Merge pull request #4 from bobanetwork/wsdt/fix-dev-prod

feat: Add Prod mode for AWS KMS

.env.example

@@ -1,3 +1,5 @@
+# dev = development, prod = productive
+LIGHTBRIDGE_ENV=dev
 # dev=false, prod=true
 LIGHTBRIDGE_REJECT_UNAUTHORIZED=false
 # Main rpc this service is running on
@@ -38,3 +40,4 @@ LIGHTBRIDGE_AIRDROP_ENABLED=false
 LIGHTBRIDGE_POLLING_INTERVAL=
 LIGHTBRIDGE_BLOCK_RANGE_PER_POLLING=
 
+

README.md

@@ -22,6 +22,7 @@ All configuration is done via environment variables. See all variables at [.env.
 | LIGHTBRIDGE_POSTGRES_DB                 | The database name                                  | postgres        |
 | LIGHTBRIDGE_POSTGRES_PORT               | The database port                                  | 5432            |
 | LIGHTBRIDGE_POSTGRES_USER               | The database user                                  | postgres        |
+| LIGHTBRIDGE_ENV                         | The environment mode (dev or prod)                 | dev             |
 
 ## Building & Running
 

docker-compose.test.yml

@@ -24,6 +24,7 @@ services:
       RPC_URL: "http://anvil:8545"
       LIGHTBRIDGE_REJECT_UNAUTHORIZED: "true"
       # KMS setup (incl. defaults)
+      LIGHTBRIDGE_ENV: "dev"
       LIGHTBRIDGE_AWS_KMS_ACCESS_KEY: "1"
       LIGHTBRIDGE_AWS_KMS_SECRET_KEY: "2"
       LIGHTBRIDGE_AWS_KMS_KEY_ID: "lb_disburser_pk"

docker-compose.yml

@@ -13,6 +13,7 @@ services:
     environment:
       RPC_URL: "${RPC_URL:-https://replica.goerli.boba.network}"
       # KMS setup (incl. defaults)
+      LIGHTBRIDGE_ENV: "dev"
       LIGHTBRIDGE_AWS_KMS_ACCESS_KEY: "${LIGHTBRIDGE_AWS_KMS_ACCESS_KEY:-1}"
       LIGHTBRIDGE_AWS_KMS_SECRET_KEY: "${LIGHTBRIDGE_AWS_KMS_SECRET_KEY:-2}"
       LIGHTBRIDGE_AWS_KMS_KEY_ID: "${LIGHTBRIDGE_AWS_KMS_KEY_ID:-lb_disburser_pk}"

src/exec/run.ts

@@ -39,6 +39,13 @@ const main = async () => {
   })
 
   const env = process.env
+
+  if (env.LIGHTBRIDGE_ENV !== 'dev' && env.LIGHTBRIDGE_ENV !== 'prod') {
+    throw Error('must define env: LIGHTBRIDGE_ENV either dev or prod')
+  }
+
+  const envModeIsDevelopment = env.LIGHTBRIDGE_ENV === 'dev'
+
   const RPC_URL = config.str('l2-node-web3-url', env.RPC_URL)
   // This private key is used to send funds to the contract and initiate the tx,
   // so it should have enough BOBA balance
@@ -93,11 +100,12 @@ const main = async () => {
     throw new Error('Must pass RPC_URL')
   }
   if (
-    !LIGHTBRIDGE_AWS_KMS_ACCESS_KEY ||
-    !LIGHTBRIDGE_AWS_KMS_SECRET_KEY ||
-    !LIGHTBRIDGE_AWS_KMS_KEY_ID ||
-    !LIGHTBRIDGE_AWS_KMS_ENDPOINT ||
-    !LIGHTBRIDGE_AWS_KMS_REGION
+    envModeIsDevelopment &&
+    (!LIGHTBRIDGE_AWS_KMS_ACCESS_KEY ||
+      !LIGHTBRIDGE_AWS_KMS_SECRET_KEY ||
+      !LIGHTBRIDGE_AWS_KMS_KEY_ID ||
+      !LIGHTBRIDGE_AWS_KMS_ENDPOINT ||
+      !LIGHTBRIDGE_AWS_KMS_REGION)
   ) {
     throw new Error('Must pass TELEPORTATION AWS CONFIG ENV')
   }
@@ -134,11 +142,17 @@ const main = async () => {
     pollingInterval: POLLING_INTERVAL,
     blockRangePerPolling: BLOCK_RANGE_PER_POLLING,
     awsConfig: {
-      awsKmsAccessKey: LIGHTBRIDGE_AWS_KMS_ACCESS_KEY,
-      awsKmsSecretKey: LIGHTBRIDGE_AWS_KMS_SECRET_KEY,
+      awsKmsAccessKey: envModeIsDevelopment
+        ? LIGHTBRIDGE_AWS_KMS_ACCESS_KEY
+        : null,
+      awsKmsSecretKey: envModeIsDevelopment
+        ? LIGHTBRIDGE_AWS_KMS_SECRET_KEY
+        : null,
       awsKmsKeyId: LIGHTBRIDGE_AWS_KMS_KEY_ID,
       awsKmsRegion: LIGHTBRIDGE_AWS_KMS_REGION,
-      awsKmsEndpoint: LIGHTBRIDGE_AWS_KMS_ENDPOINT,
+      awsKmsEndpoint: envModeIsDevelopment
+        ? LIGHTBRIDGE_AWS_KMS_ENDPOINT
+        : null,
     },
     airdropConfig: {
       airdropAmountWei: LIGHTBRIDGE_AIRDROP_GAS_AMOUNT_WEI,

src/service.ts

@@ -86,7 +86,10 @@ export class LightBridgeService extends BaseService<TeleportationOptions> {
     })
 
     this.logger.info('Initializing KMSSigner...')
-    this.state.KMSSigner = new KMSSigner(this.options.awsConfig)
+    this.state.KMSSigner = new KMSSigner(
+      this.options.awsConfig,
+      process.env.LIGHTBRIDGE_ENV === 'dev'
+    )
 
     this.logger.info('Connecting to Teleportation contract...')
     this.state.Teleportation = await getBobaContractAt(

src/utils/kms-signing.ts

@@ -21,8 +21,8 @@ import {
 export interface IKMSSignerConfig {
   awsKmsEndpoint: string
   awsKmsRegion: string
-  awsKmsAccessKey: string
-  awsKmsSecretKey: string
+  awsKmsAccessKey?: string
+  awsKmsSecretKey?: string
   awsKmsKeyId: string
   /** @dev Should always be enabled, but can be helpful for debugging and unit tests, .. */
   disableDisburserCheck?: boolean
@@ -32,22 +32,29 @@ export class KMSSigner {
   private kmsClient: KMSClient
   private readonly kmsKeyId: string
 
-  constructor(kmsSignerConfig: IKMSSignerConfig) {
+  constructor(kmsSignerConfig: IKMSSignerConfig, isDevelopment = true) {
     const {
       awsKmsEndpoint,
       awsKmsKeyId,
       awsKmsRegion,
       awsKmsSecretKey,
       awsKmsAccessKey,
     } = kmsSignerConfig
-    this.kmsClient = new KMSClient({
-      region: awsKmsRegion,
-      endpoint: awsKmsEndpoint,
-      credentials: {
-        accessKeyId: awsKmsAccessKey, // credentials for your IAM user with KMS access
-        secretAccessKey: awsKmsSecretKey, // credentials for your IAM user with KMS access
-      },
-    })
+    if (isDevelopment) {
+      this.kmsClient = new KMSClient({
+        region: awsKmsRegion,
+        endpoint: awsKmsEndpoint,
+        credentials: {
+          accessKeyId: awsKmsAccessKey, // credentials for your IAM user with KMS access
+          secretAccessKey: awsKmsSecretKey, // credentials for your IAM user with KMS access
+        },
+      })
+    } else {
+      this.kmsClient = new KMSClient({
+        region: awsKmsRegion,
+      })
+    }
+
     this.kmsKeyId = awsKmsKeyId
   }