0.7.2 • Published 7 months ago

autodefender v0.7.2

Weekly downloads
-
License
MIT
Repository
github
Last release
7 months ago

Plug-in-templates for Defender as Code

This repository contains templates and tooling to setup web3 monitoring on OpenZeppelin Defender without hassle.

Structure of this codebase is made with plug-in-ability in mind, so adding new templates is very easy as well!

Why use it?

  • Generate monitoring configuration with current on-chain data as source of truth
  • Manage only one configuration file and reuse code with use of templates
  • Combine matchiing logic templates with monitoring templates to get what you need.
  • Run this in CI/CD pipeline to automatically keep up to date with any new deployments
  • Typescript support for configuring Defender

Installing and using as package

pnpm add autodefender

or

yarn add autodefender

then create config file defender.config.js:

const {getProcessEnv, getSlackNotifyChannel} = require('autodefender/utils');
const polygonRPC = getProcessEnv(false, 'POLYGON_RPC_URL');
const mainnerRPC = getProcessEnv(false, 'MAINNET_RPC_URL');
const {
  generateOwnableMonitor,
} = require('autodefender/templates/monitors/ownership');
const {all} = require('autodefender/templates/matchers/all');

/** @type import('autodefender/src/types').DefenderConfigType */
const config = {
  projectName: 'WORKSHOP1',
  ssot: false,
  // path: 'https://api.github.com/repos/thesandboxgame/sandbox-smart-contracts/contents/packages/core/deployments',
  path: './deployments',
  networks: {
    matic: {rpc: polygonRPC, directoryName: 'polygon'},
    mainnet: {rpc: mainnerRPC, directoryName: 'mainnet'},
  },
  monitors: {
    Ownership: {
      filter: all(),
      monitor: generateOwnableMonitor(),
      notification: {
        channels: [getSlackNotifyChannel(getProcessEnv(false, 'SLACK_URL'))],
      },
    },
  },
  outDir: './out',
  extractedAccountsMonitoring: {},
  excludeDeployments: ['Old_*'],
  excludeAccounts: ['0x000000000000AAeB6D7670E522A718067333cd4E'],
};
module.exports = config;

To deploy contracts:

yarn autodefender contracts --config defender.config.js

To deploy monitors:

yarn autodefender monitors --config defender.config.js

Setting up dev enviroment:

Run

pnpm install && pnpm types

Open or create new defender.config.ts in root of this repository.

{
  projectName: '', //StackName
  path: // url or path to directory that contains /<network>/<contractName>.json. File must contain {abi, address} properties.
  networks: { // these are needded for matchers that require web3 connection
    matic: {rpc: polygonRPC, directoryName: 'polygon'}, // RPC URL and directory names in path ^^
    mainnet: {rpc: mainnerRPC, directoryName: 'mainnet'},
  },
  monitors: {
    'Large-Mint-ERC20': { //Custom name, create as amany as you like
      notification: { // Notifyconfig
        channels: [getSlackNotifyChannel(getProcessEnv(false, 'SLACK_URL'))], //availible getters in /src/templates/notifications
      },
      filter: findERC20Contracts(), //see availible matchers in src/templates/matchers
      monitor: mintMonitor('ERC20', '100'), //see availible monitors in src/templates/monitors
      //ToDo: Add trigger templates here
    },
  },
  outDir: './out', //Directory where serverless resources will be generated in form of json files. You don't need to commit these, but if you want to work with typescript-serverless bypassing this config file - you can use those output files.
  extractedAccountsMonitoring: { //These are same as monitors, but the addres space supplied to them is a union of all relatedAccounts that all matchers of monitors have found. Use this to setup monitoring over owner accounts, admins etc.
    EthBalance: {
      monitor: accountEthMonitor('10'),
      filter: all(), //Use additional filtering to narrow down address space for priveledged accounts in particular template
      notification: {
        channels: [getSlackNotifyChannel(getProcessEnv(false, 'SLACK_URL'))],
      },
    },
  excludeDeployments: [ //Exclude glob pattern files from path
    'QUICKSWAP_SAND_MATIC',
    'FXCHILD*',
    'CHILD_CHAIN_MANAGER',
    '*_Implementation',
    '*_Proxy',
    'TRUSTED_FORWARDER',
    'PolygonLand_V1',
    'FAKE*',
    'DAIMedianize',
  ],
  excludeAccounts: ['0x000000000000AAeB6D7670E522A718067333cd4E'], //Exclude accounts from all monitoring
};

Generating & Deploying

Export env variables

export DEFENDER_SECRET = ""
export DEFENDER_KEY = ""
export POLYGON_RPC_URL="url"
export SLACK_URL="url"
export MAINNET_RPC_URL="url"

NB: Im not a fun of using dotenv. Use export keyword in env files/variables and source <your_env_file> or add sorucing to yarn commands, or add dotenv if you like using it.

yarn contracts
yarn monitors

Kinds of Templates

Create new file in /templates/. Add it to index.

Follow typing definitions of DefenderConfigType

Matchers

Matchers are the templates intended to take some given address space, provider already connected to network and any extra arguments, and it must return array of MatcherFindings. Each finding has address of finding and relatedAccounts[] array (i.e. roles in AccessControl contracts)

Monitors

Findings from Matcher function are passed to Monitor Getter template along with other arguments and generate a monitoring template that consists of Monitor itself, and optional dependencies. Dependencies might be: (trigger/condition) Functions, connected to them Relayers and Secrets.

Messages

md files that must be parsed in to strings and be returned from Monitor template

Notifications

Templates to generate YNotification

Functions

Functions are javascript templates that are ready to be deployed in Defender scripts. They are intended to run in the Defender Node enviroment and therefore best practice is to rollup or use webpack to genetrate them.

Convinient development way is to create your template in src/templates directory and then add it to the build process in rollup.config.js. Then by simply running yarn prebuild your function will be added to templates/functions.

Creating a new monitor

Monitor getter

Monitor getters are described by

TSentinelGetter<Record<string, string | never>, Record<string, string | never>>;

where inputs are

contractAddresses: string[]// - array of addresses to monitor for
provider: JsonRpcProvider // For convinience of reading chain during generation you have provider availible (running on future monitors network)
networkName: Network //Network name in Defender naming convention

and return is Promise of TSentinelOutput which consists of

export interface TSentinelOutput<T, K> {
  newMonitor: TSentinel; //Template for the monitor
  defaultMessage: string; //Default message to send as notificaiton
  actionsParams?: ActionsParams<T, K>; //Extra parameters such as secrets or relay definitions
}

Adding functions

Simply add in your templates newMonitor properties: autotask-condition or autotask-trigger with path from repo root to compiled template.

Connecting functions to relays

If your functions require relay to operate you can use either default relay for read operations generated automatically, or specify key for custom relay. In second case you must specify relay configuration in your config file with same key.

To add relay return object must contain actionsParams object. I.e. connecting to default relay in same network as Monitor is run for conditional autotask may look like this:

return {
  //Return object from monitor template
  newMonitor, //Monitor object itself
  defaultMessage, //Notification message (string)
  actionsParams: {
    condition: {
      relayNetwork: sentinelNetwork, //Specifying relayNetwork will automatically add default_reader relay on that network
      customRelay: 'myRelayer', //Adding this will use your custom defined relayer from config file instead of default
    },
    trigger: trigger //if trigger is defined it will require relay in trigger autotask.
      ? {relayNetwork: trigger.params.relayNetwork, secrets: trigger.params}
      : undefined,
  },
};

Specifying secrets

In the example above, monitoring template actually requires LOW_ETH_THRESHOLD secret to exist in Defender stack. In order to add id, pass required key-values as actionsParams.condition or actionsParams.trigger. Having trigger/conditon differentiator will allow that secret to be used in scoped secrets workflow

return {
  newMonitor,
  defaultMessage,
  actionsParams: {
    condition: {
      relayNetwork: sentinelNetwork,
      secrets: {LOW_ETH_THRESHOLD: threshold}, //This is custom parameter that autotask needs to consume from secrets
      customRelay: 'myRelayer',
    },
    trigger: trigger
      ? {relayNetwork: trigger.params.relayNetwork, secrets: trigger.params}
      : undefined,
  },
};

Using scoped secrets

If you need to pass some argument from the configuration to function, this is possible to do with scoped secrets defined in src/templates/utils

Scoped secrets use secret name and function visible name to combine it to a secret key that can be red from enviroment.

Function getter

Are not yet supported but it's easy to implement. Add your PR ;)

@openzeppelin/contracts@openzeppelin/defender-base-client@openzeppelin/defender-serverless@rollup/plugin-commonjs@rollup/plugin-json@rollup/plugin-node-resolve@rollup/plugin-yaml@sandbox-smart-contracts/core@serverless/typescript@typechain/ethers-v5@types/js-yaml@types/node@typescript-eslint/eslint-plugin@typescript-eslint/parserbuiltin-modulescross-env@openzeppelin/defender-autotask-utils@openzeppelin/defender-relay-clientdotenvdotenv-clieslinteslint-config-prettiereslint-plugin-jsoneslint-plugin-mochaeslint-plugin-prettierethershardhatjs-yamllodashminimatchprettiersemverserverlesssolcsolc-typed-astts-nodetypechaintypescriptyargs
@everything-registry/sub-chunk-1186
0.7.2

7 months ago

0.6.2

7 months ago

0.6.1

7 months ago

0.6.0

7 months ago

0.5.0

7 months ago

0.4.0

7 months ago

0.3.4

7 months ago

0.3.3

7 months ago

0.3.2

7 months ago

0.3.1

7 months ago

0.3.0

7 months ago

0.2.2

7 months ago

0.2.1

7 months ago

0.2.0

7 months ago