smartnode/addons/rescue_node/addon.go at 6eeb11a20eadee211810aa90eadc811cecfa8193 · rocket-pool/smartnode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
package rescue_node

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"os"
	"time"

	"github.com/ethereum/go-ethereum/common"
	"google.golang.org/protobuf/proto"

	"github.com/rocket-pool/smartnode/addons/rescue_node/pb"
	"github.com/rocket-pool/smartnode/shared/types/addons"
	cfgtypes "github.com/rocket-pool/smartnode/shared/types/config"
)

const (
	colorReset  string = "\033[0m"
	colorRed    string = "\033[31m"
	colorGreen  string = "\033[32m"
	colorYellow string = "\033[33m"
	colorBlue   string = "\033[36m"

	soloAuthValidity = 10 * time.Hour * 24
	rpAuthValidity   = 15 * time.Hour * 24
)

type credentialDetails struct {
	solo   bool
	issued time.Time
}

func (c *credentialDetails) GetTimeLeft() time.Duration {

	if c.solo {
		return time.Until(c.issued.Add(soloAuthValidity))
	}

	return time.Until(c.issued.Add(rpAuthValidity))
}

type RescueNode struct {
	cfg *RescueNodeConfig `yaml:"config,omitempty"`
}

func NewRescueNode() addons.SmartnodeAddon {
	return &RescueNode{
		cfg: NewConfig(),
	}
}

func (r *RescueNode) GetName() string {
	return "Rescue Node"
}

func (r *RescueNode) GetConfig() cfgtypes.Config {
	return r.cfg
}

func (r *RescueNode) GetContainerName() string {
	return ""
}

func (r *RescueNode) GetContainerTag() string {
	return ""
}

func (r *RescueNode) GetDescription() string {
	return `Rocket Rescue Node

The Rocket Rescue Node is a community-run, trust-minimized, and secured fallback node for emergencies and maintenance.

For more information, see https://rescuenode.com`
}

func (r *RescueNode) GetEnabledParameter() *cfgtypes.Parameter {
	return &r.cfg.Enabled
}

func (r *RescueNode) UpdateEnvVars(envVars map[string]string) error {
	return nil
}

func (r *RescueNode) getCredentialDetails() (*credentialDetails, error) {
	if !r.cfg.Enabled.Value.(bool) {
		panic("getCredentialDetails() should not be called without checking if RN plugin is enabled")
	}

	password := r.cfg.Password.Value.(string)
	if password == "" {
		return nil, fmt.Errorf("Rescue Node enabled, but no Username provided")
	}

	protoBytes, err := base64.URLEncoding.DecodeString(password)
	if err != nil {
		return nil, fmt.Errorf("Rescue Node enabled, but Password is not valid - error decoding base64: %w", err)
	}

	// To avoid a dependency on Rescue Node code, we will parse the protobuf by hand.
	msg := new(pb.AuthenticatedCredential)
	err = proto.Unmarshal(protoBytes, msg)
	if err != nil {
		return nil, fmt.Errorf("Rescue Node enabled, but Password is not valid - error decoding proto: %w", err)
	}

	return &credentialDetails{
		solo:   msg.Credential.OperatorType == pb.OperatorType_OT_SOLO,
		issued: time.Unix(msg.Credential.Timestamp, 0),
	}, nil
}

func (r *RescueNode) getCredentialNodeId() (*common.Address, error) {
	if !r.cfg.Enabled.Value.(bool) {
		panic("getCredentialNodeId() should not be called without checking if RN plugin is enabled")
	}

	username := r.cfg.Username.Value.(string)
	if username == "" {
		return nil, fmt.Errorf("Rescue Node enabled, but no Username provided")
	}

	addr, err := base64.URLEncoding.DecodeString(username)
	if err != nil {
		return nil, fmt.Errorf("Rescue Node enabled, but Username is not valid - error decoding base64: %w", err)
	}

	out := common.BytesToAddress(addr)
	return &out, nil
}

func (r *RescueNode) PrintStatusText(nodeAddr common.Address) {
	if !r.cfg.Enabled.Value.(bool) {
		return
	}

	fmt.Printf("%s=== Rescue Node Add-on Enabled ===%s\n", colorYellow, colorReset)
	// Check the Username
	usernameNodeAddr, err := r.getCredentialNodeId()
	if err != nil {
		fmt.Printf("%s%v%s\n", colorRed, err, colorReset)
	} else {
		fmt.Printf("Using a credential issued to %s%s%s.\n", colorBlue, usernameNodeAddr.String(), colorReset)
		if !bytes.Equal(usernameNodeAddr.Bytes(), nodeAddr.Bytes()) {
			fmt.Printf("%s - WARNING: This does not match the Node Account!%s\n", colorYellow, colorReset)
		}
	}

	credentialDetails, err := r.getCredentialDetails()
	if err != nil {
		fmt.Printf("%s%v%s\n", colorRed, err, colorReset)
	} else {
		if credentialDetails.solo {
			fmt.Printf("%s - WARNING: This credential was issued to a solo staker!%s\n", colorYellow, colorReset)
		}

		timeLeft := credentialDetails.GetTimeLeft().Truncate(time.Second)
		if timeLeft < 0 {
			fmt.Printf("%sWARNING: This credential expired %s ago!%s\n", colorRed, timeLeft.String(), colorReset)
		} else if timeLeft < time.Hour*24 {
			fmt.Printf("%sWARNING: This credential expires in %s!%s\n", colorYellow, timeLeft.String(), colorReset)
		} else {
			fmt.Printf("%sThis credential expires in %s.%s\n", colorGreen, timeLeft.String(), colorReset)
		}
	}
}

func (r *RescueNode) ApplyValidatorOverrides(cc cfgtypes.ConsensusClient) (func(), error) {
	nop := func() {}
	if !r.cfg.Enabled.Value.(bool) {
		return nop, nil
	}

	username := r.cfg.Username.Value.(string)
	password := r.cfg.Password.Value.(string)

	if username == "" || password == "" {
		return nop, fmt.Errorf("Rescue Node can not be enabled without a Username and Password configured.")
	}

	switch cc {
	case cfgtypes.ConsensusClient_Unknown:
		return nop, fmt.Errorf("Unable to generate rescue node URLs for unknown consensus client")
	case cfgtypes.ConsensusClient_Lighthouse,
		cfgtypes.ConsensusClient_Nimbus,
		cfgtypes.ConsensusClient_Lodestar,
		cfgtypes.ConsensusClient_Teku:

		rescueURL := fmt.Sprintf("https://%s:%s@%s.rescuenode.com", username, password, cc)

		oldCC := os.Getenv("CC_API_ENDPOINT")
		cleanup := func() {
			os.Setenv("CC_API_ENDPOINT", oldCC)
		}
		os.Setenv("CC_API_ENDPOINT", rescueURL)
		return cleanup, nil
	case cfgtypes.ConsensusClient_Prysm:
		extraFlags := fmt.Sprintf("--grpc-headers=rprnauth=%s:%s --tls-cert=/etc/ssl/certs/ca-certificates.crt", username, password)

		oldExtraFlags := os.Getenv("VC_ADDITIONAL_FLAGS")
		if oldExtraFlags != "" {
			extraFlags = fmt.Sprintf("%s %s", oldExtraFlags, extraFlags)
		}

		oldCC := os.Getenv("CC_RPC_ENDPOINT")

		cleanup := func() {
			os.Setenv("CC_RPC_ENDPOINT", oldCC)
			os.Setenv("VC_ADDITIONAL_FLAGS", oldExtraFlags)
		}
		os.Setenv("CC_RPC_ENDPOINT", "prysm-grpc.rescuenode.com:443")
		os.Setenv("VC_ADDITIONAL_FLAGS", extraFlags)

		return cleanup, nil
	}

	return nop, nil
}