Relayer url and api_key moved to the partner struct, refactoring (#286)

* relayer url and api_key moved to the partner struct, refactoring * relayer set in tfvars * terraform parameter renamed * signing nodes accepts only oidc_providers
near · Sep 14, 2023 · f3c5c4f · f3c5c4f
1 parent 9041dd7
commit f3c5c4f
Show file tree

Hide file tree

Showing 17 changed files with 297 additions and 214 deletions.
diff --git a/DEPLOY.md b/DEPLOY.md
@@ -99,7 +99,7 @@ $ gcloud run deploy <GCP_CLOUD_RUN_SERVICE> \
     --memory=2Gi \
     --min-instances=1 \
     --max-instances=1 \
-    --set-env-vars=MPC_RECOVERY_NODE_ID=<MPC_NODE_ID>,MPC_RECOVERY_GCP_PROJECT_ID=<GCP_PROJECT_ID>,MPC_RECOVERY_WEB_PORT=3000,RUST_LOG=mpc_recovery=debug,ALLOWED_OIDC_PROVIDERS='[{"issuer":"https://securetoken.google.com/near-fastauth-prod","audience":"near-fastauth-prod"}]' \
+    --set-env-vars=MPC_RECOVERY_NODE_ID=<MPC_NODE_ID>,MPC_RECOVERY_GCP_PROJECT_ID=<GCP_PROJECT_ID>,MPC_RECOVERY_WEB_PORT=3000,RUST_LOG=mpc_recovery=debug,OIDC_PROVIDERS='[{"issuer":"https://securetoken.google.com/near-fastauth-prod","audience":"near-fastauth-prod"}]' \
     --set-secrets=MPC_RECOVERY_SK_SHARE=<GCP_SM_KEY_NAME>:latest,MPC_RECOVERY_CIPHER_KEY=<GCP_SM_CIPHER_NAME>:latest \
     --no-cpu-throttling \
     --region=<GCP_REGION> \

diff --git a/infra/main.tf b/infra/main.tf
@@ -23,17 +23,12 @@ locals {
   env = {
     defaults = {
       near_rpc          = "https://rpc.testnet.near.org"
-      relayer_api_key   = null
-      relayer_url       = "http://34.70.226.83:3030"
       near_root_account = "testnet"
     }
     testnet = {
     }
     mainnet = {
-      near_rpc = "https://rpc.mainnet.near.org"
-      // TODO: move relayer API key to secrets
-      relayer_api_key   = "dfadcb16-2293-4649-896b-4bc4224adea0"
-      relayer_url       = "http://near-relayer-mainnet.api.pagoda.co"
+      near_rpc          = "https://rpc.mainnet.near.org"
       near_root_account = "near"
     }
   }
@@ -109,8 +104,8 @@ module "signer" {
   service_account_email = google_service_account.service_account.email
   docker_image          = docker_image.mpc_recovery.name
 
-  node_id                = count.index
-  allowed_oidc_providers = var.allowed_oidc_providers
+  node_id        = count.index
+  oidc_providers = var.oidc_providers
 
   cipher_key = var.cipher_keys[count.index]
   sk_share   = var.sk_shares[count.index]
@@ -128,13 +123,11 @@ module "leader" {
   service_account_email = google_service_account.service_account.email
   docker_image          = docker_image.mpc_recovery.name
 
-  signer_node_urls       = concat(module.signer.*.node.uri, var.external_signer_node_urls)
-  near_rpc               = local.workspace.near_rpc
-  relayer_api_key        = local.workspace.relayer_api_key
-  relayer_url            = local.workspace.relayer_url
-  near_root_account      = local.workspace.near_root_account
-  account_creator_id     = var.account_creator_id
-  allowed_oidc_providers = var.allowed_oidc_providers
+  signer_node_urls   = concat(module.signer.*.node.uri, var.external_signer_node_urls)
+  near_rpc           = local.workspace.near_rpc
+  near_root_account  = local.workspace.near_root_account
+  account_creator_id = var.account_creator_id
+  fast_auth_partners = var.fast_auth_partners
 
   account_creator_sk = var.account_creator_sk
 

diff --git a/infra/modules/leader/main.tf b/infra/modules/leader/main.tf
@@ -16,20 +16,20 @@ resource "google_secret_manager_secret_iam_member" "account_creator_secret_acces
   member    = "serviceAccount:${var.service_account_email}"
 }
 
-resource "google_secret_manager_secret" "allowed_oidc_providers" {
+resource "google_secret_manager_secret" "fast_auth_partners" {
   secret_id = "mpc-recovery-allowed-oidc-providers-leader-${var.env}"
   replication {
     automatic = true
   }
 }
 
-resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
-  secret      = google_secret_manager_secret.allowed_oidc_providers.name
-  secret_data = jsonencode(var.allowed_oidc_providers)
+resource "google_secret_manager_secret_version" "fast_auth_partners_data" {
+  secret      = google_secret_manager_secret.fast_auth_partners.name
+  secret_data = jsonencode(var.fast_auth_partners)
 }
 
-resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
-  secret_id = google_secret_manager_secret.allowed_oidc_providers.id
+resource "google_secret_manager_secret_iam_member" "fast_auth_partners_secret_access" {
+  secret_id = google_secret_manager_secret.fast_auth_partners.id
   role      = "roles/secretmanager.secretAccessor"
   member    = "serviceAccount:${var.service_account_email}"
 }
@@ -63,17 +63,6 @@ resource "google_cloud_run_v2_service" "leader" {
         name  = "MPC_RECOVERY_NEAR_RPC"
         value = var.near_rpc
       }
-      dynamic "env" {
-        for_each = var.relayer_api_key == null ? [] : [1]
-        content {
-          name  = "MPC_RECOVERY_RELAYER_API_KEY"
-          value = var.relayer_api_key
-        }
-      }
-      env {
-        name  = "MPC_RECOVERY_RELAYER_URL"
-        value = var.relayer_url
-      }
       env {
         name  = "MPC_RECOVERY_NEAR_ROOT_ACCOUNT"
         value = var.near_root_account
@@ -111,9 +100,9 @@ resource "google_cloud_run_v2_service" "leader" {
   }
   depends_on = [
     google_secret_manager_secret_version.account_creator_sk_data,
-    google_secret_manager_secret_version.allowed_oidc_providers_data,
+    google_secret_manager_secret_version.fast_auth_partners_data,
     google_secret_manager_secret_iam_member.account_creator_secret_access,
-    google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access
+    google_secret_manager_secret_iam_member.fast_auth_partners_secret_access
   ]
 }
 

diff --git a/infra/modules/leader/variables.tf b/infra/modules/leader/variables.tf
@@ -24,20 +24,24 @@ variable "signer_node_urls" {
 variable "near_rpc" {
 }
 
-variable "relayer_api_key" {
-}
-
-variable "relayer_url" {
-}
-
 variable "near_root_account" {
 }
 
 variable "account_creator_id" {
 }
 
-variable "allowed_oidc_providers" {
-  type = list(map(string))
+variable "fast_auth_partners" {
+  type = list(object({
+    oidc_provider = object({
+      issuer   = string
+      audience = string
+    })
+    relayer = object({
+      url     = string
+      api_key = string
+    })
+  }))
+  default = []
 }
 
 # Secrets

diff --git a/infra/modules/signer/main.tf b/infra/modules/signer/main.tf
@@ -34,20 +34,20 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"
   member    = "serviceAccount:${var.service_account_email}"
 }
 
-resource "google_secret_manager_secret" "allowed_oidc_providers" {
+resource "google_secret_manager_secret" "oidc_providers" {
   secret_id = "mpc-recovery-allowed-oidc-providers-${var.node_id}-${var.env}"
   replication {
     automatic = true
   }
 }
 
-resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
-  secret      = google_secret_manager_secret.allowed_oidc_providers.name
-  secret_data = jsonencode(var.allowed_oidc_providers)
+resource "google_secret_manager_secret_version" "oidc_providers_data" {
+  secret      = google_secret_manager_secret.oidc_providers.name
+  secret_data = jsonencode(var.oidc_providers)
 }
 
-resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
-  secret_id = google_secret_manager_secret.allowed_oidc_providers.id
+resource "google_secret_manager_secret_iam_member" "oidc_providers_secret_access" {
+  secret_id = google_secret_manager_secret.oidc_providers.id
   role      = "roles/secretmanager.secretAccessor"
   member    = "serviceAccount:${var.service_account_email}"
 }
@@ -107,10 +107,10 @@ resource "google_cloud_run_v2_service" "signer" {
   depends_on = [
     google_secret_manager_secret_version.cipher_key_data,
     google_secret_manager_secret_version.secret_share_data,
-    google_secret_manager_secret_version.allowed_oidc_providers_data,
+    google_secret_manager_secret_version.oidc_providers_data,
     google_secret_manager_secret_iam_member.cipher_key_secret_access,
     google_secret_manager_secret_iam_member.secret_share_secret_access,
-    google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access
+    google_secret_manager_secret_iam_member.oidc_providers_secret_access
   ]
 }
 

diff --git a/infra/modules/signer/variables.tf b/infra/modules/signer/variables.tf
@@ -20,8 +20,12 @@ variable "docker_image" {
 variable "node_id" {
 }
 
-variable "allowed_oidc_providers" {
-  type = list(map(string))
+variable "oidc_providers" {
+  type = list(object({
+    issuer   = string
+    audience = string
+  }))
+  default = []
 }
 
 # Secrets

diff --git a/infra/terraform-dev.tfvars b/infra/terraform-dev.tfvars
@@ -9,6 +9,25 @@ sk_shares = [
   "{\"public_key\":{\"curve\":\"ed25519\",\"point\":[46,181,130,13,164,112,16,130,63,196,212,83,38,63,120,124,0,35,238,100,212,32,46,7,233,221,2,16,20,189,198,167]},\"expanded_private_key\":{\"prefix\":{\"curve\":\"ed25519\",\"scalar\":[35,145,79,79,99,72,33,94,114,179,89,56,252,168,145,28,195,10,230,89,247,39,194,127,202,75,119,182,59,120,144,83]},\"private_key\":{\"curve\":\"ed25519\",\"scalar\":[88,71,177,97,38,226,233,158,49,168,14,146,117,128,240,16,97,35,56,137,0,69,150,237,4,210,81,35,0,44,233,98]}}}",
   "{\"public_key\":{\"curve\":\"ed25519\",\"point\":[226,221,12,58,210,76,171,11,139,88,242,44,18,207,126,120,5,90,208,108,4,93,19,188,24,172,130,61,51,94,10,34]},\"expanded_private_key\":{\"prefix\":{\"curve\":\"ed25519\",\"scalar\":[72,32,251,204,100,91,164,82,140,231,84,166,176,30,167,99,107,71,71,195,83,40,241,205,6,89,122,227,140,146,82,4]},\"private_key\":{\"curve\":\"ed25519\",\"scalar\":[8,248,184,114,40,88,141,189,156,115,215,171,36,210,85,189,12,217,176,9,208,28,141,207,18,18,57,230,231,14,118,116]}}}"
 ]
-allowed_oidc_providers = [
-  { issuer = "https://securetoken.google.com/pagoda-oboarding-dev", audience = "pagoda-oboarding-dev" }
-]
+
+// For leader node
+fast_auth_partners = [
+  {
+    oidc_provider = {
+      issuer   = "https://securetoken.google.com/pagoda-oboarding-dev",
+      audience = "pagoda-oboarding-dev"
+    },
+    relayer = {
+      url     = "http://34.70.226.83:3030",
+      api_key = null,
+    },
+  }
+]
+
+// For signing nodes
+oidc_providers = [
+  {
+    issuer   = "https://securetoken.google.com/pagoda-oboarding-dev",
+    audience = "pagoda-oboarding-dev"
+  }
+]
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -24,8 +24,25 @@ variable "zone" {
 variable "account_creator_id" {
 }
 
-variable "allowed_oidc_providers" {
-  type    = list(map(string))
+variable "fast_auth_partners" {
+  type = list(object({
+    oidc_provider = object({
+      issuer   = string
+      audience = string
+    })
+    relayer = object({
+      url     = string
+      api_key = string
+    })
+  }))
+  default = []
+}
+
+variable "oidc_providers" {
+  type = list(object({
+    issuer   = string
+    audience = string
+  }))
   default = []
 }
 

diff --git a/integration-tests/src/containers.rs b/integration-tests/src/containers.rs
@@ -7,6 +7,7 @@ use ed25519_dalek::ed25519::signature::digest::{consts::U32, generic_array::Gene
 use ed25519_dalek::{PublicKey as PublicKeyEd25519, Verifier};
 use futures::{lock::Mutex, StreamExt};
 use hyper::StatusCode;
+use mpc_recovery::firewall::allowed::DelegateActionRelayer;
 use mpc_recovery::sign_node::oidc::OidcToken;
 use mpc_recovery::{
     msg::{
@@ -389,7 +390,7 @@ impl<'a> SignerNode<'a> {
     // Container port used for the docker network, does not have to be unique
     const CONTAINER_PORT: u16 = 3000;
 
-    pub async fn run(
+    pub async fn run_signing_node(
         docker_client: &'a DockerClient,
         network: &str,
         node_id: u64,
@@ -417,14 +418,13 @@ impl<'a> SignerNode<'a> {
                 hex::encode(cipher_key),
                 "--web-port".to_string(),
                 Self::CONTAINER_PORT.to_string(),
-                "--allowed-oidc-providers".to_string(),
+                "--oidc-providers".to_string(),
                 serde_json::json!([
                     {
-                        "issuer": format!("https://securetoken.google.com/{firebase_audience_id}"),
+                        "issuer": format!("https://securetoken.google.com/{}", firebase_audience_id),
                         "audience": firebase_audience_id,
                     },
-                ])
-                .to_string(),
+                ]).to_string(),
                 "--gcp-project-id".to_string(),
                 gcp_project_id.to_string(),
                 "--gcp-datastore-url".to_string(),
@@ -520,6 +520,7 @@ pub struct LeaderNode<'a> {
 
 pub struct LeaderNodeApi {
     pub address: String,
+    pub relayer: DelegateActionRelayer,
     client: NearRpcAndRelayerClient,
 }
 
@@ -552,22 +553,25 @@ impl<'a> LeaderNode<'a> {
             Self::CONTAINER_PORT.to_string(),
             "--near-rpc".to_string(),
             near_rpc.to_string(),
-            "--relayer-url".to_string(),
-            relayer_url.to_string(),
             "--near-root-account".to_string(),
             near_root_account.to_string(),
             "--account-creator-id".to_string(),
             account_creator_id.to_string(),
             "--account-creator-sk".to_string(),
             account_creator_sk.to_string(),
-            "--allowed-oidc-providers".to_string(),
+            "--fast-auth-partners".to_string(),
             serde_json::json!([
                 {
-                    "issuer": format!("https://securetoken.google.com/{firebase_audience_id}"),
-                    "audience": firebase_audience_id,
+                    "oidc_provider": {
+                        "issuer": format!("https://securetoken.google.com/{}", firebase_audience_id),
+                        "audience": firebase_audience_id,
+                    },
+                    "relayer": {
+                        "url": relayer_url.to_string(),
+                        "api_key": serde_json::Value::Null,
+                    },
                 },
-            ])
-            .to_string(),
+            ]).to_string(),
             "--gcp-project-id".to_string(),
             gcp_project_id.to_string(),
             "--gcp-datastore-url".to_string(),
@@ -600,10 +604,11 @@ impl<'a> LeaderNode<'a> {
         })
     }
 
-    pub fn api(&self, near_rpc: &str, relayer_url: &str) -> LeaderNodeApi {
+    pub fn api(&self, near_rpc: &str, relayer: &DelegateActionRelayer) -> LeaderNodeApi {
         LeaderNodeApi {
             address: self.local_address.clone(),
-            client: NearRpcAndRelayerClient::connect(near_rpc, relayer_url.to_string(), None),
+            client: NearRpcAndRelayerClient::connect(near_rpc),
+            relayer: relayer.clone(),
         }
     }
 }
@@ -721,10 +726,13 @@ impl LeaderNodeApi {
         };
         let response = self
             .client
-            .send_meta_tx(SignedDelegateAction {
-                delegate_action: add_key_delegate_action,
-                signature: near_crypto::Signature::ED25519(*signature),
-            })
+            .send_meta_tx(
+                SignedDelegateAction {
+                    delegate_action: add_key_delegate_action,
+                    signature: near_crypto::Signature::ED25519(*signature),
+                },
+                self.relayer.clone(),
+            )
             .await?;
         if matches!(response.status, FinalExecutionStatus::SuccessValue(_)) {
             Ok((status_code, sign_response))
@@ -771,10 +779,13 @@ impl LeaderNodeApi {
         };
         let response = self
             .client
-            .send_meta_tx(SignedDelegateAction {
-                delegate_action: delete_key_delegate_action,
-                signature: near_crypto::Signature::ED25519(*signature),
-            })
+            .send_meta_tx(
+                SignedDelegateAction {
+                    delegate_action: delete_key_delegate_action,
+                    signature: near_crypto::Signature::ED25519(*signature),
+                },
+                self.relayer.clone(),
+            )
             .await?;
         if matches!(response.status, FinalExecutionStatus::SuccessValue(_)) {
             Ok((status_code, sign_response))