feat: migrate to Scone prod (#224)

* feat: Scone prod

* ci: use enclave-key from server

* fix: remove useless sconification option "command"

* fix: check enclave key read access before mounting

* docs: add enclave signing key doc

* fix: log warn deprecated sconeProd === false

Author: PierreJeanjacquot

.github/workflows/reusable-api-deploy.yml

@@ -58,6 +58,27 @@ jobs:
           fi
         shell: bash
 
+      - name: Check configuration files on server
+        run: |
+          ssh -o StrictHostKeyChecking=no \
+              -i ~/.ssh/ghrunnerci \
+              ${{ secrets.host }} << 'EOF'
+            cd /opt/iapp-api
+            missing=0
+            if [ ! -f .env.app ]; then
+              echo ".env.app file not found on remote server"
+              missing=1
+            fi
+            if [ ! -f sig/enclave-key.pem ]; then
+              echo "sig/enclave-key.pem not found on remote server"
+              missing=1
+            fi
+            if [ "$missing" -ne 0 ]; then
+              exit 1
+            fi
+          EOF
+        shell: bash
+
       - name: Prepare .env for Compose
         run: |
           printf "IMAGE_NAME=%s\nIMAGE_TAG=%s\n" "${{ env.IMAGE_NAME }}" "${{ inputs.tag }}"> .env

.gitignore

@@ -2,6 +2,7 @@
 
 node_modules
 api/.env
+api/sig
 .tags
 
 cli/dist

api/README.md

@@ -29,8 +29,9 @@ The API is composed of:
 - Node 20
 - docker installed locally with support for linux/amd64 architecture (either
   native or emulated)
-- Scontain account whit pull access to docker repository
+- Scontain account with pull access to docker repository
   `registry.scontain.com/scone-production/iexec-sconify-image`
+- An enclave signing key to sign Scone production images
 
 Create a `.env` file see [`.env.template`](.env.template)
 
@@ -39,6 +40,18 @@ cp .env.template .env
 # fill in the .env file
 ```
 
+Create or provide your own enclave signing key in `sig/enclave-key.pem` to sign
+Scone production images
+
+> The enclave signing key should be a PEM formatted RSA key 3072 bits
+>
+> A valid signing key can be generated with openssl by running
+> `openssl genrsa -3 3072`
+
+```sh
+npm run ensure-signing-key
+```
+
 ## run locally
 
 ```sh

api/docker-compose.yml

@@ -8,7 +8,9 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       # .env.app already on the server
-      - ./.env.app:/app/.env
+      - ./.env.app:/app/.env:ro
+      # enclave key already on the server in sig/enclave-key.pem
+      - ./sig/:/app/sig/:ro
     healthcheck:
       test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
       interval: 30s

api/package.json

@@ -4,9 +4,10 @@
   "main": "index.js",
   "type": "module",
   "scripts": {
-    "start": "tsx --env-file=.env ./src/index.js",
-    "dev": "tsx --env-file=.env --watch ./src/index.js",
-    "dev:pretty": "tsx --env-file=.env --watch ./src/index.js | pino-pretty -tc",
+    "ensure-signing-key": "[ -e 'sig/enclave-key.pem' ] && echo 'using existing signing key' || (mkdir -p sig && openssl genrsa -3 -out sig/enclave-key.pem 3072 && echo 'generated new signing key')",
+    "start": "npm run ensure-signing-key && tsx --env-file=.env ./src/index.js",
+    "dev": "npm run ensure-signing-key && tsx --env-file=.env --watch ./src/index.js",
+    "dev:pretty": "npm run ensure-signing-key && tsx --env-file=.env --watch ./src/index.js | pino-pretty -tc",
     "check-format": "prettier --check .",
     "check-types": "tsc --project tsconfig.json",
     "format": "prettier --write .",

api/src/sconify/deprecated_sconify.service.ts

@@ -131,7 +131,6 @@ export async function deprecated_sconify({
     sconifiedImageId = await sconifyImage({
       fromImage: dockerImageToSconify,
       sconifyVersion,
-      entrypoint: appEntrypoint,
       binary: configTemplate.binary,
     });
     logger.info({ sconifiedImageId }, 'Sconified successfully');

api/src/sconify/sconifyBuild.handler.ts

@@ -29,6 +29,7 @@ const bodySchema = z.object({
     .enum(Object.keys(TEMPLATE_CONFIG) as [TemplateName])
     .default('JavaScript'),
   sconeVersion: z.enum(['v5', 'v5.9']).default('v5'),
+  sconeProd: z.boolean().default(false),
 });
 
 async function handleSconifyRequest(requestObj: object) {
@@ -37,13 +38,15 @@ async function handleSconifyRequest(requestObj: object) {
   let dockerhubPushToken: string;
   let sconeVersion: SconeVersion;
   let template: TemplateName;
+  let sconeProd: boolean;
   try {
     ({
       yourWalletPublicAddress,
       dockerhubImageToSconify,
       dockerhubPushToken,
       sconeVersion,
       template,
+      sconeProd,
     } = bodySchema.parse(requestObj));
   } catch (error) {
     throw fromError(error, {
@@ -58,6 +61,9 @@ async function handleSconifyRequest(requestObj: object) {
   if (sconeVersion === 'v5') {
     logger.warn('Deprecated feature hit: sconeVersion === "v5"');
   }
+  if (sconeProd === false) {
+    logger.warn('Deprecated feature hit: sconeProd === false');
+  }
 
   const { dockerImage, dockerImageDigest, fingerprint, entrypoint } =
     await sconify({
@@ -66,6 +72,7 @@ async function handleSconifyRequest(requestObj: object) {
       userWalletPublicAddress: yourWalletPublicAddress,
       sconeVersion,
       templateLanguage: template,
+      sconeProd,
     });
   return {
     dockerImage,

api/src/sconify/sconifyBuild.service.ts

@@ -23,6 +23,7 @@ export async function sconify({
   pushToken,
   sconeVersion,
   templateLanguage,
+  sconeProd = false,
 }: {
   /**
    * Examples of valid dockerImageToSconify:
@@ -39,6 +40,7 @@ export async function sconify({
   pushToken: string;
   templateLanguage: TemplateName;
   sconeVersion: SconeVersion;
+  sconeProd?: boolean;
 }): Promise<{
   dockerImage: string;
   dockerImageDigest: string;
@@ -58,6 +60,7 @@ export async function sconify({
       templateLanguage,
       userWalletPublicAddress,
       wsEnabled,
+      sconeProd,
     },
     'New sconify request'
   );
@@ -140,8 +143,8 @@ export async function sconify({
     sconifiedImageId = await sconifyImage({
       fromImage: dockerImageToSconify,
       sconifyVersion,
-      entrypoint: appEntrypoint,
       binary: configTemplate.binary,
+      prod: sconeProd,
     });
     logger.info({ sconifiedImageId }, 'Sconified successfully');
   } finally {
@@ -168,7 +171,7 @@ export async function sconify({
 
   const imageRepo = `${dockerUserName}/${imageName}`;
   const sconifiedImageShortId = sconifiedImageId.substring(7, 7 + 12); // extract 12 first chars after the leading "sha256:"
-  const sconifiedImageTag = `${imageTag}-tee-scone-${sconifyVersion}-debug-${sconifiedImageShortId}`; // add digest in tag to avoid replacing previous build
+  const sconifiedImageTag = `${imageTag}-tee-scone-${sconifyVersion}-${sconeProd ? 'prod' : 'debug'}-${sconifiedImageShortId}`; // add digest in tag to avoid replacing previous build
   const sconifiedImage = `${imageRepo}:${sconifiedImageTag}`;
 
   let pushed;

api/src/singleFunction/sconifyImage.ts

@@ -1,3 +1,5 @@
+import { join } from 'node:path';
+import { access, constants } from 'node:fs/promises';
 import Docker from 'dockerode';
 import { SCONIFY_IMAGE_NAME } from '../constants/constants.js';
 import { logger } from '../utils/logger.js';
@@ -8,14 +10,16 @@ import { removeContainer } from './removeContainer.js';
 
 const docker = new Docker();
 
+const ENCLAVE_KEY_PATH = join(process.cwd(), 'sig/enclave-key.pem');
+
 /**
  * Sconifies an iapp docker image
  */
 export async function sconifyImage({
   fromImage,
   sconifyVersion,
-  entrypoint,
   binary,
+  prod = false,
 }: {
   /**
    * image to sconify
@@ -25,42 +29,66 @@ export async function sconifyImage({
    * sconifier version
    */
   sconifyVersion: string;
-  /**
-   * command to run the app (whitelisted)
-   */
-  entrypoint: string;
   /**
    * whitelisted binary
    */
   binary: string;
+  /**
+   * sconify production flag
+   */
+  prod?: boolean;
 }): Promise<string> {
-  logger.info({ fromImage, entrypoint }, 'Running sconify command...');
+  logger.info(
+    { fromImage },
+    `Running sconify command in ${prod ? 'prod' : 'debug'} mode...`
+  );
   const sconifierImage = `${SCONIFY_IMAGE_NAME}:${sconifyVersion}`;
 
   logger.info({ sconifierImage }, 'Pulling sconifier image...');
   await pullSconeImage(sconifierImage);
 
+  if (prod) {
+    // check signing key can be read on host
+    try {
+      await access(ENCLAVE_KEY_PATH, constants.R_OK);
+    } catch (error) {
+      logger.error(
+        { error, path: ENCLAVE_KEY_PATH },
+        'Cannot read enclave key from host'
+      );
+      throw new Error('Cannot read enclave key from host');
+    }
+  }
+
   const toImage = `${fromImage}-tmp-sconified-${Date.now()}`; // create an unique temporary identifier for the target image
   logger.info({ fromImage, toImage }, 'Sconifying...');
+
+  const sconifyBaseCmd = [
+    'sconify_iexec',
+    `--from=${fromImage}`,
+    `--to=${toImage}`,
+    '--binary-fs',
+    '--fs-dir=/app',
+    '--host-path=/etc/hosts',
+    '--host-path=/etc/resolv.conf',
+    `--binary=${binary}`,
+    '--heap=1G',
+    '--dlopen=1',
+    '--no-color',
+    '--verbose',
+  ];
+
+  const baseBinds = ['/var/run/docker.sock:/var/run/docker.sock'];
+
   const sconifyContainer = await docker.createContainer({
     Image: sconifierImage,
-    Cmd: [
-      'sconify_iexec',
-      `--from=${fromImage}`,
-      `--to=${toImage}`,
-      '--binary-fs',
-      '--fs-dir=/app',
-      '--host-path=/etc/hosts',
-      '--host-path=/etc/resolv.conf',
-      `--binary=${binary}`,
-      '--heap=1G',
-      '--dlopen=1',
-      '--no-color',
-      '--verbose',
-      `--command=${entrypoint}`,
-    ],
+    Cmd: prod
+      ? sconifyBaseCmd.concat('--scone-signer=/sig/enclave-key.pem')
+      : sconifyBaseCmd,
     HostConfig: {
-      Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      Binds: prod
+        ? baseBinds.concat(`${ENCLAVE_KEY_PATH}:/sig/enclave-key.pem:ro`) // mount signing key
+        : baseBinds,
     },
   });
 

cli/src/cmd/debug.ts

@@ -1,6 +1,6 @@
 import { ethers } from 'ethers';
 import { askForWallet } from '../cli-helpers/askForWallet.js';
-import { getIExecDebug } from '../utils/iexec.js';
+import { getIExec } from '../utils/iexec.js';
 import { getSpinner } from '../cli-helpers/spinner.js';
 import * as color from '../cli-helpers/color.js';
 import { handleCliError } from '../cli-helpers/handleCliError.js';
@@ -26,7 +26,7 @@ export async function debug({
     const chainConfig = getChainConfig(chainName);
     spinner.info(`Using chain ${chainName}`);
     const signer = await askForWallet({ spinner });
-    const iexec = getIExecDebug({
+    const iexec = getIExec({
       ...chainConfig,
       signer,
     });