Merge pull request #114 from iExecBlockchainComputing/release/8.5.0

Release/8.5.0

CHANGELOG.md

@@ -2,22 +2,39 @@
 
 All notable changes to this project will be documented in this file.
 
-## [[8.4.0]](https://github.com/iExecBlockchainComputing/tee-worker-post-compute/releases/tag/v8.4.0) 2024-02-29
+## [[8.5.0]](https://github.com/iExecBlockchainComputing/tee-worker-post-compute/releases/tag/v8.5.0) 2024-06-18
 
-### New Features
+### Bug Fixes
 
-- Upload results on IPFS with a `ResultModel` containing the `enclaveSignature`. (#105)
+- Handle malformed result encryption public key. (#112)
+
+### Quality
+
+- Configure Gradle JVM Test Suite Plugin. (#109)
 
 ### Dependency Upgrades
 
-- Upgrade to scone 5.7.6. (#104)
-- Upgrade to `iexec-common` 8.4.0. (#106)
+- Upgrade to Gradle 8.7. (#110)
+- Upgrade to `eclipse-temurin:11.0.22_7-jre-focal`. (#111)
+- Upgrade to `iexec-commons-poco` 4.1.0. (#113)
+- Upgrade to `iexec-common` 8.5.0. (#113)
+
+## [[8.4.0]](https://github.com/iExecBlockchainComputing/tee-worker-post-compute/releases/tag/v8.4.0) 2024-02-29
+
+### New Features
+
+- Upload results on IPFS with a `ResultModel` containing the `enclaveSignature`. (#105)
 
 ### Quality
 
 - Rename `worflow` package to `workflow`. (#102)
 - Rework classes to use `ComputedFile` in methods parameters. (#103)
 
+### Dependency Upgrades
+
+- Upgrade to scone 5.7.6. (#104)
+- Upgrade to `iexec-common` 8.4.0. (#106)
+
 ## [[8.3.0]](https://github.com/iExecBlockchainComputing/tee-worker-post-compute/releases/tag/v8.3.0) 2024-01-12
 
 ### Dependency Upgrade

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:11.0.21_9-jre-focal
+FROM eclipse-temurin:11.0.22_7-jre-focal
 
 ARG jar
 

build.gradle

@@ -1,9 +1,9 @@
 plugins {
     // Apply the application plugin to add support for building a CLI application in Java.
     id 'application'
-    id 'io.freefair.lombok' version '8.2.2'
+    id 'io.freefair.lombok' version '8.6'
     id 'jacoco'
-    id 'org.sonarqube' version '4.2.1.3168'
+    id 'org.sonarqube' version '5.0.0.4638'
     id 'maven-publish'
     id 'com.github.johnrengelman.shadow' version '8.1.1'
 }
@@ -22,7 +22,7 @@ if (!project.hasProperty('gitBranch')) {
     ext.gitBranch = 'git rev-parse --abbrev-ref HEAD'.execute().text.trim()
 }
 
-if (gitBranch != 'main' && gitBranch != 'master' && ! (gitBranch ==~ '(release|hotfix|support)/.*')) {
+if (gitBranch != 'main' && gitBranch != 'master' && !(gitBranch ==~ '(release|hotfix|support)/.*')) {
     version += '-NEXT-SNAPSHOT'
 }
 
@@ -39,22 +39,6 @@ repositories {
     maven { url 'https://jitpack.io' }
 }
 
-sourceSets {
-    itest {
-        compileClasspath += sourceSets.main.output
-        runtimeClasspath += sourceSets.main.output
-    }
-}
-
-configurations {
-    // itest configuration (inherit from test)
-    itestCompile.extendsFrom testCompile
-    itestImplementation.extendsFrom testImplementation
-    // itest configuration (lombok, ..)
-    itestCompileOnly.extendsFrom compileOnly
-    itestAnnotationProcessor.extendsFrom annotationProcessor
-}
-
 dependencies {
     // iexec
     implementation "com.iexec.commons:iexec-commons-poco:$iexecCommonsPocoVersion"
@@ -72,22 +56,6 @@ dependencies {
     //rest template
     implementation 'org.springframework:spring-web:5.2.4.RELEASE'
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.9.4'
-
-    // test
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
-    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
-    testImplementation "uk.org.webcompere:system-stubs-core:$systemStubsVersion"    // activates env var setting
-    testImplementation "uk.org.webcompere:system-stubs-jupiter:$systemStubsVersion" // activates env var setting
-    testImplementation "org.mockito:mockito-core:$mockitoVersion"
-    testImplementation "org.mockito:mockito-junit-jupiter:$mockitoVersion"
-    testImplementation "org.mockito:mockito-inline:$mockitoVersion" // activates mocking final classes/methods
-
-    // itest only
-    itestImplementation "org.testcontainers:testcontainers:${testContainersVersion}"
-    itestImplementation "org.testcontainers:junit-jupiter:${testContainersVersion}"
-    itestImplementation 'com.github.tomakehurst:wiremock-jre8:2.28.1'
-    itestImplementation 'org.awaitility:awaitility:4.1.1'
-
 }
 
 java {
@@ -102,9 +70,37 @@ tasks.withType(Tar).configureEach {
     enabled = false
 }
 
+testing {
+    suites {
+        configureEach {
+            dependencies {
+                implementation "org.mockito:mockito-junit-jupiter:$mockitoVersion"
+                implementation "uk.org.webcompere:system-stubs-core:$systemStubsVersion"    // activates env var setting
+                implementation "uk.org.webcompere:system-stubs-jupiter:$systemStubsVersion" // activates env var setting
+            }
+        }
+        test {
+            useJUnitJupiter()
+            dependencies {
+                implementation 'org.junit.jupiter:junit-jupiter:5.8.2'
+                implementation "org.mockito:mockito-inline:$mockitoVersion" // activates mocking final classes/methods
+            }
+        }
+        itest(JvmTestSuite) {
+            dependencies {
+                implementation project()
+                implementation "com.iexec.common:iexec-common:$iexecCommonVersion"
+                implementation 'com.github.tomakehurst:wiremock-jre8:2.28.1'
+                implementation 'org.awaitility:awaitility:4.1.1'
+                implementation "org.testcontainers:testcontainers:${testContainersVersion}"
+                implementation "org.testcontainers:junit-jupiter:${testContainersVersion}"
+            }
+        }
+    }
+}
+
 tasks.withType(Test).configureEach {
     finalizedBy jacocoTestReport
-    useJUnitPlatform()
 }
 
 // sonarqube code coverage requires jacoco XML report
@@ -134,7 +130,7 @@ shadowJar {
     archiveVersion.set('') // remove version from name
 }
 
-ext.jarPathForOCI  = relativePath(tasks.shadowJar.outputs.files.singleFile)
+ext.jarPathForOCI = relativePath(tasks.shadowJar.outputs.files.singleFile)
 
 tasks.register('buildImage', Exec) {
     group 'Build'
@@ -149,11 +145,3 @@ tasks.register('buildSconeImage', Exec) {
     environment 'IMG_TO', ociTeeImageName
     commandLine 'docker/sconify.sh'
 }
-
-tasks.register('itest', Test) {
-    group 'Verification'
-    description 'Runs the integration tests.'
-    dependsOn buildImage
-    testClassesDirs = sourceSets.itest.output.classesDirs
-    classpath = sourceSets.itest.runtimeClasspath
-}

gradle.properties

@@ -1,6 +1,6 @@
-version=8.4.0
-iexecCommonVersion=8.4.0
-iexecCommonsPocoVersion=3.2.0
+version=8.5.0
+iexecCommonVersion=8.5.0
+iexecCommonsPocoVersion=4.1.0
 
 nexusUser
 nexusPassword

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -144,15 +145,15 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -201,11 +202,11 @@ fi
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \

gradlew.bat

@@ -43,11 +43,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
 
-echo.
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 
@@ -57,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
 if exist "%JAVA_EXE%" goto execute
 
-echo.
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 

src/main/java/com/iexec/worker/compute/post/web2/EncryptionService.java

@@ -1,13 +1,27 @@
+/*
+ * Copyright 2019-2024 IEXEC BLOCKCHAIN TECH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package com.iexec.worker.compute.post.web2;
 
 import com.iexec.common.security.EncryptionHelper;
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
 public class EncryptionService {
-
     /*
-     *
      * #1: Large file encryption is made with AES
      * #2: AES key is encrypted with RSA key
      *
@@ -17,8 +31,8 @@ public class EncryptionService {
      * after
      * ├── result-0xabc.zip
      * ├── encrypted-result-0xabc
-     * │   ├── aes-key.rsa
-     * │   └── result-0xabc.zip.aes
+     * │   ├── aes-key.rsa
+     * │   └── result-0xabc.zip.aes
      * └── encrypted-result-0xabc.zip (if produceZip)
      *
      * Returns: folder or zip path
@@ -27,29 +41,4 @@ public class EncryptionService {
     public String encryptData(String inDataFilePath, String plainTextRsaPub, boolean produceZip) {
         return EncryptionHelper.encryptData(inDataFilePath, plainTextRsaPub, produceZip);
     }
-
-    /*
-     *
-     * Required: aes-key.rsa file should be found next to encryptedDataFile
-     *
-     * #1: AES key is decrypted with RSA
-     * #2: Data is decrypted with AES key
-     *
-     * before
-     * └── encrypted-result-0xabc.zip
-     * with zip content
-     * ├── aes-key.rsa
-     * └── result-0xabc.zip.aes
-     *
-     * after
-     * ├── encrypted-result-0xabc.zip
-     * └── plain-result-0xabc.zip
-     *
-     * Returns: clear data path (zip here)
-     *
-     * */
-    public String decryptData(String encryptedDataFilePath, String plainTextRsaPriv) {
-        return EncryptionHelper.decryptData(encryptedDataFilePath, plainTextRsaPriv);
-    }
-
 }

src/main/java/com/iexec/worker/compute/post/web2/Web2ResultService.java

@@ -105,19 +105,25 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
 
     String eventuallyEncryptResult(String inDataFilePath) throws PostComputeException {
         log.info("Encryption stage started");
-        String fileToUpload;
         boolean shouldEncrypt = booleanFromYesNo(EnvUtils.getEnvVar(RESULT_ENCRYPTION));
 
         if (!shouldEncrypt) {
             log.info("Encryption stage mode: NO_ENCRYPTION");
-            fileToUpload = inDataFilePath;
-        } else {
-            log.info("Encryption stage mode: ENCRYPTION_REQUESTED");
-            String beneficiaryRsaPublicKeyBase64 = EnvUtils.getEnvVarOrThrow(RESULT_ENCRYPTION_PUBLIC_KEY, POST_COMPUTE_ENCRYPTION_PUBLIC_KEY_MISSING);
-            String plainTextBeneficiaryRsaPublicKey = new String(Base64.getDecoder().decode(beneficiaryRsaPublicKeyBase64));
-            fileToUpload = encryptionService.encryptData(inDataFilePath, plainTextBeneficiaryRsaPublicKey, true);
+            return inDataFilePath;
+        }
+
+        log.info("Encryption stage mode: ENCRYPTION_REQUESTED");
+        final String beneficiaryRsaPublicKeyBase64 = EnvUtils.getEnvVarOrThrow(RESULT_ENCRYPTION_PUBLIC_KEY, POST_COMPUTE_ENCRYPTION_PUBLIC_KEY_MISSING);
+        final String plainTextBeneficiaryRsaPublicKey;
+        try {
+            plainTextBeneficiaryRsaPublicKey = new String(Base64.getDecoder().decode(beneficiaryRsaPublicKeyBase64));
+        } catch (Exception e) {
+            final String errorMessage = "Result encryption public key base64 decoding failed";
+            log.error(errorMessage, e);
+            throw new PostComputeException(POST_COMPUTE_MALFORMED_ENCRYPTION_PUBLIC_KEY, errorMessage);
         }
 
+        final String fileToUpload = encryptionService.encryptData(inDataFilePath, plainTextBeneficiaryRsaPublicKey, true);
         if (fileToUpload.isEmpty()) {
             throw new PostComputeException(POST_COMPUTE_ENCRYPTION_FAILED, "Encryption stage failed");
         } else {