From e34d6b052d7f85421a080b70adbd674bb29fea17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Thu, 15 Jan 2026 13:23:20 +0100
Subject: [PATCH 1/6] Update fastpath docker image to use the version supporting anonymous credentials

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index f023178f..953ce139 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -822,7 +822,7 @@ module "fastpath_builder" {
  service_name = "fastpath"
  repo = "ooni/backend"
- branch_name = "master"
+ branch_name = "userauth-dep"
  buildspec_path = "fastpath/buildspec.yml"
  trigger_path = "fastpath/**"
  codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn

From 4520fe11d66dce9064db79c58e1068a4183f55dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Thu, 15 Jan 2026 16:29:33 +0100
Subject: [PATCH 2/6] Update fastpath docker version

---
 ansible/roles/fastpath/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/fastpath/tasks/main.yml b/ansible/roles/fastpath/tasks/main.yml
index 74ff60d6..c11c8c4e 100644
--- a/ansible/roles/fastpath/tasks/main.yml
+++ b/ansible/roles/fastpath/tasks/main.yml
@@ -154,7 +154,7 @@
 - name: Ensure fastpath is running
  community.docker.docker_container:
  name: fastpath
- image: ooni/fastpath:v0.88
+ image: ooni/fastpath:v0.89
  state: started
  user: "{{user_uid.stdout}}:{{user_gid.stdout}}"
  # use network mode = host to allow traffic from fastpath to the statsd exporter without

From 75a6d44ada895dc42c29711750514719cd4042d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Thu, 15 Jan 2026 16:32:56 +0100
Subject: [PATCH 3/6] Set ooniprobe branch to anonymous credentials version

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 953ce139..090ab33d 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -479,7 +479,7 @@ module "ooniapi_ooniprobe_deployer" {
  service_name = "ooniprobe"
  repo = "ooni/backend"
- branch_name = "master"
+ branch_name = "userauth-dep"
  trigger_path = "ooniapi/services/ooniprobe/**"
  buildspec_path = "ooniapi/services/ooniprobe/buildspec.yml"
  codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn

From b4c36a2f677b65dc926d05c0b4a09b56c663a463 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Thu, 15 Jan 2026 16:55:45 +0100
Subject: [PATCH 4/6] Add settings to deploy anonymous credentials

---
 tf/environments/dev/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 090ab33d..2c2cf9c3 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -206,6 +206,11 @@ data "aws_ssm_parameter" "prometheus_metrics_password" {
  name = "/oonidevops/ooni_services/prometheus_metrics_password"
 }

+# Manually managed with the AWS console
+data "aws_ssm_parameter" "anonc_secret_key" {
+ name = "/oonidevops/secrets/zkp/secret_key"
+}
+
 resource "aws_secretsmanager_secret" "oonipg_url" {
  name = "oonidevops/ooni-tier0-postgres/postgresql_url"
  tags = local.tags
@@ -512,6 +517,7 @@ module "ooniapi_ooniprobe" {
  JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret_legacy.arn
  PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
  CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn
+ ANONC_SECRET_KEY = data.aws_ssm_parameter.anonc_secret_key.arn
  }

  task_environment = {
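Review bot: The new `data "aws_ssm_parameter" "anonc_secret_key"` block is only ever consumed through `.arn` (the `ANONC_SECRET_KEY` entry in the second hunk of this patch), yet the `aws_ssm_parameter` data source decrypts the parameter and stores its plaintext value in Terraform state by default. Adding `with_decryption = false` inside the block keeps the key material out of state while leaving the ARN unchanged; the same applies to the sibling parameters shown as context that are also passed by ARN, if they are read the same way. The comment `# Manually managed with the AWS console` would be more useful as `# Secret key for the anonymous credentials (zkp) issuer; created manually in the AWS console, Terraform only references its ARN`, so a reader knows both what it is and why it is not managed here.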
@@ -520,6 +526,8 @@ module "ooniapi_ooniprobe" {
  COLLECTOR_ID = 3 # use a different one in prod
  CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
  TOR_TARGETS = "tor_targets.json"
+ ANONC_MANIFEST_BUCKET = aws_s3_bucket.anoncred_manifests
+ ANONC_MANIFEST_FILE = "manifest.json"
  }

  ooniapi_service_security_groups = [

From 4a9422edcf1e7a2ff75c2febe558002121fef071 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Thu, 15 Jan 2026 16:57:53 +0100
Subject: [PATCH 5/6] Fix bad bucket config

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 2c2cf9c3..2d11cba2 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -526,7 +526,7 @@ module "ooniapi_ooniprobe" {
  COLLECTOR_ID = 3 # use a different one in prod
  CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
  TOR_TARGETS = "tor_targets.json"
- ANONC_MANIFEST_BUCKET = aws_s3_bucket.anoncred_manifests
+ ANONC_MANIFEST_BUCKET = aws_s3_bucket.anoncred_manifests.bucket
  ANONC_MANIFEST_FILE = "manifest.json"
  }


From 0e59525e8dda73f587502cec2576607e1ff03c8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Fri, 16 Jan 2026 11:22:01 +0100
Subject: [PATCH 6/6] Add read permissions to ooniprobe to the s3 manifests bucket

---
 tf/environments/dev/main.tf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 2d11cba2..a57442a0 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -473,6 +473,18 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "${aws_s3_bucket.ooni_private_config_bucket.arn}/*"
+ },
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": "s3:GetObject",
+ "Resource": "${aws_s3_bucket.anoncred_manifests.arn}/*"
+ },
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": "${aws_s3_bucket.anoncred_manifests.arn}/*"
  }
  ]
 }
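Review bot: The `s3:ListBucket` statement added at the end of the hunk uses `"${aws_s3_bucket.anoncred_manifests.arn}/*"` as its Resource, but ListBucket is a bucket-level action that IAM evaluates against the bucket ARN itself, so with the `/*` suffix the statement matches no request and list calls from the ooniprobe role will still be denied. Change that line to `"Resource": "${aws_s3_bucket.anoncred_manifests.arn}"`; the GetObject statement above it is correct with the `/*` object-level pattern. Since the service is configured with a fixed `ANONC_MANIFEST_FILE = "manifest.json"` earlier in this series, it may only need GetObject on that one key, in which case the ListBucket statement could be dropped entirely to keep the role minimal. The enclosing `aws_iam_role_policy` resource starts before the hunk and appears to continue after its closing `}`.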