From 7f2cab79fe863a6e310bb7e26c250c7711074a4b Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Mon, 11 Nov 2024 17:05:50 -0600 Subject: [PATCH 01/11] Fix Makefile to call the same lints, remove old helper script which does not compile --- Makefile | 4 +- src/Makefile | 4 ++ src/integration/src/bin/gen_att_doc.rs | 79 -------------------------- src/qos_net/src/proxy_stream.rs | 6 +- 4 files changed, 9 insertions(+), 84 deletions(-) delete mode 100644 src/integration/src/bin/gen_att_doc.rs diff --git a/Makefile b/Makefile index 91e4dac9..fce3b90d 100644 --- a/Makefile +++ b/Makefile @@ -18,11 +18,11 @@ test: out/.common-loaded .PHONY: lint lint: out/.common-loaded - $(call run,cargo clippy -- -D warnings) + $(call run,make -C src lint) .PHONY: format format: out/.common-loaded - $(call run,rustfmt) + $(call run,make -C src fmt) .PHONY: docs docs: out/.common-loaded diff --git a/src/Makefile b/src/Makefile index f4d53eab..c171fbab 100644 --- a/src/Makefile +++ b/src/Makefile @@ -144,6 +144,10 @@ lint: .PHONY: clippy clippy: + cargo clippy -- -D warnings + +.PHONY: clippy-fix +clippy-fix: cargo clippy --fix --allow-dirty .PHONY: fmt diff --git a/src/integration/src/bin/gen_att_doc.rs b/src/integration/src/bin/gen_att_doc.rs deleted file mode 100644 index 6853b698..00000000 --- a/src/integration/src/bin/gen_att_doc.rs +++ /dev/null 
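Review bot: In the root `Makefile` hunk the `lint` recipe no longer passes `-D warnings` itself; whether warnings still fail the build now depends on what the `lint` target in `src/Makefile` runs. That recipe sits above the `src/Makefile` hunk and is not visible here. If it does not invoke the `clippy` target that this commit points at `cargo clippy -- -D warnings`, the containerized lint gate would stop failing on warnings without any visible error. Once confirmed, a comment above the root target such as `# thin wrapper: lint rules (including clippy -D warnings) are defined in src/Makefile` would make the dependency explicit.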
@@ -1,79 +0,0 @@ -//! Helper script to generate a mock attestation document that works for the -//! boot_e2e. -//! -//! Rough use instructions: -//! -//! 1) On the aws host run `make image`, `build-enclave` and then run the -//! enclave, ensuring that debug mode is not enabled. Debug mode will lead to -//! the PCRs being zeroed out. -//! -//! 2) Take the PCRs output from `build-enclave` and update the hardcoded values -//! in the boot e2e test. -//! -//! 3) Run the test and log the value of the manifest hash. -//! -//! 4) Update `MOCK_USER_DATA_NSM_ATTESTATION_DOCUMENT` with the manifest hash. -//! -//! 5) Run this script (the enclave should be running from step 1). -//! -//! 6) Commit the updated files. - -#[tokio::main] -async fn main() { - #[cfg(feature = "mock")] - { - use std::{fs, path::Path}; - - use qos_client::request; - use qos_core::{hex, protocol::msg::ProtocolMsg}; - use qos_crypto::RsaPair; - use qos_nsm::{ - mock::MOCK_USER_DATA_NSM_ATTESTATION_DOCUMENT, - types::{NsmRequest, NsmResponse}, - }; - - const EPHEMERAL_KEY_RELATIVE_PATH: &str = - "./qos_core/src/protocol/attestor/static/boot_e2e_mock_eph.secret"; - - let uri = "http://127.0.0.1:3000/message"; - - let eph_path = Path::new(EPHEMERAL_KEY_RELATIVE_PATH); - // Create / read in mock ephemeral key - let eph_pair = if eph_path.exists() { - RsaPair::from_pem_file(&eph_path).unwrap() - } else { - let pair = RsaPair::generate().unwrap(); - fs::write(&eph_path, pair.private_key_to_pem().unwrap()).unwrap(); - - pair - }; - - // Create an nsm attestation request - let manifest_hash = - hex::decode(MOCK_USER_DATA_NSM_ATTESTATION_DOCUMENT).unwrap(); - let nsm_request = NsmRequest::Attestation { - user_data: Some(manifest_hash), - nonce: None, - public_key: Some(eph_pair.public_key_to_pem().unwrap()), - }; - let req = ProtocolMsg::NsmRequest { nsm_request }; - - println!("Making request to {uri} ..."); - let cose_sign1 = match request::post(uri, &req).unwrap() { - ProtocolMsg::NsmResponse { - 
nsm_response: NsmResponse::Attestation { document }, - } => document, - r => panic!("Unexpected response: {:?}", r), - }; - - let att_path = - "./qos_core/src/protocol/attestor/static/boot_e2e_mock_attestation_doc"; - fs::write(&att_path, cose_sign1).unwrap(); - - println!("Done"); - } - #[cfg(not(feature = "mock"))] - { - panic!("qos_test's \"mock\" feature must be enabled to run this binary") - } -} diff --git a/src/qos_net/src/proxy_stream.rs b/src/qos_net/src/proxy_stream.rs index 81b7fee4..9c7e7631 100644 --- a/src/qos_net/src/proxy_stream.rs +++ b/src/qos_net/src/proxy_stream.rs @@ -31,10 +31,10 @@ impl ProxyStream { /// # Arguments /// /// * `addr` - the USOCK or VSOCK to connect to (this socket should be bound - /// to a qos_net proxy) `timeout` is the timeout applied to the socket + /// to a qos_net proxy) `timeout` is the timeout applied to the socket /// * `timeout` - the timeout to connect with /// * `hostname` - the hostname to connect to (the remote qos_net proxy will - /// resolve DNS) + /// resolve DNS) /// * `port` - the port the remote qos_net proxy should connect to /// (typically: 80 or 443 for http/https) /// * `dns_resolvers` - array of resolvers to use to resolve `hostname` @@ -80,7 +80,7 @@ impl ProxyStream { /// /// # Arguments /// * `addr` - the USOCK or VSOCK to connect to (this socket should be bound - /// to a qos_net proxy) `timeout` is the timeout applied to the socket + /// to a qos_net proxy) `timeout` is the timeout applied to the socket /// * `timeout` - the timeout to connect with /// * `ip` - the IP the remote qos_net proxy should connect to /// * `port` - the port the remote qos_net proxy should connect to From d40c288d95c098fda80f1c78551ea024a88a0184 Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Mon, 11 Nov 2024 17:14:50 -0600 Subject: [PATCH 02/11] Add make to common containerfile --- src/images/common/Containerfile | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/src/images/common/Containerfile b/src/images/common/Containerfile index b723b21a..6f2e6620 100644 --- a/src/images/common/Containerfile +++ b/src/images/common/Containerfile @@ -22,6 +22,7 @@ FROM stagex/pcsc-lite:sx2024.03.0@sha256:e720e1795706c7c8c1db14bf730b10521e3ff42 FROM stagex/pkgconf:sx2024.03.0@sha256:31ce4eddaf4e777ddb51f01923089f3321ec5272ca0aa834d475f644279209b8 AS pkgconf FROM stagex/rust:sx2024.03.0@sha256:fe22a0fcdb569cb70b8147378463fb6ff800e642be9d50542f8e25a38d90ec7f AS rust FROM stagex/zlib:sx2024.03.0@sha256:de8f56f3ece28b14d575329bead53fc5318962ae3cb8f161a2d69710f7ec51f4 AS zlib +FROM stagex/make:4.4@sha256:df43f0cf3ac1ad91bf91baefb539e8df42c11b0954a6e2498322a5467deb81e3 AS make FROM scratch as base ENV TARGET=x86_64-unknown-linux-musl @@ -48,6 +49,7 @@ COPY --from=llvm . / COPY --from=pcsc-lite . / COPY --from=file . / COPY --from=gcc . / +COPY --from=make . / COPY --from=linux-nitro /bzImage . COPY --from=linux-nitro /nsm.ko . COPY --from=linux-nitro /linux.config . From e11c6562bb3784a1e19c96b9400b156fcd0552c4 Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Mon, 11 Nov 2024 17:15:52 -0600 Subject: [PATCH 03/11] Call src Makefile for test runs --- Makefile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Makefile b/Makefile index fce3b90d..36e5904d 100644 --- a/Makefile +++ b/Makefile @@ -10,11 +10,7 @@ default: \ .PHONY: test test: out/.common-loaded - $(call run,\ - cargo build --all; \ - cargo test; \ - cargo test -p qos_core; \ - ) + $(call run,make -C src test) .PHONY: lint lint: out/.common-loaded From 3a7f7dd0c8ccad910f0f004730f76ad763cd8a6f Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Mon, 11 Nov 2024 17:22:14 -0600 Subject: [PATCH 04/11] No need to switch to src folder. We're already in. --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 36e5904d..985a9160 100644 --- a/Makefile +++ b/Makefile 
@@ -10,15 +10,15 @@ default: \ .PHONY: test test: out/.common-loaded - $(call run,make -C src test) + $(call run,make test) .PHONY: lint lint: out/.common-loaded - $(call run,make -C src lint) + $(call run,make lint) .PHONY: format format: out/.common-loaded - $(call run,make -C src fmt) + $(call run,make fmt) .PHONY: docs docs: out/.common-loaded From da4aa1e1c2d14a53bafe1fe108dc1223e84025ee Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Mon, 11 Nov 2024 17:54:55 -0600 Subject: [PATCH 05/11] Use Rust 1.81 on common container, stop using nightly features for formatting --- Makefile | 4 +- src/Makefile | 3 +- src/images/common/Containerfile | 4 +- src/integration/src/bin/pivot_remote_tls.rs | 5 +- src/qos_client/src/cli/mod.rs | 10 ++-- src/qos_client/src/cli/services.rs | 35 ++++++++------ src/qos_core/src/parser.rs | 13 +++-- src/qos_core/src/protocol/services/genesis.rs | 26 +++++----- src/qos_core/src/protocol/services/key.rs | 22 ++++++--- src/qos_hex/src/lib.rs | 2 +- src/qos_host/src/lib.rs | 11 +++-- src/qos_net/src/proxy.rs | 7 ++- src/qos_net/src/proxy_stream.rs | 48 ++++++++++++------- src/rustfmt.toml | 8 ++-- 14 files changed, 118 insertions(+), 80 deletions(-) diff --git a/Makefile b/Makefile index 985a9160..9c676c5a 100644 --- a/Makefile +++ b/Makefile @@ -77,5 +77,5 @@ out/common/index.json: \ $(call build,common) out/.common-loaded: out/common/index.json - env -C ./out/common tar -cf - . | docker load - touch out/.common-loaded + cd ./out/common && tar -cf - . | docker load + touch ./out/.common-loaded diff --git a/src/Makefile b/src/Makefile index c171fbab..3f6d365a 100644 --- a/src/Makefile +++ b/src/Makefile @@ -152,8 +152,7 @@ clippy-fix: .PHONY: fmt fmt: - cargo +nightly version - cargo +nightly fmt + cargo fmt .PHONY: test test: diff --git a/src/images/common/Containerfile b/src/images/common/Containerfile index 6f2e6620..28e9a485 100644 --- a/src/images/common/Containerfile +++ b/src/images/common/Containerfile 
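Review bot: In the `@@ -10,15 +10,15 @@` hunk, `$(call run,make test)`, `$(call run,make lint)` and `$(call run,make fmt)` are only correct if the `run` macro starts its command with `src/` as the working directory. `run` is defined outside this hunk, so that cannot be checked from here. If the command started in the repository root instead, these recipes would re-enter this same Makefile rather than `src/Makefile`. A comment above the `test` target, for example `# run executes inside the common container with src/ as the working directory`, would record the assumption that the commit title states.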
@@ -20,11 +20,11 @@ FROM stagex/musl-obstack:sx2024.03.0@sha256:4b6737815460908f666fa7a8e91138610d0a FROM stagex/openssl:sx2024.03.0@sha256:1a2f656ced34d1ade99279c5663fcf0ec4f6526bcc50142079ef8adc080be3a9 AS openssl FROM stagex/pcsc-lite:sx2024.03.0@sha256:e720e1795706c7c8c1db14bf730b10521e3ff42e4bed90addc590f7446aac8af AS pcsc-lite FROM stagex/pkgconf:sx2024.03.0@sha256:31ce4eddaf4e777ddb51f01923089f3321ec5272ca0aa834d475f644279209b8 AS pkgconf -FROM stagex/rust:sx2024.03.0@sha256:fe22a0fcdb569cb70b8147378463fb6ff800e642be9d50542f8e25a38d90ec7f AS rust +FROM stagex/rust:1.81.0@sha256:b7c834268a81bfcc473246995c55b47fe18414cc553e3293b6294fde4e579163 AS rust FROM stagex/zlib:sx2024.03.0@sha256:de8f56f3ece28b14d575329bead53fc5318962ae3cb8f161a2d69710f7ec51f4 AS zlib FROM stagex/make:4.4@sha256:df43f0cf3ac1ad91bf91baefb539e8df42c11b0954a6e2498322a5467deb81e3 AS make -FROM scratch as base +FROM scratch AS base ENV TARGET=x86_64-unknown-linux-musl ENV RUSTFLAGS="-C target-feature=+crt-static" ENV CARGOFLAGS="--locked --no-default-features --release --target ${TARGET}" diff --git a/src/integration/src/bin/pivot_remote_tls.rs b/src/integration/src/bin/pivot_remote_tls.rs index 3d041bfd..f5f8eca0 100644 --- a/src/integration/src/bin/pivot_remote_tls.rs +++ b/src/integration/src/bin/pivot_remote_tls.rs @@ -58,9 +58,8 @@ impl RequestProcessor for Processor { .unwrap(); let mut tls = rustls::Stream::new(&mut conn, &mut stream); - let http_request = format!( - "GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n" - ); + let http_request = + format!("GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"); tls.write_all(http_request.as_bytes()).unwrap(); diff --git a/src/qos_client/src/cli/mod.rs b/src/qos_client/src/cli/mod.rs index 437fd714..417210d4 100644 --- a/src/qos_client/src/cli/mod.rs +++ b/src/qos_client/src/cli/mod.rs 
@@ -499,11 +499,11 @@ impl Command { } fn display_type_token() -> Token { Token::new( - DISPLAY_TYPE, - "The type contained in the file (manifest, manifest-envelope, genesis-output)." - ) - .takes_value(true) - .required(true) + DISPLAY_TYPE, + "The type contained in the file (manifest, manifest-envelope, genesis-output).", + ) + .takes_value(true) + .required(true) } fn dr_key_path_token() -> Token { Token::new(DR_KEY_PATH, "Path to a DR key certificate") diff --git a/src/qos_client/src/cli/services.rs b/src/qos_client/src/cli/services.rs index a1d01f78..f240c41a 100644 --- a/src/qos_client/src/cli/services.rs +++ b/src/qos_client/src/cli/services.rs @@ -547,7 +547,10 @@ pub(crate) fn verify_genesis>( let genesis_output_path = namespace_dir.as_ref().join(GENESIS_OUTPUT_FILE); let genesis_output = GenesisOutput::try_from_slice( &fs::read(genesis_output_path).expect("Failed to read genesis output file"), - ).expect("Failed to deserialize genesis output - check that qos_client and qos_core version line up"); + ) + .expect( + "Failed to deserialize genesis output - check that qos_client and qos_core version line up", + ); let master_seed_hex = fs::read_to_string(&master_seed_path) .expect("Failed to read master seed to string"); @@ -1167,8 +1170,10 @@ pub(crate) fn get_attestation_doc>( }) => (document, manifest_envelope), Ok(ProtocolMsg::LiveAttestationDocResponse { nsm_response: _, - manifest_envelope: None - }) => panic!("ManifestEnvelope does not exist in enclave - likely waiting for boot instruction"), + manifest_envelope: None, + }) => panic!( + "ManifestEnvelope does not exist in enclave - likely waiting for boot instruction" + ), r => panic!("Unexpected response: {r:?}"), }; 
@@ -1391,7 +1396,9 @@ where approvers.sort(); let approvers = approvers.join("\n"); - let prompt = format!("The following manifest set members approved:\n{approvers}\nIs this ok? (yes/no)"); + let prompt = format!( + "The following manifest set members approved:\n{approvers}\nIs this ok? (yes/no)" + ); if !prompter.prompt_is_yes(&prompt) { return false; @@ -1888,15 +1895,12 @@ fn find_approvals>( boot_dir: P, manifest: &Manifest, ) -> Vec { - let approvals: Vec<_> = find_file_paths(&boot_dir) + let approvals: Vec<_> = find_file_paths(&boot_dir) .iter() .filter_map(|path| { let file_name = split_file_name(path); // Only look at files with the approval extension - if file_name - .last() - .map_or(true, |s| s.as_str() != APPROVAL_EXT) - { + if file_name.last().map_or(true, |s| s.as_str() != APPROVAL_EXT) { return None; }; @@ -1907,7 +1911,8 @@ fn find_approvals>( assert!( manifest.manifest_set.members.contains(&approval.member), - "Found approval from member ({:?}) not included in the Manifest Set", approval.member.alias + "Found approval from member ({:?}) not included in the Manifest Set", + approval.member.alias ); let pub_key = P256Public::from_bytes(&approval.member.pub_key) @@ -2554,10 +2559,7 @@ mod tests { )); let output = String::from_utf8(vec_out).unwrap(); - assert_eq!( - &output, - "Is this the correct namespace name: test-namespace? (yes/no)\n" - ); + assert_eq!(&output, "Is this the correct namespace name: test-namespace? (yes/no)\n"); } #[test] @@ -2806,7 +2808,10 @@ mod tests { let output = String::from_utf8(vec_out).unwrap(); let output: Vec<_> = output.trim().split('\n').collect(); - assert_eq!(output.last().unwrap(), &"Does this AWS IAM role belong to the intended organization: pr3? (yes/no)"); + assert_eq!( + output.last().unwrap(), + &"Does this AWS IAM role belong to the intended organization: pr3? (yes/no)" + ); } #[test] diff --git a/src/qos_core/src/parser.rs b/src/qos_core/src/parser.rs index 895179d8..3e34effc 100644 
--- a/src/qos_core/src/parser.rs +++ b/src/qos_core/src/parser.rs @@ -27,9 +27,16 @@ impl fmt::Display for ParserError { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { match self { Self::UnexpectedInput(u) => write!(f, "found {u}, which was not an expected argument"), - Self::DuplicateInput(i) => write!(f, "found argument {i} more then once, but only one instance was expected"), - Self::MutuallyExclusiveInput(y, z) => write!(f, "arguments {y} and {z} are mutually exclusive and cannot be used at the same time"), - Self::MissingValue(i) => write!(f, "found argument {i}, which requires a value, but no value was given"), + Self::DuplicateInput(i) => { + write!(f, "found argument {i} more then once, but only one instance was expected") + } + Self::MutuallyExclusiveInput(y, z) => write!( + f, + "arguments {y} and {z} are mutually exclusive and cannot be used at the same time" + ), + Self::MissingValue(i) => { + write!(f, "found argument {i}, which requires a value, but no value was given") + } Self::MissingInput(i) => write!(f, "argument {i} is required but was not found"), } } diff --git a/src/qos_core/src/protocol/services/genesis.rs b/src/qos_core/src/protocol/services/genesis.rs index 0a20e960..383acd53 100644 --- a/src/qos_core/src/protocol/services/genesis.rs +++ b/src/qos_core/src/protocol/services/genesis.rs 
@@ -129,21 +129,19 @@ pub(in crate::protocol) fn boot_genesis( genesis_set.threshold as usize, ); - let member_outputs: Result, _> = - zip(shares, genesis_set.members.iter().cloned()) - .map(|(share, share_set_member)| -> Result{ - // 1) encrypt the share to quorum key - let personal_pub = P256Public::from_bytes(&share_set_member.pub_key)?; - let encrypted_quorum_key_share = - personal_pub.encrypt(&share)?; - - Ok(GenesisMemberOutput { - share_set_member, - encrypted_quorum_key_share, - share_hash: sha_512(&share), - }) + let member_outputs: Result, _> = zip(shares, genesis_set.members.iter().cloned()) + .map(|(share, share_set_member)| -> Result { + // 1) encrypt the share to quorum key + let personal_pub = P256Public::from_bytes(&share_set_member.pub_key)?; + let encrypted_quorum_key_share = personal_pub.encrypt(&share)?; + + Ok(GenesisMemberOutput { + share_set_member, + encrypted_quorum_key_share, + share_hash: sha_512(&share), }) - .collect(); + }) + .collect(); let dr_key_wrapped_quorum_key = if let Some(dr_key) = maybe_dr_key { let dr_public = P256Public::from_bytes(&dr_key) diff --git a/src/qos_core/src/protocol/services/key.rs b/src/qos_core/src/protocol/services/key.rs index be7b5fcb..c9601d9f 100644 --- a/src/qos_core/src/protocol/services/key.rs +++ b/src/qos_core/src/protocol/services/key.rs @@ -447,7 +447,8 @@ mod test { let ephemeral_file: PathWrapper = "/tmp/boot_key_rejects_manifest_if_not_enough_approvals.secret" .into(); - let manifest_file: PathWrapper = "/tmp/boot_key_rejects_manifest_if_not_enough_approvals.manifest".into(); + let manifest_file: PathWrapper = + "/tmp/boot_key_rejects_manifest_if_not_enough_approvals.manifest".into(); let handles = Handles::new( ephemeral_file.deref().to_string(), 
@@ -524,9 +525,13 @@ mod test { fn rejects_manifest_with_bad_approval_signature() { let TestArgs { mut manifest_envelope, pivot, .. } = get_test_args(); - let pivot_file: PathWrapper = "/tmp/boot_key_rejects_rejects_manifest_with_bad_approval_signature.pivot".into(); - let ephemeral_file: PathWrapper = "/tmp/boot_key_rejects_rejects_manifest_with_bad_approval_signature.secret".into(); - let manifest_file: PathWrapper = "/tmp/boot_key_rejects_rejects_manifest_with_bad_approval_signature.manifest".into(); + let pivot_file: PathWrapper = + "/tmp/boot_key_rejects_rejects_manifest_with_bad_approval_signature.pivot".into(); + let ephemeral_file: PathWrapper = + "/tmp/boot_key_rejects_rejects_manifest_with_bad_approval_signature.secret".into(); + let manifest_file: PathWrapper = + "/tmp/boot_key_rejects_rejects_manifest_with_bad_approval_signature.manifest" + .into(); let handles = Handles::new( ephemeral_file.deref().to_string(), @@ -578,9 +583,12 @@ mod test { member: non_member, }; - let pivot_file: PathWrapper = "/tmp/boot_key_reject_manifest_with_approval_from_non_memberpivot".into(); - let ephemeral_file: PathWrapper = "/tmp/boot_key_reject_manifest_with_approval_from_non_membersecret".into(); - let manifest_file: PathWrapper = "/tmp/boot_key_reject_manifest_with_approval_from_non_membermanifest".into(); + let pivot_file: PathWrapper = + "/tmp/boot_key_reject_manifest_with_approval_from_non_memberpivot".into(); + let ephemeral_file: PathWrapper = + "/tmp/boot_key_reject_manifest_with_approval_from_non_membersecret".into(); + let manifest_file: PathWrapper = + "/tmp/boot_key_reject_manifest_with_approval_from_non_membermanifest".into(); let handles = Handles::new( ephemeral_file.deref().to_string(), diff --git a/src/qos_hex/src/lib.rs b/src/qos_hex/src/lib.rs index 90f96888..216fec08 100644 --- a/src/qos_hex/src/lib.rs +++ b/src/qos_hex/src/lib.rs 
@@ -115,7 +115,7 @@ pub fn decode(raw_s: &str) -> Result, HexError> { verify_ascii(&sanitized_s_bytes[i])?; verify_ascii(&sanitized_s_bytes[i + 1])?; - let s = std::str::from_utf8(&sanitized_s_bytes[i..i+2]) + let s = std::str::from_utf8(&sanitized_s_bytes[i..i + 2]) .expect("We ensure that input slice represents ASCII above. qed."); u8::from_str_radix(s, 16).map_err(Into::into) }) diff --git a/src/qos_host/src/lib.rs b/src/qos_host/src/lib.rs index d4ba6816..ef3e15c6 100644 --- a/src/qos_host/src/lib.rs +++ b/src/qos_host/src/lib.rs @@ -250,9 +250,11 @@ impl HostServer { let enc_manifest_envelope_resp = state .enclave_client .send(&enc_manifest_envelope_req) - .map_err(|e| - Error(format!("error while trying to send manifest envelope socket request to enclave: {e:?}")) - )?; + .map_err(|e| { + Error(format!( + "error while trying to send manifest envelope socket request to enclave: {e:?}" + )) + })?; let manifest_envelope_resp = ProtocolMsg::try_from_slice( &enc_manifest_envelope_resp, @@ -311,7 +313,8 @@ impl HostServer { match state.enclave_client.send(&encoded_request) { Ok(encoded_response) => (StatusCode::OK, encoded_response), Err(e) => { - let msg = format!("Error while trying to send request over socket to enclave: {e:?}"); + let msg = + format!("Error while trying to send request over socket to enclave: {e:?}"); eprint!("{msg}"); ( diff --git a/src/qos_net/src/proxy.rs b/src/qos_net/src/proxy.rs index 6018ece2..cfb36895 100644 --- a/src/qos_net/src/proxy.rs +++ b/src/qos_net/src/proxy.rs @@ -106,7 +106,9 @@ impl Proxy { let remote_ip = conn.ip.clone(); match self.save_connection(conn) { Ok(()) => { - println!("Connection to {hostname} established and saved as ID {connection_id}"); + println!( + "Connection to {hostname} established and saved as ID {connection_id}" + ); ProxyMsg::ConnectResponse { connection_id, remote_ip } } Err(e) => { 
@@ -323,7 +325,8 @@ mod test { panic!("test failure: msg is not ConnectResponse") } }; - let http_request = "GET / HTTP/1.1\r\nHost: api.turnkey.com\r\nConnection: close\r\n\r\n".to_string(); + let http_request = + "GET / HTTP/1.1\r\nHost: api.turnkey.com\r\nConnection: close\r\n\r\n".to_string(); let request = borsh::to_vec(&ProxyMsg::WriteRequest { connection_id, diff --git a/src/qos_net/src/proxy_stream.rs b/src/qos_net/src/proxy_stream.rs index 9c7e7631..6b691f0a 100644 --- a/src/qos_net/src/proxy_stream.rs +++ b/src/qos_net/src/proxy_stream.rs @@ -139,9 +139,9 @@ impl Read for ProxyStream { let stream: Stream = Stream::connect(&self.addr, self.timeout) .map_err(|e| { std::io::Error::new( - ErrorKind::NotConnected, - format!("Error while connecting to socket (sending read request): {:?}", e), - ) + ErrorKind::NotConnected, + format!("Error while connecting to socket (sending read request): {:?}", e), + ) })?; let req = borsh::to_vec(&ProxyMsg::ReadRequest { @@ -172,7 +172,14 @@ impl Read for ProxyStream { )); } if data.len() > buf.len() { - return Err(std::io::Error::new(ErrorKind::InvalidData, format!("overflow: cannot read {} bytes into a buffer of {} bytes", data.len(), buf.len()))); + return Err(std::io::Error::new( + ErrorKind::InvalidData, + format!( + "overflow: cannot read {} bytes into a buffer of {} bytes", + data.len(), + buf.len() + ), + )); } // Copy data into buffer @@ -203,9 +210,9 @@ impl Write for ProxyStream { let stream: Stream = Stream::connect(&self.addr, self.timeout) .map_err(|e| { std::io::Error::new( - ErrorKind::NotConnected, - format!("Error while connecting to socket (sending read request): {:?}", e), - ) + ErrorKind::NotConnected, + format!("Error while connecting to socket (sending read request): {:?}", e), + ) })?; let req = borsh::to_vec(&ProxyMsg::WriteRequest { 
@@ -222,9 +229,9 @@ impl Write for ProxyStream { let resp_bytes = stream.recv().map_err(|e| { std::io::Error::new( - ErrorKind::Other, - format!("QOS IOError receiving bytes from stream after WriteRequest: {:?}", e), - ) + ErrorKind::Other, + format!("QOS IOError receiving bytes from stream after WriteRequest: {:?}", e), + ) })?; match ProxyMsg::try_from_slice(&resp_bytes) { @@ -254,9 +261,9 @@ impl Write for ProxyStream { let stream: Stream = Stream::connect(&self.addr, self.timeout) .map_err(|e| { std::io::Error::new( - ErrorKind::NotConnected, - format!("Error while connecting to socket (sending read request): {:?}", e), - ) + ErrorKind::NotConnected, + format!("Error while connecting to socket (sending read request): {:?}", e), + ) })?; let req = borsh::to_vec(&ProxyMsg::FlushRequest { @@ -273,9 +280,9 @@ impl Write for ProxyStream { let resp_bytes = stream.recv().map_err(|e| { std::io::Error::new( - ErrorKind::Other, - format!("QOS IOError receiving bytes from stream after FlushRequest: {:?}", e), - ) + ErrorKind::Other, + format!("QOS IOError receiving bytes from stream after FlushRequest: {:?}", e), + ) })?; match ProxyMsg::try_from_slice(&resp_bytes) { @@ -470,7 +477,14 @@ mod test { )); } if data.len() > buf.len() { - return Err(std::io::Error::new(ErrorKind::InvalidData, format!("overflow: cannot read {} bytes into a buffer of {} bytes", data.len(), buf.len()))); + return Err(std::io::Error::new( + ErrorKind::InvalidData, + format!( + "overflow: cannot read {} bytes into a buffer of {} bytes", + data.len(), + buf.len() + ), + )); } // Copy data into buffer diff --git a/src/rustfmt.toml b/src/rustfmt.toml index a416aea0..f0bfed14 100644 --- a/src/rustfmt.toml +++ b/src/rustfmt.toml 
@@ -6,13 +6,15 @@ tab_spaces = 4 # Line wrapping use_small_heuristics = "Max" -wrap_comments = true max_width = 80 +# Not a stable feature yet, can't use consistently on StageX builds +# wrap_comments = true # Imports -imports_granularity = "Crate" reorder_imports = true -group_imports = "StdExternalCrate" +# Not a stable feature yet, can't use consistently on StageX builds +# imports_granularity = "Crate" +# group_imports = "StdExternalCrate" # Random use_field_init_shorthand = true From 4c53237253bc9af23e379663dafa882c62ac47ed Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Tue, 12 Nov 2024 10:42:23 -0600 Subject: [PATCH 06/11] Add TODO to rustfmt --- src/rustfmt.toml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/rustfmt.toml b/src/rustfmt.toml index f0bfed14..5a928459 100644 --- a/src/rustfmt.toml +++ b/src/rustfmt.toml @@ -7,15 +7,16 @@ tab_spaces = 4 # Line wrapping use_small_heuristics = "Max" max_width = 80 -# Not a stable feature yet, can't use consistently on StageX builds -# wrap_comments = true # Imports reorder_imports = true -# Not a stable feature yet, can't use consistently on StageX builds -# imports_granularity = "Crate" -# group_imports = "StdExternalCrate" # Random use_field_init_shorthand = true newline_style = "Unix" + +# These lints are not available on stable Rust toolchains, hence can't be used on StageX builds. +# TODO: consider re-enabling them when they've made their way to stable rustfmt +# wrap_comments = true +# imports_granularity = "Crate" +# group_imports = "StdExternalCrate" From 116472bda49a1d9934f69b5e58b0ac7fe463e34d Mon Sep 17 00:00:00 2001 From: Arnaud Brousseau Date: Tue, 12 Nov 2024 11:12:02 -0600 Subject: [PATCH 07/11] Upgrade Rust and other stagex images to recent versions --- src/images/common/Containerfile | 48 ++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 22 deletions(-) 
diff --git a/src/images/common/Containerfile b/src/images/common/Containerfile index 28e9a485..2a43b0a2 100644 --- a/src/images/common/Containerfile +++ b/src/images/common/Containerfile 
@@ -1,27 +1,31 @@ -FROM stagex/bash:sx2024.03.0@sha256:d1cbbb56847e6b1e7b879214aa6926b6fdfa210e9b42a2f612a6aea850ddeefc AS bash -FROM stagex/binutils:sx2024.03.0@sha256:3af41227e1fe6a8f9b3df9916ef4876840f33eaa172168e1db1d8f457ba011d5 AS binutils -FROM stagex/ca-certificates:sx2024.03.0@sha256:6746d2d203be3455bfc5ffd5a051c8edb73ecfd7be77c3da5a2973003a30794f AS ca-certificates -FROM stagex/coreutils:sx2024.03.0@sha256:cf4032ca6b5f912a8b9d572d527d388401b68a0c9224cc086173e46bc4e1eabe AS coreutils -FROM stagex/eif_build:sx2024.03.0@sha256:6f3fed0aeaf9f9eebb43a370a5495fab92fcb21119fc23e261f0f24e1174009c AS eif_build -FROM stagex/file:sx2024.03.0@sha256:7fd68d1e7d5e1d3b1e52433bb6709f28d3e362ea89c9e13586b852ca0412f640 AS file -FROM stagex/filesystem:sx2024.03.0@sha256:42c8353db508ac79599df38c684502e50167352de2cddc5aea9b89486e7f8498 AS filesystem -FROM stagex/findutils:sx2024.03.0@sha256:475ea3488840297454f0f20b58e1b8292bf9b3944f901e3fce432fa4afeaa4cd AS findutils -FROM stagex/gcc:sx2024.03.0@sha256:25798fdde278a9f1f27e4092a1668e93d2766d4f8b089fba38d4684b20a9b0f7 AS gcc -FROM stagex/gen_initramfs:sx2024.03.0@sha256:a51c840a1c82dbc00c0a813964195d4f4bcb20463701083999320f826ffa49bf AS gen_initramfs -FROM stagex/git:sx2024.03.0@sha256:2c11f2daf9b8c1738cbd966b6de5dd0bcfaf81b675c2d268d30f972ddab9d9df AS git -FROM stagex/grep:sx2024.03.0@sha256:589465adc0125128c21534eb560299c335a41935e0ce182a632f4b739bf25c60 AS grep -FROM stagex/libunwind:sx2024.03.0@sha256:e74819e47c79f68a008302927ef02a5aa39cf12e859a8dfeccf9d1b4769b4833 AS libunwind -FROM stagex/linux-nitro:sx2024.03.0@sha256:073c4603686e3bdc0ed6755fee3203f6f6f1512e0ded09eaea8866b002b04264 AS linux-nitro -FROM stagex/llvm13:sx2024.03.0@sha256:97d0f3d32f58dca648cd70b0d58364d9bea5170bb99054c0a0b19ef57a7da7b1 AS llvm13 -FROM stagex/llvm:sx2024.03.0@sha256:8e361f1da92e956d947e37b6fc0a3951fcc1130863e2d3a9b4fca40ab4fd07f6 AS llvm -FROM stagex/musl-fts:sx2024.03.0@sha256:73c3c4647010f7151c711ed5005ef946c7c1a19c6e8921e057b5dbc15ef9559a 
AS musl-fts -FROM stagex/musl:sx2024.03.0@sha256:7db05e6817058a512a66ea82f3b99163069424c281363c2e9a48091d0d1d3bd9 AS musl -FROM stagex/musl-obstack:sx2024.03.0@sha256:4b6737815460908f666fa7a8e91138610d0a0909c408165a575ffb42bf21cd66 AS musl-obstack -FROM stagex/openssl:sx2024.03.0@sha256:1a2f656ced34d1ade99279c5663fcf0ec4f6526bcc50142079ef8adc080be3a9 AS openssl +FROM stagex/bash:5.2.21@sha256:cb58f55d268fbe7ef629cda86e3a8af893066e4af7f26ef54748b6ad47bdaa66 AS bash +FROM stagex/binutils:2.43.1@sha256:30a1bd110273894fe91c3a4a2103894f53eaac43cf12a035008a6982cb0e6908 AS binutils +FROM stagex/ca-certificates:sx2024.11.0@sha256:a84695f983a448a82acfe78af11f33c6a66b27124266e1fdc3ecfb8dc5852573 AS ca-certificates +FROM stagex/coreutils:9.4@sha256:1955f532d8923b5e17f60635c994bd9577bb3e6bccb5da702a69e79070bae0a9 AS coreutils +FROM stagex/eif_build:0.2.2@sha256:9d086a2743f9df4eddf934c7b68c9dee4a7fb131b6465a24237a67f6c359dfb0 AS eif_build +FROM stagex/file:5.45@sha256:f1053114ea2ef35dc04bd1d1f1572c3f1b86e3d57dffda99faac9e191bd7ab5d AS file +FROM stagex/filesystem:sx2024.11.0@sha256:d03195563f548c3ac8f34acf777b7e86f0d0d049a9430d715e5774eb7cc93302 AS filesystem +FROM stagex/findutils:4.9.0@sha256:d92494daaf08999aac0a277327d240a0149494716707fbce93381df058f693e2 AS findutils +FROM stagex/gcc:13.1.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc +FROM stagex/gen_initramfs:6.8@sha256:f5b9271cca6003e952cbbb9ef041ffa92ba328894f563d1d77942e6b5cdeac1a AS gen_initramfs +FROM stagex/git:2.9.5@sha256:29a02c423a4b55fa72cf2fce89f3bbabd1defea86d251bb2aea84c056340ab22 AS git +FROM stagex/grep:3.11@sha256:576288125a7ecda969285e5edfaedef479c4bc18cba8230c0502000fdf2586c1 AS grep +FROM stagex/libunwind:1.7.2@sha256:97ee6068a8e8c9f1c74409f80681069c8051abb31f9559dedf0d0d562d3bfc82 AS libunwind + +FROM stagex/linux-nitro:5.19.6@sha256:e6c8a861f9b18edfad56b1aa130feb822a25987c71e2b2932b020750dd7325bc AS linux-nitro +FROM 
stagex/llvm13:13.0.1@sha256:aa60e2883ecf2070c7591fc29622a578c8ea24a14a2b7fcce95d3e5d9c00b101 AS llvm13 +FROM stagex/llvm:18.1.8@sha256:30517a41af648305afe6398af5b8c527d25545037df9d977018c657ba1b1708f AS llvm +FROM stagex/musl-fts:1.2.7@sha256:87edcc648085e8fd6cd8a6ebc94a9464181c3035a00266c621c6450f5d7c66d8 AS musl-fts +FROM stagex/musl:1.2.4@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl +FROM stagex/musl-obstack:1.2.3@sha256:2a308833441b46a64a1fa5cf90d0bb75dec4807d5a15035776165db88ca661fd AS musl-obstack +FROM stagex/openssl:3.0.12@sha256:2c1a9d8fcc6f52cb11a206f380b17d74c1079f04cbb08071a4176648b4df52c1 AS openssl +# This is using an old version of pcsc-lite since upgrading to v2.2.3 broke +# static builds. Once we have confirmed an updated pcsc-lite has fixed this +# issue, we should upgrade this again. FROM stagex/pcsc-lite:sx2024.03.0@sha256:e720e1795706c7c8c1db14bf730b10521e3ff42e4bed90addc590f7446aac8af AS pcsc-lite -FROM stagex/pkgconf:sx2024.03.0@sha256:31ce4eddaf4e777ddb51f01923089f3321ec5272ca0aa834d475f644279209b8 AS pkgconf +FROM stagex/pkgconf:1.6.3@sha256:ba7fce4108b721e8bf1a0d993a5f9be9b65eceda8ba073fe7e8ebca2a31b1494 AS pkgconf FROM stagex/rust:1.81.0@sha256:b7c834268a81bfcc473246995c55b47fe18414cc553e3293b6294fde4e579163 AS rust -FROM stagex/zlib:sx2024.03.0@sha256:de8f56f3ece28b14d575329bead53fc5318962ae3cb8f161a2d69710f7ec51f4 AS zlib +FROM stagex/zlib:1.3.1@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib FROM stagex/make:4.4@sha256:df43f0cf3ac1ad91bf91baefb539e8df42c11b0954a6e2498322a5467deb81e3 AS make FROM scratch AS base From 8992a0aee461ffb617c37467ecebf8af17c8fca2 Mon Sep 17 00:00:00 2001 
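Review bot: The `git` stage is now tagged `stagex/git:2.9.5`, which, if the tag tracks the upstream git version, is a much older release line than the other tools pinned in this hunk. The digest is what actually gets pulled, so it is worth confirming that this image carries the git security fixes you expect before using it in the build container. Separately, the new comment explaining why `pcsc-lite` stays on `sx2024.03.0` has no owner or tracking reference, so the old pin could easily outlive the static-build problem. Consider extending it to `# TODO(<issue-id>): re-test static builds with a newer pcsc-lite and bump this pin`.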
From: Arnaud Brousseau Date: Tue, 12 Nov 2024 11:34:43 -0600 Subject: [PATCH 08/11] Lint fixes --- src/qos_client/src/cli/mod.rs | 8 ++++---- src/qos_client/src/cli/services.rs | 6 +++--- src/qos_core/src/protocol/error.rs | 6 +++--- src/qos_core/src/protocol/services/boot.rs | 4 ++-- src/qos_host/src/cli.rs | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/qos_client/src/cli/mod.rs b/src/qos_client/src/cli/mod.rs index 417210d4..f6ef16c0 100644 --- a/src/qos_client/src/cli/mod.rs +++ b/src/qos_client/src/cli/mod.rs @@ -203,13 +203,13 @@ pub enum Command { ExportKey, /// Inject a quorum key into a non-fully provisioned enclave InjectKey, - /// Verify a signature from qos_p256 pair. + /// Verify a signature from `qos_p256` pair. P256Verify, /// Sign with a p256 signature. P256Sign, - /// Encrypt to a qos_p256 public key. + /// Encrypt to a `qos_p256` public key. P256AsymmetricEncrypt, - /// Decrypt a payload encrypted to a qos_p256 public key. + /// Decrypt a payload encrypted to a `qos_p256` public key. P256AsymmetricDecrypt, } @@ -979,7 +979,7 @@ impl ClientOpts { } fn secret_path(&self) -> Option { - self.parsed.single(SECRET_PATH).map(String::clone) + self.parsed.single(SECRET_PATH).cloned() } fn share_path(&self) -> String { diff --git a/src/qos_client/src/cli/services.rs b/src/qos_client/src/cli/services.rs index f240c41a..bee01c6f 100644 --- a/src/qos_client/src/cli/services.rs +++ b/src/qos_client/src/cli/services.rs @@ -2783,7 +2783,7 @@ mod tests { )); let output = String::from_utf8(vec_out).unwrap(); - let output: Vec<_> = output.trim().split('\n').collect(); + let output: Vec<_> = output.lines().collect(); assert_eq!( output.last().unwrap(), &"Is this the correct namespace nonce: 2? (yes/no)" 
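Review bot: In the `@@ -2783` test hunk, `output.lines().collect()` is not an exact replacement for `output.trim().split('\n').collect()`. `trim()` dropped leading and trailing blank lines and surrounding whitespace, while `lines()` keeps a leading empty line and yields an empty final element when the output ends with a blank line. The `.last()` assertion here, the one in the `@@ -2807` hunk and the `output[3]` index in the `@@ -2831` hunk therefore now depend on the prompt output having no blank first or last line. If that is the intended contract, a comment such as `// prompt output has no leading or trailing blank lines, so lines() indexes are stable` would record it. The test function itself starts outside the hunk.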
@@ -2807,7 +2807,7 @@ mod tests {
 ));
 let output = String::from_utf8(vec_out).unwrap();
- let output: Vec<_> = output.trim().split('\n').collect();
+ let output: Vec<_> = output.lines().collect();
 assert_eq!(
 output.last().unwrap(),
 &"Does this AWS IAM role belong to the intended organization: pr3? (yes/no)"
@@ -2831,7 +2831,7 @@ mod tests {
 ));
 let output = String::from_utf8(vec_out).unwrap();
- let output: Vec<_> = output.trim().split('\n').collect();
+ let output: Vec<_> = output.lines().collect();
 assert_eq!(
 output[3],
diff --git a/src/qos_core/src/protocol/error.rs b/src/qos_core/src/protocol/error.rs
index 74e5f4bb..767ef63e 100644
--- a/src/qos_core/src/protocol/error.rs
+++ b/src/qos_core/src/protocol/error.rs
@@ -22,7 +22,7 @@ pub enum ProtocolError {
 /// Cryptography error
 /// Approval was not valid for a manifest.
 InvalidManifestApproval(boot::Approval),
- /// [boot::ManifestEnvelope] did not have approvals
+ /// [`boot::ManifestEnvelope`] did not have approvals
 NotEnoughApprovals,
 /// Protocol Message could not be matched against an available route.
 /// Ensure the executor is in the correct phase.
@@ -93,9 +93,9 @@ pub enum ProtocolError {
 BadShareSetApprovals,
 /// Could not verify a message against an approval
 CouldNotVerifyApproval,
- /// Not a member of the [boot::ShareSet].
+ /// Not a member of the [`boot::ShareSet`].
 NotShareSetMember,
- /// Not a member of the [boot::ManifestSet].
+ /// Not a member of the [`boot::ManifestSet`].
 NotManifestSetMember,
 /// `qos_p256` Error wrapper.
 P256Error(qos_p256::P256Error),
diff --git a/src/qos_core/src/protocol/services/boot.rs b/src/qos_core/src/protocol/services/boot.rs
index 3bf30a9c..0341a448 100644
--- a/src/qos_core/src/protocol/services/boot.rs
+++ b/src/qos_core/src/protocol/services/boot.rs
@@ -154,7 +154,7 @@ pub struct QuorumMember {
 /// cryptographically guaranteed and thus should not be trusted without
 /// verification.
 pub alias: String,
- /// P256Public as bytes
+ /// `P256Public` as bytes
 #[serde(with = "qos_hex::serde")]
 pub pub_key: Vec,
 }
@@ -272,7 +272,7 @@ pub struct PatchSet {
 #[cfg_attr(any(feature = "mock", test), derive(Default))]
 pub struct Namespace {
 /// The namespace. This should be unique relative to other namespaces the
- /// organization running QuorumOs has.
+ /// organization running `QuorumOs` has.
 pub name: String,
 /// A monotonically increasing value, used to identify the order in which
 /// manifests for this namespace have been created. This is used to prevent
diff --git a/src/qos_host/src/cli.rs b/src/qos_host/src/cli.rs
index 47a2bd29..818d2e30 100644
--- a/src/qos_host/src/cli.rs
+++ b/src/qos_host/src/cli.rs
@@ -138,7 +138,7 @@ impl HostOpts {
 }
 fn base_path(&self) -> Option {
- self.parsed.single(ENDPOINT_BASE_PATH).map(Clone::clone)
+ self.parsed.single(ENDPOINT_BASE_PATH).cloned()
 }
 #[cfg(feature = "vm")]
From dd546948a2dd234912c538dca8ceaf9ab189d0bf Mon Sep 17 00:00:00 2001
From: Arnaud Brousseau
Date: Tue, 12 Nov 2024 14:28:50 -0600
Subject: [PATCH 09/11] Fix Harakiri server to use Drop and fd
---
 src/qos_core/src/handles.rs | 2 +-
 src/qos_core/src/io/stream.rs | 48 ++++++++++++++++++++++-------------
 2 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/src/qos_core/src/handles.rs b/src/qos_core/src/handles.rs
index 89ccb411..679ecbc6 100644
--- a/src/qos_core/src/handles.rs
+++ b/src/qos_core/src/handles.rs
@@ -305,7 +305,7 @@ mod test {
 let ephemeral_file: PathWrapper =
 "put_quorum_key_is_read_only_write_eph.secret".into();
 let quorum_file: PathWrapper =
- "put_pivot_is_read_only_write_quor.secret".into();
+ "put_quorum_key_is_read_only_write_quor.secret".into();
 let manifest_file: PathWrapper =
 "put_quorum_key_is_read_only_write.manifest".into();
diff --git a/src/qos_core/src/io/stream.rs b/src/qos_core/src/io/stream.rs
index a695694a..44ba7536 100644
--- a/src/qos_core/src/io/stream.rs
+++ b/src/qos_core/src/io/stream.rs
@@ -385,43 +385,53 @@ mod test {
 // Then it kills itself.
 pub struct HarakiriPongServer {
 path: String,
+ fd: Option,
 }
 impl HarakiriPongServer {
 pub fn new(path: String) -> Self {
- Self { path }
+ Self { path, fd: None }
 }
 pub fn start(&mut self) {
 let listener = UnixListener::bind(&self.path).unwrap();
- let path = self.path.clone();
- thread::spawn(move || {
- let (mut stream, _peer_addr) = listener.accept().unwrap();
+ self.fd = Some(listener.as_raw_fd());
- // Read 4 bytes ("PING")
- let mut buf = [0u8; 4];
- stream.read_exact(&mut buf).unwrap();
+ let (mut stream, _peer_addr) = listener.accept().unwrap();
- // Send "PONG" if "PING" was sent
- if from_utf8(&buf).unwrap() == "PING" {
- let _ = stream.write(b"PONG").unwrap();
- }
+ // Read 4 bytes ("PING")
+ let mut buf = [0u8; 4];
+ stream.read_exact(&mut buf).unwrap();
+
+ // Send "PONG" if "PING" was sent
+ if from_utf8(&buf).unwrap() == "PING" {
+ let _ = stream.write(b"PONG").unwrap();
+ }
+ }
+ }
- // Then shutdown the server
- let _ = shutdown(listener.as_raw_fd(), Shutdown::Both);
- let _ = close(listener.as_raw_fd());
+ impl Drop for HarakiriPongServer {
+ fn drop(&mut self) {
+ if let Some(fd) = &self.fd {
+ // Cleanup server fd if we have access to one
+ let _ = shutdown(fd.to_owned(), Shutdown::Both);
+ let _ = close(fd.to_owned());
- let server_socket = Path::new(&path);
+ let server_socket = Path::new(&self.path);
 if server_socket.exists() {
 drop(std::fs::remove_file(server_socket));
 }
- });
+ println!("HarakiriPongServer dropped successfully.")
+ } else {
+ println!(
+ "HarakiriPongServer dropped without a fd set. All done."
+ )
+ }
 }
 }
 #[test]
 fn stream_integration_test() {
- // Ensure concurrent tests are not attempting to listen at the same
- // address
+ // Ensure concurrent tests do not listen at the same path
 let unix_addr =
 nix::sys::socket::UnixAddr::new("./stream_integration_test.sock")
 .unwrap();
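Review bot: The descriptor saved in `fd` is already closed by the time `Drop` runs: `listener` is a local of `start()`, so it is dropped, and its descriptor closed, when `start()` returns, and `drop()` then calls `shutdown` and `close` on a number that may by then belong to another socket or file opened elsewhere in the test process. Both results are discarded with `let _`, so a failed or misdirected close stays silent. Keeping the `UnixListener` itself in the struct lets its own drop close the descriptor exactly once and leaves only the socket-file removal to `Drop`. The field's type parameter is not legible on this page, so the raw-descriptor type is inferred from `as_raw_fd()`.

```rust
pub struct HarakiriPongServer {
    path: String,
    // Owning the listener keeps its descriptor valid until Drop runs.
    listener: Option<UnixListener>,
}

// … unchanged: new(), with `listener: None` in place of `fd: None` …

    pub fn start(&mut self) {
        let listener =
            self.listener.insert(UnixListener::bind(&self.path).unwrap());
        let (mut stream, _peer_addr) = listener.accept().unwrap();
        // … unchanged: PING/PONG exchange …
    }

impl Drop for HarakiriPongServer {
    fn drop(&mut self) {
        // Dropping the owned listener closes the descriptor exactly once.
        if self.listener.take().is_some() {
            // … unchanged: remove the socket file at self.path, success message …
        } else {
            // … unchanged: "dropped without a fd set" message …
        }
    }
}
```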
@@ -446,6 +456,8 @@ mod test {
 // request
 let mut server =
 HarakiriPongServer::new(socket_server_path.to_string());
+
+ // Start the server in its own thread
 thread::spawn(move || {
 server.start();
 });
From 47cec5d6a676219daadbdae3e572b4154058df38 Mon Sep 17 00:00:00 2001
From: Arnaud Brousseau
Date: Wed, 13 Nov 2024 17:58:58 -0600
Subject: [PATCH 10/11] Align version on mono, this time completely
---
 src/images/common/Containerfile | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/images/common/Containerfile b/src/images/common/Containerfile
index 2a43b0a2..d55f2016 100644
--- a/src/images/common/Containerfile
+++ b/src/images/common/Containerfile
@@ -1,9 +1,9 @@
 FROM stagex/bash:5.2.21@sha256:cb58f55d268fbe7ef629cda86e3a8af893066e4af7f26ef54748b6ad47bdaa66 AS bash
 FROM stagex/binutils:2.43.1@sha256:30a1bd110273894fe91c3a4a2103894f53eaac43cf12a035008a6982cb0e6908 AS binutils
-FROM stagex/ca-certificates:sx2024.11.0@sha256:a84695f983a448a82acfe78af11f33c6a66b27124266e1fdc3ecfb8dc5852573 AS ca-certificates
+FROM stagex/ca-certificates:sx2024.09.0@sha256:33787f1feb634be4232a6dfe77578c1a9b890ad82a2cf18c11dd44507b358803 AS ca-certificates
 FROM stagex/coreutils:9.4@sha256:1955f532d8923b5e17f60635c994bd9577bb3e6bccb5da702a69e79070bae0a9 AS coreutils
-FROM stagex/eif_build:0.2.2@sha256:9d086a2743f9df4eddf934c7b68c9dee4a7fb131b6465a24237a67f6c359dfb0 AS eif_build
-FROM stagex/file:5.45@sha256:f1053114ea2ef35dc04bd1d1f1572c3f1b86e3d57dffda99faac9e191bd7ab5d AS file
+FROM stagex/eif_build:0.2.2@sha256:291653f1ca528af48fd05858749c443300f6b24d2ffefa7f5a3a06c27c774566 AS eif_build
+FROM stagex/file:5.45@sha256:b43a7f0bd50419a39d91d77a316bb888ed87c94aeb6f9eb11f12efd275ca4ab8 AS file
 FROM stagex/filesystem:sx2024.11.0@sha256:d03195563f548c3ac8f34acf777b7e86f0d0d049a9430d715e5774eb7cc93302 AS filesystem
 FROM stagex/findutils:4.9.0@sha256:d92494daaf08999aac0a277327d240a0149494716707fbce93381df058f693e2 AS findutils
 FROM stagex/gcc:13.1.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc
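Review bot: The `ca-certificates` pin in this hunk moves back from `sx2024.11.0` to `sx2024.09.0` with no comment, whereas the `linux-nitro` rollback in the next hunk records that it is deliberate. This image presumably supplies the root store of whatever is built from it, so an older bundle is a trust decision and should say why it is held back and when to undo it, e.g. `# Held at sx2024.09.0 because <reason>; move forward once <condition>.` above the line. `eif_build:0.2.2` and `file:5.45` keep their tags but receive new digests; the commit description should name where the replacement digests were taken from so a reviewer can compare them with the publisher's signed release data.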
@@ -11,10 +11,12 @@ FROM stagex/gen_initramfs:6.8@sha256:f5b9271cca6003e952cbbb9ef041ffa92ba328894f5
 FROM stagex/git:2.9.5@sha256:29a02c423a4b55fa72cf2fce89f3bbabd1defea86d251bb2aea84c056340ab22 AS git
 FROM stagex/grep:3.11@sha256:576288125a7ecda969285e5edfaedef479c4bc18cba8230c0502000fdf2586c1 AS grep
 FROM stagex/libunwind:1.7.2@sha256:97ee6068a8e8c9f1c74409f80681069c8051abb31f9559dedf0d0d562d3bfc82 AS libunwind
-
-FROM stagex/linux-nitro:5.19.6@sha256:e6c8a861f9b18edfad56b1aa130feb822a25987c71e2b2932b020750dd7325bc AS linux-nitro
+# This is using an old version of linux-nitro on a recommendation from Lance
+# Once we've confirmed the new version work we should upgrade this again.
+FROM stagex/linux-nitro:sx2024.03.0@sha256:073c4603686e3bdc0ed6755fee3203f6f6f1512e0ded09eaea8866b002b04264 AS linux-nitro
 FROM stagex/llvm13:13.0.1@sha256:aa60e2883ecf2070c7591fc29622a578c8ea24a14a2b7fcce95d3e5d9c00b101 AS llvm13
 FROM stagex/llvm:18.1.8@sha256:30517a41af648305afe6398af5b8c527d25545037df9d977018c657ba1b1708f AS llvm
+FROM stagex/make:4.4@sha256:df43f0cf3ac1ad91bf91baefb539e8df42c11b0954a6e2498322a5467deb81e3 AS make
 FROM stagex/musl-fts:1.2.7@sha256:87edcc648085e8fd6cd8a6ebc94a9464181c3035a00266c621c6450f5d7c66d8 AS musl-fts
 FROM stagex/musl:1.2.4@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl
 FROM stagex/musl-obstack:1.2.3@sha256:2a308833441b46a64a1fa5cf90d0bb75dec4807d5a15035776165db88ca661fd AS musl-obstack
@@ -26,7 +28,6 @@ FROM stagex/pcsc-lite:sx2024.03.0@sha256:e720e1795706c7c8c1db14bf730b10521e3ff42
 FROM stagex/pkgconf:1.6.3@sha256:ba7fce4108b721e8bf1a0d993a5f9be9b65eceda8ba073fe7e8ebca2a31b1494 AS pkgconf
 FROM stagex/rust:1.81.0@sha256:b7c834268a81bfcc473246995c55b47fe18414cc553e3293b6294fde4e579163 AS rust
 FROM stagex/zlib:1.3.1@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib
-FROM stagex/make:4.4@sha256:df43f0cf3ac1ad91bf91baefb539e8df42c11b0954a6e2498322a5467deb81e3 AS make
 FROM scratch AS base
 ENV TARGET=x86_64-unknown-linux-musl
From f2702c3dbb6d3ed9268f22da720a59bb388d3b0c Mon Sep 17 00:00:00 2001
From: Arnaud Brousseau
Date: Wed, 13 Nov 2024 22:24:56 -0600
Subject: [PATCH 11/11] Fix fetch_remote_tls_content test
---
 src/integration/tests/remote_tls.rs | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/integration/tests/remote_tls.rs b/src/integration/tests/remote_tls.rs
index b468d989..4c8a14f1 100644
--- a/src/integration/tests/remote_tls.rs
+++ b/src/integration/tests/remote_tls.rs
@@ -1,11 +1,13 @@
 use std::{process::Command, str};
+use borsh::BorshDeserialize;
 use integration::{PivotRemoteTlsMsg, PIVOT_REMOTE_TLS_PATH, QOS_NET_PATH};
 use qos_core::{
 client::Client,
 io::{SocketAddress, TimeVal, TimeValLike},
 protocol::ENCLAVE_APP_SOCKET_CLIENT_TIMEOUT_SECS,
 };
+
 use qos_test_primitives::ChildWrapper;
 const REMOTE_TLS_TEST_NET_PROXY_SOCKET: &str = "/tmp/remote_tls_test.net.sock";
@@ -40,7 +42,13 @@ fn fetch_remote_tls_content() {
 .unwrap();
 let response = enclave_client.send(&app_request).unwrap();
- let response_text = str::from_utf8(&response).unwrap();
+ let response_text =
+ match PivotRemoteTlsMsg::try_from_slice(&response).unwrap() {
+ PivotRemoteTlsMsg::RemoteTlsResponse(s) => s,
+ PivotRemoteTlsMsg::RemoteTlsRequest { host: _, path: _ } => {
+ panic!("unexpected RemoteTlsRequest sent as response")
+ }
+ };
 assert!(response_text.contains("Content fetched successfully"));
 assert!(response_text.contains("HTTP/1.1 200 OK"));
@@ -53,7 +61,13 @@ fn fetch_remote_tls_content() {
 .unwrap();
 let response = enclave_client.send(&app_request).unwrap();
- let response_text = str::from_utf8(&response).unwrap();
+ let response_text =
+ match PivotRemoteTlsMsg::try_from_slice(&response).unwrap() {
+ PivotRemoteTlsMsg::RemoteTlsResponse(s) => s,
+ PivotRemoteTlsMsg::RemoteTlsRequest { host: _, path: _ } => {
+ panic!("unexpected RemoteTlsRequest sent as response")
+ }
+ };
 assert!(response_text.contains("Content fetched successfully"));
 assert!(response_text.contains("HTTP/1.1 200 OK"));
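Review bot: The seven-line `match` that decodes the enclave response is pasted twice, in this hunk and again in the one at `-53,7 +61,13`; a small helper in the test file that takes the response bytes and returns the `RemoteTlsResponse` string would keep the two call sites from drifting apart. Inside it the request arm reads more directly as `PivotRemoteTlsMsg::RemoteTlsRequest { .. } => panic!("unexpected RemoteTlsRequest sent as response"),` than with `host: _, path: _` spelled out. `fetch_remote_tls_content` starts and ends outside both hunks.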