Merge branch 'develop' of github.com:nymtech/nym into fix/credential-…

…proxy-CI
nymtech · Oct 18, 2024 · 81ca65d · 81ca65d
2 parents 524231f + 7b1200f
commit 81ca65d
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 51 deletions.
diff --git a/common/wireguard/src/peer_controller.rs b/common/wireguard/src/peer_controller.rs
@@ -27,7 +27,7 @@ use crate::{error::Error, peer_handle::SharedBandwidthStorageManager};
 pub enum PeerControlRequest {
     AddPeer {
         peer: Peer,
-        ticket_validation: bool,
+        client_id: Option<i64>,
         response_tx: oneshot::Sender<AddPeerControlResponse>,
     },
     RemovePeer {
@@ -46,7 +46,6 @@ pub enum PeerControlRequest {
 
 pub struct AddPeerControlResponse {
     pub success: bool,
-    pub client_id: Option<i64>,
 }
 
 pub struct RemovePeerControlResponse {
@@ -118,13 +117,13 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
     }
 
     // Function that should be used for peer insertion, to handle both storage and kernel interaction
-    pub async fn add_peer(&self, peer: &Peer, with_client_id: bool) -> Result<Option<i64>, Error> {
-        let client_id = self
-            .storage
-            .insert_wireguard_peer(peer, with_client_id)
-            .await?;
-        let ret = self.wg_api.inner.configure_peer(peer);
-        if ret.is_err() {
+    pub async fn add_peer(&self, peer: &Peer, client_id: Option<i64>) -> Result<(), Error> {
+        if client_id.is_none() {
+            self.storage.insert_wireguard_peer(peer, false).await?;
+        }
+        let ret: Result<(), defguard_wireguard_rs::error::WireguardInterfaceError> =
+            self.wg_api.inner.configure_peer(peer);
+        if client_id.is_none() && ret.is_err() {
             // Try to revert the insertion in storage
             if self
                 .storage
@@ -135,8 +134,7 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
                 log::error!("The storage has been corrupted. Wireguard peer {} will persist in storage indefinitely.", peer.public_key);
             }
         }
-        ret?;
-        Ok(client_id)
+        Ok(ret?)
     }
 
     // Function that should be used for peer removal, to handle both storage and kernel interaction
@@ -179,9 +177,9 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
     async fn handle_add_request(
         &mut self,
         peer: &Peer,
-        with_client_id: bool,
-    ) -> Result<Option<i64>, Error> {
-        let client_id = self.add_peer(peer, with_client_id).await?;
+        client_id: Option<i64>,
+    ) -> Result<(), Error> {
+        self.add_peer(peer, client_id).await?;
         let bandwidth_storage_manager =
             Self::generate_bandwidth_manager(self.storage.clone(), &peer.public_key)
                 .await?
@@ -201,7 +199,7 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
                 log::error!("Peer handle shut down ungracefully - {e}");
             }
         });
-        Ok(client_id)
+        Ok(())
     }
 
     async fn handle_query_peer(&self, key: &Key) -> Result<Option<Peer>, Error> {
@@ -260,12 +258,12 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
                 }
                 msg = self.request_rx.recv() => {
                     match msg {
-                        Some(PeerControlRequest::AddPeer { peer, ticket_validation, response_tx }) => {
-                            let ret = self.handle_add_request(&peer, ticket_validation).await;
-                            if let Ok(client_id) = ret {
-                                response_tx.send(AddPeerControlResponse { success: true, client_id }).ok();
+                        Some(PeerControlRequest::AddPeer { peer, client_id, response_tx }) => {
+                            let ret = self.handle_add_request(&peer, client_id).await;
+                            if ret.is_ok() {
+                                response_tx.send(AddPeerControlResponse { success: true }).ok();
                             } else {
-                                response_tx.send(AddPeerControlResponse { success: false, client_id: None }).ok();
+                                response_tx.send(AddPeerControlResponse { success: false }).ok();
                             }
                         }
                         Some(PeerControlRequest::RemovePeer { key, response_tx }) => {

diff --git a/nym-credential-proxy/nym-credential-proxy/Dockerfile b/nym-credential-proxy/nym-credential-proxy/Dockerfile
@@ -26,6 +26,8 @@ RUN cargo build --release
 
 FROM ubuntu:24.04
 
+RUN apt update && apt install -yy curl ca-certificates
+
 WORKDIR /nym
 
 COPY --from=builder /usr/src/nym/nym-credential-proxy/target/release/nym-credential-proxy ./

diff --git a/nym-data-observatory/Dockerfile b/nym-data-observatory/Dockerfile
@@ -7,11 +7,7 @@ RUN cargo build --release
 
 FROM ubuntu:24.04
 
-RUN echo "Acquire::http::Pipeline-Depth 0;" > /etc/apt/apt.conf.d/99custom && \
-  echo "Acquire::http::No-Cache true;" >> /etc/apt/apt.conf.d/99custom && \
-  echo "Acquire::BrokenProxy    true;" >> /etc/apt/apt.conf.d/99custom
-
-RUN apt update && apt install -yy curl
+RUN apt update && apt install -yy curl ca-certificates
 
 WORKDIR /nym
 

diff --git a/service-providers/authenticator/src/cli/peer_handler.rs b/service-providers/authenticator/src/cli/peer_handler.rs
@@ -27,9 +27,9 @@ impl DummyHandler {
                 msg = self.peer_rx.recv() => {
                     if let Some(msg) = msg {
                         match msg {
-                            PeerControlRequest::AddPeer { peer, ticket_validation, response_tx } => {
-                                log::info!("[DUMMY] Adding peer {:?} with ticket validation {}", peer, ticket_validation);
-                                response_tx.send(AddPeerControlResponse { success: true, client_id: None }).ok();
+                            PeerControlRequest::AddPeer { peer, client_id, response_tx } => {
+                                log::info!("[DUMMY] Adding peer {:?} with client id {:?}", peer, client_id);
+                                response_tx.send(AddPeerControlResponse { success: true }).ok();
                             }
                             PeerControlRequest::RemovePeer { key, response_tx } => {
                                 log::info!("[DUMMY] Removing peer {:?}", key);

diff --git a/service-providers/authenticator/src/mixnet_listener.rs b/service-providers/authenticator/src/mixnet_listener.rs
@@ -7,8 +7,8 @@ use std::{
 };
 
 use crate::{error::AuthenticatorError, peer_manager::PeerManager};
+use defguard_wireguard_rs::{host::Peer, key::Key};
 use futures::StreamExt;
-use log::warn;
 use nym_authenticator_requests::{
     v1, v2,
     v3::{
@@ -235,37 +235,45 @@ impl<S: Storage + Clone + 'static> MixnetListener<S> {
             return Err(AuthenticatorError::MacVerificationFailure);
         }
 
+        let peer = Peer::new(Key::new(final_message.gateway_client.pub_key.to_bytes()));
+
         // If gateway does ecash verification and client sends a credential, we do the additional
         // credential verification. Later this will become mandatory.
         if let (Some(ecash_verifier), Some(credential)) = (
             self.ecash_verifier.clone(),
             final_message.credential.clone(),
         ) {
-            let client_id = self
-                .peer_manager
-                .add_peer(&final_message.gateway_client, true)
+            let client_id = ecash_verifier
+                .storage()
+                .insert_wireguard_peer(&peer, true)
                 .await?
                 .ok_or(AuthenticatorError::InternalError(
                     "peer with ticket shouldn't have been used before without a ticket".to_string(),
                 ))?;
-
             if let Err(e) =
-                Self::credential_verification(ecash_verifier, credential, client_id).await
+                Self::credential_verification(ecash_verifier.clone(), credential, client_id).await
             {
-                self.peer_manager
-                    .remove_peer(&final_message.gateway_client)
-                    .await
-                    .inspect_err(|err| {
-                        warn!(
-                            "Could not revert adding peer {} on credential verification {err}",
-                            final_message.gateway_client.pub_key()
-                        )
-                    })?;
+                ecash_verifier
+                    .storage()
+                    .remove_wireguard_peer(&peer.public_key.to_string())
+                    .await?;
+                return Err(e);
+            }
+            let public_key = peer.public_key.to_string();
+            if let Err(e) = self
+                .peer_manager
+                .add_peer(peer, &final_message.gateway_client, Some(client_id))
+                .await
+            {
+                ecash_verifier
+                    .storage()
+                    .remove_wireguard_peer(&public_key)
+                    .await?;
                 return Err(e);
             }
         } else {
             self.peer_manager
-                .add_peer(&final_message.gateway_client, false)
+                .add_peer(peer, &final_message.gateway_client, None)
                 .await?;
         }
         registred_and_free

diff --git a/service-providers/authenticator/src/peer_manager.rs b/service-providers/authenticator/src/peer_manager.rs
@@ -26,16 +26,16 @@ impl PeerManager {
     }
     pub async fn add_peer(
         &mut self,
+        mut peer: Peer,
         client: &GatewayClient,
-        ticket_validation: bool,
-    ) -> Result<Option<i64>> {
-        let mut peer = Peer::new(Key::new(client.pub_key.to_bytes()));
+        client_id: Option<i64>,
+    ) -> Result<()> {
         let (response_tx, response_rx) = oneshot::channel();
         peer.allowed_ips
             .push(IpAddrMask::new(client.private_ip, 32));
         let msg = PeerControlRequest::AddPeer {
             peer,
-            ticket_validation,
+            client_id,
             response_tx,
         };
         self.wireguard_gateway_data
@@ -44,18 +44,18 @@ impl PeerManager {
             .await
             .map_err(|_| AuthenticatorError::PeerInteractionStopped)?;
 
-        let AddPeerControlResponse { success, client_id } = response_rx.await.map_err(|_| {
+        let AddPeerControlResponse { success } = response_rx.await.map_err(|_| {
             AuthenticatorError::InternalError("no response for add peer".to_string())
         })?;
         if !success {
             return Err(AuthenticatorError::InternalError(
                 "adding peer could not be performed".to_string(),
             ));
         }
-        Ok(client_id)
+        Ok(())
     }
 
-    pub async fn remove_peer(&mut self, client: &GatewayClient) -> Result<()> {
+    pub async fn _remove_peer(&mut self, client: &GatewayClient) -> Result<()> {
         let key = Key::new(client.pub_key().to_bytes());
         let (response_tx, response_rx) = oneshot::channel();
         let msg = PeerControlRequest::RemovePeer { key, response_tx };