

fix: Do not reuse anvil admin key
In #8277 we added a PUBLIC_API_KEY that was used for accessing anvil
with cheat codes disabled, and the API_KEY was left for "admin" access
with cheat codes allowed. However, the API_KEY is also needed for
connecting to the node, which is needed for retrieving proofs, needed
for prover nodes to operate.

This PR changes how keys are handled. API_KEY is now mapped to the anvil
public access, so it is not disclosed when sharing access to the node
API. A new FORK_ADMIN_API_KEY is introduced for admin access, and only
used for bootstrapping operations and for the bootstrapping sequencer.
spalladino committed Aug 30, 2024
1 parent 6e84970 commit 5b6154b
Showing 9 changed files with 36 additions and 24 deletions.
36 changes: 22 additions & 14 deletions .github/workflows/devnet-deploys.yml
Expand Up @@ -33,7 +33,7 @@ env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
API_KEY: ${{ secrets.DEVNET_API_KEY }}
PUBLIC_API_KEY: ${{ secrets.DEVNET_API_KEY }}
FORK_ADMIN_API_KEY: ${{ secrets.DEVNET_API_KEY }}
FORK_MNEMONIC: ${{ secrets.FORK_MNEMONIC }}
CONTRACT_PUBLISHER_PRIVATE_KEY: ${{ secrets.CONTRACT_PUBLISHER_PRIVATE_KEY }}
CONTRACT_S3_BUCKET: s3://static.aztec.network
Expand Down Expand Up @@ -65,7 +65,7 @@ env:
# Anvil
TF_VAR_FORK_MNEMONIC: ${{ secrets.FORK_MNEMONIC }}
TF_VAR_INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
TF_VAR_PUBLIC_API_KEY: ${{ secrets.DEVNET_API_KEY }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets.DEVNET_API_KEY }}

# Faucet
TF_VAR_FAUCET_ACCOUNT_INDEX: 9
Expand Down Expand Up @@ -107,7 +107,7 @@ jobs:
deploy_tag: ${{ steps.set_network_vars.outputs.deploy_tag }}
branch_name: ${{ steps.set_network_vars.outputs.branch_name }}
network_api_key: ${{ steps.set_network_vars.outputs.network_api_key }}
network_public_api_key: ${{ steps.set_network_vars.outputs.network_public_api_key }}
network_fork_admin_api_key: ${{ steps.set_network_vars.outputs.network_fork_admin_api_key }}
agents_per_prover: ${{ steps.set_network_vars.outputs.agents_per_prover }}
bot_interval: ${{ steps.set_network_vars.outputs.bot_interval }}
node_tcp_range_start: ${{ steps.set_network_vars.outputs.node_tcp_range_start }}
Expand All @@ -134,7 +134,7 @@ jobs:
echo "deploy_tag=devnet" >> $GITHUB_OUTPUT
echo "branch_name=devnet" >> $GITHUB_OUTPUT
echo "network_api_key=DEVNET_API_KEY" >> $GITHUB_OUTPUT
echo "network_public_api_key=DEVNET_API_KEY" >> $GITHUB_OUTPUT
echo "network_fork_admin_api_key=DEVNET_API_KEY" >> $GITHUB_OUTPUT
echo "agents_per_prover=4" >> $GITHUB_OUTPUT
echo "bot_interval=180" >> $GITHUB_OUTPUT
echo "node_tcp_range_start=40100" >> $GITHUB_OUTPUT
Expand All @@ -155,7 +155,7 @@ jobs:
echo "deploy_tag=provernet" >> $GITHUB_OUTPUT
echo "branch_name=provernet" >> $GITHUB_OUTPUT
echo "network_api_key=PROVERNET_API_KEY" >> $GITHUB_OUTPUT
echo "network_public_api_key=PROVERNET_PUBLIC_API_KEY" >> $GITHUB_OUTPUT
echo "network_fork_admin_api_key=PROVERNET_FORK_ADMIN_API_KEY" >> $GITHUB_OUTPUT
echo "agents_per_prover=8" >> $GITHUB_OUTPUT
echo "bot_interval=10" >> $GITHUB_OUTPUT
echo "node_tcp_range_start=40200" >> $GITHUB_OUTPUT
Expand All @@ -176,7 +176,7 @@ jobs:
echo "deploy_tag=alphanet" >> $GITHUB_OUTPUT
echo "branch_name=alphanet" >> $GITHUB_OUTPUT
echo "network_api_key=ALPHANET_API_KEY" >> $GITHUB_OUTPUT
echo "network_public_api_key=ALPHANET_API_KEY" >> $GITHUB_OUTPUT
echo "network_fork_admin_api_key=ALPHANET_API_KEY" >> $GITHUB_OUTPUT
echo "agents_per_prover=1" >> $GITHUB_OUTPUT
echo "bot_interval=30" >> $GITHUB_OUTPUT
echo "node_tcp_range_start=40000" >> $GITHUB_OUTPUT
Expand Down Expand Up @@ -206,8 +206,8 @@ jobs:
TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
TF_VAR_PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
API_KEY_NAME: ${{ needs.set-network.outputs.network_api_key }}
runs-on: ${{ github.actor }}-x86
steps:
Expand Down Expand Up @@ -334,6 +334,8 @@ jobs:
TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
API_KEY_NAME: ${{ needs.set-network.outputs.network_api_key }}
runs-on: ${{ github.actor }}-x86
steps:
Expand Down Expand Up @@ -451,8 +453,8 @@ jobs:
TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
TF_VAR_PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_AGENTS_PER_PROVER: ${{ needs.set-network.outputs.agents_per_prover }}
TF_VAR_BOT_TX_INTERVAL_SECONDS: ${{ needs.set-network.outputs.bot_interval }}
TF_VAR_NODE_LB_RULE_PRIORITY: ${{ needs.set-network.outputs.node_lb_priority_range_start }}
Expand Down Expand Up @@ -495,7 +497,7 @@ jobs:
docker pull aztecprotocol/aztec:${{ env.DEPLOY_TAG }}
docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} deploy-l1-contracts \
--private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }} \
--rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
--rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
--l1-chain-id ${{ env.L1_CHAIN_ID }} \
--salt ${{ github.run_id }} \
--json | tee ./l1_contracts.json
Expand Down Expand Up @@ -563,6 +565,8 @@ jobs:
TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
steps:
- uses: actions/checkout@v4
with:
Expand Down Expand Up @@ -600,7 +604,7 @@ jobs:
set -o pipefail
docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} bootstrap-network \
--rpc-url https://api.aztec.network/${{ env.DEPLOY_TAG }}/aztec-pxe/${{ env.API_KEY }} \
--l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
--l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
--l1-chain-id ${{ env.L1_CHAIN_ID }} \
--l1-private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }} \
--json | tee ./basic_contracts.json
Expand All @@ -617,6 +621,8 @@ jobs:
TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FAUCET_LB_RULE_PRIORITY: ${{ needs.set-network.outputs.faucet_lb_priority }}
steps:
- uses: actions/checkout@v4
Expand Down Expand Up @@ -659,6 +665,8 @@ jobs:
TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
TF_VAR_AGENTS_PER_PROVER: ${{ needs.set-network.outputs.agents_per_prover }}
TF_VAR_BOT_TX_INTERVAL_SECONDS: ${{ needs.set-network.outputs.bot_interval }}
TF_VAR_NODE_LB_RULE_PRIORITY: ${{ needs.set-network.outputs.node_lb_priority_range_start }}
Expand Down Expand Up @@ -694,7 +702,7 @@ jobs:
# set -eo pipefail
# docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} set-proven-until \
# --rpc-url https://api.aztec.network/${{ env.DEPLOY_TAG }}/aztec-pxe/${{ env.API_KEY }} \
# --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
# --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
# --l1-chain-id ${{ env.L1_CHAIN_ID }} \
# --l1-private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }}

Expand Down Expand Up @@ -734,7 +742,7 @@ jobs:
set -eo pipefail
docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} deploy-l1-verifier \
--rpc-url https://api.aztec.network/${{ env.DEPLOY_TAG }}/aztec-pxe/${{ env.API_KEY }} \
--l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
--l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
--l1-chain-id ${{ env.L1_CHAIN_ID }} \
--l1-private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }}
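Review bot: The new FORK_ADMIN_API_KEY provides no isolation on devnet or alphanet, because the top-level env block maps both API_KEY and FORK_ADMIN_API_KEY to `secrets.DEVNET_API_KEY`, and the devnet and alphanet branches of set_network_vars likewise emit the same secret name for `network_api_key` and `network_fork_admin_api_key`; only provernet gets a distinct PROVERNET_FORK_ADMIN_API_KEY. Since the gateway tells the two apart only by a fixed `admin-` path prefix, whoever is handed the public key on those networks effectively holds the admin one too. If sharing one secret is deliberate for the non-prover networks, a comment next to those outputs such as `# devnet/alphanet intentionally reuse one key; provernet keeps admin and public keys separate` would stop the next reader from treating it as a copy-paste slip; otherwise point them at distinct secrets. The key is also interpolated into `docker run` command lines (e.g. the `deploy-l1-contracts --rpc-url .../admin-${{ env.FORK_ADMIN_API_KEY }}` step), which GitHub masks in logs but which remains visible in the runner's process table, as the earlier API_KEY usage already was.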
2 changes: 1 addition & 1 deletion build-system/scripts/deploy_terraform
Expand Up @@ -29,7 +29,7 @@ export TF_VAR_DOCKERHUB_ACCOUNT=$DOCKERHUB_ACCOUNT
export TF_VAR_FORK_MNEMONIC=$FORK_MNEMONIC
export TF_VAR_INFURA_API_KEY=$INFURA_API_KEY
export TF_VAR_API_KEY=$FORK_API_KEY
export TF_VAR_PUBLIC_API_KEY=${PUBLIC_FORK_API_KEY:-$FORK_API_KEY}
export TF_VAR_FORK_ADMIN_API_KEY=${FORK_ADMIN_API_KEY:-$FORK_API_KEY}
export TF_VAR_L1_CHAIN_ID=$CHAIN_ID

# If given a repository name, use it to construct and set/override the backend key.
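Review bot: The fallback `${FORK_ADMIN_API_KEY:-$FORK_API_KEY}` silently collapses the admin key into the public one whenever FORK_ADMIN_API_KEY is unset, which is exactly the reuse this commit sets out to remove, and nothing records that it happened. If every caller is expected to supply the admin key, failing fast is the safer default: `export TF_VAR_FORK_ADMIN_API_KEY=${FORK_ADMIN_API_KEY:?FORK_ADMIN_API_KEY must be set}`. If the fallback is intentional for environments that have no separate admin key, a comment saying so plus an `echo "WARNING: FORK_ADMIN_API_KEY unset, reusing FORK_API_KEY" >&2` would make the degraded configuration visible rather than silent.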
6 changes: 3 additions & 3 deletions iac/mainnet-fork/nginx/gateway.conf
Expand Up @@ -2,12 +2,12 @@ server {
listen 80 default_server;
listen 8545;

location /{{ADMIN_API_KEY}} {
location /admin-{{ADMIN_API_KEY}} {
proxy_pass http://0.0.0.0:8544;
rewrite ^/{{ADMIN_API_KEY}}(.*) /$1 break;
}

location /public-{{PUBLIC_API_KEY}} {
location /{{PUBLIC_API_KEY}} {
client_body_buffer_size 20M;
client_body_in_single_buffer on;
js_import main from njs/anvil_validation.js;
Expand All @@ -16,7 +16,7 @@ server {

location @anvil {
proxy_pass http://0.0.0.0:8544;
rewrite ^/({{ADMIN_API_KEY}}|public-{{PUBLIC_API_KEY}})(.*) /$2 break;
rewrite ^/(admin-{{ADMIN_API_KEY}}|{{PUBLIC_API_KEY}})(.*) /$2 break;
}

# Error responses
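Review bot: The admin location is renamed to `/admin-{{ADMIN_API_KEY}}` but the rewrite inside it is still `rewrite ^/{{ADMIN_API_KEY}}(.*) /$1 break;`, which no longer matches the prefixed URI, so the `/admin-<key>` path reaches anvil unchanged; the `@anvil` rewrite further down was updated but this one was not. It should read `rewrite ^/admin-{{ADMIN_API_KEY}}(.*) /$1 break;`. Separately, since the two locations now differ only by the fixed `admin-` prefix, the split is only meaningful when the two substituted keys are different values, which deserves a one-line comment above the admin block: `# ADMIN_API_KEY and PUBLIC_API_KEY must be distinct values; only the prefix differs`.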
4 changes: 2 additions & 2 deletions iac/mainnet-fork/scripts/run_nginx_anvil.sh
Expand Up @@ -4,8 +4,8 @@ set -eum pipefail

# Replace API_KEYs in nginx config
echo "Replacing api keys in nginx config..."
sed -i 's/{{PUBLIC_API_KEY}}/'$PUBLIC_API_KEY'/g' /etc/nginx/gateway.conf
sed -i 's/{{ADMIN_API_KEY}}/'$API_KEY'/g' /etc/nginx/gateway.conf
sed -i 's/{{PUBLIC_API_KEY}}/'$API_KEY'/g' /etc/nginx/gateway.conf
sed -i 's/{{ADMIN_API_KEY}}/'$FORK_ADMIN_API_KEY'/g' /etc/nginx/gateway.conf

# Run nginx and anvil alongside each other
trap 'kill $(jobs -p)' SIGTERM
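Review bot: The two `sed` lines expand `$API_KEY` and `$FORK_ADMIN_API_KEY` unquoted and never check for an empty value; `-u` rejects an unset variable but not an empty string, and an empty API_KEY turns the public block into `location /`, matching every request, while an empty admin key leaves the admin endpoint at the fixed path `/admin-`. Guarding before the substitutions closes that: `: "${API_KEY:?API_KEY must be non-empty}"` and `: "${FORK_ADMIN_API_KEY:?FORK_ADMIN_API_KEY must be non-empty}"`. Key values containing `/` or `&` would also corrupt the sed expressions, which is presumably ruled out by how the keys are generated but is not checked here. Note that `set -eum pipefail` (the hunk's context line) passes `pipefail` as a positional argument rather than enabling the option; `set -eu -o pipefail` is likely what was intended.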
2 changes: 1 addition & 1 deletion iac/mainnet-fork/scripts/wait_for_fork
Expand Up @@ -6,7 +6,7 @@ set -e
# This script waits on a healthy status from the fork - a valid response to the chainid request
# We retry every 20 seconds, and wait for a total of 5 minutes (15 times)

export ETHEREUM_HOST="https://$DEPLOY_TAG-mainnet-fork.aztec.network:8545/$FORK_API_KEY"
export ETHEREUM_HOST="https://$DEPLOY_TAG-mainnet-fork.aztec.network:8545/$API_KEY"

curl -H "Content-Type: application/json" -X POST --data '{"method":"eth_chainId","params":[],"id":33,"jsonrpc":"2.0"}' \
--connect-timeout 30 \
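Review bot: The host is now built from `$API_KEY`, whereas the sibling build-system script deploy_terraform still takes the public key as `FORK_API_KEY` (the name this line used before), so a caller that only exports FORK_API_KEY will produce a URL with an empty key segment, and `set -e` does not catch an unset variable in a string expansion. Presumably the workflow exports API_KEY directly, but a guard such as `: "${API_KEY:?API_KEY must be set}"` before the export, or keeping the variable name consistent with deploy_terraform, would make the expectation explicit.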
2 changes: 1 addition & 1 deletion iac/mainnet-fork/terraform/main.tf
Expand Up @@ -120,7 +120,7 @@ resource "aws_ecs_task_definition" "aztec_mainnet_fork" {
essential = true
environment = [
{ name = "API_KEY", value = "${var.API_KEY}" },
{ name = "PUBLIC_API_KEY", value = "${var.PUBLIC_API_KEY}" },
{ name = "FORK_ADMIN_API_KEY", value = "${var.FORK_ADMIN_API_KEY}" },
{ name = "MNEMONIC", value = "${var.FORK_MNEMONIC}" },
{ name = "INFURA_API_KEY", value = "${var.INFURA_API_KEY}" },
{ name = "L1_CHAIN_ID", value = "${var.L1_CHAIN_ID}" },
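Review bot: The admin key is injected as a plain `environment` entry next to API_KEY, so its value lands in the ECS task definition (readable by any principal allowed to call DescribeTaskDefinition) and in Terraform state, a wider exposure for the cheat-code-enabled key than for the public one. The existing API_KEY entry follows the same pattern, so this may be an accepted trade-off; if not, the task definition's `secrets` block with a Secrets Manager or SSM Parameter Store reference keeps the value out of the definition itself. At minimum a comment on the new line, e.g. `# grants cheat-code access to anvil; keep separate from API_KEY`, would flag its privilege level for the next reader.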
2 changes: 1 addition & 1 deletion iac/mainnet-fork/terraform/variables.tf
Expand Up @@ -10,7 +10,7 @@ variable "API_KEY" {
type = string
}

variable "PUBLIC_API_KEY" {
variable "FORK_ADMIN_API_KEY" {
type = string
}

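Review bot: The new `FORK_ADMIN_API_KEY` variable is declared without `sensitive = true`, so its value is printed in `terraform plan`/`apply` output and in the diff of every resource that interpolates it; the same applies to the matching declaration added in yarn-project/aztec/terraform/node/variables.tf. Adding `sensitive = true` inside the block redacts it from CLI output (it is still stored in state). The existing API_KEY variable is not marked sensitive either, which is presumably why it was omitted here, but the admin key is the higher-privilege one.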
2 changes: 1 addition & 1 deletion yarn-project/aztec/terraform/node/main.tf
Expand Up @@ -190,7 +190,7 @@ resource "aws_ecs_task_definition" "aztec-node" {
},
{
name = "ETHEREUM_HOST"
value = "https://${var.DEPLOY_TAG}-mainnet-fork.aztec.network:8545/${var.API_KEY}"
value = "https://${var.DEPLOY_TAG}-mainnet-fork.aztec.network:8545/admin-${var.FORK_ADMIN_API_KEY}"
},
{
name = "DATA_DIRECTORY"
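Review bot: ETHEREUM_HOST for the node task definition now points at the admin path `admin-${var.FORK_ADMIN_API_KEY}`, while the commit description scopes the admin key to bootstrapping operations and the bootstrapping sequencer. If this module also launches nodes that do not need cheat codes, they receive the admin endpoint regardless, which widens where the key is held. A variable selecting between `${var.API_KEY}` and `admin-${var.FORK_ADMIN_API_KEY}`, or a comment on this line stating that every node deployed from this module is a bootstrapping sequencer, would make the intent explicit.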
4 changes: 4 additions & 0 deletions yarn-project/aztec/terraform/node/variables.tf
Expand Up @@ -11,6 +11,10 @@ variable "API_KEY" {
type = string
}

variable "FORK_ADMIN_API_KEY" {
type = string
}

variable "SEQUENCER_PRIVATE_KEYS" {
type = list(string)
}
