Merge branch 'add-ip-bind-to-signer' into rate-limit-jwt

Author: jclapis

.github/workflows/release.yml

@@ -180,11 +180,12 @@ jobs:
 
       - name: Extract binaries
         run: |
-          mkdir -p ./artifacts/bin
+          mkdir -p ./artifacts/bin/linux_amd64
+          mkdir -p ./artifacts/bin/linux_arm64
           tar -xzf ./artifacts/commit-boost-pbs-${{ github.ref_name }}-linux_x86-64/commit-boost-pbs-${{ github.ref_name }}-linux_x86-64.tar.gz -C ./artifacts/bin
-          mv ./artifacts/bin/commit-boost-pbs ./artifacts/bin/commit-boost-pbs-linux-amd64
+          mv ./artifacts/bin/commit-boost-pbs ./artifacts/bin/linux_amd64/commit-boost-pbs
           tar -xzf ./artifacts/commit-boost-pbs-${{ github.ref_name }}-linux_arm64/commit-boost-pbs-${{ github.ref_name }}-linux_arm64.tar.gz -C ./artifacts/bin
-          mv ./artifacts/bin/commit-boost-pbs ./artifacts/bin/commit-boost-pbs-linux-arm64
+          mv ./artifacts/bin/commit-boost-pbs ./artifacts/bin/linux_arm64/commit-boost-pbs
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -232,11 +233,12 @@ jobs:
 
       - name: Extract binaries
         run: |
-          mkdir -p ./artifacts/bin
+          mkdir -p ./artifacts/bin/linux_amd64
+          mkdir -p ./artifacts/bin/linux_arm64
           tar -xzf ./artifacts/commit-boost-signer-${{ github.ref_name }}-linux_x86-64/commit-boost-signer-${{ github.ref_name }}-linux_x86-64.tar.gz -C ./artifacts/bin
-          mv ./artifacts/bin/commit-boost-signer ./artifacts/bin/commit-boost-signer-linux-amd64
+          mv ./artifacts/bin/commit-boost-signer ./artifacts/bin/linux_amd64/commit-boost-signer
           tar -xzf ./artifacts/commit-boost-signer-${{ github.ref_name }}-linux_arm64/commit-boost-signer-${{ github.ref_name }}-linux_arm64.tar.gz -C ./artifacts/bin
-          mv ./artifacts/bin/commit-boost-signer ./artifacts/bin/commit-boost-signer-linux-arm64
+          mv ./artifacts/bin/commit-boost-signer ./artifacts/bin/linux_arm64/commit-boost-signer
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

Cargo.lock

@@ -5,7 +5,7 @@ resolver = "2"
 [workspace.package]
 edition = "2021"
 rust-version = "1.83"
-version = "0.8.0-rc.1"
+version = "0.8.0-rc.2"
 
 [workspace.dependencies]
 aes = "0.8"
@@ -45,6 +45,7 @@ eyre = "0.6.12"
 futures = "0.3.30"
 headers = "0.4.0"
 indexmap = "2.2.6"
+jsonwebtoken = { version = "9.3.1", default-features = false }
 lazy_static = "1.5.0"
 parking_lot = "0.12.3"
 pbkdf2 = "0.12.2"
@@ -72,4 +73,3 @@ typenum = "1.17.0"
 unicode-normalization = "0.1.24"
 url = { version = "2.5.0", features = ["serde"] }
 uuid = { version = "1.8.0", features = ["fast-rng", "serde", "v4"] }
-jsonwebtoken = { version = "9.3.1", default-features = false }

Cargo.toml

@@ -148,6 +148,13 @@ url = "http://0xa119589bb33ef52acbb8116832bec2b58fca590fe5c85eac5d3230b44d5bc09f
 # Docker image to use for the Signer module.
 # OPTIONAL, DEFAULT: ghcr.io/commit-boost/signer:latest
 # docker_image = "ghcr.io/commit-boost/signer:latest"
+# Host to bind the Signer API server to
+# OPTIONAL, DEFAULT: 127.0.0.1
+host = "127.0.0.1"
+# Port to listen for Signer API calls on
+# OPTIONAL, DEFAULT: 20000
+port = 20000
+
 # For Remote signer:
 # [signer.remote]
 # URL of the Web3Signer instance

config.example.toml

@@ -6,16 +6,16 @@ use std::{
 
 use cb_common::{
     config::{
-        load_optional_env_var, CommitBoostConfig, LogsSettings, ModuleKind, SignerConfig,
-        SignerType, BUILDER_PORT_ENV, BUILDER_URLS_ENV, CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV,
-        DIRK_CA_CERT_DEFAULT, DIRK_CA_CERT_ENV, DIRK_CERT_DEFAULT, DIRK_CERT_ENV,
-        DIRK_DIR_SECRETS_DEFAULT, DIRK_DIR_SECRETS_ENV, DIRK_KEY_DEFAULT, DIRK_KEY_ENV, JWTS_ENV,
-        LOGS_DIR_DEFAULT, LOGS_DIR_ENV, METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV,
-        PBS_ENDPOINT_ENV, PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV,
-        PROXY_DIR_KEYS_DEFAULT, PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT,
-        PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV,
-        SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV,
-        SIGNER_JWT_SECRET_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME, SIGNER_URL_ENV,
+        CommitBoostConfig, LogsSettings, ModuleKind, SignerConfig, SignerType, BUILDER_PORT_ENV,
+        BUILDER_URLS_ENV, CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV, DIRK_CA_CERT_DEFAULT,
+        DIRK_CA_CERT_ENV, DIRK_CERT_DEFAULT, DIRK_CERT_ENV, DIRK_DIR_SECRETS_DEFAULT,
+        DIRK_DIR_SECRETS_ENV, DIRK_KEY_DEFAULT, DIRK_KEY_ENV, JWTS_ENV, LOGS_DIR_DEFAULT,
+        LOGS_DIR_ENV, METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, PBS_ENDPOINT_ENV,
+        PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV, PROXY_DIR_KEYS_DEFAULT,
+        PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT, PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT,
+        SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS_DEFAULT,
+        SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME,
+        SIGNER_URL_ENV,
     },
     pbs::{BUILDER_API_PATH, GET_STATUS_PATH},
     signer::{ProxyStore, SignerLoader, DEFAULT_SIGNER_PORT},
@@ -73,11 +73,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
     let mut targets = Vec::new();
 
     // address for signer API communication
-    let signer_port = if let Some(signer_config) = &cb_config.signer {
-        signer_config.port
-    } else {
-        DEFAULT_SIGNER_PORT
-    };
+    let signer_port = cb_config.signer.as_ref().map(|s| s.port).unwrap_or(DEFAULT_SIGNER_PORT);
     let signer_server =
         if let Some(SignerConfig { inner: SignerType::Remote { url }, .. }) = &cb_config.signer {
             url.to_string()
@@ -105,8 +101,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
                 ModuleKind::Commit => {
                     let mut ports = vec![];
 
-                    let jwt_secret = load_optional_env_var(SIGNER_JWT_SECRET_ENV)
-                        .unwrap_or_else(random_jwt_secret);
+                    let jwt_secret = random_jwt_secret();
                     let jwt_name = format!("CB_JWT_{}", module.id.to_uppercase());
 
                     // module ids are assumed unique, so envs dont override each other

crates/cli/src/docker_init.rs

@@ -42,8 +42,6 @@ pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV: &str =
 
 /// Comma separated list module_id=jwt_secret
 pub const JWTS_ENV: &str = "CB_JWTS";
-/// The JWT secret for the signer to validate the modules requests
-pub const SIGNER_JWT_SECRET_ENV: &str = "CB_SIGNER_JWT_SECRET";
 
 /// Path to json file with plaintext keys (testing only)
 pub const SIGNER_KEYS_ENV: &str = "CB_SIGNER_LOADER_FILE";

crates/common/src/config/constants.rs

@@ -242,6 +242,10 @@ async fn fetch_lido_registry_keys(
     let total_keys =
         registry.getTotalSigningKeyCount(node_operator_id).call().await?._0.try_into()?;
 
+    if total_keys == 0 {
+        return Ok(Vec::new());
+    }
+
     debug!("fetching {total_keys} total keys");
 
     const CALL_BATCH_SIZE: u64 = 250u64;

crates/common/src/config/mux.rs

@@ -146,26 +146,22 @@ impl StartSignerConfig {
 
         let jwts = load_jwt_secrets()?;
 
-        // Load the server endpoint first from the env var, then the config, and finally
-        // the defaults
+        let signer_config = config.signer.ok_or_eyre("Signer config is missing")?;
+
+        // Load the server endpoint first from the env var if present, otherwise the
+        // config
         let endpoint = if let Some(endpoint) = load_optional_env_var(SIGNER_ENDPOINT_ENV) {
             endpoint.parse()?
         } else {
-            match config.signer {
-                Some(ref signer) => SocketAddr::from((signer.host, signer.port)),
-                None => SocketAddr::from((default_host(), DEFAULT_SIGNER_PORT)),
-            }
+            SocketAddr::from((signer_config.host, signer_config.port))
         };
 
         // Load the JWT auth fail limit the same way
         let jwt_auth_fail_limit =
             if let Some(limit) = load_optional_env_var(SIGNER_JWT_AUTH_FAIL_LIMIT_ENV) {
                 limit.parse()?
             } else {
-                match config.signer {
-                    Some(ref signer) => signer.jwt_auth_fail_limit,
-                    None => DEFAULT_JWT_AUTH_FAIL_LIMIT,
-                }
+                signer_config.jwt_auth_fail_limit
             };
 
         // Load the JWT auth fail timeout the same way
@@ -174,15 +170,10 @@ impl StartSignerConfig {
         {
             timeout.parse()?
         } else {
-            match config.signer {
-                Some(ref signer) => signer.jwt_auth_fail_timeout_seconds,
-                None => DEFAULT_JWT_AUTH_FAIL_TIMEOUT_SECONDS,
-            }
+            signer_config.jwt_auth_fail_timeout_seconds
         };
 
-        let signer = config.signer.ok_or_eyre("Signer config is missing")?.inner;
-
-        match signer {
+        match signer_config.inner {
             SignerType::Local { loader, store, .. } => Ok(StartSignerConfig {
                 chain: config.chain,
                 loader: Some(loader),