Inomurko/start vault (#676)

* immutability vault

* new lines

.circleci/config.yml

@@ -65,6 +65,17 @@ commands:
             - /usr/local/lib/node_modules
 
 jobs:
+  Deploy with Vault:
+    machine: true
+    working_directory: ~/repo
+    steps:
+      - checkout
+      - run: docker login -u $DOCKER_USER -p $DOCKER_PASS
+      - run:
+          name: Start services
+          command: docker-compose up -d
+          working_directory: ~/repo/MultiSigWalletOverride
+
   Truffle tests:
     executor: truffle_executor
     working_directory: ~/repo
@@ -219,6 +230,9 @@ workflows:
       - Solidity coverage
       - Javascript linter
       - Solidity linter
+  Other:
+    jobs:
+      - Deploy with Vault
 
   Run python slow tests:
     jobs:

MultiSigWalletOverride/docker-compose.yml

@@ -0,0 +1,58 @@
+version: "3.2"
+services:
+  ganache:
+    image: trufflesuite/ganache-cli:latest
+    ports:
+      - "8545:8545"
+    volumes:
+      - ./ganache_data:/ganache_data
+    entrypoint:
+      - node
+      - ./ganache-core.docker.cli.js
+      - --deterministic
+      - --db=/ganache_data
+      - --mnemonic
+      - 'minimum symptom minute gloom tragic situate silver mechanic salad amused elite beef'
+      - --networkId
+      - '5777'
+      - --hostname
+      - '0.0.0.0'
+      - --debug
+  gencerts:
+    image: alpine:3.10
+    volumes:
+      - "./docker/immutability/ca:/home/root/ca:rw"
+      - "./docker/immutability/config:/home/root/:rw"
+    entrypoint: >
+      /bin/sh -c "
+        apk add bash openssl
+        chown -R nobody:nobody /home/root/ca && chmod -R 777 /home/root/ca
+        # only gen if they aren't there
+        if [ -f /home/root/ca/certs/my-service.crt ];then
+          exit 0
+        else
+          /home/root/gencerts.sh
+        fi
+      "
+  vault_server:
+    image: omisego/immutability-vault-ethereum:latest
+    ports:
+      - "8200:8200"
+    depends_on:
+      - "gencerts"
+      - "ganache"
+    links:
+      - "ganache"
+    volumes:
+      - "./docker/immutability/ca:/home/vault/ca:rw"
+      - "./docker/immutability/ca/certs/:/etc/ssl/certs/"
+      - "./docker/immutability/config:/home/vault/config:ro"
+    entrypoint: >
+      /bin/sh -c "
+        sleep 2
+        while [ ! -f /home/vault/ca/certs/my-service.crt ];do
+          echo Waiting on gencerts...
+          sleep 1
+        done;
+        /home/vault/config/entrypoint.sh
+      "

MultiSigWalletOverride/docker/immutability/config/entrypoint.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Vault running in the container must listen on a different port.
+export VAULT_ADDR="http://127.0.0.1:8900"
+
+nohup vault server -dev -dev-root-token-id="totally-secure" \
+  -log-level=debug -config=/home/vault/config/ -dev-listen-address="0.0.0.0:8900" &
+VAULT_PID=$!
+
+count=1
+while [ "$count" -le 60 ]; do
+  if vault status; then break; fi
+  count=$((count+1))
+  sleep 0.5
+done
+
+vault status
+
+function configure_plugin {
+	plugin_file="immutability-eth-plugin"
+
+	echo "ADDING TO CATALOG: sys/plugins/catalog/secret/${plugin_file}"
+
+	# just testing for now
+	plugin_file="${plugin_file}"
+	ls -latr /home/vault/plugins
+	sha256sum=`cat /home/vault/plugins/SHA256SUMS | awk '{print $1}'`
+	vault write sys/plugins/catalog/secret/${plugin_file} \
+		  sha_256="$sha256sum" \
+		  command="$plugin_file --ca-cert=/home/vault/ca/certs/ca.crt --client-cert=/home/vault/ca/certs/my-service.crt --client-key=/home/vault/ca/private/my-service.key"
+
+	if [[ $? -eq 2 ]] ; then
+	  echo "Vault Catalog update failed!"
+	  exit 2
+	fi
+
+	echo "MOUNTING: ${plugin_file}"
+	vault secrets enable -path=${plugin_file} -plugin-name=${plugin_file} plugin
+	if [[ $? -eq 2 ]] ; then
+	  echo "Failed to mount ${plugin_file} plugin for test!"
+	  exit 2
+	fi
+}
+
+configure_plugin
+
+# Log to STDOUT
+vault audit enable file file_path=stdout
+
+# Don't exit until vault dies
+wait $VAULT_PID

MultiSigWalletOverride/docker/immutability/config/gencerts.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+
+set -ex
+
+function gencerts {
+
+	mkdir -p /home/root/ca/certs /home/root/ca/private
+
+	cat > "./openssl.cnf" << EOF
+[req]
+default_bits = 2048
+encrypt_key  = no
+default_md   = sha256
+prompt       = no
+utf8         = yes
+
+# Speify the DN here so we aren't prompted (along with prompt = no above).
+distinguished_name = req_distinguished_name
+
+# Extensions for SAN IP and SAN DNS
+req_extensions = v3_req
+
+# Be sure to update the subject to match your organization.
+[req_distinguished_name]
+C  = TH
+ST = Bangkok
+L  = Vault
+O  = omiseGO
+CN = localhost
+
+# Allow client and server auth. You may want to only allow server auth.
+# Link to SAN names.
+[v3_req]
+basicConstraints     = CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage             = digitalSignature, keyEncipherment
+extendedKeyUsage     = clientAuth, serverAuth
+subjectAltName       = @alt_names
+
+# Alternative names are specified as IP.# and DNS.# for IPs and
+# DNS accordingly.
+[alt_names]
+IP.1  = 127.0.0.1
+IP.2  = 192.168.64.1
+IP.3  = 192.168.122.1
+DNS.1 = localhost
+EOF
+
+	openssl req \
+	-new \
+	-sha256 \
+	-newkey rsa:2048 \
+	-days 120 \
+	-nodes \
+	-x509 \
+	-subj "/C=US/ST=Maryland/L=Vault/O=My Company CA" \
+	-keyout "/home/root/ca/private/ca.key" \
+	-out "/home/root/ca/certs/ca.crt"
+
+	# Generate the private key for the service. Again, you may want to increase
+	# the bits to 2048.
+	openssl genrsa -out "/home/root/ca/private/my-service.key" 2048
+
+	# Generate a CSR using the configuration and the key just generated. We will
+	# give this CSR to our CA to sign.
+	openssl req \
+	-new -key "/home/root/ca/private/my-service.key" \
+	-out "/home/root/ca/my-service.csr" \
+	-config "openssl.cnf"
+
+	# Sign the CSR with our CA. This will generate a new certificate that is signed
+	# by our CA.
+	openssl x509 \
+	-req \
+	-days 120 \
+	-in "/home/root/ca/my-service.csr" \
+	-CA "/home/root/ca/certs/ca.crt" \
+	-CAkey "/home/root/ca/private/ca.key" \
+	-CAcreateserial \
+	-sha256 \
+	-extensions v3_req \
+	-extfile "openssl.cnf" \
+	-out "/home/root/ca/certs/my-service.crt"
+
+	openssl x509 -in "/home/root/ca/certs/my-service.crt" -noout -text
+
+	rm openssl.cnf
+
+  chown -R nobody:nobody /home/root/ca && chmod -R 777 /home/root/ca
+}
+
+gencerts

MultiSigWalletOverride/docker/immutability/config/vault.json

@@ -0,0 +1,15 @@
+{
+  "disable_mlock": "true",
+  "ui": "true",
+  "listener": {
+    "tcp": {
+      "address": "0.0.0.0:8200",
+      "tls_cert_file": "/home/vault/ca/certs/my-service.crt",
+      "tls_key_file": "/home/vault/ca/private/my-service.key",
+      "tls_require_and_verify_client_cert": "false"
+    }
+  },
+  "default_lease_ttl": "168h",
+  "max_lease_ttl": "720h",
+  "plugin_directory": "/home/vault/plugins"
+}