From fc119d3c771645f2a059b4d3a5b53c7924a3a652 Mon Sep 17 00:00:00 2001 From: Luca Rospocher Date: Mon, 7 Apr 2025 17:45:51 +0200 Subject: [PATCH 1/3] docs: Add public key update tutorial --- README.md | 4 +++ docs/public-key-refresh.md | 50 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 docs/public-key-refresh.md diff --git a/README.md b/README.md index b1be2be..5197939 100644 --- a/README.md +++ b/README.md @@ -574,3 +574,7 @@ or directly: ## Comprehensive tutorial how to onboard new bot Step-by-step guide, how to create a simple bot for Roman - [onboarding.md](docs/onboarding.md). + +## Comprehensive tutorial how to update the public key after the certificate renewal + +Step-by-step guide, how to update bots public key manually - [public-key-refresh.md](docs/public-key-refresh.md). diff --git a/docs/public-key-refresh.md b/docs/public-key-refresh.md new file mode 100644 index 0000000..12c29a5 --- /dev/null +++ b/docs/public-key-refresh.md 
@@ -0,0 +1,50 @@ +# Update bot public key + +When registering a service with the Wire backend, the service needs to specify with certificate it will use for incoming TLS connections. The Wire backend will verify that the certificates match when making TLS requests to the service, and otherwise abort any connection if it doesn’t match. + +Periodically, the certificates need to be updated. + +## Requirements + +- Wire Team account with admin permissions. +- Roman instance *(you can use public Roman running [here](https://proxy.services.wire.com/))*, in this guide we will be + using [internal staging Roman](https://roman.integrations.zinfra.io/swagger) with URL `https://roman.integrations.zinfra.io`. + - Please note that Wire Staging environment is accessible only for the Wire development team and if you create the bot here, you won't + be able to use it unless you have access to that environment. +- A bot already fully onboarded and running. If you don't have one, please check the [onboarding guide](onboarding.md). + +You will need to make some API calls, use your favourite tool for that, e.g. [Postman](https://www.postman.com/) or [curl](https://curl.se/). +The following examples will use `curl` commands, but you can easily adapt them to your tool of choice. + +## Commands +```bash +curl --request POST \ + --url https://prod-nginz-https.wire.com/v6/provider/login \ + --header 'content-type: application/json' \ + --data '{ + "email": "$PROVIDER_EMAIL", + "password": "$PROVIDER_PASSWORD" +}' +``` +Then take the `Set-cookie` value from the response headers and call: + + +```bash +curl --request GET \ +--url https://prod-nginz-https.wire.com/v6/provider/services \ +--header 'cookie: $COOKIE' +``` +This will give you the list of services you have on the provider you have registered. 
+ +Then for each service you want to update with a new public key: +```bash +curl --request PUT \ +--url https://prod-nginz-https.wire.com/v6/provider/services/${SERVICE_ID}/connection \ +--header 'content-type: application/json' \ +--header 'cookie: $COOKIE' \ +--data '{ +"password": "$PROVIDER_PASSWORD", +"public_keys": [ +"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3xtHqyZPlb0lxlnP0rNA\nJVmAjB1Tenl11brkkKihcJNRAYrnrT/6sPX4u2lVn/aPncUTjN8omL47MBct7qYV\n1VY4a5beOyNiVL0ZjZMuh07aL9Z2A4cu67tKZrCoGttn3jpSVlqoOtwEgW+Tpgpm\nKojcRC4DDXEZTEvRoi0RLzAyWCH/8hwWzXR7J082zmn0Ur211QVbOJN/62PAIWyj\nl5bLglp00AY5OnBHgRNwwRkBJIJLwgNm8u9+0ZplqmMGd3C/QFNngCOeRvFe+5g4\nqfO4/FOlbkM2kYFAi5KUowfG7cdMQELI+fe4v7yNsgrbMKhnIiLtDIU4wiQIRjbr\nZwIDAQAB\n-----END PUBLIC KEY-----\n" +] +``` From 2fe4cc27d7408daaaef7365c65f4bd277256cde0 Mon Sep 17 00:00:00 2001 From: Luca Rospocher Date: Tue, 8 Apr 2025 09:15:45 +0200 Subject: [PATCH 2/3] Fix account type --- docs/public-key-refresh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/public-key-refresh.md b/docs/public-key-refresh.md index 12c29a5..45bd091 100644 --- a/docs/public-key-refresh.md +++ b/docs/public-key-refresh.md @@ -6,7 +6,7 @@ Periodically, the certificates need to be updated. ## Requirements -- Wire Team account with admin permissions. +- Wire Provider account. - Roman instance *(you can use public Roman running [here](https://proxy.services.wire.com/))*, in this guide we will be using [internal staging Roman](https://roman.integrations.zinfra.io/swagger) with URL `https://roman.integrations.zinfra.io`. - Please note that Wire Staging environment is accessible only for the Wire development team and if you create the bot here, you won't From e5c63e215276c369b537e724a8efd8e9b198adef Mon Sep 17 00:00:00 2001 
From: Luca Rospocher Date: Tue, 8 Apr 2025 09:34:56 +0200 Subject: [PATCH 3/3] fix: update deprecateed docker-compose commands --- Makefile | 2 +- test.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index e833eb4..9921cf4 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ docker-run-tests: ./test.sh db: - docker-compose up -d db + docker compose up -d db docker-build: docker build -t eu.gcr.io/wire-bot/roman . diff --git a/test.sh b/test.sh index 135e718..7fd23cf 100755 --- a/test.sh +++ b/test.sh @@ -2,13 +2,13 @@ set -x echo "1/4) Starting test environment..." -docker-compose up -d db +docker compose up -d db echo "2/4) Running tests..." DOCKER_BUILDKIT=1 docker build --network host --target export-stage --output backend/target/reports -f Dockerfile.UnitTests . echo "3/4) Cleaning up test environment..." -docker-compose stop +docker compose stop echo "4/4) Evaluating tests result exit status..." EXIT_CODE=`cat backend/target/reports/test.result`
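Review bot: In the README.md hunk of PATCH 1/3, the new link text reads "how to update bots public key manually"; it should be "bot's public key". The heading could also name the task more directly, since the linked page is a short sequence of three API calls.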
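Review bot: In docs/public-key-refresh.md (PATCH 1/3), the curl examples do not run as written. `$PROVIDER_EMAIL`, `$PROVIDER_PASSWORD` and `$COOKIE` sit inside single quotes, so the shell sends them literally instead of expanding them, and the final PUT body opens with `--data '{` but the block ends at `]` with no closing `}'`. Either quote the header and body so the variables expand, or state that the placeholders must be replaced by hand, and close the last body. Because the provider password is passed on the command line, consider showing the body read from a file (`--data @file`) so it stays out of shell history. In the text, "specify with certificate" should be "which certificate", and the page never says how to obtain the public key from the renewed certificate or whether `public_keys` should be updated before or after the service starts serving the new certificate, which matters because the intro says the backend aborts the connection on a mismatch. A shortened placeholder would also be safer than a full sample key that readers may paste unchanged.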
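Review bot: In the Requirements hunk of PATCH 2/3, the account bullet is corrected but the following bullet still requires a Roman instance and says the guide uses the internal staging Roman at `https://roman.integrations.zinfra.io`, while every command in the guide calls `https://prod-nginz-https.wire.com/v6/provider/...`. Drop or rewrite the Roman and staging bullets so the requirements match the endpoints actually used, or explain where Roman comes into the key update.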
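Review bot: In the test.sh hunk of PATCH 3/3, the script runs with only `set -x`, so if `docker compose up -d db` fails (for example on a host that has the old `docker-compose` binary but not the Compose plugin) it carries on to step 2/4 without a database. Guard that call, e.g. `docker compose up -d db || exit 1`, and mention the Compose v2 requirement wherever the Makefile `db` target is documented.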