diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ac63fc7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.idea
+dist/**
+!dist/setup.sh
+!dist/sr.sh
diff --git a/README.md b/README.md
index 6e901f9..224a5f0 100644
--- a/README.md
+++ b/README.md
@@ -1,47 +1,78 @@
# cyphernode
-Modular Bitcoin full-node microservices API server architecture and utilities toolkit to build scalable, secure and featureful apps and services without trusted third parties.
+Modular Bitcoin full-node microservices API server architecture and utilities toolkit to build scalable, secure and featureful apps and services without trusted third parties.
# What is cyphernode?
-An open-source self-hosted API which allows you to spawn and call your encrypted overlay network of dockerized Bitcoin and crypto software projects (virtual machines).
+Cyphernode is a Free open-source alternative to hosted services and commercial Bitcoin APIs such as Blockchain.info, Bitpay, Coinbase, BlockCypher, Bitgo, etc. You can use it to build Bitcoin services and applications using your own Bitcoin and Lightning Network full nodes. It is a substitute for the Bitcore and Insight software projects.
-You can use it to build Bitcoin services and applications using your own Bitcoin and Lightning Network full nodes.
+It implements a self-hosted API which allows you to spawn and call your encrypted overlay network of dockerized Bitcoin and crypto software projects (virtual machines). The Docker containers used in this project are hosted at www.bitcoindockers.com.
-It is an alternative to hosted services and commercial Bitcoin APIs such as Blockchain.info, Bitpay, Coinbase, Blocypher, Bitgo, etc.
-
-It is a substitute for the Bitcore and Insight software projects.
-
-If aims to offer all advanced features and utilities necessary to operate entreprise grade Bitcoin services. We provide a curated list of functions using multiple software, but you can build your own private ones or add yours as a default option in the project.
-
-It is designed to be deployed on virtual machines with launch scripts, but with efficiency and minimalism in mind so that it can also run on multiple Rasberry Pi with very low computing ressources (and extremely low if installing pre-synchronized blockchain and pruned). Because of the modular architecture, heavier modules like blockchain indexers are optional (and not needed for most commercial use-cases). For a full-node and all modules, prepare 350GB of space and 2GB of RAM.
-
-Hardware wallets (ColdCard, Trezor) will be utilized for key generation and signing (using PSBT BIP174), as well as for connecting to self-hosted web user interfaces.
+It aims to offer all advanced features and utilities necessary to operate entreprise-grade Bitcoin services. It includes a curated list of functions using multiple software, but you can build your own private ones or add yours as a default option in the project.
It is currently in production by Bylls.com, Canada's first and largest Bitcoin payment processor, as well as Bitcoin Outlet, a fixed-rate Bitcoin exchange service alternative to Coinbase which allows Canadians to purchase bitcoins sent directly to their own Bitcoin wallet.
-The docker containers used in this project are hosted at www.bitcoindockers.com
+The project is in **heavy development** - we are currently looking for reviews, new features, user feedback and contributors to our roadmap.
-The project is in **heavy development** - we are currently looking for review, new features, user feedback and contributors to our roadmap.
+
+
+# Low requirements, efficient use of resources
+
+Cyphernode is designed to be deployed on virtual machines with launch scripts, but with efficiency and minimalism in mind so that it can also run on multiple Rasberry Pi with very low computing ressources (and extremely low if installing pre-synchronized blockchain and pruned). Because of the modular architecture, heavier modules like blockchain indexers are optional (and not needed for most commercial use-cases).
+
+* For a full-node and all modules:
+ * 350 GB of storage, 2GB of RAM.
+* Hardware wallets (ColdCard, Trezor) for key generation and signing (using PSBT BIP174), as well as for connecting to self-hosted web user interfaces.
+
+# Cyphernode Architecture
+Cyphernode is an assembly of Docker containers being called by a request dispatcher.
+
+The request dispatcher (requesthandler.sh) is the HTTP entry point.
+The request dispatcher is stateful: it keeps some data to be more effective on next calls.
+The request dispatcher is where Cyphernode scales with new features: add your switch, dispatch requests to your stuff.
+We are trying to construct each container so that it can be used separately, as a standalone reusable component.
+
+Important to us:
+
+Be as optimized as possible, using Alpine when possible and having the smallest Docker image size possible
+Reuse existing software: built-in shell commands, well-established pieces of software, etc.
+Use open-source software
+Don't reinvent the wheel
+Expose the less possible surface
+Center element: proxy_docker
+The proxy_docker is the container receiving and dispatching calls from clients. When adding a feature to Cyphernode, it is the first part to be modified to integrate the new feature.
+
+proxy_docker/app/script/requesthandler.sh
+You will find in there the switch statement used to dispatch the requests. Just add a case block with your command, using other cases as examples for POST or GET requests.
+
+proxy_docker/app/config
+You will find there config files. config.properties should be used to centralize configs. spender and watcher properties are used to obfuscate credentials on curl calls.
+
+proxy_docker/app/data
+watching.sql contains the data model. Called "watching" because in the beginning of the project, it was only used for watching addresses. Now could be used to index the blockchain (build an explorer) and add more features.
+
+cron_docker
+If you have jobs to be scheduled, use this container. Just add an executable and add it to the crontab.
+
+Currently used to make sure callbacks have been called for missed transactions.
# About this project
-- Created and maintained by www.satoshiportal.com
-- Dedicated full-time developer @kexkey
-- Project manager @FrancisPouliot
-- Disclaimer: as of release on Sept. 23 2018 the project is still it its early stages (Alpha) and many of the features have yet to be implemented. The core architecture and basic wallet operations and blockchain query functions are fully functional.
+* Created and maintained by www.satoshiportal.com
+* Dedicated full-time developer @kexkey
+* Project manager @FrancisPouliot
+* Contributor: @\_\_escapee\_\_
+* Disclaimer: as of release on Sept. 23 2018 the project is still it its early stages (Alpha) and many of the features have yet to be implemented. The core architecture and basic wallet operations and blockchain query functions are fully functional.
# How to use cyphernode?
The core component of cyphernode is a request handler which exposes HTTP endpoints via REST API, acting as an absctration layer between your apps and the open-source Bitcoin sofware you want to interact with.
-## DOCS
+## Documentation
-Read the API docs here: https://github.com/SatoshiPortal/cyphernode/blob/master/doc/API.md
-
-Installation documentation: https://github.com/SatoshiPortal/cyphernode/blob/master/doc/INSTALL.md
-
-Step-by-step manual install: https://github.com/SatoshiPortal/cyphernode/blob/master/doc/INSTALL-MANUAL-STEPS.md
+* Read the API docs here: https://github.com/SatoshiPortal/cyphernode/blob/master/doc/API.md
+* Installation documentation: https://github.com/SatoshiPortal/cyphernode/blob/master/doc/INSTALL.md
+* Step-by-step manual install (deprecated): https://github.com/SatoshiPortal/cyphernode/blob/master/doc/INSTALL-MANUAL-STEPS.md
## When calling a cyphernode endpoint, you are either
diff --git a/api_auth_docker/Dockerfile b/api_auth_docker/Dockerfile
index 6a534f6..ab22ed9 100644
--- a/api_auth_docker/Dockerfile
+++ b/api_auth_docker/Dockerfile
@@ -11,12 +11,14 @@ RUN apk add --update --no-cache \
su-exec
COPY auth.sh /etc/nginx/conf.d/
-COPY default-ssl.conf /etc/nginx/conf.d/default.conf
-COPY statuspage.html /etc/nginx/conf.d/status/
+COPY default.conf /etc/nginx/conf.d/default.conf
COPY entrypoint.sh entrypoint.sh
COPY trace.sh /etc/nginx/conf.d/
COPY tests.sh /etc/nginx/conf.d/
RUN chmod +x /etc/nginx/conf.d/auth.sh entrypoint.sh
+RUN touch /var/log/gatekeeper.log
+RUN chmod a+rw /var/log/gatekeeper.log
+
ENTRYPOINT ["./entrypoint.sh"]
diff --git a/api_auth_docker/api-sample.properties b/api_auth_docker/api-sample.properties
index f78e34b..4d59d81 100644
--- a/api_auth_docker/api-sample.properties
+++ b/api_auth_docker/api-sample.properties
@@ -1,8 +1,22 @@
# The file api.properties generated by the installer should look like this.
-# Watcher can:
+# Stats can:
+action_helloworld=stats
+action_getblockchaininfo=stats
+action_installation_info=stats
+action_getmempoolinfo=stats
+action_getblockhash=stats
+
+# Watcher can do what the stats can do, plus:
action_watch=watcher
action_unwatch=watcher
+action_watchxpub=watcher
+action_unwatchxpubbyxpub=watcher
+action_unwatchxpubbylabel=watcher
+action_getactivewatchesbyxpub=watcher
+action_getactivewatchesbylabel=watcher
+action_getactivexpubwatches=watcher
+action_watchtxid=watcher
action_getactivewatches=watcher
action_getbestblockhash=watcher
action_getbestblockinfo=watcher
@@ -10,11 +24,16 @@ action_getblockinfo=watcher
action_gettransaction=watcher
action_ln_getinfo=watcher
action_ln_create_invoice=watcher
+action_ln_getconnectionstring=watcher
+action_ln_decodebolt11=watcher
# Spender can do what the watcher can do, plus:
action_getbalance=spender
+action_getbalancebyxpub=spender
+action_getbalancebyxpublabel=spender
action_getnewaddress=spender
action_spend=spender
+action_bumpfee=spender
action_addtobatch=spender
action_batchspend=spender
action_deriveindex=spender
@@ -23,11 +42,15 @@ action_ln_pay=spender
action_ln_newaddr=spender
action_ots_stamp=spender
action_ots_getfile=spender
+action_ln_getinvoice=spender
+action_ln_decodebolt11=spender
+action_ln_connectfund=spender
# Admin can do what the spender can do, plus:
# Should be called from inside the Docker network only:
action_conf=internal
+action_newblock=internal
action_executecallbacks=internal
action_ots_backoffice=internal
diff --git a/api_auth_docker/auth.sh b/api_auth_docker/auth.sh
old mode 100644
new mode 100755
index 8604f3a..7a543b9
--- a/api_auth_docker/auth.sh
+++ b/api_auth_docker/auth.sh
@@ -16,20 +16,19 @@
. ./trace.sh
-verify_sign()
-{
+verify_sign() {
local returncode
- local header64=$(echo ${1} | cut -sd '.' -f1)
- local payload64=$(echo ${1} | cut -sd '.' -f2)
- local signature=$(echo ${1} | cut -sd '.' -f3)
+ local header64=$(echo "${1}" | cut -sd '.' -f1)
+ local payload64=$(echo "${1}" | cut -sd '.' -f2)
+ local signature=$(echo "${1}" | cut -sd '.' -f3)
trace "[verify_sign] header64=${header64}"
trace "[verify_sign] payload64=${payload64}"
trace "[verify_sign] signature=${signature}"
- local payload=$(echo -n ${payload64} | base64 -d)
- local exp=$(echo ${payload} | jq ".exp")
+ local payload=$(echo -n "${payload64}" | base64 -d)
+ local exp=$(echo "${payload}" | jq ".exp")
local current=$(date +"%s")
trace "[verify_sign] payload=${payload}"
@@ -38,7 +37,7 @@ verify_sign()
if [ ${exp} -gt ${current} ]; then
trace "[verify_sign] Not expired, let's validate signature"
- local id=$(echo ${payload} | jq ".id" | tr -d '"')
+ local id=$(echo "${payload}" | jq -r ".id")
trace "[verify_sign] id=${id}"
# Check for code injection
@@ -82,38 +81,47 @@ verify_sign()
return 1
}
-verify_group()
-{
+verify_group() {
trace "[verify_group] Verifying group..."
local id=${1}
# REQUEST_URI should look like this: /v0/watch/2blablabla
+ local context=$(echo "${REQUEST_URI#\/}" | cut -d '/' -f1)
local action=$(echo "${REQUEST_URI#\/}" | cut -d '/' -f2)
- trace "[verify_group] action=${action}"
+ trace "[verify_group] context=${context} action=${action}"
# Check for code injection
# action can be alphanum... and _ and - but nothing else
- local actiontoinspect=$(echo "$action" | tr -d '_-')
+ local actiontoinspect=$(echo "$action" | tr -d '_-')
case $actiontoinspect in (*[![:alnum:]]*|"")
trace "[verify_group] Potential code injection, exiting"
return 1
esac
- # It is so much faster to include the keys here instead of grep'ing the file for key.
- . ./api.properties
-
local needed_group
local ugroups
- eval needed_group='$action_'${action}
- trace "[verify_group] needed_group=${needed_group}"
-
eval ugroups='$ugroups_'$id
trace "[verify_group] user groups=${ugroups}"
- case "${ugroups}" in
- *${needed_group}*) trace "[verify_group] Access granted"; return 0 ;;
- esac
+ if [ ${context} = "s" ]; then
+ # static files only accessible by a certain group
+ needed_group=${action}
+ elif [ ${context} = "v0" ]; then
+ # actual api calls
+ # It is so much faster to include the keys here instead of grep'ing the file for key.
+ . ./api.properties
+ eval needed_group='$action_'${action}
+ fi
+
+ trace "[verify_group] needed_group=${needed_group}"
+
+ # If needed_group is empty, the action was not found in api.propeties.
+ if [ -n "${needed_group}" ]; then
+ case "${ugroups}" in
+ *${needed_group}*) trace "[verify_group] Access granted"; return 0 ;;
+ esac
+ fi
trace "[verify_group] Access NOT granted"
return 1
diff --git a/api_auth_docker/default.conf b/api_auth_docker/default.conf
index d9da37a..f8b4193 100644
--- a/api_auth_docker/default.conf
+++ b/api_auth_docker/default.conf
@@ -1,12 +1,25 @@
server {
- listen 80;
+ listen 443 ssl;
server_name localhost;
- #include /etc/nginx/conf.d/ip-whitelist.conf;
+ ssl_certificate /etc/ssl/certs/cert.pem;
+ ssl_certificate_key /etc/ssl/private/key.pem;
+
+ location /s/ {
+ auth_request /auth;
+ root /etc/nginx/conf.d;
+ }
location /v0/ {
auth_request /auth;
proxy_pass http://proxy:8888/;
+
+ # Up default 60 second timeout for 3 minutes (OTS stamping can take time)
+ proxy_connect_timeout 180;
+ proxy_send_timeout 180;
+ proxy_read_timeout 180;
+ send_timeout 180;
+
}
location /auth {
diff --git a/api_auth_docker/keys-sample.properties b/api_auth_docker/keys-sample.properties
index 637f0a3..12b3b81 100644
--- a/api_auth_docker/keys-sample.properties
+++ b/api_auth_docker/keys-sample.properties
@@ -1,9 +1,10 @@
# The file keys.properties generated by the installer should look like this.
# kapi_id="id";kapi_key="key";kapi_groups="group1,group2";leave the rest intact
-kapi_id="001";kapi_key="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";kapi_groups="watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
-kapi_id="002";kapi_key="50c5e483b80964595508f214229b014aa6c013594d57d38bcb841093a39f1d83";kapi_groups="watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
-kapi_id="003";kapi_key="b9b8d527a1a27af2ad1697db3521f883760c342fc386dbc42c4efbb1a4d5e0af";kapi_groups="watcher,spender";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
-kapi_id="004";kapi_key="bb0458b705e774c0c9622efaccfe573aa30c82f62386d9435f04e9727cdc26fd";kapi_groups="watcher,spender";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
-kapi_id="005";kapi_key="6c009201b123e8c24c6b74590de28c0c96f3287e88cac9460a2173a53d73fb87";kapi_groups="watcher,spender,admin";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
-kapi_id="006";kapi_key="19e121b698014fac638f772c4ff5775a738856bf6cbdef0dc88971059c69da4b";kapi_groups="watcher,spender,admin";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="000";kapi_key="eff1eeea370eacdc5cf7e96c2d82340d1568079a5d4d87006ec8788a98883b36";kapi_groups="stats";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="001";kapi_key="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";kapi_groups="stats,watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="002";kapi_key="50c5e483b80964595508f214229b014aa6c013594d57d38bcb841093a39f1d83";kapi_groups="stats,watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="003";kapi_key="b9b8d527a1a27af2ad1697db3521f883760c342fc386dbc42c4efbb1a4d5e0af";kapi_groups="stats,watcher,spender";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="004";kapi_key="bb0458b705e774c0c9622efaccfe573aa30c82f62386d9435f04e9727cdc26fd";kapi_groups="stats,watcher,spender";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="005";kapi_key="6c009201b123e8c24c6b74590de28c0c96f3287e88cac9460a2173a53d73fb87";kapi_groups="stats,watcher,spender,admin";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
+kapi_id="006";kapi_key="19e121b698014fac638f772c4ff5775a738856bf6cbdef0dc88971059c69da4b";kapi_groups="stats,watcher,spender,admin";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}
diff --git a/api_auth_docker/statuspage.html b/api_auth_docker/statuspage.html
deleted file mode 100644
index dadca7b..0000000
--- a/api_auth_docker/statuspage.html
+++ /dev/null
@@ -1,58 +0,0 @@
-
-
-
-
-
-
-
-
-
-
Hello World from Cyphernode!
- If you are here, it means you successfully deployed Cyphernode. Congratulations, fellow Cyphernode Operator!
-
-
-
-
The following files have been encrypted with your configuration passphrase and your client keys passphrase, respectively:
-
-
-
This is the status of Cyphernode's installation and running components
-
-