Merge pull request openwallet-foundation#3623 from davidchaiken/dc_demo_local_ngrok

AliceGetsAPhone demo works in local docker environment

Author: esune

demo/ngrok-wait.sh

@@ -21,8 +21,13 @@ if ! [ -z "$TAILS_NGROK_NAME" ]; then
     else
         echo "    not found"
     fi
-    export PUBLIC_TAILS_URL=$NGROK_ENDPOINT
-    echo "Fetched ngrok tails server endpoint [$PUBLIC_TAILS_URL]"
+    if [ -z "$NGROK_ENDPOINT" ] || [ "$NGROK_ENDPOINT" = "null" ]; then
+        # setting PUBLIC_TAILS_URL to null confuses the agent because "null" is a truthy value in Python
+        echo "PUBLIC_TAILS_URL not set and ngrok not available"
+    else
+        export PUBLIC_TAILS_URL=$NGROK_ENDPOINT
+        echo "Fetched ngrok tails server endpoint [$PUBLIC_TAILS_URL]"
+    fi
 fi
 
 export AGENT_NAME=$1

demo/run_demo

@@ -221,17 +221,47 @@ else
   export RUNMODE="pwd"
 fi
 
-# check if ngrok is running on our $AGENT_PORT (don't override if AGENT_ENDPOINT is already set)
-if [ -z "$AGENT_ENDPOINT" ] && [ "$RUNMODE" == "docker" ]; then
-  echo "Trying to detect ngrok service endpoint"
+if [ "$RUNMODE" == "docker" ]; then
+  echo "Checking ngrok service endpoints"
   JQ=${JQ:-`which jq`}
   if [ -x "$JQ" ]; then
-    NGROK_ENDPOINT=$(curl --silent localhost:4040/api/tunnels | $JQ -r '.tunnels[0].public_url')
-    if [ -z "$NGROK_ENDPOINT" ] || [ "$NGROK_ENDPOINT" = "null" ]; then
-      echo "ngrok not detected for agent endpoint"
-    else
-      export AGENT_ENDPOINT=$NGROK_ENDPOINT
-      echo "Detected ngrok agent endpoint [$AGENT_ENDPOINT]"
+    NGROK_CURL="curl --silent localhost:4040/api/tunnels"
+    # check if ngrok is running on our $AGENT_PORT (don't override if AGENT_ENDPOINT is already set)
+    if [ -z "$AGENT_ENDPOINT" ]; then
+      # default behavior is to use the first tunnel as the agent endpoint
+      NGROK_ENDPOINT=$($NGROK_CURL | $JQ -r '.tunnels[0].public_url')
+      # ngrok does not guarantee the order that the API returns the tunnels,
+      # so use the named endpoint if it exists.
+      NAMED_ENDPOINT=$($NGROK_CURL | $JQ -r '.tunnels[] | select(.name=="acapy-agent") | .public_url')
+      if ! [ -z "$NAMED_ENDPOINT" ]; then
+        NGROK_ENDPOINT=$NAMED_ENDPOINT  # use the endpoint specified by name
+      fi
+      if [ -z "$NGROK_ENDPOINT" ] || [ "$NGROK_ENDPOINT" = "null" ]; then
+        echo "ngrok not detected for agent endpoint"
+      else
+        export AGENT_ENDPOINT=$NGROK_ENDPOINT
+        echo "Detected ngrok agent endpoint [$AGENT_ENDPOINT]"
+      fi
+    fi
+    # check if ngrok is running for webhooks (don't override if WEBHOOK_TARGET is already set)
+    if [ -z "$WEBHOOK_TARGET"]; then  # webhook target not specified, see if ngrok lists it by name
+      NAMED_ENDPOINT=$($NGROK_CURL | $JQ -r '.tunnels[] | select(.name=="acapy-webhooks") | .public_url')
+      if [ -z "$NAMED_ENDPOINT" ]; then
+        echo "ngrok not detected for webhooks endpoint"
+      else
+        export WEBHOOK_TARGET=${NAMED_ENDPOINT}/webhooks
+        echo "Detected ngrok webhooks endpoint [$WEBHOOK_TARGET]"
+      fi
+    fi
+    # check if ngrok is running for tails-server (don't override if TAILS_NETWORK or PUBLIC_TAILS_URL is already set)
+    if [ -z "$TAILS_NETWORK" ] && [ -z "$PUBLIC_TAILS_URL" ]; then # tails-server not specified, see if ngrok lists it by name
+      NAMED_ENDPOINT=$($NGROK_CURL | $JQ -r '.tunnels[] | select(.name=="tails-server") | .public_url')
+      if [ -z "$NAMED_ENDPOINT" ]; then
+        echo "ngrok not detected for tails-server endpoint"
+      else
+        export PUBLIC_TAILS_URL=${NAMED_ENDPOINT}
+        echo "Detected ngrok tails-server endpoint [$PUBLIC_TAILS_URL]"
+      fi
     fi
   else
     echo "jq not found"

demo/runners/faber.py

@@ -679,12 +679,14 @@ async def main(args):
                     "/present-proof-2.0/create-request", proof_request_web_request
                 )
                 pres_req_id = proof_request["pres_ex_id"]
-                url = (
-                    "http://"
-                    + os.getenv("DOCKERHOST").replace(
-                        "{PORT}", str(faber_agent.agent.admin_port + 1)
-                    )
-                    + "/webhooks/pres_req/"
+                url = ((os.getenv("WEBHOOK_TARGET") or (
+                        "http://"
+                        + os.getenv("DOCKERHOST").replace(
+                            "{PORT}", str(faber_agent.agent.admin_port + 1)
+                        )
+                        + "/webhooks"
+                        ))
+                    + "/pres_req/"
                     + pres_req_id
                     + "/"
                 )

docker/Dockerfile.demo

@@ -5,9 +5,12 @@ ENV ENABLE_PTVSD 0
 ENV ENABLE_PYDEVD_PYCHARM 0
 ENV PYDEVD_PYCHARM_HOST "host.docker.internal"
 
+# jq is required for the ngrok-wait.sh script
 RUN mkdir -p bin && curl -L -o bin/jq \
 	https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
 	chmod ug+x bin/jq
+# some versions of docker put .local/bin in the PATH instead of bin
+RUN mkdir -p .local/bin && ln -s ../../bin/jq .local/bin/jq
 
 # Copy and install Aries Agent code
 RUN pip install --no-cache-dir poetry==2.1.1

docs/demo/AliceGetsAPhone.md

@@ -115,6 +115,7 @@ git clone https://github.com/bcgov/indy-tails-server.git
 cd indy-tails-server/docker
 ./manage build
 ./manage start
+./manage logs
 ```
 
 This will run the required components for the tails server to function and make a tails server available on port 6543.
@@ -128,12 +129,35 @@ ngrok-tails-server_1  | t=2020-05-13T22:51:14+0000 lvl=info msg="started tunnel"
 
 Note the server name in the `url=https://c5789aa0.ngrok.io` parameter (`https://c5789aa0.ngrok.io`) - this is the external url for your tails server. Make sure you use the `https` url!
 
+If you see an "authentication failed" error in the logs like this:
+```bash
+ngrok-tails-server-1  | ERROR:  authentication failed: Usage of ngrok requires a verified account and authtoken.
+ngrok-tails-server-1  | ERROR:
+ngrok-tails-server-1  | ERROR:  Sign up for an account: https://dashboard.ngrok.com/signup
+ngrok-tails-server-1  | ERROR:  Install your authtoken: https://dashboard.ngrok.com/get-started/your-authtoken
+```
+then you'll need to follow the links to set up a ngrok account and get an authentication token.
+When you have the authtoken, hit CTRL-C to exit from the logs and run the following commands,
+replacing `<YOUR AUTHTOKEN>` with the authtoken from ngrok.
+```bash
+./manage logs # run above
+^C
+./manage stop
+cat >>ngrok.yml
+authtoken: <YOUR AUTHTOKEN>
+^D
+./manage start
+./manage logs
+```
+
 #### Running in Play with Docker?
 
 Run the same steps on _PWD_ as you would run locally (see above).  Open a new shell (click on "ADD NEW INSTANCE") to run the tails server.
 
 Note that with _Play with Docker_ it can be challenging to capture the information you need from the log file as it scrolls by, you can try leaving off the `--events` option when you run the Faber agent to reduce the quantity of information logged to the screen.
 
+Also note that _PWD_ enviroments are insecure. If you enter a ngrok authtoken into a _PWD_ session, you should invalidate (reset) the authtoken as soon as you are done using the environment.
+
 ### Run `faber` With Extra Parameters
 
 #### Running locally in a bash shell?
@@ -218,6 +242,12 @@ http://ip10-0-121-4-bquqo816b480a4bfn3kg-8020.direct.play-with-docker.com?c_i=ey
 
 Note that this will use the ngrok endpoint if you are running locally, or your PWD endpoint if you are running on PWD.
 
+When running locally, use the `AGENT_ENDPOINT` environment variable to run the demo so that it puts the public hostname in the QR code:
+```bash
+AGENT_ENDPOINT=https://abc123.ngrok.io LEDGER_URL=http://test.bcovrin.vonx.io ./run_demo faber
+```
+See the Connectionless Proof Request section below for a more complete ngrok configuration that also supports the revocation option.
+
 ## Issue a Credential
 
 We will use the Faber console to issue a credential. This could be done using the Swagger API as we have done in the connection process. We'll leave that as an exercise to the user.
@@ -321,6 +351,28 @@ Then in the faber demo, select option `2a` - Faber will display a QR code which
 
 Behind the scenes, the Faber controller delivers the proof request information (linked from the url encoded in the QR code) directly to your mobile agent, without establishing and agent-to-agent connection first.  If you are interested in the underlying mechanics, you can review the `faber.py` code in the repository.
 
+If you want to use a connectionless proof request with docker running locally, you need to set up ngrok to forward both the agent port (8020) and the webhooks port (8022). If you have a free ngrok account, you need to run a single ngrok agent that forwards all of the necessary ports. Here is an ngrok configuration file that works for this purpose:
+```yaml
+version: "3"
+agent:
+    authtoken: <YOUR AUTHTOKEN>
+tunnels:
+    acapy-agent:
+       proto: http
+       addr: 8020
+    acapy-webhooks:
+       proto: http
+       addr: 8022
+    tails-server:
+       addr: 6543
+       inspect: false
+       proto: http
+```
+When using this approach, leave your ngrok authtoken out of the tails-server ngrok.yml file to prevent the tails-server from starting its own ngrok agent. This trick avoids the following error from ngrok:
+```bash
+ERROR:  authentication failed: Your account is limited to 1 simultaneous ngrok agent sessions.
+```
+
 ## Conclusion
 
 That’s the Faber-Mobile Alice demo. Feel free to play with the Swagger API and experiment further and figure out what an instance of a controller has to do to make things work.