From 7bf37433208e06b3c5f95651cfe9de9c8595af63 Mon Sep 17 00:00:00 2001 From: David Dornseifer Date: Thu, 19 Dec 2024 13:59:55 +0100 Subject: [PATCH 1/2] Fix IMDSv2 token handling and docker permissions * Made blueprint IMDSv2 compatible and extended hop_limit to 3 * Updated cdk and crypto libraries to current stable versions * Added extended permissions to inbound TCP proxy running on EC2 parent instance due to changed docker security model * Made blueprint ARM build compatible by adding LINUX_AMD64 as target platform * Added troubleshooting section about `buildx/arm` related build issues --- README.md | 21 ++++++ .../eth2/lambda/layer/requirements.txt | 6 +- application/eth2/watchdog/watchdog.py | 66 ++++++++++++------- nitro_wallet/nitro_wallet_stack.py | 11 +++- requirements-dev.txt | 10 +-- requirements.txt | 8 +-- .../load_validator_keys.py | 9 ++- scripts/load_validator_keys/requirements.txt | 44 ++++++------- scripts/start_signing_service.sh | 25 +++++-- tests/e2e/e2e_setup.sh | 17 ++++- tests/e2e/web3signer_status.sh | 8 ++- user_data/user_data.sh | 8 ++- 12 files changed, 159 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index 23942dd..f5a9b9e 100644 --- a/README.md +++ b/README.md
@@ -177,6 +177,27 @@ cdk deploy prodNitroSigner -O output.json Follow all subsequent steps from the dev deployment pointed out above. +## Troubleshooting + +**Docker Image Push/Pull Error** +* On `building` instance during `cdk deploy` step: +```shell +devNitroWalletEth: fail: docker push 012345678910.dkr.ecr.us-east-1.amazonaws.com/cdk-hnb659fds-container-assets-012345678910-us-east-1:ab3fe... exited with error code 1: failed commit on ref "manifest-sha256:7141...": unexpected status from PUT request to https://012345678910.dkr.ecr.us-east-1.amazonaws.com/v2/cdk-hnb659fds-container-assets-012345678910-us-east-1/manifests/ab3fe...: 400 Bad Request +Failed to publish asset ab3fe...:012345678910-us-east-1 +``` + +* On EC2 instance pulling docker container +```shell +ab3fe...: Pulling from cdk-hnb659fds-container-assets-012345678910-us-east-1 +unsupported media type application/vnd.in-toto+json +``` + +**Solution** +* Issue might be related building and publishing docker containers from an `arm` based instances such as Apple Silicon, requiring docker `buildx` [issue](https://github.com/aws/aws-cdk/issues/30258) +* Cleanup images from local docker repository (`docker rmi ...`) and from Amazon Elastic Container Registry (ECR) e.g. via AWS console +* Set environment variable in terminal session (`export BUILDX_NO_DEFAULT_ATTESTATIONS=1`) or specify it during cdk deployment (`BUILDX_NO_DEFAULT_ATTESTATIONS=1 cdk deploy`) + + ## Security See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. diff --git a/application/eth2/lambda/layer/requirements.txt b/application/eth2/lambda/layer/requirements.txt index c636a8e..553c57d 100644 --- a/application/eth2/lambda/layer/requirements.txt +++ b/application/eth2/lambda/layer/requirements.txt 
@@ -1,3 +1,3 @@
-cryptography==39.0.2 ; python_version >= "3.9" and python_version < "4"
-requests>=2.28.1 ; python_version >= "3.9" and python_version < "4"
-urllib3<2; python_version >= "3.9" and python_version < "4"
\ No newline at end of file
+cryptography==41.0.7
+requests>=2.31.0
+urllib3==2.1.0
diff --git a/application/eth2/watchdog/watchdog.py b/application/eth2/watchdog/watchdog.py
index ccf8c25..7f2582b 100644
--- a/application/eth2/watchdog/watchdog.py
+++ b/application/eth2/watchdog/watchdog.py
@@ -28,29 +28,51 @@ _logger.addHandler(handler) -def get_aws_session_token() -> dict: +def get_imds_token(): http_ec2_client = client.HTTPConnection("169.254.169.254") - http_ec2_client.request("GET", "/latest/meta-data/iam/security-credentials/") - r = http_ec2_client.getresponse() + headers = { + "X-aws-ec2-metadata-token-ttl-seconds": "21600" # Token valid for 6 hours + } + http_ec2_client.request("PUT", "/latest/api/token", headers=headers) + token_response = http_ec2_client.getresponse() + return token_response.read().decode() - instance_profile_name = r.read().decode() - http_ec2_client = client.HTTPConnection("169.254.169.254") - http_ec2_client.request( - "GET", - f"/latest/meta-data/iam/security-credentials/{instance_profile_name}", - ) - r = http_ec2_client.getresponse() +def get_aws_session_token(): + try: + token = get_imds_token() - response = json.loads(r.read()) + http_ec2_client = client.HTTPConnection("169.254.169.254") + headers = {"X-aws-ec2-metadata-token": token} - credential = { - "access_key_id": response["AccessKeyId"], - "secret_access_key": response["SecretAccessKey"], - "token": response["Token"], - } + # Get instance profile name + http_ec2_client.request( + "GET", + "/latest/meta-data/iam/security-credentials/", + headers=headers + ) + r = http_ec2_client.getresponse() + instance_profile_name = r.read().decode() + + # Get credentials + http_ec2_client.request( + "GET", + f"/latest/meta-data/iam/security-credentials/{instance_profile_name}", + headers=headers + ) + r = http_ec2_client.getresponse() + response = json.loads(r.read()) + return { + "access_key_id": response["AccessKeyId"], + "secret_access_key": response["SecretAccessKey"], + "token": response["Token"], + } - return credential + except Exception as e: + raise Exception(f"Failed to retrieve instance credentials: {str(e)}") + finally: + if 'http_ec2_client' in locals(): + http_ec2_client.close() def get_cloudformation_stack_id(cf_stack_name: str) -> str: 
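Review bot: `get_imds_token` never checks `token_response.status`, so when the PUT is refused (IMDS answers 403 when the endpoint or IMDSv2 is disabled) the error body is returned and sent on as the `X-aws-ec2-metadata-token` header, and the failure only surfaces later as a JSON decode error inside the broad `except Exception`. Both `client.HTTPConnection("169.254.169.254")` calls are also created without a `timeout`, which matters here because an exhausted hop limit produces no error response at all — the PUT reply is simply dropped in transit — so the watchdog would hang rather than fail. In `get_aws_session_token` the `'http_ec2_client' in locals()` probe in `finally` goes away if the connection is opened before the `try`, and the re-raise should keep its cause: `raise RuntimeError(f"Failed to retrieve instance credentials: {e}") from e`. The rewritten `get_imds_token` below adds the status check and timeout; the same `resp.status != 200` guard belongs in front of both credential reads in `get_aws_session_token`.
```python
def get_imds_token() -> str:
    """Fetch an IMDSv2 session token, raising instead of returning an error body."""
    # link-local endpoint: anything slower than a couple of seconds means it is unreachable
    conn = client.HTTPConnection("169.254.169.254", timeout=2)
    try:
        conn.request(
            "PUT",
            "/latest/api/token",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"},  # 6 hours, the maximum
        )
        resp = conn.getresponse()
        body = resp.read().decode()
        # a non-200 here is "IMDS disabled" or similar; never pass the body on as a token
        if resp.status != 200:
            raise RuntimeError(f"IMDSv2 token request failed: {resp.status} {body}")
        return body
    finally:
        conn.close()

# … unchanged: get_aws_session_token …
```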
@@ -92,8 +114,8 @@ def nitro_cli_describe_call(name: str = None) -> bool: return False if ( - response[0].get("EnclaveName") != name - and response[0].get("State") != "Running" + response[0].get("EnclaveName") != name + and response[0].get("State") != "Running" ): return False @@ -230,7 +252,7 @@ def get_encrypted_tls_key(tls_keys_table_name: str, key_id=1) -> str: def init_web3signer_call( - tls_keys_table_name: str, cf_stack_name: str, validator_keys_table_name: str + tls_keys_table_name: str, cf_stack_name: str, validator_keys_table_name: str ) -> None: uuid = get_cloudformation_stack_id(cf_stack_name) encrypted_validator_keys = get_encrypted_validator_keys( @@ -238,11 +260,11 @@ def init_web3signer_call( ) encrypted_tls_key = get_encrypted_tls_key(tls_keys_table_name=tls_keys_table_name) - credential = get_aws_session_token() + credentials = get_aws_session_token() payload = { "operation": "init", - "credential": credential, + "credential": credentials, "encrypted_tls_key": encrypted_tls_key, "encrypted_validator_keys": encrypted_validator_keys, } diff --git a/nitro_wallet/nitro_wallet_stack.py b/nitro_wallet/nitro_wallet_stack.py index 81ccffe..fcf50a6 100644 --- a/nitro_wallet/nitro_wallet_stack.py +++ b/nitro_wallet/nitro_wallet_stack.py @@ -94,6 +94,9 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: "EthereumSigningServerImage", directory="./application/{}/server".format(application_type), build_args={"REGION_ARG": self.region, "LOG_LEVEL_ARG": log_level}, + platform=ecr_assets.Platform.LINUX_AMD64, + asset_name="EthereumSigningServerImage" + ) signing_enclave_image = ecr_assets.DockerImageAsset( 
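Review bot: The added `asset_name="EthereumSigningServerImage"` line has no trailing comma and is followed by an added blank line inside the argument list, unlike the matching enclave-image hunk that follows, so the two `DockerImageAsset` calls no longer look alike; `black` from requirements-dev.txt would add the comma, and the blank line should go. The `platform=ecr_assets.Platform.LINUX_AMD64` pin deserves a one-line comment tying it to the `X86_64` Lambda architecture added in the same commit, e.g. `# build x86_64 images even on arm64 (Apple Silicon) hosts; the stack's instances and Lambda are x86_64`, so it is not "cleaned up" later. The enclosing `__init__` starts and ends outside the hunk.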
@@ -101,6 +104,8 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: "EthereumSigningEnclaveImage", directory="./application/{}/enclave".format(application_type), build_args={"REGION_ARG": self.region, "LOG_LEVEL_ARG": log_level}, + platform=ecr_assets.Platform.LINUX_AMD64, + asset_name="EthereumSigningEnclaveImage" ) watchdog = s3_assets.Asset( @@ -227,6 +232,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: block_devices=[block_device], role=role, security_group=nitro_instance_sg, + http_put_response_hop_limit=3 ) nitro_nlb = elbv2.NetworkLoadBalancer( @@ -292,7 +298,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: self, "NitroInvokeLambdaLayer", entry="application/{}/lambda/layer".format(params["application_type"]), - compatible_runtimes=[lambda_.Runtime.PYTHON_3_9], + compatible_runtimes=[lambda_.Runtime.PYTHON_3_11], ) invoke_lambda = lambda_python.PythonFunction( @@ -301,7 +307,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: entry="application/{}/lambda/NitroInvoke".format(params["application_type"]), handler="lambda_handler", index="lambda_function.py", - runtime=lambda_.Runtime.PYTHON_3_9, + runtime=lambda_.Runtime.PYTHON_3_11, timeout=Duration.minutes(2), memory_size=256, environment={ @@ -314,6 +320,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS), security_groups=[signer_client_sg], + architecture=lambda_.Architecture.X86_64 ) encryption_key.grant_encrypt(invoke_lambda) diff --git a/requirements-dev.txt b/requirements-dev.txt index 1078a19..ef5ce5e 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt 
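Review bot: `http_put_response_hop_limit=3` makes the IMDSv2 token — and with it the instance role's credentials — obtainable from any container on the host that is up to two network hops away, not only the signing proxy, and because no `http_tokens`/`require_imdsv2` setting is added alongside it, IMDSv1 (no token, not subject to the hop limit) stays available to those containers as well. The commit message only says the limit was "extended to 3"; a container behind the default docker bridge is normally reachable with 2, so the reason 3 is required should be stated in a comment on the line. Now that watchdog.py and user_data.sh both speak IMDSv2, the launch configuration can enforce it: `http_put_response_hop_limit=2,` and `http_tokens=ec2.LaunchTemplateHttpTokens.REQUIRED,` (assuming this is an `ec2.LaunchTemplate`; its constructor call begins outside the hunk). The surrounding `__init__` continues outside this hunk.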
@@ -1,5 +1,5 @@ -pytest==6.2.5 ; python_version >= "3.9" and python_version < "3.10" -black>=22.10.0 ; python_version >= "3.9" and python_version < "3.10" -pre-commit>=2.20.0 ; python_version >= "3.9" and python_version < "3.10" -bandit>=1.7.4 ; python_version >= "3.9" and python_version < "3.10" -flake8==7.0.0 ; python_version >= "3.9" and python_version < "3.10" +pytest==7.4.4 +black>=23.12.1 +pre-commit>=3.6.0 +bandit>=1.7.6 +flake8==7.0.0 diff --git a/requirements.txt b/requirements.txt index 0ed5d8b..291cf5b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -aws-cdk-lib==2.51.1 ; python_version >= "3.9" and python_version < "3.10" -constructs>=10.0.0,<11.0.0 ; python_version >= "3.9" and python_version < "3.10" -aws-cdk.aws-lambda-python-alpha==2.51.0a0 ; python_version >= "3.9" and python_version < "3.10" -cdk-nag>=2.21.11 ; python_version >= "3.9" and python_version < "3.10" \ No newline at end of file +aws-cdk-lib==2.98.0 +constructs==10.1.271 +aws-cdk.aws-lambda-python-alpha==2.51.0a0 +cdk-nag==2.27.88 \ No newline at end of file diff --git a/scripts/load_validator_keys/load_validator_keys.py b/scripts/load_validator_keys/load_validator_keys.py index 4e105bb..bea0837 100644 --- a/scripts/load_validator_keys/load_validator_keys.py +++ b/scripts/load_validator_keys/load_validator_keys.py @@ -78,12 +78,11 @@ def verify_keystore(credential: Credential, keystore: Keystore, password: str) - def main( - num_validators=5, - mnemonic_language="english", - chain="goerli", - eth1_withdrawal_address="0x6F4b46423fc6181a0cF34e6716c220BD4d6C2471", + num_validators=5, + mnemonic_language="english", + chain="sepolia", + eth1_withdrawal_address="0x6F4b46423fc6181a0cF34e6716c220BD4d6C2471", ) -> list: - if kms_key_arn is None: raise ValueError("Specify KMS_KEY_ARN environment variable") diff --git a/scripts/load_validator_keys/requirements.txt b/scripts/load_validator_keys/requirements.txt index d45a20d..bda8c99 100644 
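Review bot: `main()` still defaults `eth1_withdrawal_address` to a hard-coded address (`0x6F4b...2471`) and this hunk only re-indents that line; for a key-loading script the withdrawal address is the one value a forgotten override cannot be undone for, so it should have no default and be read from the environment the way `KMS_KEY_ARN` is, with a checksum check before use (`if eth1_withdrawal_address is None: raise ValueError("Specify ETH1_WITHDRAWAL_ADDRESS environment variable")`). The `chain` default moving from `goerli` to `sepolia` is presumably also only meant for the e2e run; a one-line comment on the parameters saying the defaults are test-only would make that explicit. `main` continues outside the hunk.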
--- a/scripts/load_validator_keys/requirements.txt
+++ b/scripts/load_validator_keys/requirements.txt
@@ -1,22 +1,22 @@
-boto3>=1.26.14 ; python_version >= "3.9" and python_version < "3.10"
-botocore>=1.29.14 ; python_version >= "3.9" and python_version < "3.10"
-cached-property==1.5.2 ; python_version >= "3.9" and python_version < "3.10"
-click==8.1.3 ; python_version >= "3.9" and python_version < "3.10"
-cytoolz==0.11.2 ; python_version >= "3.9" and python_version < "3.10"
-eth-hash==0.3.2 ; python_version >= "3.9" and python_version < "3.10"
-eth-typing==2.3.0 ; python_version >= "3.9" and python_version < "3.10"
-eth-utils==1.10.0 ; python_version >= "3.9" and python_version < "3.10"
-jmespath==1.0.1 ; python_version >= "3.9" and python_version < "3.10"
-lru-dict==1.1.7 ; python_version >= "3.9" and python_version < "3.10"
-mypy-extensions==0.4.3 ; python_version >= "3.9" and python_version < "3.10"
-py-ecc==5.2.0 ; python_version >= "3.9" and python_version < "3.10"
-pycryptodome==3.14.1 ; python_version >= "3.9" and python_version < "3.10"
-pyrsistent==0.16.1 ; python_version >= "3.9" and python_version < "3.10"
-python-dateutil==2.8.2 ; python_version >= "3.9" and python_version < "3.10"
-s3transfer==0.6.0 ; python_version >= "3.9" and python_version < "3.10"
-six==1.16.0 ; python_version >= "3.9" and python_version < "3.10"
-ssz==0.2.4 ; python_version >= "3.9" and python_version < "3.10"
-staking-deposit @ git+https://github.com/ethereum/staking-deposit-cli.git@v2.3.0 ; python_version >= "3.9" and python_version < "3.10"
-toolz==0.11.2 ; python_version >= "3.9" and python_version < "3.10"
-urllib3==1.26.12 ; python_version >= "3.9" and python_version < "3.10"
-cryptography==39.0.2 ; python_version >= "3.9" and python_version < "3.10"
+boto3==1.34.14
+botocore==1.34.14
+cached-property==1.5.2
+click==8.1.7
+cytoolz==0.12.2
+eth-hash==0.5.2
+eth-typing==3.5.1
+eth-utils==2.3.1
+jmespath==1.0.1
+lru-dict==1.2.0
+mypy-extensions==1.0.0
+py-ecc==6.0.0
+pycryptodome==3.19.0
+pyrsistent>=0.16.0
+python-dateutil==2.8.2
+s3transfer==0.10.0
+six==1.16.0
+ssz==0.3.1
+staking-deposit @ git+https://github.com/ethereum/staking-deposit-cli.git@v2.8.0
+toolz==0.12.0
+urllib3<2.1.0
+cryptography==41.0.7
diff --git a/scripts/start_signing_service.sh b/scripts/start_signing_service.sh
index 93c0b62..a9431ef 100755
--- a/scripts/start_signing_service.sh
+++ b/scripts/start_signing_service.sh
@@ -13,18 +13,35 @@ web3signer_init_flag_param_name=$(jq -r '."'${stack_name}'"."Web3SignerInitFlagP instance_ids=$(./scripts/get_asg_instances.sh ${asg_name} | tr "\n" " ") -start_command_id=$(aws ssm send-command --region "${CDK_DEPLOY_REGION}" --document-name "AWS-RunShellScript" --instance-ids ${instance_ids} --parameters 'commands=["sudo systemctl start nitro-signing-server.service"]' | jq -r '.Command.CommandId') +start_command_id=$(aws ssm send-command \ + --region "${CDK_DEPLOY_REGION}" \ + --document-name "AWS-RunShellScript" \ + --instance-ids ${instance_ids} \ + --parameters 'commands=["sudo systemctl start nitro-signing-server.service"]' | jq -r '.Command.CommandId') sleep 15 -status_command_id_hot=$(aws ssm send-command --region "${CDK_DEPLOY_REGION}" --document-name "AWS-RunShellScript" --instance-ids ${instance_ids} --parameters 'commands=["sudo systemctl status nitro-signing-server.service"]' | jq -r '.Command.CommandId') +status_command_id_hot=$(aws ssm send-command \ + --region "${CDK_DEPLOY_REGION}" \ + --document-name "AWS-RunShellScript" \ + --instance-ids ${instance_ids} \ + --parameters 'commands=["sudo systemctl status nitro-signing-server.service"]' | jq -r '.Command.CommandId') instance_ids_nl=$(echo ${instance_ids} | tr "\n " " ") for instance_id in ${instance_ids_nl}; do - status=$(aws ssm list-command-invocations --instance-id ${instance_id} --command-id ${status_command_id_hot} --details | jq -r '.CommandInvocations[0].CommandPlugins[0].Output') + status=$(aws ssm list-command-invocations \ + --instance-id ${instance_id} \ + --command-id ${status_command_id_hot} \ + --details | jq -r '.CommandInvocations[0].CommandPlugins[0].Output') echo "${instance_id}:" echo ${status} done -aws ssm put-parameter --name "${web3signer_init_flag_param_name}" --type "String" --value "true" --overwrite +aws ssm put-parameter \ + --name "${web3signer_init_flag_param_name}" \ + --type "String" \ + --value "true" \ + --overwrite \ + --region 
${CDK_DEPLOY_REGION} \ + --no-cli-pager printf "\n%s\n" "($(date '+%d/%m/%Y %H:%M:%S')) service has been started and is healthy" \ No newline at end of file diff --git a/tests/e2e/e2e_setup.sh b/tests/e2e/e2e_setup.sh index 62c4447..814de7d 100755 --- a/tests/e2e/e2e_setup.sh +++ b/tests/e2e/e2e_setup.sh @@ -3,10 +3,11 @@ # SPDX-License-Identifier: MIT-0 set -e -set -x +set +x export CDK_DEPLOY_REGION=us-east-1 export CDK_DEPLOY_ACCOUNT=$(aws sts get-caller-identity | jq -r '.Account') +export BUILDX_NO_DEFAULT_ATTESTATIONS=1 ./scripts/build_kmstool_enclave_cli.sh cdk deploy devNitroValidator -O nitro_validator_output.json --require-approval=never @@ -22,7 +23,17 @@ python3 load_validator_keys.py cd ../.. ./scripts/generate_key_policy.sh nitro_validator_output.json >key_policy.json -aws kms put-key-policy --policy-name default --key-id "${KMS_KEY_ARN}" --policy file://key_policy.json -aws lambda invoke --function-name "${FUNCTION_ARN}" --cli-binary-format raw-in-base64-out --payload '{"operation": "set_tls_key"}' lambda-output +aws kms put-key-policy \ + --policy-name default \ + --key-id "${KMS_KEY_ARN}" \ + --policy file://key_policy.json \ + --region ${CDK_DEPLOY_REGION} \ + --no-cli-pager + +aws lambda invoke --no-cli-pager \ + --function-name "${FUNCTION_ARN}" \ + --region "${CDK_DEPLOY_REGION}" \ + --cli-binary-format raw-in-base64-out \ + --payload '{"operation": "set_tls_key"}' lambda-output ./scripts/start_signing_service.sh nitro_validator_output.json ./tests/e2e/web3signer_status.sh nitro_validator_output.json diff --git a/tests/e2e/web3signer_status.sh b/tests/e2e/web3signer_status.sh index 6442f22..ce8c83a 100755 --- a/tests/e2e/web3signer_status.sh +++ b/tests/e2e/web3signer_status.sh 
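Review bot: The script ends by writing `true` to `web3signer_init_flag_param_name` and printing "service has been started and is healthy", yet nothing in the loop above evaluates the `systemctl status` result — the plugin `Output` is only echoed — so the init flag is set even when the unit failed to start on one or all instances. The invocation is also listed straight after `send-command`, so it may still be `InProgress` with no plugin output; an `aws ssm wait command-executed --region "${CDK_DEPLOY_REGION}" --command-id "${status_command_id_hot}" --instance-id "${instance_id}"` before reading it closes that gap. The loop below keeps the JSON, checks the plugin `ResponseCode` (`systemctl status` exits non-zero for an inactive or failed unit) and exits before the parameter is written; whether the flag should ever be written on partial success is a decision for the authors. The unquoted `${instance_ids}` expansions are relied on for word splitting, which is fine but deserves a comment.
```shell
for instance_id in ${instance_ids_nl}; do
  invocation=$(aws ssm list-command-invocations \
    --region "${CDK_DEPLOY_REGION}" \
    --instance-id "${instance_id}" \
    --command-id "${status_command_id_hot}" \
    --details)
  status=$(echo "${invocation}" | jq -r '.CommandInvocations[0].CommandPlugins[0].Output')
  # systemctl status exits non-zero when the unit is not active; SSM reports that as ResponseCode
  rc=$(echo "${invocation}" | jq -r '.CommandInvocations[0].CommandPlugins[0].ResponseCode')
  echo "${instance_id}:"
  echo "${status}"
  if [[ "${rc}" != "0" ]]; then
    echo "nitro-signing-server.service is not healthy on ${instance_id}; leaving init flag untouched" >&2
    exit 1
  fi
done
# … unchanged: aws ssm put-parameter … and the final printf …
```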
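Review bot: `export BUILDX_NO_DEFAULT_ATTESTATIONS=1` drops the provenance and SBOM attestations buildx attaches to every image `cdk deploy` builds, the enclave image included, and the README troubleshooting entry is the only place that says why; the export needs the reason next to it, `# ECR / docker on the instance reject buildx's in-toto attestation manifest (aws/aws-cdk#30258): disable provenance+SBOM generation`. That is a supply-chain trade-off rather than a fix — the images lose their build provenance — so if the enclave measurements are recorded elsewhere that should be stated, and otherwise keeping attestations on and cleaning the registry as the README also suggests may be preferable. The switch from `set -x` to `set +x` is unexplained; if it is meant to keep account IDs and ARNs out of CI logs, a comment saying so would help.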
@@ -19,7 +19,13 @@ function send_request() { printf "\n%s\n" "$(date '+%d/%m/%Y %H:%M:%S'): sending request" echo "${GENERIC_REQUEST}" | jq '.operation="'${1}'"' >.tmp.payload # $( echo ${payload} | jq -R -s '.') - aws lambda invoke --cli-binary-format raw-in-base64-out --function-name "${lambda_function_name}" --payload file://.tmp.payload .tmp.out + # --no-cli-pager requires aws cliv2 + aws lambda invoke \ + --no-cli-pager \ + --cli-binary-format raw-in-base64-out \ + --region "${CDK_DEPLOY_REGION}" \ + --function-name "${lambda_function_name}" \ + --payload file://.tmp.payload .tmp.out echo "result: $(<.tmp.out)" rm -rf .tmp.out .tmp.payload } diff --git a/user_data/user_data.sh b/user_data/user_data.sh index 62bc31e..0421458 100644 --- a/user_data/user_data.sh +++ b/user_data/user_data.sh @@ -74,8 +74,10 @@ if [[ ! -d ./app/server ]]; then set -x set -e -account_id=$( aws sts get-caller-identity | jq -r '.Account' ) -region=$( curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region' ) +token=$( curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" ) +account_id=$( curl -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.accountId' ) +region=$( curl -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/placement/region ) + aws ecr get-login-password --region $region | docker login --username AWS --password-stdin $account_id.dkr.ecr.$region.amazonaws.com docker pull ${__SIGNING_SERVER_IMAGE_URI__} docker pull ${__SIGNING_ENCLAVE_IMAGE_URI__} @@ -111,5 +113,5 @@ if [[ $init_flag == "true" ]]; then fi # docker over system process manager -sudo docker run -d --restart unless-stopped --name http_server -p 8443:443 ${__SIGNING_SERVER_IMAGE_URI__} +sudo docker run -d --restart unless-stopped --security-opt seccomp=unconfined --name http_server -p 8443:443 ${__SIGNING_SERVER_IMAGE_URI__} --//-- 
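Review bot: The three new `curl` calls carry no `-f`/`-s`/`--connect-timeout`, and the `curl | jq` pipelines run without `set -o pipefail`, so a refused or hanging token PUT leaves `token` empty (or holding an error page), `account_id` becomes the literal `null`, and `docker login` is attempted against `null.dkr.ecr.<region>.amazonaws.com` instead of the script stopping at the existing `set -e`. `token=$( curl -sSf --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" )` plus `-sSf` on the two GETs and `set -o pipefail` beside `set -e` make the failure stop where it occurs; `"$token"` should also be quoted inside the header argument. The surrounding `if [[ ! -d ./app/server ]]` block starts outside the hunk.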
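Review bot: `--security-opt seccomp=unconfined` removes the entire default syscall filter from `http_server`, the container that receives traffic from the NLB, when the commit message describes a single missing permission under the newer Docker security model (presumably `socket(AF_VSOCK, …)` for the enclave proxy, which recent default profiles block — confirm). The narrower fix is a custom profile derived from Docker's default that adds only that rule, shipped next to the user data and passed as `--security-opt seccomp=/opt/nitro/seccomp-vsock.json`; at minimum the reason belongs on the line, `# default seccomp profile blocks AF_VSOCK sockets needed to reach the enclave`. The `docker run` line is the last in the file, so this is the only place the container's hardening is set.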
From dfb160ad0f2949ce4ceb76549b3d6f12b61671e6 Mon Sep 17 00:00:00 2001 From: David Dornseifer Date: Fri, 20 Dec 2024 11:19:27 +0100 Subject: [PATCH 2/2] Fix missing region statements/e2e test condition * added missing region statements in key creation * fixed e2e_test bash script --- README.md | 3 +-- scripts/load_validator_keys/load_validator_keys.py | 11 ++++++++--- scripts/start_signing_service.sh | 1 + tests/e2e/e2e_setup.sh | 12 ++++++++++++ tests/e2e/web3signer_status.sh | 5 ++--- 5 files changed, 24 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index f5a9b9e..b66003d 100644 --- a/README.md +++ b/README.md @@ -85,10 +85,9 @@ The following table provides a sample cost breakdown for deploying this Guidance * An [AWS Identity and Access Management](http://aws.amazon.com/iam) (IAM) user with administrator access * [Configured AWS credentials](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html#getting_started_prerequisites) * [Docker](https://docs.docker.com/get-docker/), [Node.js](https://nodejs.org/en/download/) - , [Python 3.9](https://www.python.org/downloads/release/python-3916), [pip](https://pip.pypa.io/en/stable/installing/), + , [>=Python 3.11](https://www.python.org/downloads/release/python-3110/), [pip](https://pip.pypa.io/en/stable/installing/), and [jq](https://stedolan.github.io/jq/) installed on the workstation that you plan to deploy the guidance from. -Note that the guidance is **only** compatible with Python 3.9. ### Deploy with AWS CDK diff --git a/scripts/load_validator_keys/load_validator_keys.py b/scripts/load_validator_keys/load_validator_keys.py index bea0837..77739fc 100644 --- a/scripts/load_validator_keys/load_validator_keys.py +++ b/scripts/load_validator_keys/load_validator_keys.py 
@@ -37,12 +37,16 @@ logger.addHandler(handler) logger.propagate = False +region = os.getenv("CDK_DEPLOY_REGION", "us-east-1") + kms_key_arn = os.getenv("KMS_KEY_ARN") table_name = os.getenv("DDB_TABLE_NAME") cf_stack_name = os.getenv("CF_STACK_NAME") -client_kms = boto3.client("kms") -dynamodb = boto3.resource("dynamodb") +client_kms = boto3.client(service_name="kms", + region_name=region) +dynamodb = boto3.resource(service_name="dynamodb", + region_name=region) words_list_path = "word_lists" @@ -50,7 +54,8 @@ def get_cloudformation_stack_id(cf_stack_name): """Get CF Stack ID""" - client = boto3.client(service_name="cloudformation") + client = boto3.client(service_name="cloudformation", + region_name=region) try: response = client.describe_stacks( diff --git a/scripts/start_signing_service.sh b/scripts/start_signing_service.sh index a9431ef..474b13d 100755 --- a/scripts/start_signing_service.sh +++ b/scripts/start_signing_service.sh @@ -29,6 +29,7 @@ status_command_id_hot=$(aws ssm send-command \ instance_ids_nl=$(echo ${instance_ids} | tr "\n " " ") for instance_id in ${instance_ids_nl}; do status=$(aws ssm list-command-invocations \ + --region ${CDK_DEPLOY_REGION} \ --instance-id ${instance_id} \ --command-id ${status_command_id_hot} \ --details | jq -r '.CommandInvocations[0].CommandPlugins[0].Output') diff --git a/tests/e2e/e2e_setup.sh b/tests/e2e/e2e_setup.sh index 814de7d..50bd320 100755 --- a/tests/e2e/e2e_setup.sh +++ b/tests/e2e/e2e_setup.sh @@ -9,7 +9,10 @@ export CDK_DEPLOY_REGION=us-east-1 export CDK_DEPLOY_ACCOUNT=$(aws sts get-caller-identity | jq -r '.Account') export BUILDX_NO_DEFAULT_ATTESTATIONS=1 +printf "building kmstool_enclave_cli\n" ./scripts/build_kmstool_enclave_cli.sh + +printf "deploying cdk stack" cdk deploy devNitroValidator -O nitro_validator_output.json --require-approval=never export CF_STACK_NAME=$(jq -r '. |= keys | .[0]' nitro_validator_output.json) 
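Review bot: `region = os.getenv("CDK_DEPLOY_REGION", "us-east-1")` silently falls back to `us-east-1`, so a run without the variable talks to a different region than the `KMS_KEY_ARN` the script insists on, and the encrypt/put calls fail with not-found or, worse, land in a same-named table that happens to exist there. The region is already inside the ARN, so either derive it from there to keep the two in step — `region = os.getenv("CDK_DEPLOY_REGION") or kms_key_arn.split(":")[3]` — or treat it like `KMS_KEY_ARN` and `raise ValueError("Specify CDK_DEPLOY_REGION environment variable")` when missing. Either way the check has to run before the module-level `boto3.client`/`boto3.resource` calls, which currently execute at import time with whatever `region` resolved to; the `kms_key_arn is None` check in `main` is too late for them.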
@@ -17,12 +20,16 @@ export KMS_KEY_ARN=$(jq -r ".$CF_STACK_NAME.KMSKeyARN" nitro_validator_output.js export DDB_TABLE_NAME=$(jq -r ".${CF_STACK_NAME}.ValidatorKeysTableName" nitro_validator_output.json) export FUNCTION_ARN=$(jq -r ".${CF_STACK_NAME}.LambdaFunctionArn" nitro_validator_output.json) +printf "loading validator keys\n" cd scripts/load_validator_keys pip3 install -r requirements.txt python3 load_validator_keys.py cd ../.. +printf "generating key policy\n" ./scripts/generate_key_policy.sh nitro_validator_output.json >key_policy.json + +printf "putting key policy\n" aws kms put-key-policy \ --policy-name default \ --key-id "${KMS_KEY_ARN}" \ @@ -30,10 +37,15 @@ aws kms put-key-policy \ --region ${CDK_DEPLOY_REGION} \ --no-cli-pager +printf "setting tls key\n" aws lambda invoke --no-cli-pager \ --function-name "${FUNCTION_ARN}" \ --region "${CDK_DEPLOY_REGION}" \ --cli-binary-format raw-in-base64-out \ --payload '{"operation": "set_tls_key"}' lambda-output + +printf "starting signing service\n" ./scripts/start_signing_service.sh nitro_validator_output.json + +printf "checking web3singer status\n" ./tests/e2e/web3signer_status.sh nitro_validator_output.json diff --git a/tests/e2e/web3signer_status.sh b/tests/e2e/web3signer_status.sh index ce8c83a..5153834 100755 --- a/tests/e2e/web3signer_status.sh +++ b/tests/e2e/web3signer_status.sh @@ -19,7 +19,6 @@ function send_request() { printf "\n%s\n" "$(date '+%d/%m/%Y %H:%M:%S'): sending request" echo "${GENERIC_REQUEST}" | jq '.operation="'${1}'"' >.tmp.payload # $( echo ${payload} | jq -R -s '.') - # --no-cli-pager requires aws cliv2 aws lambda invoke \ --no-cli-pager \ --cli-binary-format raw-in-base64-out \ @@ -30,8 +29,8 @@ function send_request() { rm -rf .tmp.out .tmp.payload } -while True; do +while true; do send_request "${STATUS_OPERATION}" send_request "${PUBLIC_KEYS_OPERATION}" - sleep 1 + sleep 5 done
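Review bot: `printf "checking web3singer status\n"` misspells the service name, and the earlier hunk's `printf "deploying cdk stack"` lacks the trailing `\n` every other progress line has, so the cdk output starts on the same line. Both are one-character fixes: `printf "checking web3signer status\n"` and `printf "deploying cdk stack\n"`.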
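Review bot: With `True` corrected to `true` the loop now actually runs — and never stops: `send_request` is polled every 5 seconds with no exit condition, and this script is the last step of `tests/e2e/e2e_setup.sh`, so the e2e run never terminates or reports a result. A bounded loop that exits 0 on the first healthy status and 1 after N attempts turns this into a test, e.g. `for _ in $(seq 1 24); do send_request "${STATUS_OPERATION}" && exit 0; sleep 5; done; exit 1` with `send_request` returning non-zero when `.tmp.out` holds an error; if continuous monitoring is the intent, say so in a comment and run it under `timeout` from the caller. Separately, `send_request` builds its jq program by string interpolation (`'.operation="'${1}'"'`); `jq --arg op "$1" '.operation=$op'` avoids the quoting hazard — that line is context outside the changed lines.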