feat: read token from file and remove config from upload command

NibiruChain · Oct 24, 2023 · f36253b · f36253b
1 parent f167e65
commit f36253b
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 69 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,28 @@
+name: Build docker image
+
+on:
+  push:
+    branches:
+      - feat/add-vault-support
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ghcr.io/nibiruchain/tmkms:hashicorp
diff --git a/src/commands.rs b/src/commands.rs
@@ -85,8 +85,8 @@ impl Configurable<KmsConfig> for KmsCommand {
             KmsCommand::Yubihsm(yubihsm) => yubihsm.config_path(),
             #[cfg(feature = "ledger")]
             KmsCommand::Ledger(ledger) => ledger.config_path(),
-            #[cfg(feature = "hashicorp")]
-            KmsCommand::Hashicorp(hashicorp) => hashicorp.config_path(),
+            // #[cfg(feature = "hashicorp")]
+            // KmsCommand::Hashicorp(hashicorp) => hashicorp.config_path(),
             _ => return None,
         };
 

diff --git a/src/commands/hashicorp.rs b/src/commands/hashicorp.rs
@@ -8,7 +8,6 @@ pub use self::upload::UploadCommand;
 
 use abscissa_core::{Command, Runnable};
 use clap::Subcommand;
-use std::path::PathBuf;
 
 /// `hashicorp` subcommand
 #[derive(Command, Debug, Runnable, Subcommand)]
@@ -21,12 +20,12 @@ pub enum HashicorpCommand {
 }
 
 impl HashicorpCommand {
-    pub(super) fn config_path(&self) -> Option<&PathBuf> {
-        match self {
-            HashicorpCommand::Test(init) => init.config.as_ref(),
-            HashicorpCommand::Upload(init) => init.config.as_ref(),
-        }
-    }
+    // pub(super) fn config_path(&self) -> Option<&PathBuf> {
+    //     match self {
+    //         HashicorpCommand::Test(init) => init.config.as_ref(),
+    //         HashicorpCommand::Upload(_init) => None,
+    //     }
+    // }
 
     pub(super) fn verbose(&self) -> bool {
         match self {

diff --git a/src/commands/hashicorp/test.rs b/src/commands/hashicorp/test.rs
@@ -4,7 +4,7 @@ use crate::prelude::*;
 use abscissa_core::{Command, Runnable};
 use clap::Parser;
 use signature::SignerMut;
-use std::{path::PathBuf, process, time::Instant};
+use std::{fs, path::PathBuf, process, time::Instant};
 
 /// The `hashicorp test` subcommand
 #[derive(Command, Debug, Default, Parser)]
@@ -17,6 +17,7 @@ pub struct TestCommand {
         help = "/path/to/tmkms.toml"
     )]
     pub config: Option<PathBuf>,
+
     /// enable verbose debug logging
     #[clap(short = 'v', long = "verbose")]
     pub verbose: bool,
@@ -54,9 +55,12 @@ impl Runnable for TestCommand {
 
         let started_at = Instant::now();
 
+        let token = fs::read_to_string(&config.token_file)
+            .expect("Failed to read token from file");
+
         let app = crate::keyring::providers::hashicorp::client::TendermintValidatorApp::connect(
             &config.api_endpoint,
-            &config.access_token,
+            &token,
             &self.pk_name,
             "",
         )

diff --git a/src/commands/hashicorp/upload.rs b/src/commands/hashicorp/upload.rs
@@ -1,11 +1,11 @@
 //! Test the Hashicorp is working by performing signatures successively
 
-use crate::{config::provider::hashicorp::HashiCorpConfig, prelude::*};
+use crate::prelude::*;
 use abscissa_core::{Command, Runnable};
 use aes_kw;
 use clap::Parser;
 use serde::Serialize;
-use std::{path::PathBuf, process};
+use std::process;
 
 use crate::keyring::providers::hashicorp::{client, error};
 use rsa::{pkcs8::DecodePublicKey, PaddingScheme, PublicKey, RsaPublicKey};
@@ -18,15 +18,6 @@ const PKCS8_HEADER: &[u8; 16] = b"\x30\x2e\x02\x01\x00\x30\x05\x06\x03\x2b\x65\x
 /// The `hashicorp test` subcommand
 #[derive(Command, Debug, Default, Parser)]
 pub struct UploadCommand {
-    /// path to tmkms.toml
-    #[clap(
-        short = 'c',
-        long = "config",
-        value_name = "CONFIG",
-        help = "/path/to/tmkms.toml"
-    )]
-    pub config: Option<PathBuf>,
-
     /// enable verbose debug logging
     #[clap(short = 'v', long = "verbose")]
     pub verbose: bool,
@@ -49,60 +40,43 @@ struct ImportRequest {
 }
 
 impl Runnable for UploadCommand {
-    /// Perform a import using the current TMKMS configuration
+    /// Perform a import
     fn run(&self) {
         if self.pk_name.is_empty() {
             status_err!("pk_name cannot be empty!");
             process::exit(1);
         }
-
-        let config = APP.config();
-
-        //finding key in config will point to correct Vault's URL
-        let config = if let Some(c) = config
-            .providers
-            .hashicorp
-            .iter()
-            .find(|c| c.pk_name == self.pk_name)
-        {
-            c
-        } else {
-            let cfg_path = if let Some(path) = self.config.as_ref() {
-                path.clone()
-            } else {
-                PathBuf::from("./tmkms.toml")
-            };
-            status_err!(
-                "pk_name is not configured in provided \"{}\"!",
-                cfg_path.as_path().to_str().unwrap()
-            );
-            process::exit(1);
-        };
-
-        self.upload(config);
+        self.upload();
     }
 }
 
 impl UploadCommand {
-    fn upload(&self, config: &HashiCorpConfig) {
+    fn upload(&self) {
         //https://www.vaultproject.io/docs/secrets/transit#bring-your-own-key-byok
         //https://learn.hashicorp.com/tutorials/vault/eaas-transit
 
+        // API address
+        let vault_addr = std::env::var("VAULT_ADDR")
+            .expect("vault address \"VAULT_ADDR\" is not set!");
+
         //root token or token with enough admin rights
         let vault_token = std::env::var("VAULT_TOKEN")
-            .expect("root token \"VAULT_TOKEN\" is not set (confg token is NOT used)!");
+            .expect("root token \"VAULT_TOKEN\" is not set!");
+
+        // path to vault CA cert
+        let vault_ca = std::env::var("VAULT_CACERT").unwrap();
 
         let ed25519_input_key = input_key(&self.payload)
             .expect("secret: error converting \"key-to-upload\"[ed25519] with PKCS8 wrapping");
 
         //create app instance
         let app = client::TendermintValidatorApp::connect(
-            &config.api_endpoint,
+            &vault_addr,
             &vault_token,
             &self.pk_name,
-            &config.ca_cert,
+            &vault_ca,
         )
-        .unwrap_or_else(|_| panic!("Unable to connect to Vault at {}", config.api_endpoint));
+        .unwrap_or_else(|_| panic!("Unable to connect to Vault at {}", vault_addr));
 
         use aes_gcm::KeyInit;
         let v_aes_key = aes_gcm::Aes256Gcm::generate_key(&mut aes_gcm::aead::OsRng);
@@ -234,7 +208,6 @@ mod tests {
 
     const PK_NAME: &str = "upload-test";
     const VAULT_TOKEN: &str = "access-token";
-    const CHAIN_ID: &str = "mock-chain-id";
     const ED25519: &str =
         "4YZKJ/pfJj42tdcl40dXz/ugRgrBR0/Pp5C2kjHL6AZhBFozq5EspBwCb44zef0cLEO/WuLf3dI+BPCNOPwxRw==";
 
@@ -245,18 +218,11 @@ mod tests {
         let cmd = UploadCommand {
             verbose: false,
             pk_name: PK_NAME.into(),
-            config: None,
             payload: ED25519.into(),
         };
 
-        let config = HashiCorpConfig {
-            access_token: "crazy-long-string".into(),
-            api_endpoint: format!("http://{}", server_address()),
-            pk_name: PK_NAME.into(),
-            chain_id: tendermint::chain::Id::try_from(CHAIN_ID).unwrap(),
-        };
-
         std::env::set_var("VAULT_TOKEN", VAULT_TOKEN);
+        std::env::set_var("VAULT_ADDR", format!("http://{}", server_address()));
 
         //init
         let lookup_self = mock("GET", "/v1/auth/token/lookup-self")
@@ -279,7 +245,7 @@ mod tests {
             .create();
 
         //test
-        cmd.upload(&config);
+        cmd.upload();
 
         lookup_self.assert();
         export.assert();

diff --git a/src/commands/init/templates/keyring/hashicorp.toml b/src/commands/init/templates/keyring/hashicorp.toml
@@ -3,8 +3,8 @@
 chain_id = "$CHAIN_ID"
 #Vault's api url - VAULT_ADDR
 api_endpoint= "http://127.0.0.1:8200"
-#Vault's access token - vault token create -policy=<tmkms-transit-sign-policy>
-access_token="hvs.CAESINi91lCOFj-_dOGiUfpdZUPKk93LD8YyHz-qZcYLVwH_Gh4KHGh2cy5kdXV1T2tpcXliakFFblU1SUpqanczYjU"
+#Vault's access token path - path to file containing vault token
+token_file="path/to/token/file"
 #Vault's transit secret engine key - vault write transit/keys/<cosmoshub-sign-key> type=ed25519
 pk_name="cosmoshub-sign-key"
 #Path to CA certificate to be used to connect to vault

diff --git a/src/config/provider/hashicorp.rs b/src/config/provider/hashicorp.rs
@@ -14,7 +14,7 @@ pub struct HashiCorpConfig {
     pub api_endpoint: String,
 
     /// Access token for authenticating to HashiCorp Vault
-    pub access_token: String,
+    pub token_file: String,
 
     /// Vault's key name with ed25519 pub+priv key
     pub pk_name: String,

diff --git a/src/keyring/providers/hashicorp.rs b/src/keyring/providers/hashicorp.rs
@@ -3,6 +3,7 @@ pub(crate) mod client;
 pub(crate) mod error;
 pub(crate) mod signer;
 
+use std::fs;
 use crate::{
     chain,
     config::provider::hashicorp::HashiCorpConfig,
@@ -40,9 +41,12 @@ pub fn init(
             chains.push(config.chain_id.to_string())
         }
 
+        let token = fs::read_to_string(&config.token_file)
+            .expect("Failed to read token from file");
+
         let mut app = client::TendermintValidatorApp::connect(
             &config.api_endpoint,
-            &config.access_token,
+            &token,
             &config.pk_name,
             &config.ca_cert,
         )

diff --git a/tmkms-hashicorp.toml b/tmkms-hashicorp.toml
@@ -18,13 +18,13 @@ state_file = "/home/soleinik/work/rust/tmkms/state/cosmoshub-3-consensus.json"
 [[providers.hashicorp]]
 chain_id = "cosmoshub-4"
 api_endpoint= "http://127.0.0.1:8200"
-access_token="hvs.CAESIBwDAKQh2JKuxibeHOV-jmc2T68loAKLNWO2_QX1l7L3Gh4KHGh2cy5iYnRJRVVLdHBqTVMwUGdLZFNGWjNCZkc"
+token="path/to/token/file"
 pk_name="cosmoshub-sign-key"
 
 [[providers.hashicorp]]
 chain_id = "cosmoshub-4"
 api_endpoint= "http://127.0.0.1:8200"
-access_token="hvs.CAESIBwDAKQh2JKuxibeHOV-jmc2T68loAKLNWO2_QX1l7L3Gh4KHGh2cy5iYnRJRVVLdHBqTVMwUGdLZFNGWjNCZkc"
+token="path/to/token/file"
 pk_name="cosmoshub-sign-key"