configurable region for key-manager #862

Merged
merged 2 commits into from
Dec 27, 2024
9 changes: 6 additions & 3 deletions deploy/e2e/iris-mpc-0.yaml.tpl
Expand Up @@ -141,7 +141,7 @@ iris-mpc-0:
value: "0"

- name: SMPC__PUBLIC_KEY_BASE_URL
value: "http://wf-$ENV-stage-public-keys.s3.localhost.localstack.cloud:4566"
value: "http://wf-$ENV-public-keys.s3.localhost.localstack.cloud:4566"

- name: SMPC__ENABLE_S3_IMPORTER
value: "false"
Expand Down Expand Up @@ -202,10 +202,13 @@ iris-mpc-0:
name: "iris-mpc-0-init"
init.sh: |
#!/usr/bin/env bash
apt update && apt install -y awscli
set -e

cd /libs

aws s3 cp s3://wf-smpcv2-stage-libs/libcublas.so.12.2.5.6 .
aws s3 cp s3://wf-smpcv2-stage-libs/libcublasLt.so.12.2.5.6 .

key-manager --node-id 0 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys
AWS_ENDPOINT="http://localstack:4566" key-manager --node-id 0 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys --region $AWS_REGION
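Review bot: The new key-manager line for node 0 still publishes to `wf-$ENV-stage-public-keys`, while `SMPC__PUBLIC_KEY_BASE_URL` in the same template now points at `wf-$ENV-public-keys`, and the iris-mpc-1 and iris-mpc-2 templates publish to `wf-$ENV-public-keys` as well. With these values the application would look for node 0's public key in a bucket the rotate step never writes to, so the flag should read `--public-key-bucket-name wf-$ENV-public-keys`. Separately, only this template passes `AWS_ENDPOINT` and `--region $AWS_REGION`; iris-mpc-1 and iris-mpc-2 fall back to the CLI's default region, which may be intentional for localstack but is worth aligning across the three nodes.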


8 changes: 5 additions & 3 deletions deploy/e2e/iris-mpc-1.yaml.tpl
Expand Up @@ -142,7 +142,7 @@ iris-mpc-1:
value: "1"

- name: SMPC__PUBLIC_KEY_BASE_URL
value: "http://wf-$ENV-stage-public-keys.s3.localhost.localstack.cloud:4566"
value: "http://wf-$ENV-public-keys.s3.localhost.localstack.cloud:4566"

- name: SMPC__ENABLE_S3_IMPORTER
value: "false"
Expand Down Expand Up @@ -203,10 +203,12 @@ iris-mpc-1:
name: "iris-mpc-1-init"
init.sh: |
#!/usr/bin/env bash
apt-update && apt install -y awscli
set -e

cd /libs

aws s3 cp s3://wf-smpcv2-stage-libs/libcublas.so.12.2.5.6 .
aws s3 cp s3://wf-smpcv2-stage-libs/libcublasLt.so.12.2.5.6 .

key-manager --node-id 1 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys
key-manager --node-id 1 --env $ENV rotate --public-key-bucket-name wf-$ENV-public-keys
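Review bot: `apt-update && apt install -y awscli` in this init script invokes a command named `apt-update`, which does not exist; the node 0 and node 2 templates use `apt update`. Because the failing command sits on the left of `&&`, `set -e` does not abort there, awscli is never installed, and the script only fails at the first `aws s3 cp`. Whether this line is new or pre-existing context is not recoverable from the rendered page; either way it should read `apt update && apt install -y awscli`.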

8 changes: 5 additions & 3 deletions deploy/e2e/iris-mpc-2.yaml.tpl
Expand Up @@ -142,7 +142,7 @@ iris-mpc-2:
value: "2"

- name: SMPC__PUBLIC_KEY_BASE_URL
value: "http://wf-$ENV-stage-public-keys.s3.localhost.localstack.cloud:4566"
value: "http://wf-$ENV-public-keys.s3.localhost.localstack.cloud:4566"

- name: SMPC__ENABLE_S3_IMPORTER
value: "false"
Expand Down Expand Up @@ -203,10 +203,12 @@ iris-mpc-2:
name: "iris-mpc-2-init"
init.sh: |
#!/usr/bin/env bash
apt update && apt install -y awscli
set -e

cd /libs

aws s3 cp s3://wf-smpcv2-stage-libs/libcublas.so.12.2.5.6 .
aws s3 cp s3://wf-smpcv2-stage-libs/libcublasLt.so.12.2.5.6 .

key-manager --node-id 2 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys
key-manager --node-id 2 --env $ENV rotate --public-key-bucket-name wf-$ENV-public-keys

24 changes: 24 additions & 0 deletions iris-mpc-common/src/bin/README.md
@@ -0,0 +1,24 @@
# Key Manager CLI

The Key Manager CLI is a command line interface to rotate public and private keys used to encode shares.
The initial private key is generated using `smpc-setup`, and it is empty.

Key manager must be run from each of the participant accounts at least once before initiating the protocol.

Keys can be rotated at any time using the `rotate` command.

## Usage

```bash
>>> key-manager --node-id 2 --env prod rotate --public-key-bucket-name wf-env-stage-public-keys
```

This will:

1. Update the public key in the bucket `wf-env-stage-public-keys` for node 2.
2. Generate a new private key and store aws secrets manager under the secret name: `prod/iris-mpc/ecdh-private-key-2`

This key will be immediately valid, though the previous key will retain a validity of 24 hours (dictated by the cloudfront caching behavior,
and by application logic that checks against AWSCURRENT and AWSPREVIOUS version of the secret).


20 changes: 14 additions & 6 deletions iris-mpc-common/src/bin/key_manager.rs
Expand Up @@ -15,9 +15,7 @@ use sodiumoxide::crypto::box_::{curve25519xsalsa20poly1305, PublicKey, SecretKey

const PUBLIC_KEY_S3_BUCKET_NAME: &str = "wf-smpcv2-stage-public-keys";
const PUBLIC_KEY_S3_KEY_NAME_PREFIX: &str = "public-key";
const REGION: &str = "eu-north-1";

/// A fictional versioning CLI
#[derive(Debug, Parser)] // requires `derive` feature
#[command(name = "key-manager")]
#[command(about = "Key manager CLI", long_about = None)]
Expand All @@ -32,6 +30,9 @@ struct KeyManagerCli {

#[arg(short, long, env, default_value = "stage")]
env: String,

#[arg(short, long, env, default_value = "eu-north-1")]
region: String,
}

#[derive(Debug, Subcommand)]
Expand Down Expand Up @@ -67,8 +68,9 @@ async fn main() -> eyre::Result<()> {
tracing_subscriber::fmt::init();

let args = KeyManagerCli::parse();
let region = args.region;

let region_provider = S3Region::new(REGION);
let region_provider = S3Region::new(region.clone());
let shared_config = aws_config::from_env().region(region_provider).load().await;

let bucket_key_name = format!("{}-{}", PUBLIC_KEY_S3_KEY_NAME_PREFIX, args.node_id);
Expand Down Expand Up @@ -101,6 +103,7 @@ async fn main() -> eyre::Result<()> {
b64_pub_key,
&bucket_key_name,
public_key_bucket_name,
region.clone(),
)
.await?;
}
Expand All @@ -115,6 +118,7 @@ async fn validate_keys(
b64_pub_key: Option<String>,
bucket_key_name: &str,
public_key_bucket_name: Option<String>,
region: String,
) -> eyre::Result<()> {
let sm_client = SecretsManagerClient::new(sdk_config);

Expand All @@ -133,7 +137,7 @@ async fn validate_keys(
} else {
// Otherwise, get the latest one from S3 using HTTPS
let user_pubkey_string =
download_key_from_s3(bucket_name.as_str(), bucket_key_name).await?;
download_key_from_s3(bucket_name.as_str(), bucket_key_name, region.clone()).await?;
let user_pubkey = STANDARD.decode(user_pubkey_string.as_bytes()).unwrap();
match PublicKey::from_slice(&user_pubkey) {
Some(key) => key,
Expand Down Expand Up @@ -231,9 +235,13 @@ async fn rotate_keys(
Ok(())
}

async fn download_key_from_s3(bucket: &str, key: &str) -> Result<String, reqwest::Error> {
async fn download_key_from_s3(
bucket: &str,
key: &str,
region: String,
) -> Result<String, reqwest::Error> {
print!("Downloading key from S3 bucket: {} key: {}", bucket, key);
let s3_url = format!("https://{}.s3.{}.amazonaws.com/{}", bucket, REGION, key);
let s3_url = format!("https://{}.s3.{}.amazonaws.com/{}", bucket, region, key);
let client = Client::new();
let response = client.get(&s3_url).send().await?.text().await?;
Ok(response)
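Review bot: In `download_key_from_s3` the new `region` value is interpolated straight into the hostname of the URL it fetches the peer's public key from (`https://{}.s3.{}.amazonaws.com/{}`), and `region` now comes from an untrusted-ish source, the `--region` flag or its environment variable; a value containing `.` or `/` changes which host the request is sent to, and because TLS only checks that the certificate matches the host actually contacted, a mis-set region would silently fetch a key from the wrong place. Validate the value once after parsing in `main`, e.g. `eyre::ensure!(region.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '-'), "invalid AWS region: {region}");`, or fetch the object through the already-configured S3 SDK client instead of a hand-built URL. As a point of style, `region` is passed by value and `.clone()`d at each hop into `validate_keys` and `download_key_from_s3` although both only format it; `region: &str` on those two signatures removes the clones. The bodies of `main`, `validate_keys` and `download_key_from_s3` continue outside the hunks.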