Release/sdk v2.0.0 beta.11 (#391)

## [2.0.0-beta.11]

### Added

- Added `allowDebug` option for `protectData` to allow using the protected data in TEE debug apps (default `false`)

Author: PierreJeanjacquot

packages/sdk/.drone.yml

@@ -226,6 +226,36 @@ steps:
     depends_on:
       - sms
 
+  - name: sms-debug
+    image: iexechub/iexec-sms:7.1.0
+    detach: true
+    environment:
+      TZ: Europe/Paris
+      IEXEC_SMS_BLOCKCHAIN_NODE_ADDRESS: http://bellecour-fork:8545
+      IEXEC_HUB_ADDRESS: '0x3eca1B216A7DF1C7689aEb259fFB83ADFB894E7f'
+      IEXEC_TEE_WORKER_PRE_COMPUTE_IMAGE: docker.io/iexechub/tee-worker-pre-compute:7.1.0-sconify-5.3.15-debug
+      IEXEC_TEE_WORKER_PRE_COMPUTE_FINGERPRINT: 9f0f782d6edc611baa23ca0978f555ee58ea70e092640c961e75c25e9e4b0f22
+      IEXEC_TEE_WORKER_PRE_COMPUTE_HEAP_SIZE_GB: 4
+      IEXEC_TEE_WORKER_POST_COMPUTE_IMAGE: docker.io/iexechub/tee-worker-post-compute:7.1.1-sconify-5.3.15-debug
+      IEXEC_TEE_WORKER_POST_COMPUTE_FINGERPRINT: face1376b97131e2dc75a556381d47a2e03bed9e1bc11e462471f99d1eefae50
+      IEXEC_TEE_WORKER_POST_COMPUTE_HEAP_SIZE_GB: 4
+      IEXEC_IGNORED_SGX_ADVISORIES: INTEL-SA-00161,INTEL-SA-00289,INTEL-SA-00334,INTEL-SA-00381,INTEL-SA-00389,INTEL-SA-00220,INTEL-SA-00270,INTEL-SA-00293,INTEL-SA-00320,INTEL-SA-00329,INTEL-SA-00477
+      IEXEC_SCONE_TOLERATED_INSECURE_OPTIONS: debug-mode,hyperthreading,outdated-tcb
+      IEXEC_SMS_DISPLAY_DEBUG_SESSION: 'true'
+      IEXEC_SCONE_CAS_HOST: foo
+      IEXEC_SMS_IMAGE_LAS_IMAGE: foo
+    expose:
+      - 13300
+    depends_on:
+      - bellecour-fork-healthy
+
+  - name: sms-debug-healthy
+    image: bash
+    commands:
+      - while ! nc -z sms-debug 13300 ; do sleep 1 ; done && echo "sms-debug ready"
+    depends_on:
+      - sms-debug
+
   - name: result-proxy
     image: iexechub/iexec-result-proxy:7.1.0
     detach: true
@@ -329,6 +359,7 @@ steps:
     depends_on:
       - bellecour-fork-healthy
       - sms-healthy
+      - sms-debug-healthy
       - result-proxy-healthy
       - market-api-healthy
       - ipfs-healthy

packages/sdk/CHANGELOG.md

@@ -2,7 +2,11 @@
 
 All notable changes to this project will be documented in this file.
 
-## Next
+## [2.0.0-beta.11] (2025-01-29)
+
+### Added
+
+- Added `allowDebug` option for `protectData` to allow using the protected data in TEE debug apps (default `false`)
 
 ### Changed
 

packages/sdk/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@iexec/dataprotector",
-  "version": "2.0.0-beta.10",
+  "version": "2.0.0-beta.11",
   "description": "This product enables users to confidentially store data–such as mail address, documents, personal information ...",
   "type": "module",
   "types": "dist/src/index.d.ts",

packages/sdk/package.json

@@ -15,6 +15,9 @@ export const DEFAULT_SHARING_CONTRACT_ADDRESS =
 export const DEFAULT_SUBGRAPH_URL =
   'https://thegraph-product.iex.ec/subgraphs/name/bellecour/dataprotector-v2';
 
+export const DEFAULT_DEBUG_SMS_URL =
+  'https://sms.scone-debug.v8-bellecour.iex.ec';
+
 export const WORKERPOOL_ADDRESS = 'prod-v8-bellecour.main.pools.iexec.eth';
 
 export const SCONE_TAG = ['tee', 'scone'];

packages/sdk/src/config/config.ts

@@ -3,6 +3,7 @@ import { GraphQLClient } from 'graphql-request';
 import { IExec } from 'iexec';
 import {
   DEFAULT_CONTRACT_ADDRESS,
+  DEFAULT_DEBUG_SMS_URL,
   DEFAULT_IEXEC_IPFS_NODE,
   DEFAULT_IPFS_GATEWAY,
   DEFAULT_SHARING_CONTRACT_ADDRESS,
@@ -27,6 +28,8 @@ abstract class IExecDataProtectorModule {
 
   protected iexec: IExec;
 
+  protected iexecDebug: IExec;
+
   constructor(
     ethProvider?:
       | AbstractProvider
@@ -46,6 +49,14 @@ abstract class IExecDataProtectorModule {
           ...options?.iexecOptions,
         }
       );
+      this.iexecDebug = new IExec(
+        { ethProvider: ethProvider || 'bellecour' },
+        {
+          ipfsGatewayURL: ipfsGateway,
+          ...options?.iexecOptions,
+          smsURL: options?.iexecOptions?.smsDebugURL || DEFAULT_DEBUG_SMS_URL,
+        }
+      );
     } catch (e) {
       throw new Error(`Unsupported ethProvider, ${e.message}`);
     }

packages/sdk/src/lib/IExecDataProtectorModule.ts

@@ -36,6 +36,7 @@ class IExecDataProtectorCore extends IExecDataProtectorModule {
       ipfsNode: this.ipfsNode,
       ipfsGateway: this.ipfsGateway,
       iexec: this.iexec,
+      iexecDebug: this.iexecDebug,
     });
   }
 

packages/sdk/src/lib/dataProtectorCore/IExecDataProtectorCore.ts

@@ -11,8 +11,8 @@ import {
   handleIfProtocolError,
   WorkflowError,
 } from '../../utils/errors.js';
-import { getLogger } from '../../utils/logger.js';
 import { getEventFromLogs } from '../../utils/getEventFromLogs.js';
+import { getLogger } from '../../utils/logger.js';
 import {
   stringSchema,
   throwIfMissing,
@@ -30,6 +30,7 @@ import {
 import {
   DataProtectorContractConsumer,
   IExecConsumer,
+  IExecDebugConsumer,
 } from '../types/internalTypes.js';
 import { getDataProtectorCoreContract } from './smartContract/getDataProtectorCoreContract.js';
 
@@ -39,13 +40,16 @@ export type ProtectData = typeof protectData;
 
 export const protectData = async ({
   iexec = throwIfMissing(),
+  iexecDebug = throwIfMissing(),
   dataprotectorContractAddress,
   name = DEFAULT_DATA_NAME,
   ipfsNode,
   ipfsGateway,
+  allowDebug = false,
   data,
   onStatusUpdate = () => {},
 }: IExecConsumer &
+  IExecDebugConsumer &
   DataProtectorContractConsumer &
   IpfsNodeAndGateway &
   ProtectDataParams): Promise<ProtectedDataWithSecretProps> => {
@@ -244,6 +248,35 @@ export const protectData = async ({
       },
     });
 
+    if (allowDebug === true) {
+      // share secret with scone debug SMS
+      vOnStatusUpdate({
+        title: 'PUSH_SECRET_TO_DEBUG_SMS',
+        isDone: false,
+        payload: {
+          teeFramework: 'scone',
+        },
+      });
+      await iexecDebug.dataset
+        .pushDatasetSecret(protectedDataAddress, encryptionKey, {
+          teeFramework: 'scone',
+        })
+        .catch((e: Error) => {
+          handleIfProtocolError(e);
+          throw new WorkflowError({
+            message: 'Failed to push protected data encryption key',
+            errorCause: e,
+          });
+        });
+      vOnStatusUpdate({
+        title: 'PUSH_SECRET_TO_DEBUG_SMS',
+        isDone: true,
+        payload: {
+          teeFramework: 'scone',
+        },
+      });
+    }
+
     return {
       name,
       address: protectedDataAddress,

packages/sdk/src/lib/dataProtectorCore/protectData.ts

@@ -69,9 +69,14 @@ export type DataProtectorConfigOptions = {
    * Options specific to iExec integration.
    * If not provided, default iexec options will be used.
    */
-  iexecOptions?: IExecConfigOptions;
+  iexecOptions?: IExecConfigOptionsExtended;
 };
 
+interface IExecConfigOptionsExtended extends IExecConfigOptions {
+  // adds smsDebugURL to possible options, used ton configure an IExec debug instance seamlessly (no JS doc test purpose only)
+  smsDebugURL?: string;
+}
+
 // ---------------------ProtectedData Schema Types------------------------------------
 export type MimeType =
   | 'application/octet-stream'

packages/sdk/src/lib/types/commonTypes.ts

@@ -40,7 +40,8 @@ export type ProtectDataStatuses =
   | 'ENCRYPT_FILE'
   | 'UPLOAD_ENCRYPTED_FILE'
   | 'DEPLOY_PROTECTED_DATA'
-  | 'PUSH_SECRET_TO_SMS';
+  | 'PUSH_SECRET_TO_SMS'
+  | 'PUSH_SECRET_TO_DEBUG_SMS';
 
 export type OneProtectDataStatus = {
   title: ProtectDataStatuses;
@@ -61,6 +62,16 @@ export type ProtectDataParams = {
    */
   name?: string;
 
+  /**
+   * allow to use the protected data in TEE debug apps (default `false`)
+   *
+   * ⚠️ TEE debug apps runs in enclave simulation mode which does not prevent the worker host to inspect data or temper the app output.
+   * You should never set this parameter to `true` with real data, use it for development purpose only.
+   *
+   * setting this parameter to `true` adds a signature request to the protectData workflow, this signature is used to push the protected data encryption key to the debug Secret Management System
+   */
+  allowDebug?: boolean;
+
   /**
    * Callback function that will get called at each step of the process
    */