chore: Merge branch 'release/4.9.0'

.github/workflows/ci.yml

@@ -41,6 +41,9 @@ jobs:
   python_and_docker:
     uses: ./.github/workflows/python_and_docker.yml
 
+  sgx_docker:
+    uses: ./.github/workflows/docker_kms_sgx.yml
+
   ##############################################################################
   ### Releases
   ##############################################################################

.github/workflows/docker_kms_sgx.yml

@@ -0,0 +1,67 @@
+---
+name: Docker KMS SGX
+
+on:
+  workflow_call:
+
+env:
+  REGISTRY: ghcr.io
+  REGISTRY_IMAGE: ghcr.io/cosmian/enclave-kms-insecure
+
+jobs:
+  build-and-push-image:
+    runs-on: [self-hosted, sgx]
+    defaults:
+      run:
+        working-directory: ci/sgx/
+    container: docker:19.03.15
+
+    steps:
+
+      - uses: actions/checkout@v1
+
+      - name: Login to GitHub Packages
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Specify staging features to use Let's Encrypt staging environment in order to be able to request more than 5 certificates by week
+      # Documentation : https://letsencrypt.org/docs/duplicate-certificate-limit/
+      - name: Build and tag docker container
+        uses: docker/build-push-action@v3
+        with:
+          file: ./ci/sgx/Dockerfile.sgx
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          network: host
+          build-args: |
+            FEATURES=--features staging
+
+    outputs:
+      image-tag: ${{ steps.meta.outputs.version }}
+
+  tests:
+        needs:
+          - build-and-push-image
+        uses: ./.github/workflows/docker_kms_sgx_tests.yml
+        secrets: inherit
+        with:
+          kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}

.github/workflows/docker_kms_sgx_tests.yml

@@ -0,0 +1,63 @@
+---
+name: KMS SGX tests
+
+env:
+  KMS_USE_BOOTSTRAP_SERVER: true
+  KMS_USE_CERTBOT: true
+  KMS_CERTBOT_HOSTNAME: kms.sgx.ci.cosmian.dev
+  KMS_CERTBOT_EMAIL: [email protected]
+  KMS_CERTBOT_USE_TEE_KEY: abcdef0123456789    
+
+on:
+  workflow_call:
+    inputs:
+      kms-version:
+        required: true
+        type: string
+
+jobs:
+
+  run_and_test:
+
+    services:
+      kms:
+        image: ghcr.io/cosmian/enclave-kms-insecure:${{ inputs.kms-version }}
+
+    runs-on: [self-hosted, sgx]
+    steps:
+      - name: Docker start container
+        run: |
+          docker run \
+            --device /dev/sgx_enclave \
+            --device /dev/sgx_provision \
+            -e KMS_USE_BOOTSTRAP_SERVER="${{ env.KMS_USE_BOOTSTRAP_SERVER }}" \
+            -e KMS_USE_CERTBOT="${{ env.KMS_USE_CERTBOT }}" \
+            -e KMS_CERTBOT_HOSTNAME="${{ env.KMS_CERTBOT_HOSTNAME }}" \
+            -e KMS_CERTBOT_EMAIL="${{ env.KMS_CERTBOT_EMAIL }}" \
+            -e KMS_CERTBOT_USE_TEE_KEY="${{ env.KMS_CERTBOT_USE_TEE_KEY }}" \
+            -v /var/run/aesmd:/var/run/aesmd/ \
+            -v /opt/cosmian-internal:/opt/cosmian-internal \
+            -p 80:80 \
+            -p 9998:9998 \
+            -d --rm --name enclave-kms-insecure ghcr.io/cosmian/enclave-kms-insecure:${{ inputs.kms-version }}
+          
+      - name: Install Rust toolchain
+        uses: actions-rs/toolchain@v1
+
+      - name: Install ckms
+        run: cargo install --locked --path crate/cli
+
+      - name: Bootstrap
+        run: |
+          KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms bootstrap-start --sqlite-path private_data/  --database-type sqlite
+          sleep 20
+      
+      - name: Verify
+        run: KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms verify
+
+      - name: Symmetric key create
+        run: KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms sym keys create
+
+      - name: Docker stop container
+        if: success() || failure()
+        run: docker stop enclave-kms-insecure

.github/workflows/python_and_docker.yml

@@ -67,6 +67,7 @@ jobs:
     secrets: inherit
     with:
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
+      branch: develop
 
   cloudproof_js:
     needs:
@@ -86,7 +87,7 @@ jobs:
       - pyo3
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_java_in_docker.yml@develop
     with:
-      branch: v6.0.0
+      branch: develop
       target: x86_64-unknown-linux-gnu
       extension: so
       destination: linux-x86-64
@@ -101,7 +102,7 @@ jobs:
       - pyo3
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_python.yml@develop
     with:
-      branch: v4.1.0
+      branch: develop
       target: x86_64-unknown-linux-gnu
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
       copy_fresh_build: true

.github/workflows/python_tests.yml

@@ -7,6 +7,9 @@ on:
       kms-version:
         required: true
         type: string
+      branch:
+        required: true
+        type: string
 
 jobs:
   pyo3-test-linux:
@@ -24,19 +27,37 @@ jobs:
         run: |
           docker run --rm ghcr.io/cosmian/kms:${{ inputs.kms-version }} --help
 
+      - uses: actions/checkout@v3
+        with:
+          repository: Cosmian/cloudproof_python
+          ref: ${{ inputs.branch }}
+
+      - name: Install cloudproof python deps
+        env:
+          COVER_CRYPT_TAG: last_build
+          FINDEX_TAG: last_build
+        run: |
+          scripts/ci_install_pyo3_builds.sh
+
       - uses: actions/checkout@v3
 
       - uses: actions/download-artifact@v3
       - run: find .
 
-      - name: Test KMS python client on KMS server
+      - name: Install KMS python
         run: |
           # Check python code
           pip install kms_python_linux/*manylinux*.whl
           pip install -r crate/pyo3/python/requirements.txt
+
+      - name: Test KMS python client on KMS server
+        run: |
+          # Check python code
           mypy crate/pyo3/python/scripts/test_kms.py
           python3 crate/pyo3/python/scripts/test_kms.py
-          # Check that the lib version is the same as the server
+
+      - name: Check that the lib version is the same as the server
+        run: |
           cargo install cargo-get
           diff <(cargo get --entry crate/pyo3 package.version) <(cargo get --entry crate/server package.version) || (echo "Update the version in crate/pyo3/Cargo.toml"; exit
             1)

.pre-commit-config.yaml

@@ -132,7 +132,7 @@ repos:
         entry: bash -c 'cd documentation && mkdocs build --strict'
 
   - repo: https://github.com/Cosmian/git-hooks.git
-    rev: v1.0.16
+    rev: v1.0.20
     hooks:
       - id: cargo-format
       # - id: cargo-upgrade
@@ -148,3 +148,4 @@ repos:
       - id: clippy-autofix-others
       - id: clippy-all-targets-all-features
       - id: cargo-format # in last du to clippy fixes
+      - id: docker-compose-down

CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.9.0] - 2023-11-10
+
+### Bug Fixes
+
+- fix: migrate to num-bigint-dig for bigint (#85)
+
+### Ci
+
+- Test KMS inside a SGX machine
+
+### Features
+
+- Update Covercrypt version to support Policy V2 ([#63])
+- Generalize bulk operations using KMIP `Messages` structure
+
 ## [4.8.2] - 2023-10-31
 
 ### Bug Fixes
@@ -12,7 +27,7 @@ All notable changes to this project will be documented in this file.
 
 ### Bug Fixes
 
-Fix for [#64](https://github.com/Cosmian/kms/issues/64)
+- Fix for [#64](https://github.com/Cosmian/kms/issues/64)
 
 ## [4.8.0] - 2023-10-07