nologies/cycles-quartz
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat: input admin secret to gramine as env var (#238)

Browse source 
Co-authored-by: hu55a1n1 <sufialhussaini@gmail.com>
This commit is contained in:
Daniel Gushchyan 2024-10-04 05:41:59 -07:00 committed by GitHub
parent f42154f967
commit 634bc6a8f3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 54 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
.github/workflows/rust.yml vendored
View file

@ -5,19 +5,18 @@ on:
- .github/workflows/rust.yml - .github/workflows/rust.yml
- Cargo.lock - Cargo.lock
- Cargo.toml - Cargo.toml
- core/** - crates/**
- relayer/** - examples/**
- utils/** - "!examples/transfers/frontend/**"
push: push:
branches: master branches: main
paths: paths:
- .github/workflows/rust.yml - .github/workflows/rust.yml
- .gitmodules
- Cargo.lock - Cargo.lock
- Cargo.toml - Cargo.toml
- core/** - crates/**
- relayer/** - examples/**
- utils/** - "!examples/transfers/frontend/**"
env: env:
CARGO_INCREMENTAL: 0 CARGO_INCREMENTAL: 0

8
crates/cli/src/cli.rs
View file

@ -223,10 +223,6 @@ pub struct EnclaveStartArgs {
#[arg(long)] #[arg(long)]
pub unsafe_trust_latest: bool, pub unsafe_trust_latest: bool,
/// file containing the secret key of the tx-sender for the enclave
#[arg(long)]
pub sk_file: PathBuf,
/// FMSPC (Family-Model-Stepping-Platform-Custom SKU); required if `MOCK_SGX` is not set /// FMSPC (Family-Model-Stepping-Platform-Custom SKU); required if `MOCK_SGX` is not set
#[arg(long)] #[arg(long)]
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
@ -264,10 +260,6 @@ pub struct DevArgs {
#[command(flatten)] #[command(flatten)]
pub enclave_build: EnclaveBuildArgs, pub enclave_build: EnclaveBuildArgs,
/// file containing the secret key of the tx-sender for the enclave
#[arg(long)]
pub sk_file: PathBuf,
/// FMSPC (Family-Model-Stepping-Platform-Custom SKU); required if `MOCK_SGX` is not set /// FMSPC (Family-Model-Stepping-Platform-Custom SKU); required if `MOCK_SGX` is not set
#[arg(long)] #[arg(long)]
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]

7
crates/cli/src/handler/dev.rs
View file

@ -170,7 +170,6 @@ async fn dev_driver(
fn spawn_enclave_start(args: &DevRequest, config: &Config) -> Result<(), Error> { fn spawn_enclave_start(args: &DevRequest, config: &Config) -> Result<(), Error> {
// In separate process, launch the enclave // In separate process, launch the enclave
let enclave_start = EnclaveStartRequest { let enclave_start = EnclaveStartRequest {
sk_file: args.sk_file.clone(),
unsafe_trust_latest: args.unsafe_trust_latest, unsafe_trust_latest: args.unsafe_trust_latest,
fmspc: args.fmspc.clone(), fmspc: args.fmspc.clone(),
tcbinfo_contract: args.tcbinfo_contract.clone(), tcbinfo_contract: args.tcbinfo_contract.clone(),
@ -180,9 +179,11 @@ fn spawn_enclave_start(args: &DevRequest, config: &Config) -> Result<(), Error>
let config_cpy = config.clone(); let config_cpy = config.clone();
tokio::spawn(async move { tokio::spawn(async move {
let res = enclave_start.handle(config_cpy).await?; if let Err(e) = enclave_start.handle(config_cpy).await {
eprintln!("Error running enclave start.\n {}", e);
}
Ok::<Response, Error>(res) Ok::<(), Error>(())
}); });
Ok(()) Ok(())

9
crates/cli/src/handler/enclave_start.rs
View file

@ -76,6 +76,12 @@ impl Handler for EnclaveStartRequest {
)); ));
}; };
if let Err(_) = std::env::var("ADMIN_SK") {
return Err(Error::GenericErr(
"ADMIN_SK environment variable is not set".to_string(),
));
};
let enclave_dir = fs::canonicalize(config.app_dir.join("enclave"))?; let enclave_dir = fs::canonicalize(config.app_dir.join("enclave"))?;
// gramine private key // gramine private key
@ -92,7 +98,6 @@ impl Handler for EnclaveStartRequest {
&config.chain_id, &config.chain_id,
quartz_dir_canon, quartz_dir_canon,
&enclave_dir, &enclave_dir,
&self.sk_file,
fmspc, fmspc,
tcbinfo_contract, tcbinfo_contract,
dcap_verifier_contract, dcap_verifier_contract,
@ -194,7 +199,6 @@ async fn gramine_manifest(
chain_id: &Id, chain_id: &Id,
quartz_dir: &Path, quartz_dir: &Path,
enclave_dir: &Path, enclave_dir: &Path,
sk_file: &Path,
fmspc: Fmspc, fmspc: Fmspc,
tcbinfo_contract: AccountId, tcbinfo_contract: AccountId,
dcap_verifier_contract: AccountId, dcap_verifier_contract: AccountId,
@ -225,7 +229,6 @@ async fn gramine_manifest(
.arg(format!("-Dquartz_dir={}", quartz_dir.display())) .arg(format!("-Dquartz_dir={}", quartz_dir.display()))
.arg(format!("-Dtrusted_height={}", trusted_height)) .arg(format!("-Dtrusted_height={}", trusted_height))
.arg(format!("-Dtrusted_hash={}", trusted_hash)) .arg(format!("-Dtrusted_hash={}", trusted_hash))
.arg(format!("-Dsk_file={}", sk_file.display()))
.arg(format!("-Dfmspc={}", hex::encode(fmspc))) .arg(format!("-Dfmspc={}", hex::encode(fmspc)))
.arg(format!("-Dnode_url={}", node_url)) .arg(format!("-Dnode_url={}", node_url))
.arg(format!("-Dws_url={}", ws_url)) .arg(format!("-Dws_url={}", ws_url))

2
crates/cli/src/request.rs
View file

@ -48,7 +48,6 @@ impl TryFrom<Command> for Request {
label: args.contract_deploy.label, label: args.contract_deploy.label,
contract_manifest: args.contract_deploy.contract_manifest, contract_manifest: args.contract_deploy.contract_manifest,
release: args.enclave_build.release, release: args.enclave_build.release,
sk_file: args.sk_file,
fmspc: args.fmspc, fmspc: args.fmspc,
tcbinfo_contract: args.tcbinfo_contract, tcbinfo_contract: args.tcbinfo_contract,
dcap_verifier_contract: args.dcap_verifier_contract, dcap_verifier_contract: args.dcap_verifier_contract,
@ -102,7 +101,6 @@ impl TryFrom<EnclaveCommand> for Request {
EnclaveCommand::Build(_) => Ok(EnclaveBuildRequest {}.into()), EnclaveCommand::Build(_) => Ok(EnclaveBuildRequest {}.into()),
EnclaveCommand::Start(args) => Ok(EnclaveStartRequest { EnclaveCommand::Start(args) => Ok(EnclaveStartRequest {
unsafe_trust_latest: args.unsafe_trust_latest, unsafe_trust_latest: args.unsafe_trust_latest,
sk_file: args.sk_file,
fmspc: args.fmspc, fmspc: args.fmspc,
tcbinfo_contract: args.tcbinfo_contract, tcbinfo_contract: args.tcbinfo_contract,
dcap_verifier_contract: args.dcap_verifier_contract, dcap_verifier_contract: args.dcap_verifier_contract,

1
crates/cli/src/request/dev.rs
View file

@ -13,7 +13,6 @@ pub struct DevRequest {
pub label: String, pub label: String,
pub contract_manifest: PathBuf, pub contract_manifest: PathBuf,
pub release: bool, pub release: bool,
pub sk_file: PathBuf,
pub fmspc: Option<Fmspc>, pub fmspc: Option<Fmspc>,
pub tcbinfo_contract: Option<AccountId>, pub tcbinfo_contract: Option<AccountId>,
pub dcap_verifier_contract: Option<AccountId>, pub dcap_verifier_contract: Option<AccountId>,

3
crates/cli/src/request/enclave_start.rs
View file

@ -1,5 +1,3 @@
use std::path::PathBuf;
use cosmrs::AccountId; use cosmrs::AccountId;
use quartz_common::enclave::types::Fmspc; use quartz_common::enclave::types::Fmspc;
use tendermint::{block::Height, Hash}; use tendermint::{block::Height, Hash};
@ -13,7 +11,6 @@ use crate::{
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct EnclaveStartRequest { pub struct EnclaveStartRequest {
pub unsafe_trust_latest: bool, pub unsafe_trust_latest: bool,
pub sk_file: PathBuf,
pub fmspc: Option<Fmspc>, pub fmspc: Option<Fmspc>,
pub tcbinfo_contract: Option<AccountId>, pub tcbinfo_contract: Option<AccountId>,
pub dcap_verifier_contract: Option<AccountId>, pub dcap_verifier_contract: Option<AccountId>,

3
crates/enclave/core/src/server.rs
View file

@ -1,7 +1,6 @@
use std::{ use std::{
convert::Infallible, convert::Infallible,
net::SocketAddr, net::SocketAddr,
path::PathBuf,
sync::{Arc, Mutex}, sync::{Arc, Mutex},
time::Duration, time::Duration,
}; };
@ -87,7 +86,7 @@ pub struct WsListenerConfig {
pub tx_sender: String, pub tx_sender: String,
pub trusted_hash: Hash, pub trusted_hash: Hash,
pub trusted_height: Height, pub trusted_height: Height,
pub sk_file: PathBuf, pub admin_sk: String,
} }
/// A trait for wrapping a tonic service with the gRPC server handler /// A trait for wrapping a tonic service with the gRPC server handler

1
crates/utils/cw-client/data/admin.sk
View file

@ -1 +0,0 @@
ffc4d3c9119e9e8263de08c0f6e2368ac5c2dacecfeb393f6813da7d178873d2

40
crates/utils/cw-client/src/grpc.rs
View file

@ -1,4 +1,4 @@
use std::{error::Error, fs::File, io::Read, path::PathBuf}; use std::error::Error;
use anyhow::anyhow; use anyhow::anyhow;
use cosmos_sdk_proto::{ use cosmos_sdk_proto::{
@ -31,15 +31,14 @@ use serde::de::DeserializeOwned;
use crate::CwClient; use crate::CwClient;
#[derive(Clone, Debug)]
pub struct GrpcClient { pub struct GrpcClient {
sk_file: PathBuf, sk: SigningKey,
url: Url, url: Url,
} }
impl GrpcClient { impl GrpcClient {
pub fn new(sk_file: PathBuf, url: Url) -> Self { pub fn new(sk: SigningKey, url: Url) -> Self {
Self { sk_file, url } Self { sk, url }
} }
} }
@ -91,16 +90,7 @@ impl CwClient for GrpcClient {
msg: M, msg: M,
_fees: &str, _fees: &str,
) -> Result<String, Self::Error> { ) -> Result<String, Self::Error> {
let secret = { let tm_pubkey = self.sk.public_key();
let mut secret_hex = String::new();
let mut sk_file = File::open(self.sk_file.clone())?;
sk_file.read_to_string(&mut secret_hex)?;
let secret = hex::decode(secret_hex)?;
SigningKey::from_slice(&secret)
.map_err(|e| anyhow!("failed to read secret key: {}", e))?
};
let tm_pubkey = secret.public_key();
let sender = tm_pubkey let sender = tm_pubkey
.account_id("neutron") .account_id("neutron")
.map_err(|e| anyhow!("failed to create AccountId from pubkey: {}", e))?; .map_err(|e| anyhow!("failed to create AccountId from pubkey: {}", e))?;
@ -122,7 +112,7 @@ impl CwClient for GrpcClient {
denom: "untrn".parse().expect("hardcoded denom"), denom: "untrn".parse().expect("hardcoded denom"),
}; };
let tx_bytes = tx_bytes( let tx_bytes = tx_bytes(
&secret, &self.sk,
amount, amount,
gas, gas,
tm_pubkey, tm_pubkey,
@ -221,18 +211,22 @@ mod tests {
use serde_json::json; use serde_json::json;
use transfers_contract::msg::{execute::Request, QueryMsg::GetRequests}; use transfers_contract::msg::{execute::Request, QueryMsg::GetRequests};
use crate::{CwClient, GrpcClient}; use crate::{grpc::GrpcClient, CwClient};
#[tokio::test] #[tokio::test]
#[ignore] #[ignore]
async fn test_query() -> Result<(), Box<dyn Error>> { async fn test_query() -> Result<(), Box<dyn Error>> {
let sk_file = "../data/admin.sk".parse().unwrap(); let sk = hex::decode("ffc4d3c9119e9e8263de08c0f6e2368ac5c2dacecfeb393f6813da7d178873d2")
.unwrap()
.as_slice()
.try_into()
.unwrap();
let url = "https://grpc-falcron.pion-1.ntrn.tech:80".parse().unwrap(); let url = "https://grpc-falcron.pion-1.ntrn.tech:80".parse().unwrap();
let contract = "neutron15ruzx9wvrupt9cffzsp6868uad2svhfym2nsgxm2skpeqr3qrd4q4uwk83" let contract = "neutron15ruzx9wvrupt9cffzsp6868uad2svhfym2nsgxm2skpeqr3qrd4q4uwk83"
.parse() .parse()
.unwrap(); .unwrap();
let cw_client = GrpcClient::new(sk_file, url); let cw_client = GrpcClient::new(sk, url);
let resp: Vec<Request> = cw_client let resp: Vec<Request> = cw_client
.query_smart(&contract, json!(GetRequests {})) .query_smart(&contract, json!(GetRequests {}))
.await?; .await?;
@ -244,14 +238,18 @@ mod tests {
#[tokio::test] #[tokio::test]
#[ignore] #[ignore]
async fn test_execute() -> Result<(), Box<dyn Error>> { async fn test_execute() -> Result<(), Box<dyn Error>> {
let sk_file = "data/admin.sk".parse().unwrap(); let sk = hex::decode("ffc4d3c9119e9e8263de08c0f6e2368ac5c2dacecfeb393f6813da7d178873d2")
.unwrap()
.as_slice()
.try_into()
.unwrap();
let url = "https://grpc-falcron.pion-1.ntrn.tech:80".parse().unwrap(); let url = "https://grpc-falcron.pion-1.ntrn.tech:80".parse().unwrap();
let contract = "neutron15ruzx9wvrupt9cffzsp6868uad2svhfym2nsgxm2skpeqr3qrd4q4uwk83" let contract = "neutron15ruzx9wvrupt9cffzsp6868uad2svhfym2nsgxm2skpeqr3qrd4q4uwk83"
.parse() .parse()
.unwrap(); .unwrap();
let chain_id = "pion-1".parse().unwrap(); let chain_id = "pion-1".parse().unwrap();
let cw_client = GrpcClient::new(sk_file, url); let cw_client = GrpcClient::new(sk, url);
let tx_hash = cw_client let tx_hash = cw_client
.tx_execute( .tx_execute(
&contract, &contract,

4
examples/transfers/enclave/quartz.manifest.template
View file

@ -20,6 +20,7 @@ loader.env.RA_TLS_EPID_API_KEY = { passthrough = true }
loader.env.MYAPP_DATA = { passthrough = true } loader.env.MYAPP_DATA = { passthrough = true }
loader.env.QUARTZ_PORT = { passthrough = true } loader.env.QUARTZ_PORT = { passthrough = true }
loader.env.SSL_CERT_FILE = { passthrough = true } loader.env.SSL_CERT_FILE = { passthrough = true }
loader.env.ADMIN_SK = { passthrough = true }
loader.insecure__use_host_env = true loader.insecure__use_host_env = true
loader.argv = ["quartz-app-transfers-enclave", loader.argv = ["quartz-app-transfers-enclave",
@ -39,7 +40,6 @@ fs.mounts = [
{ uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" }, { uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" },
{ uri = "file:/usr/{{ arch_libdir }}", path = "/usr{{ arch_libdir }}" }, { uri = "file:/usr/{{ arch_libdir }}", path = "/usr{{ arch_libdir }}" },
{ uri = "file:{{ quartz_dir }}", path = "{{ quartz_dir }}" }, { uri = "file:{{ quartz_dir }}", path = "{{ quartz_dir }}" },
{ uri = "file:{{ quartz_dir }}/../../crates/utils/cw-client/data/admin.sk", path = "/admin.sk" },
{ uri = "file:/etc/ssl/certs/ca-certificates.crt", path = "/etc/ssl/certs/ca-certificates.crt" }, { uri = "file:/etc/ssl/certs/ca-certificates.crt", path = "/etc/ssl/certs/ca-certificates.crt" },
{ uri = "file:/usr/lib/ssl/cert.pem", path = "/usr/lib/ssl/cert.pem" }, { uri = "file:/usr/lib/ssl/cert.pem", path = "/usr/lib/ssl/cert.pem" },
] ]
@ -60,11 +60,9 @@ sgx.trusted_files = [
"file:{{ arch_libdir }}/", "file:{{ arch_libdir }}/",
"file:/usr/{{ arch_libdir }}/", "file:/usr/{{ arch_libdir }}/",
"file:/etc/ssl/certs/ca-certificates.crt", "file:/etc/ssl/certs/ca-certificates.crt",
"file:{{ quartz_dir }}/../../crates/utils/cw-client/data/admin.sk",
] ]
sgx.allowed_files = [ sgx.allowed_files = [
"file:admin.sk",
"file:/etc/nsswitch.conf", "file:/etc/nsswitch.conf",
"file:/etc/host.conf", "file:/etc/host.conf",
"file:/etc/ethers", "file:/etc/ethers",

5
examples/transfers/enclave/src/cli.rs
View file

@ -1,4 +1,4 @@
use std::{env, net::SocketAddr, path::PathBuf}; use std::{env, net::SocketAddr};
use clap::Parser; use clap::Parser;
use color_eyre::eyre::{eyre, Result}; use color_eyre::eyre::{eyre, Result};
@ -76,9 +76,6 @@ pub struct Cli {
#[clap(long, default_value = "admin")] #[clap(long, default_value = "admin")]
pub tx_sender: String, pub tx_sender: String,
#[clap(long, default_value = "admin.sk")]
pub sk_file: PathBuf,
} }
fn default_rpc_addr() -> SocketAddr { fn default_rpc_addr() -> SocketAddr {

4
examples/transfers/enclave/src/main.rs
View file

@ -41,6 +41,8 @@ use crate::wslistener::WsListener;
async fn main() -> Result<(), Box<dyn std::error::Error>> { async fn main() -> Result<(), Box<dyn std::error::Error>> {
let args = Cli::parse(); let args = Cli::parse();
let admin_sk = std::env::var("ADMIN_SK")?;
let light_client_opts = LightClientOpts::new( let light_client_opts = LightClientOpts::new(
args.chain_id.clone(), args.chain_id.clone(),
args.trusted_height.into(), args.trusted_height.into(),
@ -80,7 +82,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
trusted_hash: args.trusted_hash, trusted_hash: args.trusted_hash,
trusted_height: args.trusted_height, trusted_height: args.trusted_height,
chain_id: args.chain_id, chain_id: args.chain_id,
sk_file: args.sk_file, admin_sk,
}; };
let sk = Arc::new(Mutex::new(None)); let sk = Arc::new(Mutex::new(None));

16
examples/transfers/enclave/src/wslistener.rs
View file

@ -169,8 +169,11 @@ where
A: Attestor, A: Attestor,
A::RawAttestation: for<'de> Deserialize<'de>, A::RawAttestation: for<'de> Deserialize<'de>,
{ {
let chain_id = &ChainId::from_str(&ws_config.chain_id)?; let sk = hex::decode(ws_config.admin_sk.clone())?
let cw_client = GrpcClient::new(ws_config.sk_file.clone(), ws_config.grpc_url.clone()); .as_slice()
.try_into()
.map_err(|e| anyhow!("failed to read/parse sk: {}", e))?;
let cw_client = GrpcClient::new(sk, ws_config.grpc_url.clone());
// Query contract state // Query contract state
let requests: Vec<TransferRequest> = cw_client let requests: Vec<TransferRequest> = cw_client
@ -243,6 +246,7 @@ where
}); });
// Post response to chain // Post response to chain
let chain_id = &ChainId::from_str(&ws_config.chain_id)?;
let output = cw_client let output = cw_client
.tx_execute( .tx_execute(
contract, contract,
@ -269,8 +273,11 @@ where
A: Attestor, A: Attestor,
A::RawAttestation: for<'de> Deserialize<'de>, A::RawAttestation: for<'de> Deserialize<'de>,
{ {
let chain_id = &ChainId::from_str(&ws_config.chain_id)?; let sk = hex::decode(ws_config.admin_sk.clone())?
let cw_client = GrpcClient::new(ws_config.sk_file.clone(), ws_config.grpc_url.clone()); .as_slice()
.try_into()
.map_err(|e| anyhow!("failed to read/parse sk: {}", e))?;
let cw_client = GrpcClient::new(sk, ws_config.grpc_url.clone());
// Query contract state // Query contract state
let state: HexBinary = cw_client let state: HexBinary = cw_client
@ -309,6 +316,7 @@ where
}); });
// Post response to chain // Post response to chain
let chain_id = &ChainId::from_str(&ws_config.chain_id)?;
let output = cw_client let output = cw_client
.tx_execute( .tx_execute(
contract, contract,