Fix S3 proof pushing (#13)

* Fix S3 proof pushing * Support AWS in getAgentVars * Add staging output-agent-env-vars
3 years ago · b6caa0da55
parent a3c08207a3
commit b6caa0da55
3 changed files with 79 additions and 36 deletions
--- a/rust/agents/processor/src/push.rs
+++ b/rust/agents/processor/src/push.rs
@ -1,11 +1,12 @@
 use std::time::Duration;

+use ethers::utils::keccak256;
 use rusoto_core::{credential::EnvironmentProvider, HttpClient, Region, RusotoError};
 use rusoto_s3::{GetObjectError, GetObjectRequest, PutObjectRequest, S3Client, S3};

 use color_eyre::eyre::{bail, eyre, Result};

-use optics_core::{accumulator::merkle::Proof, db::OpticsDB, Encode};
+use optics_core::{accumulator::merkle::Proof, db::OpticsDB};
 use tokio::{task::JoinHandle, time::sleep};
 use tracing::{debug, info, info_span, instrument::Instrumented, Instrument};

@ -118,11 +119,10 @@ impl Pusher {
                        let message = self
                            .db
                            .message_by_leaf_index(index)?
+                            .map(|message| message.message)
                            .ok_or_else(|| eyre!("Missing message for known proof"))?;
-                        let proven = ProvenMessage {
-                            proof,
-                            message: message.to_vec(),
-                        };
+                        debug_assert_eq!(keccak256(&message), *proof.leaf.as_fixed_bytes());
+                        let proven = ProvenMessage { proof, message };
                        // upload if not already present
                        if !self.already_uploaded(&proven).await? {
                            self.upload_proof(&proven).await?;
--- a/typescript/optics-deploy/scripts/staging-community/output-agent-env-vars.ts
+++ b/typescript/optics-deploy/scripts/staging-community/output-agent-env-vars.ts
@ -0,0 +1,16 @@
+import { writeFile } from "fs/promises";
+import { getAgentEnvVars } from "../../src/agents"
+import { agentConfig, configs } from './agentConfig';
+
+async function main() {
+  const args = process.argv.slice(2)
+  if (args.length != 3) {
+    throw new Error("unknown arguments, usage: cmd network role filePath")
+  }
+  // @ts-ignore
+  const envVars = await getAgentEnvVars(args[0], args[1], agentConfig, configs)
+
+  await writeFile(args[2], envVars.join('\n'))
+}
+
+main().then(console.log).catch(console.error)
--- a/typescript/optics-deploy/src/agents.ts
+++ b/typescript/optics-deploy/src/agents.ts
@ -155,6 +155,24 @@ function include(condition: boolean, data: any) {
  return condition ? data : {};
 }

+const awsSignerCredentials = (role: KEY_ROLE_ENUM, agentConfig: AgentConfig, homeChainName: string) => {
+    // When staging-community was deployed, we mixed up the attestation and signer keys, so we have to switch for this environment
+    const adjustedRole =
+      agentConfig.environment === 'staging-community' &&
+      role === KEY_ROLE_ENUM.UpdaterAttestation
+        ? KEY_ROLE_ENUM.UpdaterSigner
+        : agentConfig.environment === 'staging-community' &&
+          role === KEY_ROLE_ENUM.UpdaterSigner
+        ? KEY_ROLE_ENUM.UpdaterAttestation
+        : role;
+    return {
+      aws: {
+        keyId: `alias/${agentConfig.runEnv}-${homeChainName}-${adjustedRole}`,
+        region: agentConfig.awsRegion,
+      },
+    };
+};
+
 async function helmValuesForChain(
  chainName: string,
  agentConfig: AgentConfig,
@ -178,21 +196,7 @@ async function helmValuesForChain(
    if (!!gcpKeys) {
      return { hexKey: strip0x(gcpKeys![role].privateKey) };
    } else {
-      // When staging-community was deployed, we mixed up the attestation and signer keys, so we have to switch for this environment
-      const adjustedRole =
-        agentConfig.environment === 'staging-community' &&
-        role === KEY_ROLE_ENUM.UpdaterAttestation
-          ? KEY_ROLE_ENUM.UpdaterSigner
-          : agentConfig.environment === 'staging-community' &&
-            role === KEY_ROLE_ENUM.UpdaterSigner
-          ? KEY_ROLE_ENUM.UpdaterAttestation
-          : role;
-      return {
-        aws: {
-          keyId: `alias/${agentConfig.runEnv}-${chainName}-${adjustedRole}`,
-          region: agentConfig.awsRegion,
-        },
-      };
+      return awsSignerCredentials(role, agentConfig, chainName)
    }
  };

@ -273,9 +277,7 @@ export async function getAgentEnvVars(
  agentConfig: AgentConfig,
  configs: AgentChainConfigs,
 ) {
-  const gcpKeys = await getAgentGCPKeys(agentConfig.environment);
  const valueDict = await helmValuesForChain(home, agentConfig, configs);
-
  const envVars: string[] = [];

  // Base vars from config map
@ -292,22 +294,47 @@ export async function getAgentEnvVars(
    );
  });

-  // Signer key
-  Object.keys(configs).forEach((network) => {
-    envVars.push(
-      `OPT_BASE_SIGNERS_${network.toUpperCase()}_KEY=${strip0x(
-        gcpKeys[role].privateKey,
-      )}`,
-    );
-  });
+  try {
+    const gcpKeys = await getAgentGCPKeys(agentConfig.environment);
+    // Signer keys
+    Object.keys(configs).forEach((network) => {
+      envVars.push(
+        `OPT_BASE_SIGNERS_${network.toUpperCase()}_KEY=${strip0x(
+          gcpKeys[role].privateKey,
+        )}`,
+      );
+    });

-  if (role.startsWith('updater')) {
-    envVars.push(
-      `OPT_BASE_UPDATER_KEY=${strip0x(
-        gcpKeys[KEY_ROLE_ENUM.UpdaterAttestation].privateKey,
-      )}`,
-    );
+    // Updater attestation key
+    if (role.startsWith('updater')) {
+      envVars.push(
+        `OPT_BASE_UPDATER_KEY=${strip0x(
+          gcpKeys[KEY_ROLE_ENUM.UpdaterAttestation].privateKey,
+        )}`,
+      );
+    }
+  } catch (error) {
+    // Keys are in AWS
+    envVars.push(`AWS_ACCESS_KEY_ID=${valueDict.optics.aws.accessKeyId}`)
+    envVars.push(`AWS_SECRET_ACCESS_KEY=${valueDict.optics.aws.secretAccessKey}`)
+
+    // Signers
+    Object.keys(configs).forEach((network) => {
+      const awsSigner = awsSignerCredentials(role, agentConfig, home)
+      envVars.push(`OPT_BASE_SIGNERS_${network.toUpperCase()}_TYPE=aws`)
+      envVars.push(`OPT_BASE_SIGNERS_${network.toUpperCase()}_ID=${awsSigner.aws.keyId}`)
+      envVars.push(`OPT_BASE_SIGNERS_${network.toUpperCase()}_REGION=${awsSigner.aws.region}`)
+    })
+
+    // Updater attestation key
+    if (role.startsWith('updater')) {
+      const awsSigner = awsSignerCredentials(role, agentConfig, home)
+      envVars.push(`OPT_BASE_UPDATER_TYPE=aws`)
+      envVars.push(`OPT_BASE_UPDATER_ID=${awsSigner.aws.keyId}`)
+      envVars.push(`OPT_BASE_UPDATER_REGION=${awsSigner.aws.region}`)
+    }
  }
+
  return envVars;
 }