Merge pull request #1 from harryttd/kms
Add AWS KMS signer and file based ratchet
Showing
19 changed files
with
932 additions
and
220 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,12 @@ | ||
./src/__pycache__ | ||
.git | ||
.github/** | ||
.gitignore | ||
.idea | ||
docker-compose.yaml | ||
LICENSE.md | ||
Makefile | ||
README.md | ||
test | ||
tezos-kms | ||
venv |
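Review bot: The `.gitignore` touched in this same commit lists `keys.json` and `remote-signer.log`, but neither is excluded from the build context here, and the new Dockerfile copies the whole `src` tree with `COPY src ./src`. If either file is ever created under `src/` on a developer machine it would be baked into a published signer image; adding `keys.json` and `remote-signer.log` (or `**/*.log`) to this file closes that gap cheaply. Where `keys.json` actually lives is not visible from this diff, so this is a precaution rather than a confirmed leak.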
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
name: CI | ||
|
||
on: | ||
workflow_dispatch: | ||
|
||
push: | ||
# Trigger CI on all branch pushes but... | ||
branches: | ||
- "**" | ||
# don't double trigger on new tag push when creating release. Should only | ||
# trigger once for the release. | ||
tags-ignore: | ||
- "*.*.*" | ||
paths-ignore: | ||
- README.md | ||
- LICENSE.md | ||
- MAKEFILE | ||
- .gitignore | ||
- docker-compose* | ||
|
||
release: | ||
types: [created] | ||
|
||
jobs: | ||
publish-to-ghcr: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 1 | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Set up Docker Buildx | ||
id: buildx | ||
uses: docker/setup-buildx-action@master | ||
|
||
- name: Login to registry | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
|
||
- name: Cache Docker layers | ||
uses: actions/cache@v2 | ||
with: | ||
path: /tmp/.buildx-cache | ||
key: ${{ runner.os }}-single-buildx-${{ github.sha }} | ||
restore-keys: | | ||
${{ runner.os }}-single-buildx | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v3 | ||
with: | ||
images: ghcr.io/${{ github.repository_owner }}/tacoinfra-remote-signer | ||
tags: | | ||
type=ref,event=branch | ||
type=ref,event=pr | ||
type=match,pattern=([0-9]+\.[0-9]+\.[0-9]+),group=1 | ||
- name: Push ${{ matrix.container }} container to GHCR | ||
uses: docker/build-push-action@v2 | ||
with: | ||
builder: ${{ steps.buildx.outputs.name }} | ||
cache-from: type=local,src=/tmp/.buildx-cache | ||
cache-to: type=local,dest=/tmp/.buildx-cache-new | ||
context: . | ||
file: Dockerfile | ||
labels: ${{ steps.meta.outputs.labels }} | ||
push: true | ||
tags: ${{ steps.meta.outputs.tags }} | ||
|
||
# Temp fix | ||
# https://github.com/docker/build-push-action/issues/252 | ||
# https://github.com/moby/buildkit/issues/1896 | ||
- name: Move cache | ||
run: | | ||
rm -rf /tmp/.buildx-cache | ||
mv /tmp/.buildx-cache-new /tmp/.buildx-cache |
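Review bot: `docker/setup-buildx-action@master` pins the builder step to a moving branch, so anyone who can push to that branch can run code in a job that holds `secrets.GITHUB_TOKEN` and publishes the signer image to GHCR; pin it to a release tag or, better, a full commit SHA, e.g. `uses: docker/setup-buildx-action@<commit-sha> # vX.Y.Z`. The job also declares no `permissions:`, so the token inherits the repository default, which may be write-all; `permissions: {contents: read, packages: write}` under `publish-to-ghcr` is all this job needs and limits what a compromised step can do with it. `${{ matrix.container }}` in the push step's name refers to a matrix this workflow never defines, so it expands to an empty string and the step is simply titled `Push  container to GHCR`. The `type=ref,event=pr` tag rule is inert while there is no `pull_request` trigger; harmless, but a one-line comment saying so would save the next reader a lookup.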
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,3 +9,5 @@ | |
src/bitcoin | ||
keys.json | ||
remote-signer.log | ||
|
||
testing-files |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,28 +1,67 @@ | ||
FROM amazonlinux:1 | ||
FROM python:3.9-slim@sha256:3e45d072301981add6ab1d376394edc4eb0ec2afb70e7ffcbb3113eb432ab709 | ||
|
||
RUN \ | ||
yum install -y wget aws-cli python36 python36-devel git gcc && \ | ||
easy_install-3.6 pip | ||
RUN mkdir -p /app | ||
WORKDIR /app | ||
|
||
COPY requirements.txt . | ||
|
||
RUN apt-get update \ | ||
&& apt-get install -y git gcc g++ make python3-dev swig \ | ||
&& apt-get install -y jq awscli curl \ | ||
&& apt-get install -y libsodium23 libsecp256k1-0 libgmp10 \ | ||
&& apt-get install -y libsodium-dev libsecp256k1-dev libgmp-dev \ | ||
&& pip --no-cache install -r ./requirements.txt \ | ||
&& cd /tmp \ | ||
&& git clone https://github.com/tacoinfra/libhsm \ | ||
&& cd libhsm/build \ | ||
&& ./build_libhsm \ | ||
&& cp libhsm.so /usr/lib/x86_64-linux-gnu/libhsm.so \ | ||
&& cd / \ | ||
&& rm -rf /tmp/libhsm \ | ||
&& apt-get purge -y git gcc g++ make python3-dev swig \ | ||
&& apt-get purge -y libsodium-dev libsecp256k1-dev libgmp-dev \ | ||
&& apt-get autoremove -y \ | ||
&& rm -rf /var/lib/apt /var/cache/apt /root/.cache \ | ||
&& rm -rf __pycache__ | ||
# | ||
# We do not install the dependencies for the following packages because | ||
# we use only a subset of their functionality and the dependencies are | ||
# not necesary for us. | ||
# | ||
# XXXrcd: We should fetch a particular version of these libraries. | ||
# | ||
# XXXrcd: in future we might only install the .so because we only use | ||
# the "configure" command which just manipulates a little JSON. | ||
|
||
RUN TOP=https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient \ | ||
VER=EL6 \ | ||
CLIENT=cloudhsm-client-3.1.0-3.el6.x86_64.rpm \ | ||
PKCS11=cloudhsm-client-pkcs11-3.1.0-3.el6.x86_64.rpm; \ | ||
VER=Bionic \ | ||
PKCS11=cloudhsm-pkcs11_latest_u18.04_amd64.deb; \ | ||
\ | ||
set -e; \ | ||
\ | ||
for i in $CLIENT $PKCS11; do \ | ||
wget "$TOP/$VER/$i"; \ | ||
yum install -y "$i"; \ | ||
rm -f "$i"; \ | ||
done | ||
curl -s -o "$PKCS11" "$TOP/$VER/$PKCS11"; \ | ||
dpkg -i --force-depends "$PKCS11"; \ | ||
rm -f "$PKCS11" | ||
|
||
ARG FLASK_ENV=production | ||
ENV FLASK_ENV=$FLASK_ENV | ||
|
||
RUN groupadd -r -g 999 remotesigner && \ | ||
useradd -r -u 999 -g remotesigner remotesigner | ||
|
||
COPY requirements.txt / | ||
RUN pip3 install -r /requirements.txt && \ | ||
/opt/cloudhsm/bin/configure -a hsm.internal && \ | ||
yum clean all | ||
COPY src ./src | ||
COPY entrypoint.sh ./ | ||
COPY hsm-remote-signer.sh ./ | ||
COPY signer.py ./ | ||
|
||
COPY src/. /src/ | ||
RUN chmod 755 /src/start-remote-signer.sh | ||
# Make files un-writeable | ||
RUN rm -rf /usr/local/bin/pip \ | ||
&& rm requirements.txt \ | ||
&& chown -R remotesigner:remotesigner . \ | ||
&& chmod 540 entrypoint.sh hsm-remote-signer.sh signer.py \ | ||
&& chmod -R 540 src \ | ||
&& chmod 770 . | ||
|
||
COPY signer.py / | ||
USER 999 | ||
|
||
ENTRYPOINT ["/src/start-remote-signer.sh"] | ||
ENTRYPOINT ["./entrypoint.sh"] |
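Review bot: Both third-party artifacts compiled into the signer image are fetched from mutable references with no integrity check: `git clone https://github.com/tacoinfra/libhsm` builds whatever the default branch holds at build time, and the CloudHSM package is `cloudhsm-pkcs11_latest_u18.04_amd64.deb`, downloaded with `curl -s` and installed with `dpkg -i --force-depends` without any checksum. For a signing service the build should pin the libhsm revision and verify the .deb against a known digest, so a changed upstream branch or bucket object cannot silently alter `libhsm.so` or the PKCS#11 module; `curl -f` additionally stops an HTTP error body from being handed to dpkg. A sketch of the pinned form follows, with the ref and digest supplied via `--build-arg` from values you have vetted. Separately, `chmod 770 .` leaves UID 999 with write access to `/app`, so despite the 540 file modes the process can unlink and recreate `signer.py` or anything under `src/`; if that directory permission exists only for the file-based ratchet, giving the ratchet its own writable path (e.g. a mounted volume) would keep the code read-only as the comment intends.
```dockerfile
# Build inputs that end up in the image; pass via --build-arg from vetted values.
ARG LIBHSM_REF
ARG PKCS11_SHA256

# … unchanged: apt-get install of build/runtime packages, pip install …
    && cd /tmp \
    && git clone https://github.com/tacoinfra/libhsm \
    && git -C libhsm checkout "${LIBHSM_REF}" \
    && cd libhsm/build \
# … unchanged: build_libhsm, copy of libhsm.so, purge and cleanup …

RUN TOP=https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient \
    VER=Bionic \
    PKCS11=cloudhsm-pkcs11_latest_u18.04_amd64.deb; \
    set -e; \
    curl -fsS -o "$PKCS11" "$TOP/$VER/$PKCS11"; \
    echo "${PKCS11_SHA256}  ${PKCS11}" | sha256sum -c -; \
    dpkg -i --force-depends "$PKCS11"; \
    rm -f "$PKCS11"
```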
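--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -xe
+
+CMD="$1"
+shift
+
+case "$CMD" in
+hsm) exec hsm-remote-signer.sh "$@" ;;
+kms) if ! python3 signer.py "kms"; then
+echo "Failed to start kms signer."
+exit 1
+fi
+esac
+
+echo "ERROR: could not find \"$CMD\"."
+echo
+echo "Valid options are:"
+echo " hsm"
+echo " kms"
+
+exit 1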
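Review bot: The `kms)` branch never `exec`s, so when `python3 signer.py "kms"` exits 0 control falls out of the `case` into the error path below and the container reports `ERROR: could not find "kms".` and exits 1; while the signer runs, `sh` rather than Python is PID 1, so the SIGTERM from `docker stop` is delivered to the shell and the signer never sees it. Replacing the branch with `kms) exec python3 signer.py kms ;;` fixes both and matches the `hsm)` branch's shape. That branch also drops the remaining `"$@"` that `hsm)` forwards; whether `signer.py` should receive them is not visible here, so confirm before adding `"$@"`. Note that `set -x` traces every command and its arguments to stderr, which is fine for `kms`/`hsm` but worth remembering if the `hsm` arguments ever carry anything sensitive.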
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,19 +1,20 @@ | ||
-e git+https://github.com/tacoinfra/pybitcointools.git@aeb0a2bbb8bbfe421432d776c649650eaeb882a5#egg=bitcoin | ||
boto3==1.9.142 | ||
botocore==1.12.142 | ||
Click==7.0 | ||
docutils==0.14 | ||
pytezos==3.3.0 | ||
boto3==1.20.49 | ||
botocore==1.23.49 | ||
Click==8.0.3 | ||
docutils==0.18.1 | ||
dyndbmutex==0.4.0 | ||
Flask==1.0.2 | ||
itsdangerous==1.1.0 | ||
Jinja2==2.11.3 | ||
jmespath==0.9.4 | ||
MarkupSafe==1.1.1 | ||
Flask==2.0.2 | ||
itsdangerous==2.0.1 | ||
Jinja2==3.0.3 | ||
jmespath==0.10.0 | ||
MarkupSafe==2.0.1 | ||
PyKCS11==1.5.10 | ||
py-hsm==2.5.0 | ||
pyblake2==1.1.2 | ||
python-dateutil==2.8.0 | ||
s3transfer==0.2.0 | ||
six==1.12.0 | ||
urllib3==1.24.3 | ||
python-dateutil==2.8.2 | ||
s3transfer==0.5.1 | ||
six==1.16.0 | ||
urllib3==1.26.8 | ||
uuid==1.30 | ||
Werkzeug==0.15.3 | ||
Werkzeug==2.0.2 |