Merge pull request #283 from iExecBlockchainComputing/release/8.7.0

Release/8.7.0

Author: jbern0rd

CHANGELOG.md

@@ -2,6 +2,33 @@
 
 All notable changes to this project will be documented in this file.
 
+## [[8.7.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.7.0) 2024-12-23
+
+### New Features
+
+- Accept scheduler default result-proxy as a web2 secret to fallback on it when no proxy
+  is specified in deal parameters. (#273)
+- Configure the SMS at startup to generate Scone sessions in Hardware or MAA mode. (#275)
+- Add configurable cron job to delete expired tasks TEE challenges and Ethereum credentials. (#278)
+- Use new `FileHashUtils` API. (#280)
+- When undefined, set final deadline after `retention-duration` for up to `batch-size` TEE challenges during cleanup. (#281)
+
+### Quality
+
+- Use `WorkerpoolAuthorization#getHash` instead of `AuthorizationService#getChallengeForWorker`. (#272)
+- Reorder static and final keywords. (#274)
+- Update methods visibility and remove redundant checks in `SecretSessionBaseService`. (#276)
+- Refactor `SecretSessionBaseService` to use `dealParams` instead of deprecated `TaskDescription` fields. (#277)
+- Fix code quality issues in several test classes. (#279)
+
+### Dependency Upgrades
+
+- Upgrade to `eclipse-temurin:11.0.24_8-jre-focal`. (#270)
+- Upgrade to Gradle 8.10.2. (#271)
+- Upgrade to H2 database 2.2.224. (#281)
+- Upgrade to `iexec-commons-poco` 4.2.0. (#282)
+- Upgrade to `iexec-common` 8.6.0. (#282)
+
 ## [[8.6.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.6.0) 2024-06-18
 
 ### New Features
@@ -22,7 +49,7 @@ All notable changes to this project will be documented in this file.
 - Upgrade to Spring Boot 2.7.18. (#262)
 - Upgrade to sconify tools and Scone runtime 5.8.8 for SGX enclaves. (#263)
 - Upgrade to `iexec-commons-poco` 4.1.0. (#266)
-- Upgrade to `iexce-common` 8.5.0. (#266)
+- Upgrade to `iexec-common` 8.5.0. (#266)
 
 ## [[8.5.1]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.5.1) 2024-04-02
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:11.0.22_7-jre-focal
+FROM eclipse-temurin:11.0.24_8-jre-focal
 
 ARG jar
 

README.md

@@ -65,6 +65,9 @@ To support:
 | `IEXEC_SECRET_PROVISIONER_WEB_PORT` | Secret provisioner server port for session management. | Positive integer | `8081` | `8080` |
 | `IEXEC_SECRET_PROVISIONER_ENCLAVE_HOSTNAME` | Secret provisioner server host for retrieving secrets from attested enclaves. Typically used by workers to execute TEE tasks. | Positive integer | `localhost` | `localhost` |
 | `IEXEC_SECRET_PROVISIONER_ENCLAVE_PORT`|  Secret provisioner server port for retrieving secrets from attested enclaves. | Positive integer | `18765` | `4433` |
+| `IEXEC_TEE_CHALLENGE_CLEANUP_CRON` | Cron expression to configure TEE challenges cleanup policy. | String | `@hourly` | `@hourly` |
+| `IEXEC_TEE_CHALLENGE_CLEANUP_MAX_BATCH_SIZE` | Max number of TEE challenges whose missing deadline could be set at a given time. | Integer | `500` | `500` |
+| `IEXEC_TEE_CHALLENGE_CLEANUP_RETENTION_DURATION` | Retention duration when setting missing final deadline. | Duration | `P5D` | `P5D` |
 | `IEXEC_TEE_WORKER_PRE_COMPUTE_IMAGE` | TEE enabled OCI image name for worker pre-compute stage of TEE tasks. | String | | |
 | `IEXEC_TEE_WORKER_PRE_COMPUTE_FINGERPRINT` | Fingerprint (aka mrenclave) of the TEE enabled worker pre-compute image. | String | | |
 | `IEXEC_TEE_WORKER_PRE_COMPUTE_HEAP_SIZE_GB` | Required heap size for a worker pre-compute enclave (in Giga Bytes). | Positive integer | `3` | `3` |
@@ -84,6 +87,8 @@ To support:
 | `IEXEC_SMS_SSL_KEYSTORE_ALIAS` | Alias that identifies the key in the key store. | String | `iexec-core` |
 | `IEXEC_SCONE_TOLERATED_INSECURE_OPTIONS` | List of hardware or software Scone vulnerabilities to ignore. | String | |
 | `IEXEC_IGNORED_SGX_ADVISORIES` | List of hardware or software Intel vulnerabilities to ignore. | String | |
+| `TEE_SCONE_ATTESTATION_MODE` | Attestation mode used for TEE tasks Scone session generation. | String | `maa` |
+| `TEE_SCONE_ATTESTATION_URL` | URL of the Microsoft Azure Attestation service used for TEE tasks Scone session generation. | URL | `https://sharedweu.weu.attest.azure.net` |
 | `IEXEC_SMS_IMAGE_LAS_IMAGE` | Scontain LAS OCI image to be used by workers to execute TEE tasks. LAS performs local attestation which creates a quote that CAS can verify. | String | |
 
 ## Health checks

build.gradle

@@ -1,10 +1,10 @@
 plugins {
     id 'java'
-    id 'io.freefair.lombok' version '8.6'
+    id 'io.freefair.lombok' version '8.10.2'
     id 'org.springframework.boot' version '2.7.18'
-    id 'io.spring.dependency-management' version '1.1.4'
+    id 'io.spring.dependency-management' version '1.1.6'
     id 'jacoco'
-    id 'org.sonarqube' version '5.0.0.4638'
+    id 'org.sonarqube' version '5.1.0.4882'
     id 'maven-publish'
 }
 
@@ -57,7 +57,7 @@ dependencies {
     implementation 'org.springframework.retry:spring-retry'
     // H2
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-    implementation 'com.h2database:h2:2.2.222'
+    implementation 'com.h2database:h2:2.2.224'
 
     // Spring Doc
     implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'

gradle.properties

@@ -1,6 +1,6 @@
-version=8.6.0
-iexecCommonVersion=8.5.0
-iexecCommonsPocoVersion=4.1.0
+version=8.7.0
+iexecCommonVersion=8.6.0
+iexecCommonsPocoVersion=4.2.0
 
 nexusUser
 nexusPassword

gradle/wrapper/gradle-wrapper.jar

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradle/wrapper/gradle-wrapper.properties

@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# SPDX-License-Identifier: Apache-2.0
+#
 
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

gradlew

@@ -13,6 +13,8 @@
 @rem See the License for the specific language governing permissions and
 @rem limitations under the License.
 @rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
 
 @if "%DEBUG%"=="" @echo off
 @rem ##########################################################################

gradlew.bat

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,14 +16,15 @@
 
 package com.iexec.sms.secret;
 
-public class ReservedSecretKeyName {
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
 
-    //result encryption
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class ReservedSecretKeyName {
+    // result encryption
     public static final String IEXEC_RESULT_ENCRYPTION_PUBLIC_KEY = "iexec-result-encryption-public-key";
-    //result storage
+    // result storage
     public static final String IEXEC_RESULT_DROPBOX_TOKEN = "iexec-result-dropbox-token";
     public static final String IEXEC_RESULT_IEXEC_IPFS_TOKEN = "iexec-result-iexec-ipfs-token";
-
-    private ReservedSecretKeyName() {}
-
+    public static final String IEXEC_RESULT_IEXEC_RESULT_PROXY_URL = "iexec-result-iexec-result-proxy-url";
 }