Merge branch 'develop' of github.com:nymtech/nym into fix/credential-proxy-CI
This commit is contained in:
@@ -27,7 +27,7 @@ use crate::{error::Error, peer_handle::SharedBandwidthStorageManager};
|
||||
pub enum PeerControlRequest {
|
||||
AddPeer {
|
||||
peer: Peer,
|
||||
ticket_validation: bool,
|
||||
client_id: Option<i64>,
|
||||
response_tx: oneshot::Sender<AddPeerControlResponse>,
|
||||
},
|
||||
RemovePeer {
|
||||
@@ -46,7 +46,6 @@ pub enum PeerControlRequest {
|
||||
|
||||
pub struct AddPeerControlResponse {
|
||||
pub success: bool,
|
||||
pub client_id: Option<i64>,
|
||||
}
|
||||
|
||||
pub struct RemovePeerControlResponse {
|
||||
@@ -118,13 +117,13 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
|
||||
}
|
||||
|
||||
// Function that should be used for peer insertion, to handle both storage and kernel interaction
|
||||
pub async fn add_peer(&self, peer: &Peer, with_client_id: bool) -> Result<Option<i64>, Error> {
|
||||
let client_id = self
|
||||
.storage
|
||||
.insert_wireguard_peer(peer, with_client_id)
|
||||
.await?;
|
||||
let ret = self.wg_api.inner.configure_peer(peer);
|
||||
if ret.is_err() {
|
||||
pub async fn add_peer(&self, peer: &Peer, client_id: Option<i64>) -> Result<(), Error> {
|
||||
if client_id.is_none() {
|
||||
self.storage.insert_wireguard_peer(peer, false).await?;
|
||||
}
|
||||
let ret: Result<(), defguard_wireguard_rs::error::WireguardInterfaceError> =
|
||||
self.wg_api.inner.configure_peer(peer);
|
||||
if client_id.is_none() && ret.is_err() {
|
||||
// Try to revert the insertion in storage
|
||||
if self
|
||||
.storage
|
||||
@@ -135,8 +134,7 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
|
||||
log::error!("The storage has been corrupted. Wireguard peer {} will persist in storage indefinitely.", peer.public_key);
|
||||
}
|
||||
}
|
||||
ret?;
|
||||
Ok(client_id)
|
||||
Ok(ret?)
|
||||
}
|
||||
|
||||
// Function that should be used for peer removal, to handle both storage and kernel interaction
|
||||
@@ -179,9 +177,9 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
|
||||
async fn handle_add_request(
|
||||
&mut self,
|
||||
peer: &Peer,
|
||||
with_client_id: bool,
|
||||
) -> Result<Option<i64>, Error> {
|
||||
let client_id = self.add_peer(peer, with_client_id).await?;
|
||||
client_id: Option<i64>,
|
||||
) -> Result<(), Error> {
|
||||
self.add_peer(peer, client_id).await?;
|
||||
let bandwidth_storage_manager =
|
||||
Self::generate_bandwidth_manager(self.storage.clone(), &peer.public_key)
|
||||
.await?
|
||||
@@ -201,7 +199,7 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
|
||||
log::error!("Peer handle shut down ungracefully - {e}");
|
||||
}
|
||||
});
|
||||
Ok(client_id)
|
||||
Ok(())
|
||||
}
|
||||
|
||||
async fn handle_query_peer(&self, key: &Key) -> Result<Option<Peer>, Error> {
|
||||
@@ -260,12 +258,12 @@ impl<St: Storage + Clone + 'static> PeerController<St> {
|
||||
}
|
||||
msg = self.request_rx.recv() => {
|
||||
match msg {
|
||||
Some(PeerControlRequest::AddPeer { peer, ticket_validation, response_tx }) => {
|
||||
let ret = self.handle_add_request(&peer, ticket_validation).await;
|
||||
if let Ok(client_id) = ret {
|
||||
response_tx.send(AddPeerControlResponse { success: true, client_id }).ok();
|
||||
Some(PeerControlRequest::AddPeer { peer, client_id, response_tx }) => {
|
||||
let ret = self.handle_add_request(&peer, client_id).await;
|
||||
if ret.is_ok() {
|
||||
response_tx.send(AddPeerControlResponse { success: true }).ok();
|
||||
} else {
|
||||
response_tx.send(AddPeerControlResponse { success: false, client_id: None }).ok();
|
||||
response_tx.send(AddPeerControlResponse { success: false }).ok();
|
||||
}
|
||||
}
|
||||
Some(PeerControlRequest::RemovePeer { key, response_tx }) => {
|
||||
|
||||
@@ -26,6 +26,8 @@ RUN cargo build --release
|
||||
|
||||
FROM ubuntu:24.04
|
||||
|
||||
RUN apt update && apt install -yy curl ca-certificates
|
||||
|
||||
WORKDIR /nym
|
||||
|
||||
COPY --from=builder /usr/src/nym/nym-credential-proxy/target/release/nym-credential-proxy ./
|
||||
|
||||
@@ -7,11 +7,7 @@ RUN cargo build --release
|
||||
|
||||
FROM ubuntu:24.04
|
||||
|
||||
RUN echo "Acquire::http::Pipeline-Depth 0;" > /etc/apt/apt.conf.d/99custom && \
|
||||
echo "Acquire::http::No-Cache true;" >> /etc/apt/apt.conf.d/99custom && \
|
||||
echo "Acquire::BrokenProxy true;" >> /etc/apt/apt.conf.d/99custom
|
||||
|
||||
RUN apt update && apt install -yy curl
|
||||
RUN apt update && apt install -yy curl ca-certificates
|
||||
|
||||
WORKDIR /nym
|
||||
|
||||
|
||||
@@ -27,9 +27,9 @@ impl DummyHandler {
|
||||
msg = self.peer_rx.recv() => {
|
||||
if let Some(msg) = msg {
|
||||
match msg {
|
||||
PeerControlRequest::AddPeer { peer, ticket_validation, response_tx } => {
|
||||
log::info!("[DUMMY] Adding peer {:?} with ticket validation {}", peer, ticket_validation);
|
||||
response_tx.send(AddPeerControlResponse { success: true, client_id: None }).ok();
|
||||
PeerControlRequest::AddPeer { peer, client_id, response_tx } => {
|
||||
log::info!("[DUMMY] Adding peer {:?} with client id {:?}", peer, client_id);
|
||||
response_tx.send(AddPeerControlResponse { success: true }).ok();
|
||||
}
|
||||
PeerControlRequest::RemovePeer { key, response_tx } => {
|
||||
log::info!("[DUMMY] Removing peer {:?}", key);
|
||||
|
||||
@@ -7,8 +7,8 @@ use std::{
|
||||
};
|
||||
|
||||
use crate::{error::AuthenticatorError, peer_manager::PeerManager};
|
||||
use defguard_wireguard_rs::{host::Peer, key::Key};
|
||||
use futures::StreamExt;
|
||||
use log::warn;
|
||||
use nym_authenticator_requests::{
|
||||
v1, v2,
|
||||
v3::{
|
||||
@@ -235,37 +235,45 @@ impl<S: Storage + Clone + 'static> MixnetListener<S> {
|
||||
return Err(AuthenticatorError::MacVerificationFailure);
|
||||
}
|
||||
|
||||
let peer = Peer::new(Key::new(final_message.gateway_client.pub_key.to_bytes()));
|
||||
|
||||
// If gateway does ecash verification and client sends a credential, we do the additional
|
||||
// credential verification. Later this will become mandatory.
|
||||
if let (Some(ecash_verifier), Some(credential)) = (
|
||||
self.ecash_verifier.clone(),
|
||||
final_message.credential.clone(),
|
||||
) {
|
||||
let client_id = self
|
||||
.peer_manager
|
||||
.add_peer(&final_message.gateway_client, true)
|
||||
let client_id = ecash_verifier
|
||||
.storage()
|
||||
.insert_wireguard_peer(&peer, true)
|
||||
.await?
|
||||
.ok_or(AuthenticatorError::InternalError(
|
||||
"peer with ticket shouldn't have been used before without a ticket".to_string(),
|
||||
))?;
|
||||
|
||||
if let Err(e) =
|
||||
Self::credential_verification(ecash_verifier, credential, client_id).await
|
||||
Self::credential_verification(ecash_verifier.clone(), credential, client_id).await
|
||||
{
|
||||
self.peer_manager
|
||||
.remove_peer(&final_message.gateway_client)
|
||||
.await
|
||||
.inspect_err(|err| {
|
||||
warn!(
|
||||
"Could not revert adding peer {} on credential verification {err}",
|
||||
final_message.gateway_client.pub_key()
|
||||
)
|
||||
})?;
|
||||
ecash_verifier
|
||||
.storage()
|
||||
.remove_wireguard_peer(&peer.public_key.to_string())
|
||||
.await?;
|
||||
return Err(e);
|
||||
}
|
||||
let public_key = peer.public_key.to_string();
|
||||
if let Err(e) = self
|
||||
.peer_manager
|
||||
.add_peer(peer, &final_message.gateway_client, Some(client_id))
|
||||
.await
|
||||
{
|
||||
ecash_verifier
|
||||
.storage()
|
||||
.remove_wireguard_peer(&public_key)
|
||||
.await?;
|
||||
return Err(e);
|
||||
}
|
||||
} else {
|
||||
self.peer_manager
|
||||
.add_peer(&final_message.gateway_client, false)
|
||||
.add_peer(peer, &final_message.gateway_client, None)
|
||||
.await?;
|
||||
}
|
||||
registred_and_free
|
||||
|
||||
@@ -26,16 +26,16 @@ impl PeerManager {
|
||||
}
|
||||
pub async fn add_peer(
|
||||
&mut self,
|
||||
mut peer: Peer,
|
||||
client: &GatewayClient,
|
||||
ticket_validation: bool,
|
||||
) -> Result<Option<i64>> {
|
||||
let mut peer = Peer::new(Key::new(client.pub_key.to_bytes()));
|
||||
client_id: Option<i64>,
|
||||
) -> Result<()> {
|
||||
let (response_tx, response_rx) = oneshot::channel();
|
||||
peer.allowed_ips
|
||||
.push(IpAddrMask::new(client.private_ip, 32));
|
||||
let msg = PeerControlRequest::AddPeer {
|
||||
peer,
|
||||
ticket_validation,
|
||||
client_id,
|
||||
response_tx,
|
||||
};
|
||||
self.wireguard_gateway_data
|
||||
@@ -44,7 +44,7 @@ impl PeerManager {
|
||||
.await
|
||||
.map_err(|_| AuthenticatorError::PeerInteractionStopped)?;
|
||||
|
||||
let AddPeerControlResponse { success, client_id } = response_rx.await.map_err(|_| {
|
||||
let AddPeerControlResponse { success } = response_rx.await.map_err(|_| {
|
||||
AuthenticatorError::InternalError("no response for add peer".to_string())
|
||||
})?;
|
||||
if !success {
|
||||
@@ -52,10 +52,10 @@ impl PeerManager {
|
||||
"adding peer could not be performed".to_string(),
|
||||
));
|
||||
}
|
||||
Ok(client_id)
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub async fn remove_peer(&mut self, client: &GatewayClient) -> Result<()> {
|
||||
pub async fn _remove_peer(&mut self, client: &GatewayClient) -> Result<()> {
|
||||
let key = Key::new(client.pub_key().to_bytes());
|
||||
let (response_tx, response_rx) = oneshot::channel();
|
||||
let msg = PeerControlRequest::RemovePeer { key, response_tx };
|
||||
|
||||
Reference in New Issue
Block a user