7cb0b30dae
- Replace `import logging` with `from aitbc.logging import get_logger` across blockchain-node scripts and coordinator-api modules - Update logger initialization from `logging.getLogger(__name__)` to `get_logger(__name__)` in 30+ files - Add production configuration validators for API keys, HMAC secret, and JWT secret in coordinator config - Enhance coordinator startup with comprehensive initialization logging
182 lines
6.8 KiB
Python
182 lines
6.8 KiB
Python
from __future__ import annotations
|
|
|
|
import base64
|
|
|
|
from aitbc.logging import get_logger
|
|
import base64
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, status, Request
|
|
|
|
from .deps import get_receipt_service, get_keystore, get_ledger
|
|
from .models import (
|
|
ReceiptVerificationListResponse,
|
|
ReceiptVerificationModel,
|
|
ReceiptVerifyResponse,
|
|
SignatureValidationModel,
|
|
WalletCreateRequest,
|
|
WalletCreateResponse,
|
|
WalletListResponse,
|
|
WalletUnlockRequest,
|
|
WalletUnlockResponse,
|
|
WalletSignRequest,
|
|
WalletSignResponse,
|
|
WalletDescriptor,
|
|
from_validation_result,
|
|
)
|
|
from .keystore.service import KeystoreService
|
|
from .ledger_mock import SQLiteLedgerAdapter
|
|
from .receipts.service import ReceiptValidationResult, ReceiptVerifierService
|
|
from .security import RateLimiter, wipe_buffer
|
|
|
|
logger = get_logger(__name__)
|
|
_rate_limiter = RateLimiter(max_requests=30, window_seconds=60)
|
|
|
|
|
|
def _rate_key(action: str, request: Request, wallet_id: Optional[str] = None) -> str:
|
|
host = request.client.host if request.client else "unknown"
|
|
parts = [action, host]
|
|
if wallet_id:
|
|
parts.append(wallet_id)
|
|
return ":".join(parts)
|
|
|
|
|
|
def _enforce_limit(action: str, request: Request, wallet_id: Optional[str] = None) -> None:
|
|
key = _rate_key(action, request, wallet_id)
|
|
if not _rate_limiter.allow(key):
|
|
raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="rate limit exceeded")
|
|
|
|
|
|
router = APIRouter(prefix="/v1", tags=["wallets", "receipts"])
|
|
|
|
|
|
def _result_to_response(result: ReceiptValidationResult) -> ReceiptVerifyResponse:
|
|
payload = from_validation_result(result)
|
|
return ReceiptVerifyResponse(result=payload)
|
|
|
|
|
|
@router.get(
|
|
"/receipts/{job_id}",
|
|
response_model=ReceiptVerifyResponse,
|
|
summary="Verify latest receipt for a job",
|
|
)
|
|
def verify_latest_receipt(
|
|
job_id: str,
|
|
service: ReceiptVerifierService = Depends(get_receipt_service),
|
|
) -> ReceiptVerifyResponse:
|
|
result = service.verify_latest(job_id)
|
|
if result is None:
|
|
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="receipt not found")
|
|
return _result_to_response(result)
|
|
|
|
|
|
@router.get(
|
|
"/receipts/{job_id}/history",
|
|
response_model=ReceiptVerificationListResponse,
|
|
summary="Verify all historical receipts for a job",
|
|
)
|
|
def verify_receipt_history(
|
|
job_id: str,
|
|
service: ReceiptVerifierService = Depends(get_receipt_service),
|
|
) -> ReceiptVerificationListResponse:
|
|
results = service.verify_history(job_id)
|
|
items = [from_validation_result(result) for result in results]
|
|
return ReceiptVerificationListResponse(items=items)
|
|
|
|
|
|
@router.get("/wallets", response_model=WalletListResponse, summary="List wallets")
|
|
def list_wallets(
|
|
keystore: KeystoreService = Depends(get_keystore),
|
|
ledger: SQLiteLedgerAdapter = Depends(get_ledger),
|
|
) -> WalletListResponse:
|
|
descriptors = []
|
|
for record in keystore.list_records():
|
|
ledger_record = ledger.get_wallet(record.wallet_id)
|
|
metadata = ledger_record.metadata if ledger_record else record.metadata
|
|
descriptors.append(
|
|
WalletDescriptor(wallet_id=record.wallet_id, public_key=record.public_key, metadata=metadata)
|
|
)
|
|
|
|
return WalletListResponse(items=descriptors)
|
|
|
|
@router.post("/wallets", response_model=WalletCreateResponse, status_code=status.HTTP_201_CREATED, summary="Create wallet")
|
|
def create_wallet(
|
|
request: WalletCreateRequest,
|
|
http_request: Request,
|
|
keystore: KeystoreService = Depends(get_keystore),
|
|
ledger: SQLiteLedgerAdapter = Depends(get_ledger),
|
|
) -> WalletCreateResponse:
|
|
_enforce_limit("wallet-create", http_request)
|
|
|
|
try:
|
|
secret = base64.b64decode(request.secret_key) if request.secret_key else None
|
|
except Exception as exc:
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid base64 secret") from exc
|
|
|
|
try:
|
|
record = keystore.create_wallet(
|
|
wallet_id=request.wallet_id,
|
|
password=request.password,
|
|
secret=secret,
|
|
metadata=request.metadata,
|
|
)
|
|
except ValueError as exc:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_400_BAD_REQUEST,
|
|
detail={"reason": "password_too_weak", "min_length": 10, "message": str(exc)},
|
|
) from exc
|
|
|
|
ledger.upsert_wallet(record.wallet_id, record.public_key, record.metadata)
|
|
ledger.record_event(record.wallet_id, "created", {"metadata": record.metadata})
|
|
logger.info("Created wallet", extra={"wallet_id": record.wallet_id})
|
|
wallet = WalletDescriptor(wallet_id=record.wallet_id, public_key=record.public_key, metadata=record.metadata)
|
|
return WalletCreateResponse(wallet=wallet)
|
|
|
|
|
|
@router.post("/wallets/{wallet_id}/unlock", response_model=WalletUnlockResponse, summary="Unlock wallet")
|
|
def unlock_wallet(
|
|
wallet_id: str,
|
|
request: WalletUnlockRequest,
|
|
http_request: Request,
|
|
keystore: KeystoreService = Depends(get_keystore),
|
|
ledger: SQLiteLedgerAdapter = Depends(get_ledger),
|
|
) -> WalletUnlockResponse:
|
|
_enforce_limit("wallet-unlock", http_request, wallet_id)
|
|
try:
|
|
secret = bytearray(keystore.unlock_wallet(wallet_id, request.password))
|
|
ledger.record_event(wallet_id, "unlocked", {"success": True})
|
|
logger.info("Unlocked wallet", extra={"wallet_id": wallet_id})
|
|
except (KeyError, ValueError):
|
|
ledger.record_event(wallet_id, "unlocked", {"success": False})
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid credentials")
|
|
finally:
|
|
if "secret" in locals():
|
|
wipe_buffer(secret)
|
|
# We don't expose the secret in response
|
|
return WalletUnlockResponse(wallet_id=wallet_id, unlocked=True)
|
|
|
|
|
|
@router.post("/wallets/{wallet_id}/sign", response_model=WalletSignResponse, summary="Sign payload")
|
|
def sign_payload(
|
|
wallet_id: str,
|
|
request: WalletSignRequest,
|
|
http_request: Request,
|
|
keystore: KeystoreService = Depends(get_keystore),
|
|
ledger: SQLiteLedgerAdapter = Depends(get_ledger),
|
|
) -> WalletSignResponse:
|
|
_enforce_limit("wallet-sign", http_request, wallet_id)
|
|
try:
|
|
message = base64.b64decode(request.message_base64)
|
|
except Exception as exc:
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid base64 message") from exc
|
|
|
|
try:
|
|
signature = keystore.sign_message(wallet_id, request.password, message)
|
|
ledger.record_event(wallet_id, "sign", {"success": True})
|
|
logger.debug("Signed payload", extra={"wallet_id": wallet_id})
|
|
except (KeyError, ValueError):
|
|
ledger.record_event(wallet_id, "sign", {"success": False})
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid credentials")
|
|
|
|
signature_b64 = base64.b64encode(signature).decode()
|
|
return WalletSignResponse(wallet_id=wallet_id, signature_base64=signature_b64)
|