sha256 \
+	-extensions v3_req \
+	-extfile "$CONFIG" \
+	-out "$TLS_CERT"
+
+	openssl x509 -in "$TLS_CERT" -noout -text
+
+	# rm openssl.cnf
+
+#  chown -R nobody:nobody $CONFIG_DIR && chmod -R 777 $CONFIG_DIR
+}
+
+gencerts
+
+nohup vault server -log-level=debug -config /vault/config/vault.hcl &
+VAULT_PID=$!
+
+function unseal() {
+    VAULT_INIT=$(cat $VAULT_CREDENTIALS)
+    UNSEAL_KEY=$(echo $VAULT_INIT | jq -r '.unseal_keys_hex[0]')
+    ROOT_TOKEN=$(echo $VAULT_INIT | jq -r .root_token)
+    vault operator unseal $UNSEAL_KEY
+    export VAULT_TOKEN=$ROOT_TOKEN
+}
+
+function configure_plugin {
+	plugin_file="immutability-eth-plugin"
+
+	echo "ADDING TO CATALOG: sys/plugins/catalog/secret/${plugin_file}"
+
+	# just testing for now
+	plugin_file="${plugin_file}"
+	ls -latr /vault/plugins
+	sha256sum=`cat /vault/plugins/SHA256SUMS | awk '{print $1}'`
+	vault write sys/plugins/catalog/secret/${plugin_file} \
+		  sha_256="$sha256sum" \
+		  command="$plugin_file --ca-cert=$CA_CERT --client-cert=$TLS_CERT --client-key=$TLS_KEY"
+
+	if [[ $? -eq 2 ]] ; then
+	  echo "Vault Catalog update failed!"
+	  exit 2
+	fi
+
+	echo "MOUNTING: ${plugin_file}"
+	vault secrets enable -path=${plugin_file} -plugin-name=${plugin_file} plugin
+	if [[ $? -eq 2 ]] ; then
+	  echo "Failed to mount ${plugin_file} plugin for test!"
+	  exit 2
+	fi
+}
+
+function test_banner {
+    echo "************************************************************************************************************************************"
+}
+
+
+if [ -f "$VAULT_CREDENTIALS" ]; then
+    echo "unseal.json exists"
+    sleep 10
+    unseal
+    vault status
+    vault secrets list
+else
+    echo "sleeping for 10s and generating unseal.json"
+		sleep 10
+    VAULT_INIT=$(vault operator init -key-shares=1 -key-threshold=1 -format=json | jq .)
+    echo $VAULT_INIT > $VAULT_CREDENTIALS
+    unseal
+    configure_plugin
+    vault audit enable file file_path=stdout
+    vault status
+    vault secrets list
+    test_banner
+fi
+
+# Don't exit until vault dies
+
+wait $VAULT_PID