Merge pull request #164 from iExecBlockchainComputing/release/8.0.0

Release/8.0.0

.gitignore

@@ -26,9 +26,9 @@ build
 /.nb-gradle/
 
 /bin/
+/iexec-sms-library/bin
 .vscode/
 
 ### iExec ###
 
-src/main/resources/iexec-sms-aes.key
-src/main/resources/boot/sms-palaemon-conf.yml
+src/test/resources/iexec-sms-aes.key

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 All notable changes to this project will be documented in this file.
 
+## [[8.0.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.0.0) 2023-03-06
+
+### New Features
+* Support SMS in enclave for Scone TEE tasks.
+* Support Gramine framework for TEE tasks.
+* Add `GET /up` client method in iexec-sms-library.
+* Return a same `SmsClient` from the `SmsClientProvider` of iexec-sms-library when calling a same SMS URL.
+* Add iExec banner at startup.
+* Show application version on banner.
+### Bug Fixes
+* Remove TLS context on server.
+* Remove `GET /secrets` endpoints.
+* Remove non-TEE workflow.
+* Remove enclave entrypoints from Gramine sessions since already present in manifests of applications.
+* Update Scone transformation parameters to enable health checks in SMS in enclave.
+### Quality
+* Refactor secret model.
+* Improve code quality.
+### Dependency Upgrades
+* Upgrade to Spring Boot 2.6.14.
+* Upgrade to Gradle 7.6.
+* Upgrade OkHttp to 4.9.0.
+* Upgrade to Java 11.0.16 patch.
+* Upgrade to `iexec-common` 7.0.0.
+* Upgrade to `jenkins-library` 2.4.0.
+
 ## [[7.3.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v7.3.0) 2023-01-18
 
 * Add endpoint to allow health checks.

Dockerfile

@@ -0,0 +1,15 @@
+FROM openjdk:11.0.16-jre-slim
+
+ARG jar
+
+RUN test -n "$jar"
+
+RUN apt-get update \
+    && apt-get install -y curl \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY $jar /app/iexec-sms.jar
+
+COPY src/main/resources/ssl-keystore-dev.p12 /app/ssl-keystore-dev.p12
+
+ENTRYPOINT [ "/bin/sh", "-c", "java -jar /app/iexec-sms.jar" ]

Jenkinsfile

@@ -1,13 +1,26 @@
-@Library('[email protected]') _
+@Library('[email protected]') _
+
+String repositoryName = 'iexec-sms'
+
+buildInfo = getBuildInfo()
+
 buildJavaProject(
-        buildInfo: getBuildInfo(),
+        buildInfo: buildInfo,
         integrationTestsEnvVars: [],
         shouldPublishJars: true,
         shouldPublishDockerImages: true,
-        dockerfileDir: 'build/resources/main',
-        dockerfileFilename: 'Dockerfile.untrusted',
+        dockerfileDir: '.',
         buildContext: '.',
         preDevelopVisibility: 'iex.ec',
         developVisibility: 'iex.ec',
         preProductionVisibility: 'docker.io',
         productionVisibility: 'docker.io')
+
+sconeBuildUnlocked(
+        nativeImage:     "docker-regis.iex.ec/$repositoryName:$buildInfo.imageTag",
+        imageName:       repositoryName,
+        imageTag:        buildInfo.imageTag,
+        sconifyArgsPath: './docker/sconify.args',
+        sconifyImage:    'sconecuratedimages/iexec-sconify-image',
+        sconifyVersion:  '5.7.0-wal'
+)

README.md

@@ -2,7 +2,12 @@
 
 ## Overview
 
-The iExec Secret Management Service (SMS) stores user secrets and provisions them to authorized Trusted Execution Environment (TEE) applications running on the iExec network.
+The _iExec Secret Management Service_ (SMS) stores user secrets and provisions them to authorized Trusted Execution Environment (TEE) applications running on the iExec network.
+
+Two TEE frameworks for TEE tasks are supported on the iExec platform:
+
+* Scone
+* Gramine
 
 ### Details
 
@@ -16,58 +21,71 @@ The iExec Secret Management Service (SMS) stores user secrets and provisions the
 
 ## Configuration
 
-The iExec Secret Management Service is available as an OCI image on [Docker Hub](https://hub.docker.com/r/iexechub/iexec-sms/tags).
+The _iExec Secret Management Service_ is available as an OCI image on [Docker Hub](https://hub.docker.com/r/iexechub/iexec-sms/tags).
+
+A single _iExec Secret Management Service_ instance supports a single TEE framework.
+To support both Scone and Gramine TEE tasks, two instances of _iExec SMS_ must be configured.
 
-To run properly, the iExec Secret Management Service requires:
+To run properly, the _iExec Secret Management Service_ requires:
 * A blockchain node. iExec smart contracts must be deployed on the blockchain network.
-* A Scontain Configuration and Attestation Service (CAS) to provision secrets to remote enclaves.
-* Valid OCI images configurations for pre-compute and post-compute stages of TEE tasks executions.
-* A valid OCI image configuration of a Scontain Local Attestation Service (LAS).
-  This service will be deployed by an iExec Worker to compute TEE tasks.
+* Valid OCI images configurations for pre-compute and post-compute stages of TEE tasks executions. Exposed images depend on the type of TEE framework supported.
+* A Secret Provisioner instance, in charge of provisioning secrets to remote enclaves. Each TEE framework requires its own type of Secret Provisioner.
+    * for Scone TEE tasks:
+        * a Scontain _Configuration and Attestation Service_ (CAS).
+        * a valid OCI image configuration of a Scontain _Local Attestation Service_ (LAS). This service will be deployed by an iExec Worker to compute TEE tasks.
+    * for Gramine TEE tasks:
+        * an _iExec Secret Provisioner Service_ (_iExec SPS_) instance.
 
-The iExec SMS can be started locally for development purpose.
+The _iExec Secret Management Service_ can be started locally for development purpose.
 It is not advised to use an instance with such configuration in production.
 
-You can configure the SMS with the following properties:
+To support:
+* Scone TEE tasks, set `IEXEC_SMS_TEE_RUNTIME_FRAMEWORK=scone`, then configure the SMS with properties of all following tables.
+* Gramine TEE tasks, set `IEXEC_SMS_TEE_RUNTIME_FRAMEWORK=gramine`, then configure the SMS with properties of following table.
+
+### Environment variables (Scone or Gramine TEE framework)
+
+| Environment variable | Description | Type | Default Scone-configuration value |  Default Gramine-configuration value |
+| --- | --- | --- | --- | --- |
+| `IEXEC_SMS_TEE_RUNTIME_FRAMEWORK` | Define which TEE framework this _iExec SMS_ supports. | `scone` or `gramine` | | |
+| `IEXEC_SMS_PORT` | Server HTTP port. | Positive integer | `13300` | `13300` |
+| `IEXEC_SMS_H2_URL` | JDBC URL of the database. | URL | `jdbc:h2:file:/tmp/h2/sms-h2` |  `jdbc:h2:file:/tmp/h2/sms-h2` |
+| `IEXEC_SMS_H2_CONSOLE` | Whether to enable the H2 console. | Boolean | `false` | `false` |
+| `IEXEC_SMS_STORAGE_ENCRYPTION_AES_KEY_PATH` | Path to the key created and used to encrypt secrets. | String | `src/main/resources/iexec-sms-aes.key` | `src/main/resources/iexec-sms-aes.key` |
+| `IEXEC_CHAIN_ID` | Chain ID of the blockchain network to connect. | Positive integer | `17` |  `17` |
+| `IEXEC_SMS_BLOCKCHAIN_NODE_ADDRESS` | URL to connect to the blockchain node. | URL | `http://localhost:8545` | `http://localhost:8545` |
+| `IEXEC_HUB_ADDRESS` | Proxy contract address to interact with the iExec on-chain protocol. | String | `0xBF6B2B07e47326B7c8bfCb4A5460bef9f0Fd2002` | `0xBF6B2B07e47326B7c8bfCb4A5460bef9f0Fd2002` |
+| `IEXEC_GAS_PRICE_MULTIPLIER` | Transactions will be sent with `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER`. | Float | `1.0` | `1.0` |
+| `IEXEC_GAS_PRICE_CAP` | In Wei, will be used for transactions if `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER > IEXEC_GAS_PRICE_CAP`. | Integer | `22000000000` | `22000000000` |
+| `IEXEC_IS_SIDECHAIN` | Define if iExec on-chain protocol is built on top of token (`false`) or native currency (`true`). | Boolean | `false` | `false` |
+| `IEXEC_SMS_DISPLAY_DEBUG_SESSION` | Whether to display TEE enclaves sessions configuration in SMS logs. | Boolean | `false` | `false` |
+| `IEXEC_SECRET_PROVISIONER_WEB_HOSTNAME` | Secret provisioner server host for session management. Used to post sessions of secrets. | String | `localhost` | `localhost` |
+| `IEXEC_SECRET_PROVISIONER_WEB_PORT` | Secret provisioner server port for session management. | Positive integer | `8081` | `8080` |
+| `IEXEC_SECRET_PROVISIONER_ENCLAVE_HOSTNAME` | Secret provisioner server host for retrieving secrets from attested enclaves. Typically used by workers to execute TEE tasks. | Positive integer | `localhost` | `localhost` |
+| `IEXEC_SECRET_PROVISIONER_ENCLAVE_PORT`|  Secret provisioner server port for retrieving secrets from attested enclaves. | Positive integer | `18765` | `4433` |
+| `IEXEC_TEE_WORKER_PRE_COMPUTE_IMAGE` | TEE enabled OCI image name for worker pre-compute stage of TEE tasks. | String | | |
+| `IEXEC_TEE_WORKER_PRE_COMPUTE_FINGERPRINT` | Fingerprint (aka mrenclave) of the TEE enabled worker pre-compute image. | String | | |
+| `IEXEC_TEE_WORKER_PRE_COMPUTE_HEAP_SIZE_GB` | Required heap size for a worker pre-compute enclave (in Giga Bytes). | Positive integer | `3` | `3` |
+| `IEXEC_TEE_WORKER_PRE_COMPUTE_ENTRYPOINT` | Command executed when starting a container from the TEE enabled worker pre-compute image. | String | `java -jar /app/app.jar` | `/bin/bash /apploader.sh` |
+| `IEXEC_TEE_WORKER_POST_COMPUTE_IMAGE` | TEE enabled OCI image name for worker post-compute stage of TEE tasks. | String | | |
+| `IEXEC_TEE_WORKER_POST_COMPUTE_FINGERPRINT` | Fingerprint (aka mrenclave) of the TEE enabled worker post-compute image. | String | | |
+| `IEXEC_TEE_WORKER_POST_COMPUTE_HEAP_SIZE_GB` | Required heap size for a worker post-compute enclave (in Giga Bytes). | Positive integer | `3` | `3` |
+| `IEXEC_TEE_WORKER_POST_COMPUTE_ENTRYPOINT` | Command executed when starting a container from the TEE enabled worker post-compute image. | String | `java -jar /app/app.jar` | `/bin/bash /apploader.sh` |
+
+### Scone specific environment variables
 
-| Environment variable | Description | Type | Default value |
+| Environment variable | Description | Type | Default Scone-configuration value |
 | --- | --- | --- | --- |
-| IEXEC_SMS_PORT | Server HTTPS port. | Positive integer | `15443` |
-| IEXEC_SMS_HTTP_ENABLED | Whether to start an http context when starting the SMS. | Boolean | `true` |
-| IEXEC_SMS_HTTP_PORT | Server HTTP port. | Positive integer | `13300` |
-| IEXEC_SMS_SSL_KEYSTORE | Path to the key store that holds the SSL certificate. | String | `src/main/resources/ssl-keystore-dev.p12` |
-| IEXEC_SMS_SSL_KEYSTORE_PASSWORD | Password used to access the key store. | String | `whatever` |
-| IEXEC_SMS_SSL_KEYSTORE_TYPE | Type of the key store. | Positive integer | `PKCS12` |
-| IEXEC_SMS_SSL_KEYSTORE_ALIAS | Alias that identifies the key in the key store. | String | `iexec-core` |
-| IEXEC_SMS_H2_URL | JDBC URL of the database. | URL | `jdbc:h2:file:/tmp/h2/sms-h2` |
-| IEXEC_SMS_H2_CONSOLE | Whether to enable the H2 console. | Boolean | `false` |
-| IEXEC_SMS_STORAGE_ENCRYPTION_AES_KEY_PATH  | Path to the key created and used to encrypt secrets. | String | `src/main/resources/iexec-sms-aes.key` |
-| IEXEC_CHAIN_ID | Chain ID of the blockchain network to connect. | Positive integer | `17` |
-| IEXEC_SMS_BLOCKCHAIN_NODE_ADDRESS | URL to connect to the blockchain node. | URL | `http://localhost:8545` |
-| IEXEC_HUB_ADDRESS | Proxy contract address to interact with the iExec on-chain protocol. | String | `0xBF6B2B07e47326B7c8bfCb4A5460bef9f0Fd2002` |
-| IEXEC_GAS_PRICE_MULTIPLIER | Transactions will be sent with `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER`. | Float | `1.0` |
-| IEXEC_GAS_PRICE_CAP | In Wei, will be used for transactions if `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER > IEXEC_GAS_PRICE_CAP`. | Integer | `22000000000` |
-| IEXEC_IS_SIDECHAIN | Define if iExec on-chain protocol is built on top of token (`false`) or native currency (`true`). | Boolean | `false` |
-| IEXEC_SCONE_CAS_HOST | CAS service host. | String | `localhost` |
-| IEXEC_SCONE_CAS_PORT | Server port of the CAS client API (session management). | Positive integer | `8081` |
-| IEXEC_SCONE_CAS_PUBLIC_HOST | Server port of the CAS enclave API (remote attestation). Typically used by workers to execute TEE tasks. | Positive integer | `localhost` |
-| IEXEC_SCONE_CAS_ENCLAVE_PORT | Scontain CAS service enclave port, used from worker host to attest applications running within enclaves. | Positive integer | `18765` |
-| IEXEC_PALAEMON_TEMPLATE | Path to the template file used to generate configurations of TEE enclave sessions. | String | `src/main/resources/palaemonTemplate.vm` |
-| IEXEC_SCONE_TOLERATED_INSECURE_OPTIONS | List of hardware or software Scone vulnerabilities to ignore. | String | |
-| IEXEC_IGNORED_SGX_ADVISORIES | List of hardware or software Intel vulnerabilities to ignore. | String | |
-| IEXEC_SMS_IMAGE_LAS_IMAGE | Scontain LAS OCI image to be used by workers to execute TEE tasks. LAS performs local attestation which creates a quote that CAS can verify. | String | |
-| IEXEC_TEE_WORKER_PRE_COMPUTE_IMAGE | TEE enabled OCI image name for worker pre-compute stage of TEE tasks. | String | |
-| IEXEC_TEE_WORKER_PRE_COMPUTE_FINGERPRINT | Fingerprint (aka mrenclave) of the TEE enabled worker pre-compute image. | String | |
-| IEXEC_TEE_WORKER_PRE_COMPUTE_HEAP_SIZE_GB | Required heap size for a worker pre-compute enclave (in Giga Bytes). | Positive integer | `4` |
-| IEXEC_TEE_WORKER_PRE_COMPUTE_ENTRYPOINT | Command executed when starting a container from the TEE enabled worker pre-compute image. | String | `java -jar /app/app.jar` |
-| IEXEC_TEE_WORKER_POST_COMPUTE_IMAGE | TEE enabled OCI image name for worker post-compute stage of TEE tasks. | String | |
-| IEXEC_TEE_WORKER_POST_COMPUTE_FINGERPRINT | Fingerprint (aka mrenclave) of the TEE enabled worker post-compute image. | String | |
-| IEXEC_TEE_WORKER_POST_COMPUTE_HEAP_SIZE_GB | Required heap size for a worker post-compute enclave (in Giga Bytes). | Positive integer | `4` |
-| IEXEC_TEE_WORKER_POST_COMPUTE_ENTRYPOINT | Command executed when starting a container from the TEE enabled worker post-compute image. | String | `java -jar /app/app.jar` |
-| IEXEC_SMS_DISPLAY_DEBUG_SESSION | Whether to display TEE enclaves sessions configuration in SMS logs. | Boolean | `false` |
+| `IEXEC_SMS_SSL_KEYSTORE` | Path to the key store that holds the SSL certificate. | String | `src/main/resources/ssl-keystore-dev.p12` |
+| `IEXEC_SMS_SSL_KEYSTORE_PASSWORD` | Password used to access the key store. | String | `whatever` |
+| `IEXEC_SMS_SSL_KEYSTORE_TYPE` | Type of the key store. | Positive integer | `PKCS12` |
+| `IEXEC_SMS_SSL_KEYSTORE_ALIAS` | Alias that identifies the key in the key store. | String | `iexec-core` |
+| `IEXEC_SCONE_TOLERATED_INSECURE_OPTIONS` | List of hardware or software Scone vulnerabilities to ignore. | String | |
+| `IEXEC_IGNORED_SGX_ADVISORIES` | List of hardware or software Intel vulnerabilities to ignore. | String | |
+| `IEXEC_SMS_IMAGE_LAS_IMAGE` | Scontain LAS OCI image to be used by workers to execute TEE tasks. LAS performs local attestation which creates a quote that CAS can verify. | String | |
 
 ## Health checks
 
-A health endpoint (`/actuator/health`) is enabled by default and can be accessed on the **IEXEC_SMS_HTTP_PORT**.
+A health endpoint (`/actuator/health`) is enabled by default and can be accessed on the `IEXEC_SMS_PORT`.
 This endpoint allows to define health checks in an orchestrator or a [compose file](https://github.com/compose-spec/compose-spec/blob/master/spec.md#healthcheck).
-No default strategy has been implemented in the [Dockerfile](src/main/resources/Dockerfile.untrusted) at the moment.
+No default strategy has been implemented in the [Dockerfile](Dockerfile) at the moment.