diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
new file mode 100644
index 0000000000000000000000000000000000000000..7cb7cde17b180dceb9c0f80d81bbf9325fbe56f8
--- /dev/null
+++ b/nixos/modules/issuer.nix
@@ -0,0 +1,64 @@
+# A NixOS module which can run a Ristretto-based issuer for PrivacyStorage
+# ZKAPs.
+{ lib, pkgs, config, ... }: let
+ pspkgs = pkgs.callPackage ./pspkgs.nix { };
+ zkapissuer = pspkgs.callPackage ../pkgs/zkapissuer.nix { };
+ cfg = config.services.private-storage-issuer;
+in {
+ options = {
+ services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
+ services.private-storage-issuer.package = lib.mkOption {
+ default = zkapissuer.components.exes."PaymentServer-exe";
+ type = lib.types.package;
+ example = lib.literalExample "pkgs.zkapissuer.components.exes.\"PaymentServer-exe\"";
+ description = ''
+ The package to use for the ZKAP issuer.
+ '';
+ };
+ services.private-storage-issuer.issuer = lib.mkOption {
+ default = "Ristretto";
+ type = lib.types.str;
+ example = lib.literalExample "Trivial";
+ description = ''
+ The issuer algorithm to use. Either Trivial for a fake no-crypto
+ algorithm or Ristretto for Ristretto-flavored PrivacyPass.
+ '';
+ };
+ services.private-storage-issuer.ristrettoSigningKey = lib.mkOption {
+ default = null;
+ type = lib.types.str;
+ description = ''
+ The Ristretto signing key to use. Required if the issuer is
+ ``Ristretto``.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Add a systemd service to run PaymentServer.
+ systemd.services.zkapissuer = {
+ enable = true;
+ description = "ZKAP Issuer";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart =
+ let
+ # Compute the right command line arguments to pass to it. The
+ # signing key is only supplied when using the Ristretto issuer.
+ args =
+ if cfg.issuer == "Trivial"
+ then "--issuer Trivial"
+ else "--issuer Ristretto --signing-key ${cfg.ristrettoSigningKey}";
+ in
+ "${cfg.package}/bin/PaymentServer-exe ${args}";
+ Type = "simple";
+ # It really shouldn't ever exit on its own! If it does, it's a bug
+ # we'll have to fix. Restart it and hope it doesn't happen too much
+ # before we can fix whatever the issue is.
+ Restart = "always";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/overlays.nix b/nixos/modules/overlays.nix
index ad41b406e3f7629f1e0765a9230a17c85fdba577..779384ab6914ea4858970f7190780a7543702913 100644
--- a/nixos/modules/overlays.nix
+++ b/nixos/modules/overlays.nix
@@ -1,11 +1,39 @@
+let
+ # Define a Python packageOverride that puts our version of Twisted into
+ # python27Packages.
+ pythonTwistedOverride = python-self: python-super: {
+ # Get our Twisted derivation. Pass in the old one so it can have pieces
+ # overridden. It needs to be passed in explicitly because callPackage is
+ # specially crafted to always pull attributes from the fixed-point. That
+ # is, `python-self.callPackage` and `python-super.callPackage` will *both*
+ # try to pass `python-self.twisted`. So we take it upon ourselves to pass
+ # the "correct" Twisted (it is correct because we call its override method
+ # and that never converges if it is the fixed point Twisted).
+ twisted = python-self.callPackage ../pkgs/twisted.nix {
+ inherit (python-super) twisted;
+ };
+ };
+in
self: super: {
- privatestorage = super.python27.buildEnv.override
+ # Use self.python27 to get the fixed point of all packages (that is, to
+ # respect all of the overrides). This is important since we want the
+ # overridden Twisted as a dependency of this env, not the original one.
+ #
+ # This might seem to violate the advice to use super for "library
+ # functionality" but python27.buildEnv should be considered a derivation
+ # instead because it implies a whole mess of derivations (all of the Python
+ # modules available).
+ privatestorage = self.python27.buildEnv.override
{ extraLibs =
- [ super.python27Packages.tahoe-lafs
- super.python27Packages.zkapauthorizer
+ [ self.python27Packages.tahoe-lafs
+ self.python27Packages.zkapauthorizer
];
- # Twisted's dropin.cache always collides between different
- # plugin-providing packages.
- ignoreCollisions = true;
};
+
+ # Using super.python27 here causes us to define a python27 that overrides
+ # the value from the previously overlay, not from the fixed point. This is
+ # important because this override never converges.
+ python27 = super.python27.override (old: {
+ packageOverrides = super.lib.composeExtensions old.packageOverrides pythonTwistedOverride;
+ });
}
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index d2db7dd661a8a923c04e245e45cad30305ebfe68..58f4ba36bedac2b7b2de626132b831d8cdbdc142 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -2,16 +2,7 @@
# preferred configuration for the Private Storage grid.
{ pkgs, lib, config, ... }:
let
- # Derive a brand new version of pkgs which has our overlay applied. The
- # overlay defines a new version of Tahoe-LAFS and some of its dependencies
- # and maybe other useful Private Storage customizations.
- pspkgs = import pkgs.path
- { overlays = [
- # needs fetchFromGitHub to check out zkapauthorizer
- (pkgs.callPackage ./zkap-overlay.nix { })
- (import ./overlays.nix)
- ];
- };
+ pspkgs = pkgs.callPackage ./pspkgs.nix { };
# Grab the configuration for this module for convenient access below.
cfg = config.services.private-storage;
in
diff --git a/nixos/modules/pspkgs.nix b/nixos/modules/pspkgs.nix
new file mode 100644
index 0000000000000000000000000000000000000000..851f4e71783c3c1dcc9fc596b37722866fef7331
--- /dev/null
+++ b/nixos/modules/pspkgs.nix
@@ -0,0 +1,10 @@
+# Derive a brand new version of pkgs which has our overlays applied. This
+# includes the ZKAPAuthorizer overlay which defines some Python overrides as
+# well as our own which defines the `privatestorage` derivation.
+{ pkgs }:
+import pkgs.path {
+ overlays = [
+ (import ./zkap-overlay.nix)
+ (import ./overlays.nix)
+ ];
+}
diff --git a/nixos/modules/tests/exercise-storage.py b/nixos/modules/tests/exercise-storage.py
new file mode 100755
index 0000000000000000000000000000000000000000..d56232a4919e415c3331b7c8fc105016ca260b46
--- /dev/null
+++ b/nixos/modules/tests/exercise-storage.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+
+#
+# Create a new file via the web interface of a Tahoe-LAFS client node and then
+# retrieve the contents of that file. Exit with success if the retrieved
+# contents match what was uploaded originally.
+#
+
+from sys import argv
+from os import urandom
+from subprocess import check_output
+from io import BytesIO
+
+import requests
+
+def main():
+ (clientDir,) = argv[1:]
+
+ someData = urandom(2 ** 16)
+
+ api_root = get_api_root(clientDir)
+ cap = put(api_root, someData)
+ dataReadBack = get(api_root, cap)
+
+ assert someData == dataReadBack
+
+
+def get_api_root(path):
+ with open(path + u"/node.url") as f:
+ return f.read().strip()
+
+
+def put(api_root, data):
+ response = requests.put(api_root + u"uri", BytesIO(data))
+ response.raise_for_status()
+ return response.text
+
+
+def get(api_root, cap):
+ response = requests.get(api_root + u"uri/" + cap, stream=True)
+ response.raise_for_status()
+ return response.raw.read()
+
+
+if __name__ == u'__main__':
+ main()
diff --git a/nixos/modules/tests/get-passes.py b/nixos/modules/tests/get-passes.py
new file mode 100755
index 0000000000000000000000000000000000000000..ac5cf790fd95d8ce5295879a04d4c19026bf2dba
--- /dev/null
+++ b/nixos/modules/tests/get-passes.py
@@ -0,0 +1,200 @@
+#!/usr/bin/env python3
+
+#
+# Get a paid voucher and tell the Tahoe-LAFS client node to redeem it for some
+# ZKAPs from an issuer. Exit with success when the Tahoe-LAFS client node
+# reports that the voucher has been redeemed.
+#
+
+from sys import argv
+from requests import post, get, put
+from json import dumps
+from time import sleep
+
+def main():
+ clientAPIRoot, issuerAPIRoot = argv[1:]
+
+ # Construct a voucher that's acceptable to various parts of the system.
+ voucher = "a" * 44
+
+ zkapauthz = clientAPIRoot + "/storage-plugins/privatestorageio-zkapauthz-v1"
+
+ # Simulate a payment for a voucher.
+ post(
+ issuerAPIRoot + "/v1/stripe/webhook",
+ dumps(charge_succeeded_json(voucher)),
+ headers={"content-type": "application/json"},
+ )
+
+ # Tell the client to redeem the voucher.
+ response = put(
+ zkapauthz + "/voucher",
+ dumps({"voucher": voucher}),
+ )
+ if response.status_code // 100 != 2:
+ print("Unexpected response: {}".format(response.content))
+ response.raise_for_status()
+
+ # Poll the vouchers list for a while to see it get redeemed.
+ expected = {"version": 1, "number": voucher, "redeemed": True}
+ def find_redeemed_voucher():
+ response = get(zkapauthz + "/voucher/" + voucher)
+ response.raise_for_status()
+ actual = response.json()
+ print("Actual response: {}".format(actual))
+ return expected == actual
+
+ retry(
+ "find redeemed voucher",
+ find_redeemed_voucher,
+ )
+
+
+def retry(description, f):
+ for i in range(60):
+ print("trying to {}...".format(description))
+ if f():
+ print("{} succeeded".format(description))
+ return
+ sleep(1.0)
+ raise ValueError("failed to {} after many tries".format(description))
+
+
+def charge_succeeded_json(voucher):
+ # This structure copy/pasted from Stripe webhook web interface.
+ base_payload = {
+ "id": "evt_1FKSX2DeTd13VRuuhPaUDA2f",
+ "object": "event",
+ "api_version": "2016-07-06",
+ "created": 1568910660,
+ "data": {
+ "object": {
+ "id": "ch_1FKSX2DeTd13VRuuG9BXbqji",
+ "object": "charge",
+ "amount": 999,
+ "amount_refunded": 0,
+ "application": None,
+ "application_fee": None,
+ "application_fee_amount": None,
+ "balance_transaction": "txn_1FKSX2DeTd13VRuuqO1CJZ1e",
+ "billing_details": {
+ "address": {
+ "city": None,
+ "country": None,
+ "line1": None,
+ "line2": None,
+ "postal_code": None,
+ "state": None
+ },
+ "email": None,
+ "name": None,
+ "phone": None
+ },
+ "captured": True,
+ "created": 1568910660,
+ "currency": "usd",
+ "customer": None,
+ "description": None,
+ "destination": None,
+ "dispute": None,
+ "failure_code": None,
+ "failure_message": None,
+ "fraud_details": {
+ },
+ "invoice": None,
+ "livemode": False,
+ "metadata": {
+ "Voucher": None,
+ },
+ "on_behalf_of": None,
+ "order": None,
+ "outcome": {
+ "network_status": "approved_by_network",
+ "reason": None,
+ "risk_level": "normal",
+ "risk_score": 44,
+ "seller_message": "Payment complete.",
+ "type": "authorized"
+ },
+ "paid": True,
+ "payment_intent": None,
+ "payment_method": "card_1FKSX2DeTd13VRuus5VEjmjG",
+ "payment_method_details": {
+ "card": {
+ "brand": "visa",
+ "checks": {
+ "address_line1_check": None,
+ "address_postal_code_check": None,
+ "cvc_check": None
+ },
+ "country": "US",
+ "exp_month": 9,
+ "exp_year": 2020,
+ "fingerprint": "HTJeRR4MXhAAkctF",
+ "funding": "credit",
+ "last4": "4242",
+ "three_d_secure": None,
+ "wallet": None
+ },
+ "type": "card"
+ },
+ "receipt_email": None,
+ "receipt_number": None,
+ "receipt_url": "https://pay.stripe.com/receipts/acct_198xN4DeTd13VRuu/ch_1FKSX2DeTd13VRuuG9BXbqji/rcpt_Fq8oAItSiNmcm0beiie6lUYin920E7a",
+ "refunded": False,
+ "refunds": {
+ "object": "list",
+ "data": [
+ ],
+ "has_more": False,
+ "total_count": 0,
+ "url": "/v1/charges/ch_1FKSX2DeTd13VRuuG9BXbqji/refunds"
+ },
+ "review": None,
+ "shipping": None,
+ "source": {
+ "id": "card_1FKSX2DeTd13VRuus5VEjmjG",
+ "object": "card",
+ "address_city": None,
+ "address_country": None,
+ "address_line1": None,
+ "address_line1_check": None,
+ "address_line2": None,
+ "address_state": None,
+ "address_zip": None,
+ "address_zip_check": None,
+ "brand": "Visa",
+ "country": "US",
+ "customer": None,
+ "cvc_check": None,
+ "dynamic_last4": None,
+ "exp_month": 9,
+ "exp_year": 2020,
+ "fingerprint": "HTJeRR4MXhAAkctF",
+ "funding": "credit",
+ "last4": "4242",
+ "metadata": {
+ },
+ "name": None,
+ "tokenization_method": None
+ },
+ "source_transfer": None,
+ "statement_descriptor": None,
+ "statement_descriptor_suffix": None,
+ "status": "succeeded",
+ "transfer_data": None,
+ "transfer_group": None
+ }
+ },
+ "livemode": False,
+ "pending_webhooks": 2,
+ "request": "req_5ozjOIAcOkvVUK",
+ "type": "charge.succeeded"
+ }
+ # Indicate the voucher the payment references.
+ base_payload["data"]["object"]["metadata"]["Voucher"] = voucher
+ return base_payload
+
+
+if __name__ == '__main__':
+ main()
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 30818b3301fc46c1d7f307ef48e11e9ddcdabd27..fd1730b5eb0ef0c4e24c428e4061b69a2835fee6 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -1,9 +1,19 @@
let
- pkgs = import <nixpkgs> { };
+ pkgs = (import <nixpkgs> { });
+ pspkgs = import ../pspkgs.nix { inherit pkgs; };
+
+ # Separate helper programs so we can write as little perl inside a string
+ # inside a nix expression as possible.
+ run-introducer = ./run-introducer.py;
+ run-client = ./run-client.py;
+ get-passes = ./get-passes.py;
+ exercise-storage = ./exercise-storage.py;
+
# Here are the preconstructed secrets which we can assign to the introducer.
# This is a lot easier than having the introducer generate them and then
# discovering and configuring the other nodes with them.
pemFile = ./node.pem;
+
tubID = "rr7y46ixsg6qmck4jkkc7hke6xe4sv5f";
swissnum = "2k6p3wrabat5jrj7otcih4cjdema4q3m";
introducerPort = 35151;
@@ -19,6 +29,7 @@ let
# I thought we might need to statically asssign IPs but we can just use
# the node names, "introducer", etc, instead.
networking.firewall.enable = false;
+ networking.dhcpcd.enable = false;
};
in
# https://nixos.org/nixos/manual/index.html#sec-nixos-tests
@@ -29,8 +40,12 @@ import <nixpkgs/nixos/tests/make-test.nix> {
client =
{ config, pkgs, ... }:
{ environment.systemPackages = [
- pkgs.tahoe-lafs
pkgs.daemonize
+ # A Tahoe-LAFS configuration capable of using the right storage
+ # plugin.
+ pspkgs.privatestorage
+ # Support for the tests we'll run.
+ (pkgs.python3.withPackages (ps: [ ps.requests ]))
];
} // networkConfig;
@@ -46,7 +61,24 @@ import <nixpkgs/nixos/tests/make-test.nix> {
services.private-storage.enable = true;
services.private-storage.publicIPv4 = "storage";
services.private-storage.introducerFURL = introducerFURL;
+ services.private-storage.issuerRootURL = "http://issuer:8081/";
} // networkConfig;
+
+ # Operate an issuer as well.
+ issuer =
+ { config, pkgs, ... }:
+ { imports =
+ [ ../issuer.nix
+ ];
+ services.private-storage-issuer = {
+ enable = true;
+ issuer = "Ristretto";
+ # Notionally, this is a secret key. This is only the value for this
+ # system test though so I don't care if it leaks to the world at
+ # large.
+ ristrettoSigningKey = "wumQAfSsJlQKDDSaFN/PZ3EbgBit8roVgfzllfCK2gQ=";
+ };
+ } // networkConfig;
};
# Test the machines with a Perl program (sobbing).
@@ -55,35 +87,18 @@ import <nixpkgs/nixos/tests/make-test.nix> {
# Start booting all the VMs in parallel to speed up operations down below.
startAll;
- #
# Set up a Tahoe-LAFS introducer.
- #
- my ($code, $version) = $introducer->execute("tahoe --version");
- $introducer->log($version);
-
- $introducer->succeed(
- 'tahoe create-introducer ' .
- '--port tcp:${toString introducerPort} ' .
- '--location tcp:introducer:${toString introducerPort} ' .
- '/tmp/introducer'
- );
$introducer->copyFileFromHost(
'${pemFile}',
- '/tmp/introducer/private/node.pem'
- );
- $introducer->copyFileFromHost(
- '${introducerFURLFile}',
- '/tmp/introducer/private/introducer.furl'
- );
- $introducer->succeed(
- 'daemonize ' .
- '-e /tmp/stderr ' .
- '-o /tmp/stdout ' .
- '$(type -p tahoe) run /tmp/introducer'
+ '/tmp/node.pem'
);
eval {
- $introducer->waitForOpenPort(${toString introducerPort});
+ $introducer->succeed(
+ 'set -eo pipefail; ' .
+ '${run-introducer} /tmp/node.pem ${toString introducerPort} ${introducerFURL} | ' .
+ systemd-cat'
+ );
# Signal success. :/
1;
} or do {
@@ -96,7 +111,7 @@ import <nixpkgs/nixos/tests/make-test.nix> {
#
# Get a Tahoe-LAFS storage server up.
#
- my ($code, $version) = $storage->execute("tahoe --version");
+ my ($code, $version) = $storage->execute('tahoe --version');
$storage->log($version);
# The systemd unit should reach the running state.
@@ -114,39 +129,31 @@ import <nixpkgs/nixos/tests/make-test.nix> {
#
# Storage appears to be working so try to get a client to speak with it.
#
- my ($code, $version) = $client->execute("tahoe --version");
- $client->log($version);
-
- # Create a Tahoe-LAFS client on it.
- $client->succeed(
- 'tahoe create-client ' .
- '--shares-needed 1 ' .
- '--shares-happy 1 ' .
- '--shares-total 1 ' .
- '--introducer ${introducerFURL} /tmp/client'
- );
-
- # Launch it
- $client->succeed(
- 'daemonize ' .
- '-e /tmp/stderr ' .
- '-o /tmp/stdout ' .
- '$(type -p tahoe) run /tmp/client'
- );
+ $client->succeed('set -eo pipefail; ${run-client} ${introducerFURL} | systemd-cat');
$client->waitForOpenPort(3456);
- my ($code, $out) = $client->execute(
- 'tahoe -d /tmp/client ' .
- 'put /etc/issue'
- );
- ($code == 0) or do {
- my ($code, $log) = $client->execute('cat /tmp/stdout /tmp/stderr');
- $client->log($log);
- die "put failed";
+ # Get some ZKAPs from the issuer.
+ eval {
+ $client->succeed('set -eo pipefail; ${get-passes} http://127.0.0.1:3456 http://issuer:8081 | systemd-cat');
+ # succeed() is not success but 1 is.
+ 1;
+ } or do {
+ my $error = $@ || 'Unknown failure';
+ my ($code, $log) = $client->execute('cat /tmp/stdout /tmp/stderr');
+ $client->log($log);
+ die $@;
};
- $client->succeed(
- 'tahoe -d /tmp/client ' .
- "get $out"
- );
- '';
+
+ # The client should be prepped now. Make it try to use some storage.
+ eval {
+ $client->succeed('set -eo pipefail; ${exercise-storage} /tmp/client | systemd-cat');
+ # nothing succeeds like ... 1.
+ 1;
+ } or do {
+ my $error = $@ || 'Unknown failure';
+ my ($code, $log) = $client->execute('cat /tmp/stdout /tmp/stderr');
+ $client->log($log);
+ die $@;
+ };
+ '';
}
diff --git a/nixos/modules/tests/run-client.py b/nixos/modules/tests/run-client.py
new file mode 100755
index 0000000000000000000000000000000000000000..a246a737232007c95cd364ce5f6566843050a882
--- /dev/null
+++ b/nixos/modules/tests/run-client.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+#
+# Create a PrivateStorage.io-enabled Tahoe-LAFS client node and run it as a
+# daemon. Exit with success when we think we've started it.
+#
+
+from os import environ
+from sys import argv
+from shutil import which
+from subprocess import check_output
+from configparser import ConfigParser
+
+def main():
+ (introducerFURL,) = argv[1:]
+
+ # PYTHONHOME set for Python 3 for this script breaks Python 2 used by
+ # Tahoe. :/ This is kind of a NixOS Python packaging bug.
+ del environ["PYTHONHOME"]
+
+ run(["tahoe", "--version"])
+ run([
+ "tahoe", "create-client",
+ "--shares-needed", "1",
+ "--shares-happy", "1",
+ "--shares-total", "1",
+ "--introducer", introducerFURL,
+ "/tmp/client",
+ ])
+
+ # Add necessary ZKAPAuthorizer configuration bits.
+ config = ConfigParser()
+ with open("/tmp/client/tahoe.cfg") as cfg:
+ config.read_file(cfg)
+
+ config.set(u"client", u"storage.plugins", u"privatestorageio-zkapauthz-v1")
+ config.add_section(u"storageclient.plugins.privatestorageio-zkapauthz-v1")
+ config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"redeemer", u"ristretto")
+
+ with open("/tmp/client/tahoe.cfg", "wt") as cfg:
+ config.write(cfg)
+
+ run([
+ "daemonize",
+ "-o", "/tmp/stdout",
+ "-e", "/tmp/stderr",
+ which("tahoe"), "run", "/tmp/client",
+ ])
+
+def run(argv):
+ print("{}: {}".format(argv, check_output(argv)))
+
+
+if __name__ == '__main__':
+ main()
diff --git a/nixos/modules/tests/run-introducer.py b/nixos/modules/tests/run-introducer.py
new file mode 100755
index 0000000000000000000000000000000000000000..7a69bdb8240b5dc6b347b960762dd4e2ef0cdde1
--- /dev/null
+++ b/nixos/modules/tests/run-introducer.py
@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+#
+# Create a Tahoe-LAFS introducer node and run it as a daemon. Exit with
+# success when it is accepting introducer client connections.
+#
+
+from sys import argv
+from os import environ, makedirs, rename
+from shutil import which
+from subprocess import check_output
+from socket import socket
+from time import sleep
+
+log = print
+
+def main():
+ pemFile, introducerPort, introducerFURL = argv[1:]
+
+ # PYTHONHOME set for Python 3 for this script breaks Python 2 used by
+ # Tahoe. :/ This is kind of a NixOS Python packaging bug.
+ del environ["PYTHONHOME"]
+
+ run(["tahoe", "--version"])
+ run([
+ "tahoe", "create-introducer",
+ "--port", "tcp:" + introducerPort,
+ "--location", "tcp:introducer:" + introducerPort,
+ "/tmp/introducer",
+ ])
+ rename(pemFile, "/tmp/introducer/private/node.pem")
+ with open("/tmp/introducer/private/introducer.furl", "w") as f:
+ f.write(introducerFURL)
+ run([
+ "daemonize",
+ "-o", "/tmp/stdout",
+ "-e", "/tmp/stderr",
+ which("tahoe"), "run", "/tmp/introducer",
+ ])
+
+ retry(
+ "waiting for open introducer port",
+ lambda: checkOpen(int(introducerPort)),
+ )
+
+
+def checkOpen(portNumber):
+ s = socket()
+ try:
+ s.connect(("127.0.0.1", portNumber))
+ except:
+ return False
+ else:
+ return True
+ finally:
+ s.close()
+
+
+def retry(description, f):
+ for i in range(60):
+ log("trying to {}...".format(description))
+ if f():
+ log("{} succeeded".format(description))
+ return
+ sleep(1.0)
+ raise ValueError("failed to {} after many tries".format(description))
+
+
+def run(argv):
+ log("Running {}".format(argv))
+ log("{}: {}".format(argv, check_output(argv)))
+
+
+if __name__ == '__main__':
+ main()
diff --git a/nixos/modules/zkap-overlay.nix b/nixos/modules/zkap-overlay.nix
index 75433f0fc10663aecbd16593fea9ba40073281fa..c606b47bcfa267fba29c23fb4577ea79fd2de03b 100644
--- a/nixos/modules/zkap-overlay.nix
+++ b/nixos/modules/zkap-overlay.nix
@@ -1,5 +1,4 @@
-{ fetchFromGitHub }:
let
- zkapauthorizer = import ../pkgs/zkapauthorizer-repo.nix { inherit fetchFromGitHub; };
+ zkapauthorizer = import ../pkgs/zkapauthorizer-repo.nix;
in
import "${zkapauthorizer}/overlays.nix"
diff --git a/nixos/pkgs/twisted.nix b/nixos/pkgs/twisted.nix
new file mode 100644
index 0000000000000000000000000000000000000000..efa56cd0c924880559f554636f7ea5975e8df56e
--- /dev/null
+++ b/nixos/pkgs/twisted.nix
@@ -0,0 +1,11 @@
+{ twisted }:
+twisted.overrideAttrs (old: {
+ prePatch = old.patchPhase;
+ patchPhase = null;
+ # Add a patch which adds more logging to a namer resolver failure case. The
+ # NixOS system test harness might be setting up a weird semi-broken system
+ # that provokes a weird behavior out of getaddrinfo() that Twisted doesn't
+ # normally handle. The logging can help with debugging this case. We
+ # should think about upstreaming something related to this.
+ patches = (if old ? "patches" then old.patches else []) ++ [ ./twisted.patch ];
+})
diff --git a/nixos/pkgs/twisted.patch b/nixos/pkgs/twisted.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f50368c8cffe60a819306687b5f78df228d4b61
--- /dev/null
+++ b/nixos/pkgs/twisted.patch
@@ -0,0 +1,23 @@
+diff --git a/src/twisted/internet/_resolver.py b/src/twisted/internet/_resolver.py
+index 1c16174a2..8c8249db4 100644
+--- a/src/twisted/internet/_resolver.py
++++ b/src/twisted/internet/_resolver.py
+@@ -74,6 +74,8 @@ class GAIResolver(object):
+ L{getaddrinfo} in a thread.
+ """
+
++ _log = Logger()
++
+ def __init__(self, reactor, getThreadPool=None, getaddrinfo=getaddrinfo):
+ """
+ Create a L{GAIResolver}.
+@@ -124,6 +126,9 @@ class GAIResolver(object):
+ socketType)
+ except gaierror:
+ return []
++ except Exception as e:
++ self._log.failure("Problem resolving {hostName}", hostName=hostName)
++ return []
+ d = deferToThreadPool(self._reactor, pool, get)
+ resolution = HostResolution(hostName)
+ resolutionReceiver.resolutionBegan(resolution)
diff --git a/nixos/pkgs/zkapauthorizer-repo.nix b/nixos/pkgs/zkapauthorizer-repo.nix
index dc50d589f36da17d6bf24fbb6b441fc326b6d13f..44947fc2ba9c3e49c0f97d15a5a0b7b7b92ed45b 100644
--- a/nixos/pkgs/zkapauthorizer-repo.nix
+++ b/nixos/pkgs/zkapauthorizer-repo.nix
@@ -1,7 +1,9 @@
-{ fetchFromGitHub }:
-fetchFromGitHub {
- owner = "PrivateStorageio";
- repo = "ZKAPAuthorizer";
- rev = "36dd4c2cffa2e9df651dda4c9ac8977bafe2ed64";
- sha256 = "sha256:1i5nli73gk56r5brmimcd97dkf7wd4mf6viw4vbcssa7xj6s84af";
-}
+let
+ pkgs = import <nixpkgs> {};
+in
+ pkgs.fetchFromGitHub {
+ owner = "PrivateStorageio";
+ repo = "ZKAPAuthorizer";
+ rev = "00387ea1d02a5800ff4480a3a177ecc87b34532f";
+ sha256 = "053bzpq68fz1y0qzyryxjmbpvpzshhxhkp404pviqdi18xyqgzyc";
+ }
\ No newline at end of file
diff --git a/nixos/pkgs/zkapauthorizer.nix b/nixos/pkgs/zkapauthorizer.nix
index fe12cb60a0ad4edaf6e499be0b581a6d70fb5996..95fc177419e26a88cb0156e1ad32fe2127746ef9 100644
--- a/nixos/pkgs/zkapauthorizer.nix
+++ b/nixos/pkgs/zkapauthorizer.nix
@@ -1,5 +1,5 @@
-{ fetchFromGitHub, python27Packages }:
+{ python27Packages }:
let
- zkapauthorizer = import ./zkapauthorizer-repo.nix { inherit fetchFromGitHub; };
+ zkapauthorizer = import ./zkapauthorizer-repo.nix;
in
python27Packages.callPackage "${zkapauthorizer}/zkapauthorizer.nix" { }
diff --git a/nixos/pkgs/zkapissuer.nix b/nixos/pkgs/zkapissuer.nix
new file mode 100644
index 0000000000000000000000000000000000000000..2cee8ea49f242adf31f8114a2a7d688d6cb87c17
--- /dev/null
+++ b/nixos/pkgs/zkapissuer.nix
@@ -0,0 +1,10 @@
+{ fetchFromGitHub, callPackage }:
+let
+ paymentServer = fetchFromGitHub {
+ owner = "PrivateStorageio";
+ repo = "PaymentServer";
+ rev = "6fbaac7a14d2a03b74e10a4a82b1147ee1dd7d49";
+ sha256 = "0z8mqmns3fqbjy765830s5q6lhz3lxmslxahjc155jsv5b46gjip";
+ };
+in
+ (callPackage "${paymentServer}/nix" { }).PaymentServer