Merge pull request #28 from rarimo/fix/vault-new

Parse secrets map from vault

Author: Dmytro-Hladkykh

config.yaml

@@ -1,7 +1,12 @@
+vault:
+  disabled: false
+  addr: "http://127.0.0.1:8200"
+  mount_path: "secret_data"
+  secrets:
+    relayer: "relayer"
+
 network:
   rpc: "https://rpc.evm.mainnet.rarimo.com/"
-  vault_address: "http://127.0.0.1:8200"
-  vault_mount_path: "secret_data"
   gas_multiplier: 1.23
   private_key: without '0x' # For security purposes this key may be omitted and flow with Vault would be used
 
@@ -33,8 +38,6 @@ pinger:
 voting_v2:
   rpc: ""
   private_key: ""
-  vault_address: "https://127.0.0.1:8200"
-  vault_mount_path: "secret_data"
   proposal_state_address: ""
   block: 0
   gas_limit: 800000

internal/config/main.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"github.com/rarimo/proof-verification-relayer/internal/pkg/vault"
 	"gitlab.com/distributed_lab/kit/comfig"
 	"gitlab.com/distributed_lab/kit/copus"
 	"gitlab.com/distributed_lab/kit/copus/types"
@@ -16,6 +17,7 @@ type Config interface {
 	NetworkConfiger
 	ContractsConfiger
 	VotingV2Configer
+	vault.Vaulter
 	Pinger() Pinger
 	Replicator() Replicator
 	Ipfs() Ipfs
@@ -30,21 +32,32 @@ type config struct {
 	NetworkConfiger
 	ContractsConfiger
 	VotingV2Configer
+	vault.Vaulter
 
 	pinger     comfig.Once
 	replicator comfig.Once
 	ipfs       comfig.Once
 }
 
 func New(getter kv.Getter) Config {
+	vaulter := vault.NewVaulter(getter)
+	v := vaulter.Vault()
+
+	networkConfiger := NewNetworkConfiger(getter)
+	votingV2Configer := NewVotingV2Configer(getter)
+
+	networkConfiger.(*ethereum).SetVault(v)
+	votingV2Configer.(*ethereumVoting).SetVault(v)
+
 	return &config{
 		getter:            getter,
 		Databaser:         pgdb.NewDatabaser(getter),
 		Copuser:           copus.NewCopuser(getter),
 		Listenerer:        comfig.NewListenerer(getter),
 		Logger:            comfig.NewLogger(getter, comfig.LoggerOpts{}),
-		NetworkConfiger:   NewNetworkConfiger(getter),
 		ContractsConfiger: NewContractsConfiger(getter),
-		VotingV2Configer:  NewVotingV2Configer(getter),
+		NetworkConfiger:   networkConfiger,
+		VotingV2Configer:  votingV2Configer,
+		Vaulter:           vaulter,
 	}
 }

internal/config/network.go

@@ -8,14 +8,17 @@ import (
 
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/ethclient"
-	vaultapi "github.com/hashicorp/vault/api"
-	"gitlab.com/distributed_lab/dig"
+	"github.com/rarimo/proof-verification-relayer/internal/pkg/vault"
 	"gitlab.com/distributed_lab/figure/v3"
 	"gitlab.com/distributed_lab/kit/comfig"
 	"gitlab.com/distributed_lab/kit/kv"
 	"gitlab.com/distributed_lab/logan/v3/errors"
 )
 
+const (
+	relayerSecretName = "relayer"
+)
+
 type NetworkConfiger interface {
 	NetworkConfig() *NetworkConfig
 }
@@ -29,16 +32,18 @@ func NewNetworkConfiger(getter kv.Getter) NetworkConfiger {
 type ethereum struct {
 	once   comfig.Once
 	getter kv.Getter
+	vault  vault.Vault
+}
+
+func (e *ethereum) SetVault(v vault.Vault) {
+	e.vault = v
 }
 
 type NetworkConfig struct {
 	Client        *ethclient.Client `fig:"rpc,required"`
-	Address       string            `fig:"vault_address,required"`
-	MountPath     string            `fig:"vault_mount_path,required"`
 	GasMultiplier float64           `fig:"gas_multiplier,required"`
 
 	ChainID    *big.Int          `fig:"chain_id"`
-	Token      string            `dig:"VAULT_TOKEN,clear"`
 	PrivateKey *ecdsa.PrivateKey `fig:"private_key"`
 	nonce      uint64
 
@@ -65,11 +70,16 @@ func (e *ethereum) NetworkConfig() *NetworkConfig {
 
 		result.ChainID = chainID
 
-		if result.PrivateKey == nil {
-			result.PrivateKey, err = retrieveVaultPrivateKey(result)
+		if result.PrivateKey == nil && e.vault != nil {
+			var relayerSecret struct {
+				PrivateKey *ecdsa.PrivateKey `fig:"private_key,required"`
+			}
+
+			err := e.vault.FigureOutSecret(relayerSecretName, &relayerSecret, false)
 			if err != nil {
-				panic(errors.Wrap(err, "failed to retrieve vault private key"))
+				panic(errors.Wrap(err, "failed to figure out relayer secret"))
 			}
+			result.PrivateKey = relayerSecret.PrivateKey
 		}
 
 		nonce, err := result.Client.NonceAt(context.Background(), crypto.PubkeyToAddress(result.PrivateKey.PublicKey), nil)
@@ -85,46 +95,6 @@ func (e *ethereum) NetworkConfig() *NetworkConfig {
 	}).(*NetworkConfig)
 }
 
-func retrieveVaultPrivateKey(result NetworkConfig) (*ecdsa.PrivateKey, error) {
-	vaultCfg := struct {
-		Token string `dig:"VAULT_TOKEN,clear"`
-	}{}
-
-	if err := dig.Out(&vaultCfg).Now(); err != nil {
-		panic(err)
-	}
-	result.Token = vaultCfg.Token
-
-	conf := vaultapi.DefaultConfig()
-	conf.Address = result.Address
-
-	vaultClient, err := vaultapi.NewClient(conf)
-	if err != nil {
-		panic(errors.Wrap(err, "failed to initialize new client"))
-	}
-
-	vaultClient.SetToken(result.Token)
-
-	secret, err := vaultClient.KVv2(result.MountPath).Get(context.Background(), "relayer")
-	if err != nil {
-		panic(errors.Wrap(err, "failed to get secret"))
-	}
-
-	vaultRelayerConf := struct {
-		PrivateKey *ecdsa.PrivateKey `fig:"private_key,required"`
-	}{}
-
-	if err := figure.
-		Out(&vaultRelayerConf).
-		With(figure.BaseHooks, figure.EthereumHooks).
-		From(secret.Data).
-		Please(); err != nil {
-		panic(errors.Wrap(err, "failed to figure out"))
-	}
-
-	return vaultRelayerConf.PrivateKey, nil
-}
-
 func (n *NetworkConfig) LockNonce() {
 	n.mut.Lock()
 }

internal/config/voting_v2_config.go

@@ -8,10 +8,8 @@ import (
 
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
-
 	"github.com/ethereum/go-ethereum/ethclient"
-	vaultapi "github.com/hashicorp/vault/api"
-	"gitlab.com/distributed_lab/dig"
+	"github.com/rarimo/proof-verification-relayer/internal/pkg/vault"
 	"gitlab.com/distributed_lab/figure/v3"
 	"gitlab.com/distributed_lab/kit/comfig"
 	"gitlab.com/distributed_lab/kit/kv"
@@ -31,6 +29,11 @@ func NewVotingV2Configer(getter kv.Getter) VotingV2Configer {
 type ethereumVoting struct {
 	once   comfig.Once
 	getter kv.Getter
+	vault  vault.Vault
+}
+
+func (e *ethereumVoting) SetVault(v vault.Vault) {
+	e.vault = v
 }
 
 type VotingV2Config struct {
@@ -68,15 +71,13 @@ func (e *ethereumVoting) VotingV2Config() *VotingV2Config {
 		var result VotingV2Config
 
 		networkConfig := struct {
-			RPC            *ethclient.Client `fig:"rpc,required"`
-			PrivateKey     *ecdsa.PrivateKey `fig:"private_key"`
-			VaultAddress   string            `fig:"vault_address"`
-			VaultMountPath string            `fig:"vault_mount_path"`
-			Address        common.Address    `fig:"proposal_state_address,required"`
-			Block          uint64            `fig:"block"`
-			GasLimit       uint64            `fig:"gas_limit"`
-			Enable         bool              `fig:"enable"`
-			WithSub        bool              `fig:"check_with_subscribe"`
+			RPC        *ethclient.Client `fig:"rpc,required"`
+			PrivateKey *ecdsa.PrivateKey `fig:"private_key"`
+			Address    common.Address    `fig:"proposal_state_address,required"`
+			Block      uint64            `fig:"block"`
+			GasLimit   uint64            `fig:"gas_limit"`
+			Enable     bool              `fig:"enable"`
+			WithSub    bool              `fig:"check_with_subscribe"`
 		}{}
 		err := figure.
 			Out(&networkConfig).
@@ -96,14 +97,23 @@ func (e *ethereumVoting) VotingV2Config() *VotingV2Config {
 		}
 
 		result.PrivateKey = networkConfig.PrivateKey
-		if result.PrivateKey == nil {
-			result.PrivateKey = extractPrivateKey(networkConfig.VaultAddress, networkConfig.VaultMountPath)
-		}
+		if result.PrivateKey == nil && e.vault != nil {
+			var relayerSecret struct {
+				PrivateKey *ecdsa.PrivateKey `fig:"private_key,required"`
+			}
+
+			err := e.vault.FigureOutSecret(relayerSecretName, &relayerSecret, false)
+			if err != nil {
+				panic(errors.Wrap(err, "failed to figure out relayer secret"))
+			}
 
-		result.nonce, err = result.RPC.NonceAt(context.Background(), crypto.PubkeyToAddress(result.PrivateKey.PublicKey), nil)
+			result.PrivateKey = relayerSecret.PrivateKey
+		}
+		nonce, err := result.RPC.NonceAt(context.Background(), crypto.PubkeyToAddress(result.PrivateKey.PublicKey), nil)
 		if err != nil {
 			panic(errors.Wrap(err, "failed to get nonce"))
 		}
+		result.nonce = nonce
 		result.Address = networkConfig.Address
 		result.mut = &sync.Mutex{}
 		result.Block = networkConfig.Block
@@ -137,43 +147,3 @@ func (n *VotingV2Config) ResetNonce(client *ethclient.Client) error {
 	n.nonce = nonce
 	return nil
 }
-
-func extractPrivateKey(vaultAddress, vaultMountPath string) *ecdsa.PrivateKey {
-	conf := vaultapi.DefaultConfig()
-	conf.Address = vaultAddress
-
-	vaultClient, err := vaultapi.NewClient(conf)
-	if err != nil {
-		panic(errors.Wrap(err, "failed to initialize new client"))
-	}
-
-	token := struct {
-		Token string `dig:"VAULT_TOKEN,clear"`
-	}{}
-
-	err = dig.Out(&token).Now()
-	if err != nil {
-		panic(errors.Wrap(err, "failed to dig out token"))
-	}
-
-	vaultClient.SetToken(token.Token)
-
-	secret, err := vaultClient.KVv2(vaultMountPath).Get(context.Background(), "relayer")
-	if err != nil {
-		panic(errors.Wrap(err, "failed to get secret"))
-	}
-
-	vaultRelayerConf := struct {
-		PrivateKey *ecdsa.PrivateKey `fig:"private_key,required"`
-	}{}
-
-	if err := figure.
-		Out(&vaultRelayerConf).
-		With(figure.EthereumHooks).
-		From(secret.Data).
-		Please(); err != nil {
-		panic(errors.Wrap(err, "failed to figure out"))
-	}
-
-	return vaultRelayerConf.PrivateKey
-}