diff --git a/common/wireguard/src/peer_controller.rs b/common/wireguard/src/peer_controller.rs index c6316a720e0..bc3fbad0a46 100644 --- a/common/wireguard/src/peer_controller.rs +++ b/common/wireguard/src/peer_controller.rs @@ -27,7 +27,7 @@ use crate::{error::Error, peer_handle::SharedBandwidthStorageManager}; pub enum PeerControlRequest { AddPeer { peer: Peer, - ticket_validation: bool, + client_id: Option, response_tx: oneshot::Sender, }, RemovePeer { @@ -46,7 +46,6 @@ pub enum PeerControlRequest { pub struct AddPeerControlResponse { pub success: bool, - pub client_id: Option, } pub struct RemovePeerControlResponse { @@ -118,13 +117,13 @@ impl PeerController { } // Function that should be used for peer insertion, to handle both storage and kernel interaction - pub async fn add_peer(&self, peer: &Peer, with_client_id: bool) -> Result, Error> { - let client_id = self - .storage - .insert_wireguard_peer(peer, with_client_id) - .await?; - let ret = self.wg_api.inner.configure_peer(peer); - if ret.is_err() { + pub async fn add_peer(&self, peer: &Peer, client_id: Option) -> Result<(), Error> { + if client_id.is_none() { + self.storage.insert_wireguard_peer(peer, false).await?; + } + let ret: Result<(), defguard_wireguard_rs::error::WireguardInterfaceError> = + self.wg_api.inner.configure_peer(peer); + if client_id.is_none() && ret.is_err() { // Try to revert the insertion in storage if self .storage @@ -135,8 +134,7 @@ impl PeerController { log::error!("The storage has been corrupted. Wireguard peer {} will persist in storage indefinitely.", peer.public_key); } } - ret?; - Ok(client_id) + Ok(ret?) } // Function that should be used for peer removal, to handle both storage and kernel interaction 
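Review bot: In the new `add_peer` the `client_id` argument is read only as a flag (`client_id.is_none()` on the first line of the body and again in front of the storage revert), which hides a cross-component contract: `Some(_)` means the caller has already persisted the peer and owns its cleanup, `None` means this function performs both the storage insert and its rollback. Since the payload is never used, state that on the function, e.g. `/// With client_id = Some the peer is assumed to be already stored (ticket flag set) by the caller, which must also remove it if this call fails; with None the storage insert and its rollback happen here.`; a plainly named `bool` such as `already_stored` would say the same thing more honestly, though that also touches the `PeerControlRequest::AddPeer` variant in the first hunk. The explicit `Result<(), defguard_wireguard_rs::error::WireguardInterfaceError>` annotation on `ret` is inferable from `configure_peer` and reads like leftover debugging; `let ret = self.wg_api.inner.configure_peer(peer);` with `ret?; Ok(())` at the end, as before, is clearer. The body of `add_peer` continues in the following `@@ -135` hunk, with the `remove_wireguard_peer` revert call between the two hunks not shown.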
@@ -179,9 +177,9 @@ impl PeerController { async fn handle_add_request( &mut self, peer: &Peer, - with_client_id: bool, - ) -> Result, Error> { - let client_id = self.add_peer(peer, with_client_id).await?; + client_id: Option, + ) -> Result<(), Error> { + self.add_peer(peer, client_id).await?; let bandwidth_storage_manager = Self::generate_bandwidth_manager(self.storage.clone(), &peer.public_key) .await? @@ -201,7 +199,7 @@ impl PeerController { log::error!("Peer handle shut down ungracefully - {e}"); } }); - Ok(client_id) + Ok(()) } async fn handle_query_peer(&self, key: &Key) -> Result, Error> { @@ -260,12 +258,12 @@ impl PeerController { } msg = self.request_rx.recv() => { match msg { - Some(PeerControlRequest::AddPeer { peer, ticket_validation, response_tx }) => { - let ret = self.handle_add_request(&peer, ticket_validation).await; - if let Ok(client_id) = ret { - response_tx.send(AddPeerControlResponse { success: true, client_id }).ok(); + Some(PeerControlRequest::AddPeer { peer, client_id, response_tx }) => { + let ret = self.handle_add_request(&peer, client_id).await; + if ret.is_ok() { + response_tx.send(AddPeerControlResponse { success: true }).ok(); } else { - response_tx.send(AddPeerControlResponse { success: false, client_id: None }).ok(); + response_tx.send(AddPeerControlResponse { success: false }).ok(); } } Some(PeerControlRequest::RemovePeer { key, response_tx }) => { diff --git a/nym-credential-proxy/nym-credential-proxy/Dockerfile b/nym-credential-proxy/nym-credential-proxy/Dockerfile index 83d8aa0620c..e4548e89289 100644 --- a/nym-credential-proxy/nym-credential-proxy/Dockerfile +++ b/nym-credential-proxy/nym-credential-proxy/Dockerfile @@ -26,6 +26,8 @@ RUN cargo build --release FROM ubuntu:24.04 +RUN apt update && apt install -yy curl ca-certificates + WORKDIR /nym COPY --from=builder /usr/src/nym/nym-credential-proxy/target/release/nym-credential-proxy ./ 
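Review bot: In the rewritten `AddPeer` arm the error from `handle_add_request` is dropped: `if ret.is_ok()` answers `success: false` and the `Err` is never logged, so a failed storage insert, interface configuration or bandwidth-manager setup leaves no trace on the gateway, and the requester only sees the generic "adding peer could not be performed" from `PeerManager`. Match on the result and record the cause with the peer key before replying, e.g. `Ok(()) => { response_tx.send(AddPeerControlResponse { success: true }).ok(); }` and `Err(e) => { log::warn!("Failed to add peer {}: {e}", peer.public_key); response_tx.send(AddPeerControlResponse { success: false }).ok(); }`. The previous code had the same gap, but this hunk rewrites the arm and is the natural place to close it. The enclosing `select!` loop starts and ends outside the hunk.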
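Review bot: The added `RUN apt update && apt install -yy curl ca-certificates` leaves the apt package lists in the final image, pulls in recommended packages, and uses `apt`, whose CLI is documented as not stable for scripts, instead of `apt-get`. The usual form for an image layer is `RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*`, which keeps the runtime image smaller and its installed-package surface minimal. The same applies to the `nym-data-observatory/Dockerfile` hunk, which ends up with the identical line (dropping its `Acquire::*` proxy workarounds there is fine). `-yy` appears to be `-y` given twice; a single `-y` is enough.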
diff --git a/nym-data-observatory/Dockerfile b/nym-data-observatory/Dockerfile index 2293a8ca91d..bc756ebaa53 100644 --- a/nym-data-observatory/Dockerfile +++ b/nym-data-observatory/Dockerfile @@ -7,11 +7,7 @@ RUN cargo build --release FROM ubuntu:24.04 -RUN echo "Acquire::http::Pipeline-Depth 0;" > /etc/apt/apt.conf.d/99custom && \ - echo "Acquire::http::No-Cache true;" >> /etc/apt/apt.conf.d/99custom && \ - echo "Acquire::BrokenProxy true;" >> /etc/apt/apt.conf.d/99custom - -RUN apt update && apt install -yy curl +RUN apt update && apt install -yy curl ca-certificates WORKDIR /nym diff --git a/service-providers/authenticator/src/cli/peer_handler.rs b/service-providers/authenticator/src/cli/peer_handler.rs index 561e995b65c..99a260ff7ec 100644 --- a/service-providers/authenticator/src/cli/peer_handler.rs +++ b/service-providers/authenticator/src/cli/peer_handler.rs @@ -27,9 +27,9 @@ impl DummyHandler { msg = self.peer_rx.recv() => { if let Some(msg) = msg { match msg { - PeerControlRequest::AddPeer { peer, ticket_validation, response_tx } => { - log::info!("[DUMMY] Adding peer {:?} with ticket validation {}", peer, ticket_validation); - response_tx.send(AddPeerControlResponse { success: true, client_id: None }).ok(); + PeerControlRequest::AddPeer { peer, client_id, response_tx } => { + log::info!("[DUMMY] Adding peer {:?} with client id {:?}", peer, client_id); + response_tx.send(AddPeerControlResponse { success: true }).ok(); } PeerControlRequest::RemovePeer { key, response_tx } => { log::info!("[DUMMY] Removing peer {:?}", key); diff --git a/service-providers/authenticator/src/mixnet_listener.rs b/service-providers/authenticator/src/mixnet_listener.rs index a68b86ff7e9..44b44217294 100644 --- a/service-providers/authenticator/src/mixnet_listener.rs +++ b/service-providers/authenticator/src/mixnet_listener.rs 
@@ -7,8 +7,8 @@ use std::{ }; use crate::{error::AuthenticatorError, peer_manager::PeerManager}; +use defguard_wireguard_rs::{host::Peer, key::Key}; use futures::StreamExt; -use log::warn; use nym_authenticator_requests::{ v1, v2, v3::{ @@ -235,37 +235,45 @@ impl MixnetListener { return Err(AuthenticatorError::MacVerificationFailure); } + let peer = Peer::new(Key::new(final_message.gateway_client.pub_key.to_bytes())); + // If gateway does ecash verification and client sends a credential, we do the additional // credential verification. Later this will become mandatory. if let (Some(ecash_verifier), Some(credential)) = ( self.ecash_verifier.clone(), final_message.credential.clone(), ) { - let client_id = self - .peer_manager - .add_peer(&final_message.gateway_client, true) + let client_id = ecash_verifier + .storage() + .insert_wireguard_peer(&peer, true) .await? .ok_or(AuthenticatorError::InternalError( "peer with ticket shouldn't have been used before without a ticket".to_string(), ))?; - if let Err(e) = - Self::credential_verification(ecash_verifier, credential, client_id).await + Self::credential_verification(ecash_verifier.clone(), credential, client_id).await { - self.peer_manager - .remove_peer(&final_message.gateway_client) - .await - .inspect_err(|err| { - warn!( - "Could not revert adding peer {} on credential verification {err}", - final_message.gateway_client.pub_key() - ) - })?; + ecash_verifier + .storage() + .remove_wireguard_peer(&peer.public_key.to_string()) + .await?; + return Err(e); + } + let public_key = peer.public_key.to_string(); + if let Err(e) = self + .peer_manager + .add_peer(peer, &final_message.gateway_client, Some(client_id)) + .await + { + ecash_verifier + .storage() + .remove_wireguard_peer(&public_key) + .await?; return Err(e); } } else { self.peer_manager - .add_peer(&final_message.gateway_client, false) + .add_peer(peer, &final_message.gateway_client, None) .await?; } registred_and_free 
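Review bot: The revert on a failed `peer_manager.add_peer(peer, …, Some(client_id))` removes only the storage row, whereas the removed `remove_peer` went through the peer controller and so covered the WireGuard interface as well; since `handle_add_request` (peer_controller hunk) can still fail after `configure_peer` succeeded, for instance on the `?` after `generate_bandwidth_manager`, this path can leave a peer configured on the interface with no storage record and no bandwidth accounting. Either keep a controller-level removal in that error branch or have `handle_add_request` undo `configure_peer` itself before replying `success: false`. Both revert calls also end in a bare `.await?`, which replaces the original verification or add error with the storage error and, unlike the removed `inspect_err`/`warn!`, leaves no log line; add `.inspect_err(|err| log::warn!("could not revert storing peer {} after failed registration: {err}", peer.public_key))` before each `?` (using the `public_key` binding in the second one, where `peer` has been moved). As rendered, the `if let Err(e) =` line appears only on the removed side ahead of the re-added `Self::credential_verification(ecash_verifier.clone(), …)` call; presumably a display artifact, but worth confirming the new side still binds `e`. The enclosing handler continues past the hunk.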
diff --git a/service-providers/authenticator/src/peer_manager.rs b/service-providers/authenticator/src/peer_manager.rs index 9d70036c9ca..4cb66d5e181 100644 --- a/service-providers/authenticator/src/peer_manager.rs +++ b/service-providers/authenticator/src/peer_manager.rs @@ -26,16 +26,16 @@ impl PeerManager { } pub async fn add_peer( &mut self, + mut peer: Peer, client: &GatewayClient, - ticket_validation: bool, - ) -> Result> { - let mut peer = Peer::new(Key::new(client.pub_key.to_bytes())); + client_id: Option, + ) -> Result<()> { let (response_tx, response_rx) = oneshot::channel(); peer.allowed_ips .push(IpAddrMask::new(client.private_ip, 32)); let msg = PeerControlRequest::AddPeer { peer, - ticket_validation, + client_id, response_tx, }; self.wireguard_gateway_data @@ -44,7 +44,7 @@ impl PeerManager { .await .map_err(|_| AuthenticatorError::PeerInteractionStopped)?; - let AddPeerControlResponse { success, client_id } = response_rx.await.map_err(|_| { + let AddPeerControlResponse { success } = response_rx.await.map_err(|_| { AuthenticatorError::InternalError("no response for add peer".to_string()) })?; if !success { @@ -52,10 +52,10 @@ impl PeerManager { "adding peer could not be performed".to_string(), )); } - Ok(client_id) + Ok(()) } - pub async fn remove_peer(&mut self, client: &GatewayClient) -> Result<()> { + pub async fn _remove_peer(&mut self, client: &GatewayClient) -> Result<()> { let key = Key::new(client.pub_key().to_bytes()); let (response_tx, response_rx) = oneshot::channel(); let msg = PeerControlRequest::RemovePeer { key, response_tx };
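Review bot: `add_peer` now receives a ready-made `peer` and separately `client`, and pushes `client.private_ip` into `peer.allowed_ips` without checking that `peer.public_key` is the key derived from `client.pub_key`, which the old body guaranteed by constructing the `Peer` itself. The one caller in this diff (`mixnet_listener`) builds `peer` from `final_message.gateway_client.pub_key`, so it holds today, but the allowed-IP assignment is what binds a WireGuard identity to an address, so the invariant should be enforced rather than assumed: add `debug_assert_eq!(peer.public_key, Key::new(client.pub_key.to_bytes()));` at the top of the body if `Key` supports equality, otherwise document it with `/// peer.public_key must be the key of client; its allowed IP is taken from client.private_ip.` If the peer is only ever built from `client`, consider keeping that construction here and passing just `client` and `client_id`. The function continues into the next hunk.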
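Review bot: Renaming `remove_peer` to `_remove_peer` only silences the dead-code warning; a leading underscore on a `pub async fn` is not idiomatic and leaves a reader unsure whether the method is API or leftover. If it is kept for a future rollback path, keep the original name and mark it `#[allow(dead_code)] // kept for peer rollback; no longer called from mixnet_listener`, otherwise delete it. From the removed listener lines it looks like this was the listener's way to undo a peer addition on the interface side, which is why it became unused in this change. The method body continues past the hunk.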