node: fetch provisioned secrets, auth owner w/ TLS

Author: phlip9

common/src/cli.rs

@@ -17,6 +17,7 @@ use proptest_derive::Arbitrary;
 
 use crate::api::runner::Port;
 use crate::api::UserPk;
+use crate::constants::{NODE_PROVISION_DNS, NODE_RUN_DNS};
 use crate::enclave::{self, MachineId};
 
 pub const DEFAULT_BACKEND_URL: &str = "http://127.0.0.1:3030";
@@ -155,6 +156,11 @@ pub struct RunArgs {
     #[argh(option, default = "DEFAULT_RUNNER_URL.to_owned()")]
     pub runner_url: String,
 
+    /// the DNS name the node enclave should include in its remote attestation
+    /// certificate and the client will expect in its connection
+    #[argh(option, default = "NODE_RUN_DNS.to_owned()")]
+    pub node_dns_name: String,
+
     /// whether to use a mock API client. Only available during development.
     #[argh(switch, short = 'm')]
     pub mock: bool,
@@ -174,6 +180,7 @@ impl Default for RunArgs {
             shutdown_after_sync_if_no_activity: false,
             inactivity_timer_sec: 3600,
             repl: false,
+            node_dns_name: NODE_RUN_DNS.to_owned(),
             backend_url: DEFAULT_BACKEND_URL.to_owned(),
             runner_url: DEFAULT_RUNNER_URL.to_owned(),
             mock: false,
@@ -198,7 +205,9 @@ impl RunArgs {
             .arg("--backend-url")
             .arg(&self.backend_url)
             .arg("--runner-url")
-            .arg(&self.runner_url);
+            .arg(&self.runner_url)
+            .arg("--node-dns-name")
+            .arg(&self.node_dns_name);
 
         if self.shutdown_after_sync_if_no_activity {
             cmd.arg("-s");
@@ -240,7 +249,7 @@ pub struct ProvisionArgs {
 
     /// the DNS name the node enclave should include in its remote attestation
     /// certificate and the client will expect in its connection
-    #[argh(option, default = "String::from(\"provision.lexe.tech\")")]
+    #[argh(option, default = "NODE_PROVISION_DNS.to_owned()")]
     pub node_dns_name: String,
 
     /// protocol://host:port of the node backend.
@@ -534,7 +543,7 @@ mod test {
     fn do_cmd_roundtrip(path_str: String, cmd1: &NodeCommand) {
         let path = Path::new(&path_str);
         // Convert to std::process::Command
-        let std_cmd = cmd1.to_cmd(&path);
+        let std_cmd = cmd1.to_cmd(path);
         // Convert to an iterator over &str args
         let mut args_iter = std_cmd.get_args().filter_map(|s| s.to_str());
         // Pop the first arg which contains the subcommand name e.g. 'run'
@@ -543,7 +552,7 @@ mod test {
         let cmd_args: Vec<&str> = args_iter.collect();
         dbg!(&cmd_args);
         // Deserialize back into struct
-        let cmd2 = NodeCommand::from_args(&[&subcommand], &cmd_args).unwrap();
+        let cmd2 = NodeCommand::from_args(&[subcommand], &cmd_args).unwrap();
         // Assert
         assert_eq!(*cmd1, cmd2);
     }
@@ -572,6 +581,7 @@ mod test {
             repl: false,
             backend_url: "".into(),
             runner_url: "".into(),
+            node_dns_name: "localhost".to_owned(),
             mock: true,
         });
         do_cmd_roundtrip(path_str, &cmd);
@@ -595,6 +605,7 @@ mod test {
             repl: true,
             backend_url: "".into(),
             runner_url: "".into(),
+            node_dns_name: "localhost".to_owned(),
             mock: false,
         });
         do_cmd_roundtrip(path_str, &cmd);

common/src/client/mod.rs

@@ -1,5 +1,94 @@
 // TODO
 
 pub mod certs;
-pub mod provision;
 pub mod tls;
+
+use anyhow::{format_err, Context};
+use bitcoin::secp256k1::PublicKey;
+use serde::{Deserialize, Serialize};
+
+use crate::api::provision::ProvisionRequest;
+use crate::api::UserPk;
+use crate::attest;
+use crate::rng::Crng;
+use crate::root_seed::RootSeed;
+
+#[derive(Debug, Deserialize, Serialize)]
+pub struct NodeInfo {
+    pub node_pk: PublicKey,
+    pub num_channels: usize,
+    pub num_usable_channels: usize,
+    pub local_balance_msat: u64,
+    pub num_peers: usize,
+}
+
+pub struct NodeClient {
+    client: reqwest::Client,
+    provision_url: String,
+    run_url: String,
+}
+
+impl NodeClient {
+    #[allow(clippy::too_many_arguments)]
+    pub fn new<R: Crng>(
+        rng: &mut R,
+        seed: &RootSeed,
+        user_pk: &UserPk,
+        proxy_url: &str,
+        proxy_ca: &rustls::Certificate,
+        attest_verifier: attest::ServerCertVerifier,
+        provision_url: String,
+        run_url: String,
+    ) -> anyhow::Result<Self> {
+        // TODO(phlip9): actual auth in proxy header
+        // TODO(phlip9): https only mode
+
+        let proxy = reqwest::Proxy::https(proxy_url)
+            .context("Invalid proxy url")?
+            // TODO(phlip9): should be bearer auth
+            .basic_auth(&user_pk.to_string(), "");
+
+        let tls = tls::client_tls_config(rng, proxy_ca, seed, attest_verifier)?;
+
+        let client = reqwest::Client::builder()
+            .proxy(proxy)
+            .user_agent("lexe-client")
+            .use_preconfigured_tls(tls)
+            .build()
+            .context("Failed to build client")?;
+
+        Ok(Self {
+            client,
+            provision_url,
+            run_url,
+        })
+    }
+
+    pub async fn provision(&self, req: ProvisionRequest) -> anyhow::Result<()> {
+        let provision_url = &self.provision_url;
+        let url = format!("{provision_url}/provision");
+
+        let resp = self.client.post(url).json(&req).send().await?;
+
+        if resp.status().is_success() {
+            Ok(())
+        } else {
+            let err_txt = resp.text().await?;
+            Err(format_err!("response error: {err_txt}"))
+        }
+    }
+
+    pub async fn node_info(&self) -> anyhow::Result<NodeInfo> {
+        let run_url = &self.run_url;
+        let url = format!("{run_url}/owner/node_info");
+
+        let resp = self.client.get(url).send().await?;
+
+        if resp.status().is_success() {
+            resp.json().await.map_err(Into::into)
+        } else {
+            let err_txt = resp.text().await?;
+            Err(format_err!("response error: {err_txt}"))
+        }
+    }
+}

common/src/client/provision.rs

@@ -1,5 +1,13 @@
 use rcgen::{DistinguishedName, DnType};
 
+/// Fake DNS name used by the node reverse proxy to route owner requests to a
+/// node awaiting provisioning. This DNS name doesn't actually resolve.
+pub const NODE_PROVISION_DNS: &str = "provision.lexe.tech";
+
+/// Fake DNS name used by the node reverse proxy to route owner requests to a
+/// running node. This DNS name doesn't actually resolve.
+pub const NODE_RUN_DNS: &str = "run.lexe.tech";
+
 pub fn lexe_distinguished_name_prefix() -> DistinguishedName {
     let mut name = DistinguishedName::new();
     name.push(DnType::CountryName, "US");

common/src/constants.rs

@@ -80,8 +80,22 @@ impl ApiClient for LexeApiClient {
             user_pk,
             measurement,
         };
-        self.request(Method::GET, Backend, V1, "/instance", req)
-            .await
+        let maybe_instance: Option<Instance> = self
+            .request(Method::GET, Backend, V1, "/instance", req)
+            .await?;
+
+        if let Some(instance) = maybe_instance.as_ref() {
+            if instance.measurement != measurement {
+                let msg = format!(
+                    "returned instance measurement '{}' doesn't match \
+                     requested measurement '{}'",
+                    instance.measurement, measurement,
+                );
+                return Err(ApiError::ResponseError(msg));
+            }
+        }
+
+        Ok(maybe_instance)
     }
 
     async fn get_sealed_seed(

node/src/api/client.rs

@@ -12,45 +12,57 @@ use common::api::runner::UserPorts;
 use common::api::vfs::{Directory, File, FileId};
 use common::api::UserPk;
 use common::enclave::{self, Measurement};
-use common::hex;
+use common::rng::SysRng;
+use common::root_seed::RootSeed;
+use once_cell::sync::Lazy;
+use secrecy::{ExposeSecret, Secret};
 use tokio::sync::mpsc;
 
 use crate::api::{ApiClient, ApiError};
 use crate::lexe::persister;
+use crate::provision::ProvisionedSecrets;
 
 type FileName = String;
 type Data = Vec<u8>;
 
-const HEX_SEED1: [u8; 32] = hex::decode_const(
-    b"39ee00e3e23a9cd7e6509f56ff66daaf021cb5502e4ab3c6c393b522a6782d03",
-);
-const HEX_SEED2: [u8; 32] = hex::decode_const(
-    b"2a784ea82ef7002ec929b435e1af283a1998878575e8ccbad73e5d0cb3a95f59",
-);
+// --- test fixtures --- //
 
-pub fn seed(node_pk: PublicKey) -> Vec<u8> {
-    let node_pk_bytes = node_pk.serialize();
+fn make_seed(bytes: [u8; 32]) -> RootSeed {
+    RootSeed::new(Secret::new(bytes))
+}
+fn make_node_pk(seed: &RootSeed) -> PublicKey {
+    PublicKey::from_keypair(&seed.derive_node_key_pair(&mut SysRng::new()))
+}
+fn make_sealed_seed(seed: &RootSeed) -> Vec<u8> {
+    let seed = make_seed(*seed.expose_secret());
+    let provisioned_secrets = ProvisionedSecrets { root_seed: seed };
+    let sealed_secrets = provisioned_secrets.seal(&mut SysRng::new()).unwrap();
+    sealed_secrets.serialize()
+}
+
+static SEED1: Lazy<RootSeed> = Lazy::new(|| make_seed([0x42; 32]));
+static SEED2: Lazy<RootSeed> = Lazy::new(|| make_seed([0x69; 32]));
 
-    if node_pk_bytes == NODE_PK1 {
-        HEX_SEED1.to_vec()
-    } else if node_pk_bytes == NODE_PK2 {
-        HEX_SEED2.to_vec()
+static NODE_PK1: Lazy<PublicKey> = Lazy::new(|| make_node_pk(&SEED1));
+static NODE_PK2: Lazy<PublicKey> = Lazy::new(|| make_node_pk(&SEED2));
+
+static SEALED_SEED1: Lazy<Vec<u8>> = Lazy::new(|| make_sealed_seed(&SEED1));
+static SEALED_SEED2: Lazy<Vec<u8>> = Lazy::new(|| make_sealed_seed(&SEED2));
+
+pub fn sealed_seed(node_pk: &PublicKey) -> Vec<u8> {
+    if node_pk == &*NODE_PK1 {
+        SEALED_SEED1.clone()
+    } else if node_pk == &*NODE_PK2 {
+        SEALED_SEED2.clone()
     } else {
         todo!("TODO(max): Programmatically generate for new users")
     }
 }
 
-const NODE_PK1: [u8; 33] = hex::decode_const(
-    b"02692f6894d5cb51bb785cc3c54f457889faf674fedea54a906f7ec99e88832d18",
-);
-const NODE_PK2: [u8; 33] = hex::decode_const(
-    b"025336702e1317fcb55cdce19b26bd154b5d5612b87d04ff41f807372513f02b6a",
-);
-
 fn node_pk(user_pk: UserPk) -> PublicKey {
     match user_pk.to_i64() {
-        1 => PublicKey::from_slice(&NODE_PK1).unwrap(),
-        2 => PublicKey::from_slice(&NODE_PK2).unwrap(),
+        1 => *NODE_PK1,
+        2 => *NODE_PK2,
         _ => todo!("TODO(max): Programmatically generate for new users"),
     }
 }
@@ -127,7 +139,7 @@ impl ApiClient for MockApiClient {
             req.measurement,
             req.machine_id,
             req.min_cpusvn,
-            seed(req.node_pk),
+            sealed_seed(&req.node_pk),
         );
         Ok(Some(sealed_seed))
     }

node/src/api/mock.rs

@@ -19,12 +19,18 @@ pub use client::*;
 pub enum ApiError {
     #[error("Reqwest error")]
     Reqwest(#[from] reqwest::Error),
+
     #[error("JSON serialization error")]
     JsonSerialization(#[from] serde_json::Error),
+
     #[error("Query string serialization error")]
     QueryStringSerialization(#[from] serde_qs::Error),
+
     #[error("Server Error: {0}")]
     Server(String),
+
+    #[error("Invalid response: {0}")]
+    ResponseError(String),
 }
 
 #[async_trait]