Added Native and Automatic HTTPS support to Rest, fixes #280 by yilmazbahadir · Pull Request #284 · fboucquez/symbol-bootstrap

yilmazbahadir · 2021-07-28T09:56:32Z

Fixes #280

Added HTTPS support selection to the wizard (Native(default) | Automatic | None)
- Native HTTPS support selection will ask user to provide SSL key and certificate, file contents will be stored in the custom-preset file as base64 and encrypted(key), will be copied over the target/gateways folder during compose
- Automatic HTTPS support selection will result in setting gateways[].httpsProxy(true|number) which will integrate Https-Portal into the docker-compose.yml file during compose, default inbound port will be 3001
- None: continue to have an insecure protocol as it used to be, HTTP
HttpsProxies preset is added to the ConfigPreset with the help of this preset user will be able to have more control over the parameters.
Added unit tests

fboucquez · 2021-07-28T11:48:25Z

+                    services.push(
+                        await resolveService(n, {
+                            container_name: n.name,
+                            // user, // TODO fix the user permissions issue


Does the user need Sudo to clean up the target folder? Are sudo files stored in the HTTP proxy volumen?

Not I'm afraid, I think it's because of the 's6-overlay' that the https-portal docker file is using. Couldn't find a decent solution yet but will continue to research; I think that docker file needs to do the setup with root user and then use a less privileged user. We might end up extending that docker file and keeping a less privileged user.

what if we don't use volumes and SSL cert is reevaluated on restart? not great but may solve the sudo issue?

You can create the empty volumen folder too, which solves some of the issues

We might end up extending that docker file and keeping a less privileged user. - probably, but given lack of user above, I'm guessing this should be solved sooner rather than later (read: prior to merging to main)

I removed the user and the volume parts from ComposeService. The container will hold the certificates produced unless there is an image upgrade which doesn't happen frequently, so we are safe from the produced file permissions issues. There will be another PR for the symbol-bootstrap stop command improvement (which will prevent containers to be removed when stopped).

fboucquez · 2021-07-28T11:49:36Z

 symbolFaucetImage: symbolplatform/symbol-faucet:1.0.1-alpha
 symbolAgentImage: symbolplatform/symbol-node-rewards-agent:2.0.0
 mongoImage: mongo:4.4.3-bionic
+httpsPortalImage: steveltn/https-portal:1


we would need an alpha rest eventually to test the native implementation

Yes, I'm currently working on the catapult-rest part.

symbol/catapult-rest#641

Jaguar0625 · 2021-07-30T00:01:25Z

 votingKeyDesiredLifetime: 360
 votingKeyDesiredFutureLifetime: 60
-lastKnownNetworkEpoch: 255
+lastKnownNetworkEpoch: 271


how is this related to this change?

It's an automatic unit test that patches these epochs. The idea is that when a user creates a new voting node, the voting file starts from the most current epoch (in offline mode, in online mode bootstrap queries the network). We can probably disable that unit tests and revert that change. Then manually update that value in other PRs.

fboucquez · 2021-08-03T15:02:00Z

@yilmazbahadir @Wayonb @gimer , I have drafted how the community can eventually upgrade the nodes to HTTPs using Bootstrap. Please have an initial look so then @segfaultxavi can do his magic

https://hackmd.io/_F7gPWl2Td6WslNZRXeThA?view

segfaultxavi · 2021-08-03T15:48:50Z

@yilmazbahadir @Wayonb @gimer , I have drafted how the community can eventually upgrade the nodes to HTTPs using Bootstrap. Please have an initial look so then @segfaultxavi can do his magic

https://hackmd.io/_F7gPWl2Td6WslNZRXeThA?view

Yeah, ping me when you're done reviewing... and when you give me access to the file :)

fboucquez · 2021-08-03T17:26:25Z

Moved to syndicate HackMD https://hackmd.io/Cx1KQCOxRaaHrNNwuNI7CQ?view

fboucquez · 2021-07-28T13:33:47Z

+                    services.push(
+                        await resolveService(n, {
+                            container_name: n.name,
+                            // user, // TODO fix the user permissions issue


what if we don't use volumes and SSL cert is reevaluated on restart? not great but may solve the sudo issue?

You can create the empty volumen folder too, which solves some of the issues

fboucquez · 2021-08-11T12:58:51Z

I just realized that my comments were pending for the last 2 weeks. I just submitted the comments. Sorry for the confusion guys.

…pport

…c refactoring

fixed typo and unit test. improved package.json scripts

Removed httpProxy param from gateway, the httpProxies array can handle it.

Added native ssl unit compose unit test

…shared.yml as they are optional and bumped docker compose version in tests

…tal image version Currently https-portal only works with the root user but this wouldn't be an issue since we don't mount any volumes any more. symbolbootstrap stop command will actually stop containers and run command will start, unless there is a version upgrade(which will trigger a new container creation) it wouldn't need to re-sign the certificates. So most of the time it will be reusing the same certificates.

…T SSL changes)

sonarqubecloud · 2021-08-17T14:28:53Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
4 Code Smells