Add HTTPS to Sidecar for deployment

.gitignore

@@ -10,3 +10,7 @@ IGNORE-ME*
 
 # local env files
 .env*
+
+# local certs
+local_dev/config/cert.pem
+local_dev/config/key.pem

README.md

@@ -99,6 +99,40 @@ SUPABASE_AUTH_GITHUB_CLIENT_ID="<CLIENT_ID>"
 SUPABASE_AUTH_GITHUB_SECRET="<CLIENT_SECRET>"
 ```
 
+**Traefik**
+
+install traefik
+
+```
+brew install traefik
+```
+
+update /etc/hosts with (requires sudo)
+
+```
+127.0.0.1 draft.test
+127.0.0.1 sidecar0.draft.test
+127.0.0.1 sidecar1.draft.test
+127.0.0.1 sidecar2.draft.test
+127.0.0.1 sidecar3.draft.test
+```
+
+make local certs
+
+install mkcert with
+
+```
+brew install mkcert
+```
+
+make the cert with
+
+```
+mkcert -cert-file "local_dev/config/cert.pem" -key-file "local_dev/config/key.pem" "draft.test" "*.draft.test"
+```
+
+**Run local dev**
+
 You're now ready to install, run, and develop on `draft`!
 
 To start the local development environment:
@@ -113,7 +147,7 @@ draft start-local-dev
 
 If needed, clone this repo:
 ```
-git clone https://github.com/eriktaubeneck/draft.git
+git clone https://github.com/private-attribution/draft.git
 cd draft
 ```
 
@@ -125,5 +159,74 @@ pip install --editable .
 ```
 
 
-## Credit
+## Deployment
+
+### Requirements
+
+*Instructions for AWS Linux 2023*
+
+1. **Python3.11**: Install with `sudo yum install python3.11`
+2. **git**: Install with `sudo yum install git`
+3. **draft** (this package):
+    1. Clone with `git clone https://github.com/private-attribution/draft.git`
+    2. Enter directory `cd draft`.
+    3. Create virtualenv: `python3.11 -m venv .venv`
+    4. Use virtualeenv: `source .venv/bin/activate`
+    5. Upgrade pip: `pip install --upgrade pip`
+    6. Install: `pip install --editable .`
+4. **traefik**:
+    1. Download version 2.11: `wget https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz`
+    2. Validate checksum: `sha256sum traefik_v2.11.0_linux_amd64.tar.gz` should print `7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552  traefik_v2.11.0_linux_amd64.tar.gz`
+    3. Extract the binary: `tar -zxvf traefik_v2.11.0_linux_amd64.tar.gz`
+5. **tmux**: `sudo yum install tmux`
+
+
+### Generating TLS certs with Let's Encrypt
+
+You will need a domain name and TLS certificates for the sidecar to properly run over HTTPS. The following instructions assume your domain is `example.com`, please replace with the domain you'd like to use. You will need to create two sub-domains, `sidecar.example.com` and `helper.example.com`. (Note, you could also use a sub-domain as your base domain, e.g., `test.example.com` with two sub-domains of that: `sidecar.test.example.com` and `helper.test.example.com`.)
+
+1. Set up DNS records for `sidecar.example.com` and `helper.example.com` pointing to a server you control.
+2. Make sure you've installed the requirements above, and are using the virtual environment.
+3. Install `certbot`: `pip install certbot`
+4. `sudo .venv/bin/certbot certonly --standalone -m [email protected] -d "sidecar.example.com,helper.example.com"`
+    1. Note that you must point directly to `.venv/bin/certbot` as `sudo` does not operate in the virtualenv.
+5. Accept the [Let's Encrypt terms](https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf).
+
+
+### Make Configuration
+
+For this stage, you'll need to know a few things about the other parties involved:
+1. Their root domain
+2. Their public keys
+3. Everyone's *identity* (e.g., 0, 1, 2, 3)
+
+
+One you know these:
+1. Make a config directory `mkdir config`
+2. Copy the default network config: `cp local_dev/config/network.toml config/.`
+3. Update that file.
+    1. Replace `helper0.draft.test` and `sidecar0.draft.test` with the respective domains for party with identity=0.
+    2. Repeat for identity= 1, 2, and 3.
+    3. Replace respective certificates with their public keys.
+4. Move your Let's Encrypt key and cert into place: `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/fullchain.pem config/cert.pem` and `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/privkey.pem key.pem`
+5. Generate IPA specific keys:
+    1. TODO
+
+
+### Run draft
+
+You'll want this to continue to run, even if you disconnect from the host, so it's a good idea to start a tmux session:
+
+```
+tmux new -s draft-session
+```
+
+```
+draft start-helper-sidecar --identity <identity> --root_domain example.com --config_path config
+```
+
+
+
+
+# Credit
 [Beer tap icons created by wanicon - Flaticon]("https://www.flaticon.com/free-icons/beer-tap")

local_dev/config/network.toml

@@ -12,7 +12,7 @@ N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw==
 -----END CERTIFICATE-----
 """
 url = "localhost:7431"
-sidecar_port = "17431"
+sidecar_url = "sidecar1.draft.test"
 
 [peers.hpke]
 public_key = "fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e"
@@ -31,7 +31,7 @@ RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD
 -----END CERTIFICATE-----
 """
 url = "localhost:7432"
-sidecar_port = "17432"
+sidecar_url = "sidecar2.draft.test"
 
 [peers.hpke]
 public_key = "4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d"
@@ -50,7 +50,7 @@ B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g==
 -----END CERTIFICATE-----
 """
 url = "localhost:7433"
-sidecar_port = "17433"
+sidecar_url = "sidecar3.draft.test"
 
 [peers.hpke]
 public_key = "ebedcfa02354a1d17aed80b0ed55028d0616152d5f8971291e030231dc92063d"
@@ -61,7 +61,7 @@ version = "http2"
 
 [coordinator]
 url = "localhost:7430"
-sidecar_port = "17430"
+sidecar_url = "sidecar0.draft.test"
 certificate = """
 -----BEGIN CERTIFICATE-----
 MIIBHDCBwqADAgECAghMfLQt7MF1IDAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls

server/app/auth/callback/route.ts

@@ -3,11 +3,18 @@ import { NextResponse } from "next/server";
 import { createServerClient, type CookieOptions } from "@supabase/ssr";
 
 export async function GET(request: Request) {
-  const { searchParams, origin } = new URL(request.url);
+  const { searchParams } = new URL(request.url);
   const code = searchParams.get("code");
   // if "next" is in param, use it as the redirect URL
   const next = searchParams.get("next") ?? "/";
 
+  let origin =
+    process?.env?.NEXT_PUBLIC_SITE_URL ?? // Set this to your site URL in production env.
+    process?.env?.NEXT_PUBLIC_VERCEL_URL ?? // Automatically set by Vercel.
+    "https://draft.test/";
+  // Make sure to include `https://`
+  origin = origin.includes("https://") ? origin : `https://${origin}`;
+
   if (code) {
     const cookieStore = cookies();
     const supabase = createServerClient(

server/app/login/GitHubOAuthComponent.tsx

@@ -12,9 +12,9 @@ export default function GitHubOAuthComponent() {
   let url =
     process?.env?.NEXT_PUBLIC_SITE_URL ?? // Set this to your site URL in production env.
     process?.env?.NEXT_PUBLIC_VERCEL_URL ?? // Automatically set by Vercel.
-    "http://localhost:3000/";
-  // Make sure to include `https://` when not localhost.
-  url = url.includes("http") ? url : `https://${url}`;
+    "https://draft.test/";
+  // Make sure to include `https://`
+  url = url.includes("https://") ? url : `https://${url}`;
   // Make sure to include a trailing `/`.
   url = url.charAt(url.length - 1) === "/" ? url : `${url}/`;
 

server/app/query/servers.tsx

@@ -87,19 +87,19 @@ export class RemoteServer {
 
   logsWebSocketURL(id: string): URL {
     const webSocketURL = new URL(`/ws/logs/${id}`, this.baseURL);
-    webSocketURL.protocol = "ws";
+    webSocketURL.protocol = "wss";
     return webSocketURL;
   }
 
   statusWebSocketURL(id: string): URL {
     const webSocketURL = new URL(`/ws/status/${id}`, this.baseURL);
-    webSocketURL.protocol = "ws";
+    webSocketURL.protocol = "wss";
     return webSocketURL;
   }
 
   statsWebSocketURL(id: string): URL {
     const webSocketURL = new URL(`/ws/stats/${id}`, this.baseURL);
-    webSocketURL.protocol = "ws";
+    webSocketURL.protocol = "wss";
     return webSocketURL;
   }
 
@@ -271,19 +271,26 @@ export const IPARemoteServers: RemoteServersType = {
   [RemoteServerNames.Coordinator]: new IPACoordinatorRemoteServer(
     RemoteServerNames.Coordinator,
     new URL(
-      process?.env?.NEXT_PUBLIC_COORDINATOR_URL ?? "http://localhost:17430",
+      process?.env?.NEXT_PUBLIC_COORDINATOR_URL ??
+        "https://sidecar0.draft.test",
     ),
   ),
   [RemoteServerNames.Helper1]: new IPAHelperRemoteServer(
     RemoteServerNames.Helper1,
-    new URL(process?.env?.NEXT_PUBLIC_HELPER1_URL ?? "http://localhost:17431"),
+    new URL(
+      process?.env?.NEXT_PUBLIC_HELPER1_URL ?? "https://sidecar1.draft.test",
+    ),
   ),
   [RemoteServerNames.Helper2]: new IPAHelperRemoteServer(
     RemoteServerNames.Helper2,
-    new URL(process?.env?.NEXT_PUBLIC_HELPER2_URL ?? "http://localhost:17432"),
+    new URL(
+      process?.env?.NEXT_PUBLIC_HELPER2_URL ?? "https://sidecar2.draft.test",
+    ),
   ),
   [RemoteServerNames.Helper3]: new IPAHelperRemoteServer(
     RemoteServerNames.Helper3,
-    new URL(process?.env?.NEXT_PUBLIC_HELPER3_URL ?? "http://localhost:17433"),
+    new URL(
+      process?.env?.NEXT_PUBLIC_HELPER3_URL ?? "https://sidecar3.draft.test",
+    ),
   ),
 };

server/supabase/config.toml

@@ -40,9 +40,9 @@ file_size_limit = "50MiB"
 [auth]
 # The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
 # in emails.
-site_url = "http://localhost:3000"
+site_url = "https://draft.test"
 # A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
-additional_redirect_urls = ["https://localhost:3000/auth/callback"]
+additional_redirect_urls = ["https://draft.test/auth/callback"]
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one
 # week).
 jwt_expiry = 3600
@@ -59,11 +59,11 @@ secret = "env(SUPABASE_AUTH_GITHUB_SECRET)"
 redirect_uri = "http://localhost:54321/auth/v1/callback"
 
 [analytics]
-enabled = true
+enabled = false
 port = 54327
 vector_port = 54328
 # Setup BigQuery project to enable log viewer on local development stack.
 # See: https://supabase.com/docs/guides/getting-started/local-development#enabling-local-logging
-gcp_project_id = ""
-gcp_project_number = ""
+gcp_project_id = "null"
+gcp_project_number = "null"
 gcp_jwt_path = "supabase/gcloud.json"

sidecar/app/helpers.py

@@ -18,19 +18,10 @@ class Role(IntEnum):
 @dataclass
 class Helper:
     role: Role
-    hostname: str
-    sidecar_port: int
-    helper_port: int
+    helper_url: ParseResult
+    sidecar_url: ParseResult
     public_key: EllipticCurvePublicKey
 
-    @property
-    def sidecar_url(self) -> ParseResult:
-        return urlparse(f"http://{self.hostname}:{self.sidecar_port}")
-
-    @property
-    def helper_url(self) -> ParseResult:
-        return urlparse(f"http://{self.hostname}:{self.helper_port}")
-
 
 def load_helpers_from_network_config(network_config_path: Path) -> dict[Role, Helper]:
     with network_config_path.open("rb") as f:
@@ -39,40 +30,30 @@ def load_helpers_from_network_config(network_config_path: Path) -> dict[Role, He
         helper_roles = list(r for r in Role if r != Role.COORDINATOR)
         helpers = {}
         for helper_config, role in zip(helper_configs, helper_roles):
-            url = urlparse(f"http://{helper_config['url']}")
-            hostname = str(url.hostname)
-            helper_port = int(url.port or 0)
-            sidecar_port = int(helper_config.get("sidecar_port", 0))
-            if not hostname or not helper_port or not sidecar_port:
-                raise Exception(f"{network_data=} missing data.")
+            helper_url = urlparse(f"http://{helper_config['url']}")
+            sidecar_url = urlparse(f"http://{helper_config['sidecar_url']}")
             public_key_pem_data = helper_config.get("certificate")
             cert = load_pem_x509_certificate(public_key_pem_data.encode("utf8"))
             public_key = cert.public_key()
             assert isinstance(public_key, EllipticCurvePublicKey)
             helpers[role] = Helper(
                 role=role,
-                hostname=hostname,
-                helper_port=helper_port,
-                sidecar_port=sidecar_port,
+                helper_url=helper_url,
+                sidecar_url=sidecar_url,
                 public_key=public_key,
             )
 
-        url = urlparse(f"http://{network_data['coordinator']['url']}")
-        hostname = str(url.hostname)
-        helper_port = int(url.port or 0)
-        sidecar_port = int(network_data["coordinator"].get("sidecar_port", 0))
-        if not hostname or not helper_port or not sidecar_port:
-            raise Exception(f"{network_data=} missing data.")
+        helper_url = urlparse(f"http://{network_data['coordinator']['url']}")
+        sidecar_url = urlparse(f"http://{network_data['coordinator']['sidecar_url']}")
         public_key_pem_data = network_data["coordinator"].get("certificate")
         cert = load_pem_x509_certificate(public_key_pem_data.encode("utf8"))
         public_key = cert.public_key()
         assert isinstance(public_key, EllipticCurvePublicKey)
 
         helpers[Role.COORDINATOR] = Helper(
             role=Role.COORDINATOR,
-            hostname=hostname,
-            helper_port=helper_port,
-            sidecar_port=sidecar_port,
+            helper_url=helper_url,
+            sidecar_url=sidecar_url,
             public_key=public_key,
         )
         return helpers

sidecar/app/main.py

@@ -8,9 +8,7 @@
 app.include_router(start.router)
 app.include_router(stop.router)
 
-origins = [
-    "http://localhost:3000",
-]
+origins = ["https://draft.test", "https://draft-mpc.vercel.app"]
 
 app.add_middleware(
     CORSMiddleware,

sidecar/app/query/command.py

@@ -16,6 +16,7 @@
 class Command:
     cmd: str
     env: Optional[dict] = field(default_factory=lambda: {**os.environ}, repr=False)
+    cwd: Optional[Path] = field(default=None, repr=True)
     process: Optional[subprocess.Popen] = field(init=False, default=None, repr=True)
 
     @property
@@ -65,6 +66,7 @@ def build_process(self):
         return subprocess.Popen(
             shlex.split(self.cmd),
             env=self.env,
+            cwd=self.cwd,
         )
 
     def start(self):
@@ -99,6 +101,7 @@ def build_process(self):
             shlex.split(self.cmd),
             stdout=self.output_file,
             env=self.env,
+            cwd=self.cwd,
         )
 
     def start(self):
@@ -114,6 +117,7 @@ def build_process(self):
         return subprocess.Popen(
             shlex.split(self.cmd),
             env=self.env,
+            cwd=self.cwd,
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE,
             text=True,