This commit is contained in:
Sebastion 2026-03-27 09:23:54 -05:00 committed by GitHub
commit daaa88ab56
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 22 additions and 6 deletions


@ -15,4 +15,7 @@ REDIS_PORT=6379
# Storage path for NOMAD content (ZIM files, maps, etc.) # Storage path for NOMAD content (ZIM files, maps, etc.)
# On Windows dev, use an absolute path like: C:/nomad-storage # On Windows dev, use an absolute path like: C:/nomad-storage
# On Linux production, use: /opt/project-nomad/storage # On Linux production, use: /opt/project-nomad/storage
NOMAD_STORAGE_PATH=/opt/project-nomad/storage NOMAD_STORAGE_PATH=/opt/project-nomad/storage
# HMAC secret used to sign benchmark submissions to benchmark.projectnomad.us
# Generate with: openssl rand -hex 24
# BENCHMARK_HMAC_SECRET=


@ -23,16 +23,17 @@ import type {
RepositoryStats, RepositoryStats,
} from '../../types/benchmark.js' } from '../../types/benchmark.js'
import { randomUUID, createHmac } from 'node:crypto' import { randomUUID, createHmac } from 'node:crypto'
import env from '#start/env'
import { DockerService } from './docker_service.js' import { DockerService } from './docker_service.js'
import { SERVICE_NAMES } from '../../constants/service_names.js' import { SERVICE_NAMES } from '../../constants/service_names.js'
import { BROADCAST_CHANNELS } from '../../constants/broadcast.js' import { BROADCAST_CHANNELS } from '../../constants/broadcast.js'
import Dockerode from 'dockerode' import Dockerode from 'dockerode'
// HMAC secret for signing submissions to the benchmark repository // HMAC secret for signing submissions to the benchmark repository.
// This provides basic protection against casual API abuse. // Must be provided via the BENCHMARK_HMAC_SECRET environment variable.
// Note: Since NOMAD is open source, a determined attacker could extract this. // The benchmark server uses this to verify that submissions originate from
// For stronger protection, see challenge-response authentication. // a genuine NOMAD instance. Never commit the real secret to source control.
const BENCHMARK_HMAC_SECRET = '778ba65d0bc0e23119e5ffce4b3716648a7d071f0a47ec3f' const BENCHMARK_HMAC_SECRET = env.get('BENCHMARK_HMAC_SECRET')
// Re-export default weights for use in service // Re-export default weights for use in service
const SCORE_WEIGHTS = { const SCORE_WEIGHTS = {
@ -157,6 +158,11 @@ export class BenchmarkService {
} }
try { try {
// Refuse to submit if the signing secret is not configured
if (!BENCHMARK_HMAC_SECRET) {
throw new Error('Benchmark submission signing secret is not configured. Set the BENCHMARK_HMAC_SECRET environment variable.')
}
// Generate HMAC signature for submission verification // Generate HMAC signature for submission verification
const timestamp = Date.now().toString() const timestamp = Date.now().toString()
const payload = timestamp + JSON.stringify(submission) const payload = timestamp + JSON.stringify(submission)
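Review bot: Replacing the literal at the old line 34 with `env.get('BENCHMARK_HMAC_SECRET')` removes the value from the working tree but not from the repository history, so the old secret still verifies on the benchmark server until it is rotated there; the commit should state that a new secret has been issued and the old one invalidated, otherwise the change is cosmetic from the server's point of view. Separately, the new guard on lines 41–43 throws inside the `try {` that opens on line 39; if the `catch` further down treats every error as a failed submission, a missing secret will be reported like a transient network error rather than a configuration fault, so consider moving the `if (!BENCHMARK_HMAC_SECRET)` block to just before `try {`. The enclosing BenchmarkService method starts and ends outside this hunk.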


@ -60,4 +60,11 @@ export default await Env.create(new URL('../', import.meta.url), {
|---------------------------------------------------------- |----------------------------------------------------------
*/ */
NOMAD_API_URL: Env.schema.string.optional(), NOMAD_API_URL: Env.schema.string.optional(),
/*
|----------------------------------------------------------
| Variables for configuring the benchmark submission secret
|----------------------------------------------------------
*/
BENCHMARK_HMAC_SECRET: Env.schema.string.optional(),
}) })
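Review bot: Declaring `BENCHMARK_HMAC_SECRET: Env.schema.string.optional()` on line 59 means a deployment with the variable unset passes environment validation, and the gap only surfaces later at the first benchmark submission through the service-level check. That is presumably intended so local development runs without a secret, but the banner comment on lines 54–58 should say so, e.g. add `| Optional so local dev runs without it; benchmark submission is refused until it is set.` inside the block. If the variable is meant to be mandatory for production builds, a required schema entry for that case would report the misconfiguration at startup instead of at submission time.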