feat(signer): store proxy keys and delegations (#166)

* add proxy store * refactor exports * config and cli init * docs * clippy
Commit-Boost · Nov 2, 2024 · 62d6428 · 62d6428
1 parent a293bdb
commit 62d6428
Show file tree

Hide file tree

Showing 19 changed files with 370 additions and 81 deletions.
diff --git a/config.example.toml b/config.example.toml
@@ -102,6 +102,12 @@ key_path = "./keys.example.json"
 # keys_path = ""
 # ValidatorsDir: path to the secrets directory
 # secrets_path = ""
+# Configuration for how the Signer module should store proxy delegations. Currently one type of store is supported:
+#   - File: store keys and delegations from a plain text file (unsafe, use only for testing purposes)
+# OPTIONAL, if missing proxies are lost on restart
+[signer.store]
+# File: path to the keys file
+proxy_dir = "./proxies"
 
 # Commit-Boost can optionally run "modules" which extend the capabilities of the sidecar.
 # Currently, two types of modules are supported:

diff --git a/crates/cli/src/docker_init.rs b/crates/cli/src/docker_init.rs
@@ -4,11 +4,12 @@ use cb_common::{
     config::{
         CommitBoostConfig, LogsSettings, ModuleKind, BUILDER_PORT_ENV, BUILDER_URLS_ENV,
         CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV, JWTS_ENV, LOGS_DIR_DEFAULT, LOGS_DIR_ENV,
-        METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, PBS_MODULE_NAME, SIGNER_DEFAULT,
-        SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS, SIGNER_DIR_SECRETS_ENV,
-        SIGNER_KEYS_ENV, SIGNER_MODULE_NAME, SIGNER_PORT_ENV, SIGNER_URL_ENV,
+        METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, PBS_MODULE_NAME, PROXY_DIR_DEFAULT,
+        PROXY_DIR_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV,
+        SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME,
+        SIGNER_PORT_ENV, SIGNER_URL_ENV,
     },
-    loader::SignerLoader,
+    signer::{ProxyStore, SignerLoader},
     types::ModuleId,
     utils::random_jwt,
 };
@@ -299,27 +300,47 @@ pub fn handle_docker_init(config_path: String, output_dir: String) -> Result<()>
 
             match signer_config.loader {
                 SignerLoader::File { key_path } => {
-                    volumes.push(Volumes::Simple(format!("./{}:{}:ro", key_path, SIGNER_DEFAULT)));
+                    volumes.push(Volumes::Simple(format!(
+                        "{}:{}:ro",
+                        key_path.display(),
+                        SIGNER_DEFAULT
+                    )));
                     let (k, v) = get_env_val(SIGNER_KEYS_ENV, SIGNER_DEFAULT);
                     signer_envs.insert(k, v);
                 }
                 SignerLoader::ValidatorsDir { keys_path, secrets_path } => {
                     volumes.push(Volumes::Simple(format!(
                         "{}:{}:ro",
-                        keys_path, SIGNER_DIR_KEYS_DEFAULT
+                        keys_path.display(),
+                        SIGNER_DIR_KEYS_DEFAULT
                     )));
                     let (k, v) = get_env_val(SIGNER_DIR_KEYS_ENV, SIGNER_DIR_KEYS_DEFAULT);
                     signer_envs.insert(k, v);
 
                     volumes.push(Volumes::Simple(format!(
                         "{}:{}:ro",
-                        secrets_path, SIGNER_DIR_SECRETS
+                        secrets_path.display(),
+                        SIGNER_DIR_SECRETS_DEFAULT
                     )));
-                    let (k, v) = get_env_val(SIGNER_DIR_SECRETS_ENV, SIGNER_DIR_SECRETS);
+                    let (k, v) = get_env_val(SIGNER_DIR_SECRETS_ENV, SIGNER_DIR_SECRETS_DEFAULT);
                     signer_envs.insert(k, v);
                 }
             };
 
+            if let Some(store) = signer_config.store {
+                match store {
+                    ProxyStore::File { proxy_dir } => {
+                        volumes.push(Volumes::Simple(format!(
+                            "{}:{}:rw",
+                            proxy_dir.display(),
+                            PROXY_DIR_DEFAULT
+                        )));
+                        let (k, v) = get_env_val(PROXY_DIR_ENV, PROXY_DIR_DEFAULT);
+                        signer_envs.insert(k, v);
+                    }
+                }
+            }
+
             volumes.extend(get_log_volume(&cb_config.logs, SIGNER_MODULE_NAME));
 
             // networks

diff --git a/crates/common/src/commit/client.rs b/crates/common/src/commit/client.rs
@@ -15,10 +15,7 @@ use super::{
     },
 };
 use crate::{
-    signer::{
-        schemes::{bls::BlsPublicKey, ecdsa::EcdsaSignature},
-        EcdsaPublicKey,
-    },
+    signer::{BlsPublicKey, EcdsaPublicKey, EcdsaSignature},
     DEFAULT_REQUEST_TIMEOUT,
 };
 

diff --git a/crates/common/src/commit/request.rs b/crates/common/src/commit/request.rs
@@ -10,7 +10,7 @@ use crate::{
     constants::COMMIT_BOOST_DOMAIN,
     error::BlstErrorWrapper,
     signature::verify_signed_message,
-    signer::schemes::{bls::BlsPublicKey, ecdsa::EcdsaPublicKey},
+    signer::{BlsPublicKey, EcdsaPublicKey},
     types::Chain,
 };
 

diff --git a/crates/common/src/config/constants.rs b/crates/common/src/config/constants.rs
@@ -41,7 +41,10 @@ pub const SIGNER_DIR_KEYS_ENV: &str = "CB_SIGNER_LOADER_KEYS_DIR";
 pub const SIGNER_DIR_KEYS_DEFAULT: &str = "/keys";
 /// Path to `secrets` folder
 pub const SIGNER_DIR_SECRETS_ENV: &str = "CB_SIGNER_LOADER_SECRETS_DIR";
-pub const SIGNER_DIR_SECRETS: &str = "/secrets";
+pub const SIGNER_DIR_SECRETS_DEFAULT: &str = "/secrets";
+/// Path to store proxies
+pub const PROXY_DIR_ENV: &str = "CB_PROXY_STORE_DIR";
+pub const PROXY_DIR_DEFAULT: &str = "/proxies";
 
 ///////////////////////// MODULES /////////////////////////
 

diff --git a/crates/common/src/config/signer.rs b/crates/common/src/config/signer.rs
@@ -8,7 +8,7 @@ use super::{
     CommitBoostConfig, SIGNER_PORT_ENV,
 };
 use crate::{
-    loader::SignerLoader,
+    signer::{ProxyStore, SignerLoader},
     types::{Chain, Jwt, ModuleId},
 };
 
@@ -19,6 +19,8 @@ pub struct SignerConfig {
     pub docker_image: String,
     /// Which keys to load
     pub loader: SignerLoader,
+    /// How to store keys
+    pub store: Option<ProxyStore>,
 }
 
 fn default_signer() -> String {
@@ -29,6 +31,7 @@ fn default_signer() -> String {
 pub struct StartSignerConfig {
     pub chain: Chain,
     pub loader: SignerLoader,
+    pub store: Option<ProxyStore>,
     pub server_port: u16,
     pub jwts: BiHashMap<ModuleId, Jwt>,
 }
@@ -40,11 +43,14 @@ impl StartSignerConfig {
         let jwts = load_jwts()?;
         let server_port = load_env_var(SIGNER_PORT_ENV)?.parse()?;
 
+        let signer_config = config.signer.expect("Signer config is missing");
+
         Ok(StartSignerConfig {
             chain: config.chain,
-            loader: config.signer.expect("Signer config is missing").loader,
+            loader: signer_config.loader,
             server_port,
             jwts,
+            store: signer_config.store,
         })
     }
 }
diff --git a/crates/common/src/lib.rs b/crates/common/src/lib.rs
@@ -4,7 +4,6 @@ pub mod commit;
 pub mod config;
 pub mod constants;
 pub mod error;
-pub mod loader;
 pub mod pbs;
 pub mod signature;
 pub mod signer;

diff --git a/crates/common/src/signature.rs b/crates/common/src/signature.rs
@@ -5,7 +5,7 @@ use tree_hash_derive::TreeHash;
 use crate::{
     constants::{COMMIT_BOOST_DOMAIN, GENESIS_VALIDATORS_ROOT},
     error::BlstErrorWrapper,
-    signer::{schemes::bls::verify_bls_signature, BlsSecretKey},
+    signer::{verify_bls_signature, BlsSecretKey},
     types::Chain,
 };
 

diff --git a/crates/common/src/loader.rs → crates/common/src/signer/loader.rs b/crates/common/src/loader.rs → crates/common/src/signer/loader.rs
@@ -1,4 +1,4 @@
-use std::fs;
+use std::{fs, path::PathBuf};
 
 use alloy::{primitives::hex::FromHex, rpc::types::beacon::BlsPublicKey};
 use eth2_keystore::Keystore;
@@ -15,11 +15,11 @@ use crate::{
 pub enum SignerLoader {
     /// Plain text, do not use in prod
     File {
-        key_path: String,
+        key_path: PathBuf,
     },
     ValidatorsDir {
-        keys_path: String,
-        secrets_path: String,
+        keys_path: PathBuf,
+        secrets_path: PathBuf,
     },
 }
 

diff --git a/crates/common/src/signer/mod.rs b/crates/common/src/signer/mod.rs
@@ -1,8 +1,11 @@
-pub mod schemes;
+mod loader;
+mod schemes;
+mod store;
+mod types;
 
-pub use schemes::{
-    bls::{BlsPublicKey, BlsSecretKey, BlsSignature, BlsSigner},
-    ecdsa::{EcdsaPublicKey, EcdsaSecretKey, EcdsaSignature, EcdsaSigner},
-};
+pub use loader::*;
+pub use schemes::*;
+pub use store::*;
+pub use types::*;
 
 pub type ConsensusSigner = BlsSigner;
diff --git a/crates/common/src/signer/schemes/bls.rs b/crates/common/src/signer/schemes/bls.rs
@@ -57,6 +57,12 @@ impl BlsSigner {
         }
     }
 
+    pub fn secret(&self) -> [u8; 32] {
+        match self {
+            BlsSigner::Local(secret) => secret.clone().to_bytes(),
+        }
+    }
+
     pub async fn sign(&self, chain: Chain, object_root: [u8; 32]) -> BlsSignature {
         match self {
             BlsSigner::Local(sk) => sign_commit_boost_root(chain, sk, object_root),

diff --git a/crates/common/src/signer/schemes/ecdsa.rs b/crates/common/src/signer/schemes/ecdsa.rs
@@ -162,6 +162,12 @@ impl EcdsaSigner {
         }
     }
 
+    pub fn secret(&self) -> Vec<u8> {
+        match self {
+            EcdsaSigner::Local(secret) => secret.to_bytes().to_vec(),
+        }
+    }
+
     pub async fn sign(&self, chain: Chain, object_root: [u8; 32]) -> EcdsaSignature {
         match self {
             EcdsaSigner::Local(sk) => {

diff --git a/crates/common/src/signer/schemes/mod.rs b/crates/common/src/signer/schemes/mod.rs
@@ -1,2 +1,5 @@
-pub mod bls;
-pub mod ecdsa;
+mod bls;
+mod ecdsa;
+
+pub use bls::*;
+pub use ecdsa::*;