feat: Scone prod

Author: PierreJeanjacquot

.gitignore

@@ -2,6 +2,7 @@
 
 node_modules
 api/.env
+api/sig
 .tags
 
 cli/dist

api/package.json

@@ -4,9 +4,10 @@
   "main": "index.js",
   "type": "module",
   "scripts": {
-    "start": "tsx --env-file=.env ./src/index.js",
-    "dev": "tsx --env-file=.env --watch ./src/index.js",
-    "dev:pretty": "tsx --env-file=.env --watch ./src/index.js | pino-pretty -tc",
+    "ensure-signing-key": "[ -e 'sig/enclave-key.pem' ] && echo 'using existing signing key' || (mkdir -p sig && openssl genrsa -3 -out sig/enclave-key.pem 3072 && echo 'generated new signing key')",
+    "start": "npm run ensure-signing-key && tsx --env-file=.env ./src/index.js",
+    "dev": "npm run ensure-signing-key && tsx --env-file=.env --watch ./src/index.js",
+    "dev:pretty": "npm run ensure-signing-key && tsx --env-file=.env --watch ./src/index.js | pino-pretty -tc",
     "check-format": "prettier --check .",
     "check-types": "tsc --project tsconfig.json",
     "format": "prettier --write .",

api/src/sconify/sconifyBuild.handler.ts

@@ -28,6 +28,7 @@ const bodySchema = z.object({
     .enum(Object.keys(TEMPLATE_CONFIG) as [TemplateName])
     .default('JavaScript'),
   sconeVersion: z.enum(['v5', 'v5.9']).default('v5'),
+  sconeProd: z.boolean().default(false),
 });
 
 async function handleSconifyRequest(requestObj: object) {
@@ -36,13 +37,15 @@ async function handleSconifyRequest(requestObj: object) {
   let dockerhubPushToken: string;
   let sconeVersion: SconeVersion;
   let template: TemplateName;
+  let sconeProd: boolean;
   try {
     ({
       yourWalletPublicAddress,
       dockerhubImageToSconify,
       dockerhubPushToken,
       sconeVersion,
       template,
+      sconeProd,
     } = bodySchema.parse(requestObj));
   } catch (error) {
     throw fromError(error, {
@@ -58,6 +61,7 @@ async function handleSconifyRequest(requestObj: object) {
       userWalletPublicAddress: yourWalletPublicAddress,
       sconeVersion,
       templateLanguage: template,
+      sconeProd,
     });
   return {
     dockerImage,

api/src/sconify/sconifyBuild.service.ts

@@ -23,6 +23,7 @@ export async function sconify({
   pushToken,
   sconeVersion,
   templateLanguage,
+  sconeProd = false,
 }: {
   /**
    * Examples of valid dockerImageToSconify:
@@ -39,6 +40,7 @@ export async function sconify({
   pushToken: string;
   templateLanguage: TemplateName;
   sconeVersion: SconeVersion;
+  sconeProd?: boolean;
 }): Promise<{
   dockerImage: string;
   dockerImageDigest: string;
@@ -58,6 +60,7 @@ export async function sconify({
       templateLanguage,
       userWalletPublicAddress,
       wsEnabled,
+      sconeProd,
     },
     'New sconify request'
   );
@@ -142,6 +145,7 @@ export async function sconify({
       sconifyVersion,
       entrypoint: appEntrypoint,
       binary: configTemplate.binary,
+      prod: sconeProd,
     });
     logger.info({ sconifiedImageId }, 'Sconified successfully');
   } finally {
@@ -168,7 +172,7 @@ export async function sconify({
 
   const imageRepo = `${dockerUserName}/${imageName}`;
   const sconifiedImageShortId = sconifiedImageId.substring(7, 7 + 12); // extract 12 first chars after the leading "sha256:"
-  const sconifiedImageTag = `${imageTag}-tee-scone-${sconifyVersion}-debug-${sconifiedImageShortId}`; // add digest in tag to avoid replacing previous build
+  const sconifiedImageTag = `${imageTag}-tee-scone-${sconifyVersion}-${sconeProd ? 'prod' : 'debug'}-${sconifiedImageShortId}`; // add digest in tag to avoid replacing previous build
   const sconifiedImage = `${imageRepo}:${sconifiedImageTag}`;
 
   let pushed;

api/src/singleFunction/sconifyImage.ts

@@ -1,3 +1,4 @@
+import { join } from 'node:path';
 import Docker from 'dockerode';
 import { SCONIFY_IMAGE_NAME } from '../constants/constants.js';
 import { logger } from '../utils/logger.js';
@@ -16,6 +17,7 @@ export async function sconifyImage({
   sconifyVersion,
   entrypoint,
   binary,
+  prod = false,
 }: {
   /**
    * image to sconify
@@ -33,34 +35,52 @@ export async function sconifyImage({
    * whitelisted binary
    */
   binary: string;
+  /**
+   * sconify production flag
+   */
+  prod?: boolean;
 }): Promise<string> {
-  logger.info({ fromImage, entrypoint }, 'Running sconify command...');
+  logger.info(
+    { fromImage, entrypoint },
+    `Running sconify command in ${prod ? 'prod' : 'debug'} mode...`
+  );
   const sconifierImage = `${SCONIFY_IMAGE_NAME}:${sconifyVersion}`;
 
   logger.info({ sconifierImage }, 'Pulling sconifier image...');
   await pullSconeImage(sconifierImage);
 
   const toImage = `${fromImage}-tmp-sconified-${Date.now()}`; // create an unique temporary identifier for the target image
   logger.info({ fromImage, toImage }, 'Sconifying...');
+
+  const sconifyBaseCmd = [
+    'sconify_iexec',
+    `--from=${fromImage}`,
+    `--to=${toImage}`,
+    '--binary-fs',
+    '--fs-dir=/app',
+    '--host-path=/etc/hosts',
+    '--host-path=/etc/resolv.conf',
+    `--binary=${binary}`,
+    '--heap=1G',
+    '--dlopen=1',
+    '--no-color',
+    '--verbose',
+    `--command=${entrypoint}`,
+  ];
+
+  const baseBinds = ['/var/run/docker.sock:/var/run/docker.sock'];
+
   const sconifyContainer = await docker.createContainer({
     Image: sconifierImage,
-    Cmd: [
-      'sconify_iexec',
-      `--from=${fromImage}`,
-      `--to=${toImage}`,
-      '--binary-fs',
-      '--fs-dir=/app',
-      '--host-path=/etc/hosts',
-      '--host-path=/etc/resolv.conf',
-      `--binary=${binary}`,
-      '--heap=1G',
-      '--dlopen=1',
-      '--no-color',
-      '--verbose',
-      `--command=${entrypoint}`,
-    ],
+    Cmd: prod
+      ? sconifyBaseCmd.concat('--scone-signer=/sig/enclave-key.pem')
+      : sconifyBaseCmd,
     HostConfig: {
-      Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      Binds: prod
+        ? baseBinds.concat(
+            `${join(process.cwd(), 'sig/enclave-key.pem')}:/sig/enclave-key.pem`
+          ) // mount signing key
+        : baseBinds,
     },
   });
 

cli/src/cmd/debug.ts

@@ -1,6 +1,6 @@
 import { ethers } from 'ethers';
 import { askForWallet } from '../cli-helpers/askForWallet.js';
-import { getIExecDebug } from '../utils/iexec.js';
+import { getIExec } from '../utils/iexec.js';
 import { getSpinner } from '../cli-helpers/spinner.js';
 import * as color from '../cli-helpers/color.js';
 import { handleCliError } from '../cli-helpers/handleCliError.js';
@@ -26,7 +26,7 @@ export async function debug({
     const chainConfig = getChainConfig(chainName);
     spinner.info(`Using chain ${chainName}`);
     const signer = await askForWallet({ spinner });
-    const iexec = getIExecDebug({
+    const iexec = getIExec({
       ...chainConfig,
       signer,
     });

cli/src/cmd/deploy.ts

@@ -15,7 +15,7 @@ import { handleCliError } from '../cli-helpers/handleCliError.js';
 import { getSpinner } from '../cli-helpers/spinner.js';
 import { askForAppSecret } from '../cli-helpers/askForAppSecret.js';
 import { askForWallet } from '../cli-helpers/askForWallet.js';
-import { getIExecDebug } from '../utils/iexec.js';
+import { getIExec } from '../utils/iexec.js';
 import { goToProjectRoot } from '../cli-helpers/goToProjectRoot.js';
 import * as color from '../cli-helpers/color.js';
 import { hintBox } from '../cli-helpers/box.js';
@@ -43,7 +43,7 @@ export async function deploy({ chain }: { chain?: string }) {
     if (useTdx) {
       iexec = getIExecTdx({ ...chainConfig, signer });
     } else {
-      iexec = getIExecDebug({ ...chainConfig, signer });
+      iexec = getIExec({ ...chainConfig, signer });
     }
 
     await ensureBalances({ spinner, iexec });

cli/src/cmd/run.ts

@@ -11,7 +11,7 @@ import {
 import { addRunData } from '../utils/cacheExecutions.js';
 import { getSpinner, type Spinner } from '../cli-helpers/spinner.js';
 import { handleCliError } from '../cli-helpers/handleCliError.js';
-import { getIExecDebug } from '../utils/iexec.js';
+import { getIExec } from '../utils/iexec.js';
 import { extractZipToFolder } from '../utils/extractZipToFolder.js';
 import { askShowResult } from '../cli-helpers/askShowResult.js';
 import { goToProjectRoot } from '../cli-helpers/goToProjectRoot.js';
@@ -104,7 +104,7 @@ export async function runInDebug({
   if (useTdx) {
     iexec = getIExecTdx({ ...chainConfig, signer });
   } else {
-    iexec = getIExecDebug({
+    iexec = getIExec({
       ...chainConfig,
       signer,
     });
@@ -151,7 +151,7 @@ export async function runInDebug({
   // Workerpool Order
   spinner.start('Fetching workerpool order...');
   const workerpoolOrderbook = await iexec.orderbook.fetchWorkerpoolOrderbook({
-    workerpool: useTdx ? WORKERPOOL_TDX : chainConfig.workerpoolDebug,
+    workerpool: useTdx ? WORKERPOOL_TDX : chainConfig.workerpool,
     app: iAppAddress,
     dataset: protectedData || ethers.ZeroAddress,
     minTag: SCONE_TAG,

cli/src/config/config.ts

@@ -3,8 +3,12 @@ import { useExperimentalNetworks } from '../utils/featureFlags.js';
 export const SCONE_TAG = ['tee', 'scone'];
 export const DEFAULT_SCONE_VERSION = 'v5.9';
 
-export const SCONIFY_API_HTTP_URL = 'https://iapp-api.iex.ec';
-export const SCONIFY_API_WS_URL = 'wss://iapp-api.iex.ec';
+// export const SCONIFY_API_HTTP_URL = 'https://iapp-api.iex.ec';
+// export const SCONIFY_API_WS_URL = 'wss://iapp-api.iex.ec';
+
+// TODO use local server for the POC
+export const SCONIFY_API_HTTP_URL = 'http://127.0.0.1:3000';
+export const SCONIFY_API_WS_URL = 'ws://127.0.0.1:3000';
 
 export const CONFIG_FILE = 'iapp.config.json';
 export const TEST_INPUT_DIR = 'input';
@@ -71,36 +75,32 @@ export const WS_RECONNECTION_MAX_ATTEMPTS = Math.floor(
 
 type ChainConfig = {
   rpcHostUrl: string;
-  smsDebugUrl: string;
   ipfsGatewayUrl: string;
   iexecExplorerUrl: string;
-  workerpoolDebug: string;
+  workerpool: string;
 };
 
 export const DEFAULT_CHAIN = 'bellecour';
 
 export const CHAINS_CONFIGURATIONS: Record<string, ChainConfig> = {
   bellecour: {
     rpcHostUrl: 'https://bellecour.iex.ec',
-    smsDebugUrl: 'https://sms.scone-debug.v8-bellecour.iex.ec',
     ipfsGatewayUrl: 'https://ipfs-gateway.v8-bellecour.iex.ec',
     iexecExplorerUrl: 'https://explorer.iex.ec/bellecour',
-    workerpoolDebug: 'debug-v8-learn.main.pools.iexec.eth',
+    workerpool: 'prod-v8-learn.main.pools.iexec.eth',
   },
   'arbitrum-mainnet': {
     rpcHostUrl: 'https://arb1.arbitrum.io/rpc',
-    smsDebugUrl: 'https://sms-debug.arbitrum-mainnet.iex.ec',
     ipfsGatewayUrl: 'https://ipfs-gateway.arbitrum-mainnet.iex.ec',
     iexecExplorerUrl: 'https://explorer.iex.ec/arbitrum-mainnet',
-    workerpoolDebug: '0xAaA90d37034fD1ea27D5eF2879f217fB6fD7F7Ca',
+    workerpool: '0x2c06263943180cc024daffeee15612db6e5fd248',
   },
   ...(useExperimentalNetworks && {
     'arbitrum-sepolia-testnet': {
       rpcHostUrl: 'https://sepolia-rollup.arbitrum.io/rpc',
-      smsDebugUrl: 'https://sms.arbitrum-sepolia-testnet.iex.ec',
       ipfsGatewayUrl: 'https://ipfs-gateway.arbitrum-sepolia-testnet.iex.ec',
       iexecExplorerUrl: 'https://explorer.iex.ec/arbitrum-sepolia-testnet',
-      workerpoolDebug: '0xB967057a21dc6A66A29721d96b8Aa7454B7c383F',
+      workerpool: '0xB967057a21dc6A66A29721d96b8Aa7454B7c383F',
     },
   }),
 };

cli/src/utils/iexec.ts

@@ -3,21 +3,18 @@ import { AbstractSigner } from 'ethers';
 import { IExec } from 'iexec';
 import { useExperimentalNetworks } from './featureFlags.js';
 
-export function getIExecDebug({
+export function getIExec({
   signer,
   rpcHostUrl,
-  smsDebugUrl,
 }: {
   signer: AbstractSigner;
   rpcHostUrl: string;
-  smsDebugUrl: string;
 }): IExec {
   return new IExec(
     {
       ethProvider: signer.connect(new JsonRpcProvider(rpcHostUrl)),
     },
     {
-      smsURL: smsDebugUrl,
       allowExperimentalNetworks: useExperimentalNetworks,
     }
   );