Merge pull request #302 from iExecBlockchainComputing/release/9.0.0

Release 9.0.0

Author: Natchica

CHANGELOG.md

@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file.
 
+## [[9.0.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v9.0.0) 2025-03-28
+
+### New Features
+
+- SMS can now be configured with a list of TEE-ready pre/post-compute applications for SGX tasks. (#286)
+- Add `getTeeServicesPropertiesVersion` endpoint to retrieve a specific pre/post-compute configuration pair version. (#287)
+- Add `teeFrameworkVersion` field to `TeeServicesProperties`. (#289)
+- Refactor `TeeWorkerInternalConfiguration` and related services to use `Map<String, TeeServicesProperties>`. (#290 #291)
+- Add enclave challenge private key, worker address and task ID related tokens in pre-compute session. (#296)
+
+### Quality
+
+- Refactor `SslConfig` and `TwoWaySslClient` to use HttpClient 5 and improve ssl handling. (#285)
+- Remove references to Ownable Smart Contract wrapper in integration test. (#288)
+- Rename `blockchain` package to `chain` and `BlockchainConfig` class to `ChainConfig`. (#294)
+- Fix several SonarQube Cloud issues. (#295)
+- Stop using `TestUtils` in `AuthorizationServiceTests.java`. (#300)
+
+### Breaking API changes
+
+- Remove deprecated code from `AppComputeSecretController` and `SmsClient`. (#293)
+- Replace custom yes/no boolean serialization with standard Java boolean strings in TEE sessions. (#297)
+- Harmonize YML internal variables to proper case. (#299)
+
+### Dependency Upgrades
+
+- Upgrade to `eclipse-temurin:17.0.13_11-jre-focal`. (#285)
+- Upgrade to Spring Doc OpenAPI 2.6.0. (#285)
+- Upgrade to Spring Boot 3.3.8. (#292)
+- Upgrade to `iexec-common` 9.0.0. (#301)
+- Upgrade to `iexec-commons-poco` 5.0.0. (#301)
+
 ## [[8.7.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.7.0) 2024-12-23
 
 ### New Features

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:11.0.24_8-jre-focal
+FROM eclipse-temurin:17.0.13_11-jre-focal
 
 ARG jar
 

README.md

@@ -56,7 +56,7 @@ To support:
 | `IEXEC_SMS_ADMIN_STORAGE_LOCATION` | Storage location where to persist replicated backups. It must be an absolute directory path. | String | `/backup` | `/backup` |
 | `IEXEC_CHAIN_ID` | Chain ID of the blockchain network to connect. | Positive integer | `134` |  `134` |
 | `IEXEC_IS_SIDECHAIN` | Define whether iExec on-chain protocol is built on top of token (`false`) or native currency (`true`). | Boolean | `true` | `true` |
-| `IEXEC_SMS_BLOCKCHAIN_NODE_ADDRESS` | URL to connect to the blockchain node. | URL | `https://bellecour.iex.ec` | `https://bellecour.iex.ec` |
+| `IEXEC_BLOCKCHAIN_NODE_ADDRESS` | URL to connect to the blockchain node. | URL | `https://bellecour.iex.ec` | `https://bellecour.iex.ec` |
 | `IEXEC_HUB_ADDRESS` | Proxy contract address to interact with the iExec on-chain protocol. | String | `0x3eca1B216A7DF1C7689aEb259fFB83ADFB894E7f` | `0x3eca1B216A7DF1C7689aEb259fFB83ADFB894E7f` |
 | `IEXEC_BLOCK_TIME` | Duration between consecutive blocks on the blockchain network. | String | `PT5S` | `PT5S` |
 | `IEXEC_GAS_PRICE_MULTIPLIER` | Transactions will be sent with `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER`. | Float | `1.0` | `1.0` |
@@ -68,14 +68,57 @@ To support:
 | `IEXEC_TEE_CHALLENGE_CLEANUP_CRON` | Cron expression to configure TEE challenges cleanup policy. | String | `@hourly` | `@hourly` |
 | `IEXEC_TEE_CHALLENGE_CLEANUP_MAX_BATCH_SIZE` | Max number of TEE challenges whose missing deadline could be set at a given time. | Integer | `500` | `500` |
 | `IEXEC_TEE_CHALLENGE_CLEANUP_RETENTION_DURATION` | Retention duration when setting missing final deadline. | Duration | `P5D` | `P5D` |
-| `IEXEC_TEE_WORKER_PRE_COMPUTE_IMAGE` | TEE enabled OCI image name for worker pre-compute stage of TEE tasks. | String | | |
-| `IEXEC_TEE_WORKER_PRE_COMPUTE_FINGERPRINT` | Fingerprint (aka mrenclave) of the TEE enabled worker pre-compute image. | String | | |
-| `IEXEC_TEE_WORKER_PRE_COMPUTE_HEAP_SIZE_GB` | Required heap size for a worker pre-compute enclave (in Giga Bytes). | Positive integer | `3` | `3` |
-| `IEXEC_TEE_WORKER_PRE_COMPUTE_ENTRYPOINT` | Command executed when starting a container from the TEE enabled worker pre-compute image. | String | `java -jar /app/app.jar` | `/bin/bash /apploader.sh` |
-| `IEXEC_TEE_WORKER_POST_COMPUTE_IMAGE` | TEE enabled OCI image name for worker post-compute stage of TEE tasks. | String | | |
-| `IEXEC_TEE_WORKER_POST_COMPUTE_FINGERPRINT` | Fingerprint (aka mrenclave) of the TEE enabled worker post-compute image. | String | | |
-| `IEXEC_TEE_WORKER_POST_COMPUTE_HEAP_SIZE_GB` | Required heap size for a worker post-compute enclave (in Giga Bytes). | Positive integer | `3` | `3` |
-| `IEXEC_TEE_WORKER_POST_COMPUTE_ENTRYPOINT` | Command executed when starting a container from the TEE enabled worker post-compute image. | String | `java -jar /app/app.jar` | `/bin/bash /apploader.sh` |
+| `TEE_WORKER_PIPELINES_0_VERSION` | Worker pipeline version | String | `v5` | `v5` |
+| `TEE_WORKER_PIPELINES_0_PRECOMPUTE_IMAGE` | TEE enabled OCI image name for worker pre-compute stage | String | | |
+| `TEE_WORKER_PIPELINES_0_PRECOMPUTE_FINGERPRINT` | Fingerprint (mrenclave) of the TEE enabled worker pre-compute image | String | | |
+| `TEE_WORKER_PIPELINES_0_PRECOMPUTE_HEAPSIZE` | Required heap size for a worker pre-compute enclave using units like KB, MB, GB | DataSize | `3GB` | `3GB` |
+| `TEE_WORKER_PIPELINES_0_PRECOMPUTE_ENTRYPOINT` | Command executed when starting a container from the TEE enabled worker pre-compute image | String | `java -jar /app/app.jar` | `/bin/bash /apploader.sh` |
+| `TEE_WORKER_PIPELINES_0_POSTCOMPUTE_IMAGE` | TEE enabled OCI image name for worker post-compute stage | String | | |
+| `TEE_WORKER_PIPELINES_0_POSTCOMPUTE_FINGERPRINT` | Fingerprint (mrenclave) of the TEE enabled worker post-compute image | String | | |
+| `TEE_WORKER_PIPELINES_0_POSTCOMPUTE_HEAPSIZE` | Required heap size for a worker post-compute enclave using units like KB, MB, GB | DataSize | `3GB` | `3GB` |
+| `TEE_WORKER_PIPELINES_0_POSTCOMPUTE_ENTRYPOINT` | Command executed when starting a container from the TEE enabled worker post-compute image | String | `java -jar /app/app.jar` | `/bin/bash /apploader.sh` |
+
+## Heap Size Configuration
+The heap size configuration supports the following units:
+
+- **B** for bytes
+- **KB** for kilobytes
+- **MB** for megabytes
+- **GB** for gigabytes
+- **TB** for terabytes
+
+### Example Values
+- `3GB`
+- `4096MB`
+- `1TB`
+
+### Conversion Table
+| Unit | Bytes Equivalent            |
+|------|-----------------------------|
+| 1 KB | 1,024 B                     |
+| 1 MB | 1,024 KB (1,048,576 B)      |
+| 1 GB | 1,024 MB (1,073,741,824 B)  |
+| 1 TB | 1,024 GB (1,099,511,627,776 B) |
+
+### Required Pipeline Configuration
+
+The TEE worker pipeline configurations (`application-gramine.yml` and `application-scone.yml`) **no longer provide default values** for pre-compute and post-compute settings.
+The configuration must be set by SMS operator.
+
+#### **Example Configuration (to be provided by SMS operator)**
+```yaml
+- version: v5
+  pre-compute:
+    image: iexechub/tee-worker-pre-compute:<version>-sconify-<scone-version>-production
+    fingerprint: <tee-worker-pre-compute-fingerprint>
+    heap-size: 3GB
+    entrypoint: java -jar /app/app.jar
+  post-compute:
+    image: iexechub/tee-worker-post-compute:<version>-sconify-<scone-version>-production
+    fingerprint: <tee-worker-post-compute-fingerprint>
+    heap-size: 3GB
+    entrypoint: java -jar /app/app.jar
+```
 
 ### Scone specific environment variables
 

build.gradle

@@ -1,17 +1,13 @@
 plugins {
     id 'java'
     id 'io.freefair.lombok' version '8.10.2'
-    id 'org.springframework.boot' version '2.7.18'
+    id 'org.springframework.boot' version '3.3.8'
     id 'io.spring.dependency-management' version '1.1.6'
     id 'jacoco'
     id 'org.sonarqube' version '5.1.0.4882'
     id 'maven-publish'
 }
 
-ext {
-    openFeignVersion = '11.10'
-}
-
 if (!project.hasProperty('gitBranch')) {
     ext.gitBranch = 'git rev-parse --abbrev-ref HEAD'.execute().text.trim()
 }
@@ -39,8 +35,12 @@ allprojects {
         toolchain {
             languageVersion.set(JavaLanguageVersion.of(17))
         }
-        sourceCompatibility = "11"
-        targetCompatibility = "11"
+        sourceCompatibility = JavaVersion.VERSION_17
+        targetCompatibility = JavaVersion.VERSION_17
+    }
+
+    tasks.withType(JavaCompile).configureEach {
+        options.compilerArgs.add('-parameters')
     }
 }
 
@@ -55,23 +55,20 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-validation'
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springframework.retry:spring-retry'
+
     // H2
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'com.h2database:h2:2.2.224'
 
     // Spring Doc
-    implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
+    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
-    //ssl
-    implementation 'org.apache.httpcomponents:httpclient'
+    // ssl
+    implementation 'org.apache.httpcomponents.client5:httpclient5'
 
     // observability
     runtimeOnly 'io.micrometer:micrometer-registry-prometheus'
 
-    // feign
-    implementation "io.github.openfeign:feign-jackson:$openFeignVersion"
-    implementation "io.github.openfeign:feign-slf4j:$openFeignVersion"
-
     // expiring map
     implementation "net.jodah:expiringmap:0.5.11"
 }

gradle.properties

@@ -1,6 +1,6 @@
-version=8.7.0
-iexecCommonVersion=8.6.0
-iexecCommonsPocoVersion=4.2.0
+version=9.0.0
+iexecCommonVersion=9.0.0
+iexecCommonsPocoVersion=5.0.0
 
 nexusUser
 nexusPassword

iexec-sms-library/build.gradle

@@ -6,25 +6,30 @@ plugins {
 }
 
 dependencies {
+    implementation platform("org.springframework.boot:spring-boot-dependencies:3.3.8")
+
     implementation "com.iexec.commons:iexec-commons-poco:$iexecCommonsPocoVersion"
     implementation "com.iexec.common:iexec-common:$iexecCommonVersion"
 }
 
 java {
-    sourceCompatibility = "11"
-    targetCompatibility = "11"
+    sourceCompatibility = JavaVersion.VERSION_17
+    targetCompatibility = JavaVersion.VERSION_17
     withJavadocJar()
     withSourcesJar()
 }
 
+tasks.withType(JavaCompile).configureEach {
+    options.compilerArgs.add('-parameters')
+}
+
 testing {
     suites {
         test {
             useJUnitJupiter()
             dependencies {
-                implementation "org.assertj:assertj-core:3.22.0"
-                implementation 'org.junit.jupiter:junit-jupiter:5.8.2'
-                implementation 'org.mockito:mockito-junit-jupiter:4.7.0'
+                implementation "org.assertj:assertj-core"
+                implementation 'org.mockito:mockito-junit-jupiter'
             }
         }
     }

iexec-sms-library/src/main/java/com/iexec/sms/api/SmsClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2024 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,16 +49,6 @@ ApiResponseBody<String, List<String>> addAppDeveloperAppComputeSecret(
             String secretValue
     );
 
-    /**
-     * @deprecated Call {@code isAppDeveloperAppComputeSecretPresent(appAddress)}
-     */
-    @Deprecated(forRemoval = true)
-    @RequestLine("HEAD /apps/{appAddress}/secrets/{secretIndex}")
-    ApiResponseBody<String, List<String>> isAppDeveloperAppComputeSecretPresent(
-            @Param("appAddress") String appAddress,
-            @Param("secretIndex") String secretIndex
-    );
-
     @RequestLine("HEAD /apps/{appAddress}/secrets")
     ApiResponseBody<String, List<String>> isAppDeveloperAppComputeSecretPresent(
             @Param("appAddress") String appAddress
@@ -119,13 +109,6 @@ String setWeb3Secret(
 
     // region TEE
 
-    /**
-     * @deprecated use {@link SmsClient#generateTeeChallenge(String, String)}
-     */
-    @Deprecated(forRemoval = true)
-    @RequestLine("POST /tee/challenges/{chainTaskId}")
-    String generateTeeChallenge(@Param("chainTaskId") String chainTaskId);
-
     @Headers("Authorization: {authorization}")
     @RequestLine("POST /tee/challenges/{chainTaskId}")
     String generateTeeChallenge(@Param("authorization") String authorization, @Param("chainTaskId") String chainTaskId);
@@ -140,8 +123,17 @@ ApiResponseBody<TeeSessionGenerationResponse, TeeSessionGenerationError> generat
     @RequestLine("GET /tee/framework")
     TeeFramework getTeeFramework();
 
+    /**
+     * @deprecated Use {@link #getTeeServicesPropertiesVersion(TeeFramework, String)} instead.
+     * This endpoint will be removed in future versions.
+     */
+    @Deprecated(since = "8.7.0", forRemoval = true)
     @RequestLine("GET /tee/properties/{teeFramework}")
     <T extends TeeServicesProperties> T getTeeServicesProperties(@Param("teeFramework") TeeFramework teeFramework);
+
+    @RequestLine("GET /tee/properties/{teeFramework}/{version}")
+    <T extends TeeServicesProperties> T getTeeServicesPropertiesVersion(@Param("teeFramework") TeeFramework teeFramework,
+                                                                        @Param("version") String version);
     // endregion
 
     // region Metrics

iexec-sms-library/src/main/java/com/iexec/sms/api/TeeSessionGenerationError.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2024 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,13 @@ public enum TeeSessionGenerationError {
     EXECUTION_NOT_AUTHORIZED_INVALID_SIGNATURE,
     // endregion
 
+    // region Signature token retrieval
+    GET_SIGNATURE_TOKENS_FAILED_EMPTY_WORKER_ADDRESS,
+    GET_SIGNATURE_TOKENS_FAILED_EMPTY_PUBLIC_ENCLAVE_CHALLENGE,
+    GET_SIGNATURE_TOKENS_FAILED_EMPTY_TEE_CHALLENGE,
+    GET_SIGNATURE_TOKENS_FAILED_EMPTY_TEE_CREDENTIALS,
+    // endregion
+
     // region Pre-compute
     PRE_COMPUTE_GET_DATASET_SECRET_FAILED,
     // endregion
@@ -39,19 +46,12 @@ public enum TeeSessionGenerationError {
     // region Post-compute
     POST_COMPUTE_GET_ENCRYPTION_TOKENS_FAILED_EMPTY_BENEFICIARY_KEY,
     POST_COMPUTE_GET_STORAGE_TOKENS_FAILED,
-
-    POST_COMPUTE_GET_SIGNATURE_TOKENS_FAILED_EMPTY_WORKER_ADDRESS,
-    POST_COMPUTE_GET_SIGNATURE_TOKENS_FAILED_EMPTY_PUBLIC_ENCLAVE_CHALLENGE,
-    POST_COMPUTE_GET_SIGNATURE_TOKENS_FAILED_EMPTY_TEE_CHALLENGE,
-    POST_COMPUTE_GET_SIGNATURE_TOKENS_FAILED_EMPTY_TEE_CREDENTIALS,
     // endregion
 
     // region Secure session generation
     SECURE_SESSION_STORAGE_CALL_FAILED,
     SECURE_SESSION_GENERATION_FAILED,
     SECURE_SESSION_NO_TEE_FRAMEWORK,
-    @Deprecated(forRemoval = true)
-    SECURE_SESSION_NO_TEE_PROVIDER,
     // endregion
 
     // region Miscellaneous

iexec-sms-library/src/main/java/com/iexec/sms/api/config/GramineServicesProperties.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,9 +24,23 @@
 @Getter
 public class GramineServicesProperties extends TeeServicesProperties {
 
-    @JsonCreator
+    /**
+     * GramineServicesProperties constructor.
+     *
+     * @deprecated This method is no longer acceptable to create a GramineServicesProperties object since we need the
+     * TEE framework version also now.
+     * Use {@link GramineServicesProperties(String, TeeAppProperties, TeeAppProperties)} instead.
+     */
+    @Deprecated(since = "8.7.0", forRemoval = true)
     public GramineServicesProperties(@JsonProperty("preComputeProperties") TeeAppProperties preComputeProperties,
                                      @JsonProperty("postComputeProperties") TeeAppProperties postComputeProperties) {
-        super(TeeFramework.GRAMINE, preComputeProperties, postComputeProperties);
+        super(TeeFramework.GRAMINE, "", preComputeProperties, postComputeProperties);
+    }
+
+    @JsonCreator
+    public GramineServicesProperties(@JsonProperty("teeFrameworkVersion") String teeFrameworkVersion,
+                                     @JsonProperty("preComputeProperties") TeeAppProperties preComputeProperties,
+                                     @JsonProperty("postComputeProperties") TeeAppProperties postComputeProperties) {
+        super(TeeFramework.GRAMINE, teeFrameworkVersion, preComputeProperties, postComputeProperties);
     }
 }

iexec-sms-library/src/main/java/com/iexec/sms/api/config/SconeServicesProperties.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,11 +25,27 @@
 public class SconeServicesProperties extends TeeServicesProperties {
     private final String lasImage;
 
-    @JsonCreator
+    /**
+     * SconeServicesProperties constructor.
+     *
+     * @deprecated This method is no longer acceptable to create a SconeServicesProperties object since we need the
+     * TEE framework version also now.
+     * Use {@link SconeServicesProperties(String, TeeAppProperties, TeeAppProperties, String)} instead.
+     */
+    @Deprecated(since = "8.7.0", forRemoval = true)
     public SconeServicesProperties(@JsonProperty("preComputeProperties") TeeAppProperties preComputeProperties,
                                    @JsonProperty("postComputeProperties") TeeAppProperties postComputeProperties,
                                    @JsonProperty("lasImage") String lasImage) {
-        super(TeeFramework.SCONE, preComputeProperties, postComputeProperties);
+        super(TeeFramework.SCONE, "", preComputeProperties, postComputeProperties);
+        this.lasImage = lasImage;
+    }
+
+    @JsonCreator
+    public SconeServicesProperties(@JsonProperty("teeFrameworkVersion") String teeFrameworkVersion,
+                                   @JsonProperty("preComputeProperties") TeeAppProperties preComputeProperties,
+                                   @JsonProperty("postComputeProperties") TeeAppProperties postComputeProperties,
+                                   @JsonProperty("lasImage") String lasImage) {
+        super(TeeFramework.SCONE, teeFrameworkVersion, preComputeProperties, postComputeProperties);
         this.lasImage = lasImage;
     }
 }