Merge pull request #45 from matter-labs/nix_fmt_clippy

ci: use `crane` flake to build with nix

.github/workflows/lint.yml

@@ -16,18 +16,38 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - name: Setup Rust toolchain
+      - uses: cachix/install-nix-action@v26
-        run: rustup show
+        with:
-      - run: cargo fmt --all -- --check
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+      - uses: cachix/cachix-action@v14
+        with:
+          name: nixsgx
+          extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: cargo fmt
+        run: nix build -L .#cargoFmt
 
   deny:
     name: cargo deny
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: EmbarkStudios/cargo-deny-action@v1
+      - uses: cachix/install-nix-action@v26
         with:
-          arguments: --workspace
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+      - uses: cachix/cachix-action@v14
+        with:
+          name: nixsgx
+          extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: cargo deny
+        run: nix build -L .#cargoDeny
 
   check-spdx-headers:
     runs-on: ubuntu-latest

.github/workflows/nix.yml

@@ -11,21 +11,6 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: cachix/install-nix-action@v26
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ github.token }}
-      - uses: cachix/cachix-action@v14
-        with:
-          name: nixsgx
-          extraPullNames: vault-auth-tee
-
-      - run: nix flake check -L --show-trace --keep-going
-
   fmt:
     runs-on: ubuntu-latest
     steps:
@@ -37,7 +22,10 @@ jobs:
       - uses: cachix/cachix-action@v14
         with:
           name: nixsgx
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
           extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
 
       - run: nix fmt . -- --check
 
@@ -52,14 +40,35 @@ jobs:
       - uses: cachix/cachix-action@v14
         with:
           name: nixsgx
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
           extraPullNames: vault-auth-tee
       - name: Enable magic Nix cache
         uses: DeterminateSystems/magic-nix-cache-action@main
 
       - name: cargo clippy
-        run: nix develop -L --ignore-environment -c cargo clippy --all
+        run: nix build -L .#cargoClippy
+
+  check:
+    needs: clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: cachix/install-nix-action@v26
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+      - uses: cachix/cachix-action@v14
+        with:
+          name: nixsgx
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - run: nix flake check -L --show-trace --keep-going
 
   build:
+    needs: check
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4

Cargo.lock

@@ -1824,18 +1824,18 @@ dependencies = [
 
 [[package]]
 name = "pin-project"
-version = "1.1.4"
+version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0302c4a0442c456bd56f841aee5c3bfd17967563f6fadc9ceb9f9c23cf3807e0"
+checksum = "b6bf43b791c5b9e34c3d182969b4abb522f9343702850a2e57f460d00d09b4b3"
 dependencies = [
  "pin-project-internal",
 ]
 
 [[package]]
 name = "pin-project-internal"
-version = "1.1.4"
+version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "266c042b60c9c76b8d53061e52b2e0d1116abc57cefc8c5cd671619a56ac3690"
+checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965"
 dependencies = [
  "proc-macro2",
  "quote",

Cargo.toml

@@ -1,56 +1,6 @@
-[package]
-name = "teepot"
-description = "TEE secret manager"
-# no MIT license, because of copied code from:
-# * https://github.com/enarx/enarx
-# * https://github.com/enarx/sgx
-license = "Apache-2.0"
-version.workspace = true
-edition.workspace = true
-authors.workspace = true
-repository.workspace = true
-
-[dependencies]
-actix-http.workspace = true
-actix-web.workspace = true
-anyhow.workspace = true
-awc.workspace = true
-bytemuck.workspace = true
-bytes.workspace = true
-clap.workspace = true
-const-oid.workspace = true
-enumset.workspace = true
-futures-core.workspace = true
-getrandom.workspace = true
-hex.workspace = true
-intel-tee-quote-verification-rs.workspace = true
-num-integer.workspace = true
-num-traits.workspace = true
-p256.workspace = true
-pgp.workspace = true
-pkcs8.workspace = true
-rand.workspace = true
-rsa.workspace = true
-rustls.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-serde_with.workspace = true
-sha2.workspace = true
-signature.workspace = true
-thiserror.workspace = true
-tracing.workspace = true
-webpki-roots.workspace = true
-x509-cert.workspace = true
-zeroize.workspace = true
-
-[dev-dependencies]
-anyhow.workspace = true
-base64.workspace = true
-hex.workspace = true
-testaso.workspace = true
-
 [workspace]
 members = ["crates/*", "bin/*"]
+resolver = "2"
 
 [workspace.package]
 version = "0.1.0"
@@ -78,7 +28,7 @@ enumset = { version = "1.1", features = ["serde", "std"] }
 futures-core = { version = "0.3.30", features = ["alloc"], default-features = false }
 getrandom = "0.2.12"
 hex = { version = "0.4.3", features = ["std"], default-features = false }
-intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs", version = "0.2.1" }
+intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs" }
 intel-tee-quote-verification-sys = { version = "0.2.1" }
 k256 = "0.13"
 log = "0.4"
@@ -99,7 +49,7 @@ serde_json = "1"
 serde_with = { version = "3.6", features = ["base64", "hex"] }
 sha2 = "0.10.8"
 signature = "2.2.0"
-teepot = { path = "." }
+teepot = { path = "crates/teepot" }
 testaso = "0.1.0"
 thiserror = "1.0.57"
 tokio = { version = "1", features = ["sync", "macros", "rt-multi-thread", "fs", "time"] }

bin/tee-vault-admin/src/main.rs

@@ -117,7 +117,7 @@ mod tests {
     use serde_json::json;
     use teepot::json::http::{VaultCommand, VaultCommands};
 
-    const TEST_DATA: &str = include_str!("../../../tests/data/test.json");
+    const TEST_DATA: &str = include_str!("../../../crates/teepot/tests/data/test.json");
 
     #[test]
     fn test_vault_commands() {

crates/teepot/Cargo.toml

@@ -0,0 +1,50 @@
+[package]
+name = "teepot"
+description = "TEE secret manager"
+# no MIT license, because of copied code from:
+# * https://github.com/enarx/enarx
+# * https://github.com/enarx/sgx
+license = "Apache-2.0"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+repository.workspace = true
+
+[dependencies]
+actix-http.workspace = true
+actix-web.workspace = true
+anyhow.workspace = true
+awc.workspace = true
+bytemuck.workspace = true
+bytes.workspace = true
+clap.workspace = true
+const-oid.workspace = true
+enumset.workspace = true
+futures-core.workspace = true
+getrandom.workspace = true
+hex.workspace = true
+intel-tee-quote-verification-rs.workspace = true
+num-integer.workspace = true
+num-traits.workspace = true
+p256.workspace = true
+pgp.workspace = true
+pkcs8.workspace = true
+rand.workspace = true
+rsa.workspace = true
+rustls.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+serde_with.workspace = true
+sha2.workspace = true
+signature.workspace = true
+thiserror.workspace = true
+tracing.workspace = true
+webpki-roots.workspace = true
+x509-cert.workspace = true
+zeroize.workspace = true
+
+[dev-dependencies]
+anyhow.workspace = true
+base64.workspace = true
+hex.workspace = true
+testaso.workspace = true

crates/teepot/src/sgx/sign.rs

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023 Matter Labs
+// Copyright (c) 2023-2024 Matter Labs
 
 // Copyright (c) The Enarx Project Developers https://github.com/enarx/sgx
 
@@ -357,6 +357,7 @@ mod test {
     }
 
     #[test]
+    #[allow(clippy::unusual_byte_groupings)]
     fn author_instantiation() {
         let author = Author::new(0x2000_03_30, 0u32);
         assert_eq!(author.header1, Author::HEADER1);

deny.toml

@@ -29,7 +29,7 @@ allow = [
   "Unlicense",
   "MPL-2.0",
   "Unicode-DFS-2016",
-  "CC0-1.0",
+  #  "CC0-1.0", # not yet seen
   "BSD-2-Clause",
   "BSD-3-Clause",
   "OpenSSL",
@@ -65,12 +65,9 @@ skip-tree = []
 unknown-registry = "warn"
 unknown-git = "warn"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-allow-git = [
+# allow-git = []
-  # we need the mio override to disable eventfd for SGX
-  "https://github.com/tokio-rs/mio?rev=ec0776f5af29548e4e1f48f86f5fa123a46caa07#ec0776f5af29548e4e1f48f86f5fa123a46caa07",
-]
 
 [sources.allow-org]
-github = [""]
+#github = [""]
-gitlab = [""]
+#gitlab = [""]
-bitbucket = [""]
+#bitbucket = [""]

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709610799,
+        "narHash": "sha256-5jfLQx0U9hXbi2skYMGodDJkIgffrjIOgMRjZqms2QE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "81c393c776d5379c030607866afef6406ca1be57",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -287,6 +307,7 @@
     },
     "root": {
       "inputs": {
+        "crane": "crane",
         "nixpkgs": "nixpkgs",
         "nixsgx-flake": "nixsgx-flake",
         "rust-overlay": "rust-overlay",

flake.nix

@@ -1,6 +1,13 @@
 {
   description = "teepot";
 
+  nixConfig.extra-substituters = [
+    "https://nixsgx.cachix.org"
+  ];
+  nixConfig.extra-trusted-public-keys = [
+    "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="
+  ];
+
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
 
@@ -23,6 +30,11 @@
       url = "github:oxalica/rust-overlay?rev=3ad32bb27c700b59306224e285b66577e3532dfc";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    crane = {
+      url = "github:ipetkov/crane";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs:
@@ -49,6 +61,16 @@
 
       outputs-builder = channels: {
         formatter = channels.nixpkgs.nixpkgs-fmt;
+
+        checks = {
+          inherit
+            (channels.nixpkgs.teepot) cargoFmt;
+          inherit
+            (channels.nixpkgs.teepot) cargoClippy;
+          inherit
+            (channels.nixpkgs.teepot) cargoDeny;
+        };
+
       };
     };
 }

packages/cargoClippy/default.nix

@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ lib
+, inputs
+, makeRustPlatform
+, nixsgx
+, pkg-config
+, rust-bin
+, pkgs
+, callPackage
+, ...
+}@args:
+let
+  teepotCrate = import ../teepot/teepot.nix args;
+in
+teepotCrate.craneLib.cargoClippy (
+  teepotCrate.commonArgs // {
+    pname = "teepot";
+    inherit (teepotCrate) cargoArtifacts NIX_OUTPATH_USED_AS_RANDOM_SEED;
+  }
+)

packages/cargoDeny/default.nix

@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ lib
+, inputs
+, makeRustPlatform
+, nixsgx
+, pkg-config
+, rust-bin
+, pkgs
+, callPackage
+, ...
+}@args:
+let
+  teepotCrate = import ../teepot/teepot.nix args;
+in
+teepotCrate.craneLib.cargoDeny (
+  teepotCrate.commonArgs // {
+    pname = "teepot";
+  }
+)

packages/cargoFmt/default.nix

@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ lib
+, inputs
+, makeRustPlatform
+, nixsgx
+, pkg-config
+, rust-bin
+, pkgs
+, callPackage
+, ...
+}@args:
+let
+  teepotCrate = import ../teepot/teepot.nix args;
+in
+teepotCrate.craneLib.cargoFmt (
+  teepotCrate.commonArgs // {
+    pname = "teepot";
+  }
+)

packages/teepot/default.nix

@@ -1,77 +1,58 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
 { lib
+, inputs
 , makeRustPlatform
 , nixsgx
 , pkg-config
 , rust-bin
-}:
+, pkgs
+, ...
+}@args:
 let
-  cargoToml = builtins.fromTOML (builtins.readFile ../../Cargo.toml);
+  teepotCrate = import ./teepot.nix args;
-  rustVersion = rust-bin.fromRustupToolchainFile ../../rust-toolchain.toml;
-  rustPlatform = makeRustPlatform {
-    cargo = rustVersion;
-    rustc = rustVersion;
-  };
 in
-rustPlatform.buildRustPackage {
+teepotCrate.craneLib.buildPackage (
-  pname = cargoToml.package.name;
+  teepotCrate.commonArgs // {
-  inherit (cargoToml.workspace.package) version;
+    pname = "teepot";
+    inherit (teepotCrate) cargoArtifacts
+      NIX_OUTPATH_USED_AS_RANDOM_SEED;
 
-  nativeBuildInputs = [
-    pkg-config
-    rustPlatform.bindgenHook
-  ];
 
-  buildInputs = [
+    passthru = {
-    nixsgx.sgx-sdk
+      inherit (teepotCrate) rustPlatform
-    nixsgx.sgx-dcap
+        rustVersion
-    nixsgx.sgx-dcap.quote_verify
+        commonArgs
-  ];
+        craneLib
+        cargoArtifacts;
+      NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+    };
 
-  src = with lib.fileset; toSource {
+    outputs = [
-    root = ./../..;
+      "out"
-    fileset = unions [
+      "tee_key_preexec"
-      ../../Cargo.lock
+      "tee_ratls_preexec"
-      ../../Cargo.toml
+      "tee_self_attestation_test"
-      ../../bin
+      "tee_stress_client"
-      ../../crates
+      "tee_vault_admin"
-      ../../rust-toolchain.toml
+      "tee_vault_unseal"
-      ../../src
+      "teepot_read"
-      ../../tests
+      "teepot_write"
+      "vault_admin"
+      "vault_unseal"
+      "verify_attestation"
     ];
-  };
 
-  RUSTFLAGS = "--cfg mio_unsupported_force_waker_pipe";
+    postInstall = ''
-  cargoBuildFlags = "--all";
+      mkdir -p $out/nix-support
-  checkType = "debug";
+      for i in $outputs; do
-  cargoLock = {
+        [[ $i == "out" ]] && continue
-    lockFile = ../../Cargo.lock;
+        mkdir -p "''${!i}/bin"
-  };
+        echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
+        binname=''${i//_/-}
+        mv "$out/bin/$binname" "''${!i}/bin/"
+      done
+    '';
+  }
+)
 
-  outputs = [
-    "out"
-    "tee_key_preexec"
-    "tee_ratls_preexec"
-    "tee_self_attestation_test"
-    "tee_stress_client"
-    "tee_vault_admin"
-    "tee_vault_unseal"
-    "teepot_read"
-    "teepot_write"
-    "vault_admin"
-    "vault_unseal"
-    "verify_attestation"
-  ];
-
-  postInstall = ''
-    mkdir -p $out/nix-support
-    for i in $outputs; do
-      [[ $i == "out" ]] && continue
-      mkdir -p "''${!i}/bin"
-      echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
-      binname=''${i//_/-}
-      mv "$out/bin/$binname" "''${!i}/bin/"
-    done
-  '';
-}

packages/teepot/teepot.nix

@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ lib
+, inputs
+, makeRustPlatform
+, nixsgx
+, pkg-config
+, rust-bin
+, pkgs
+, ...
+}:
+let
+  rustVersion = rust-bin.fromRustupToolchainFile ../../rust-toolchain.toml;
+  rustPlatform = makeRustPlatform {
+    cargo = rustVersion;
+    rustc = rustVersion;
+  };
+  craneLib = (inputs.crane.mkLib pkgs).overrideToolchain rustVersion;
+  commonArgs = {
+    nativeBuildInputs = [
+      pkg-config
+      rustPlatform.bindgenHook
+    ];
+
+    buildInputs = [
+      nixsgx.sgx-sdk
+      nixsgx.sgx-dcap
+      nixsgx.sgx-dcap.quote_verify
+    ];
+
+    strictDeps = true;
+    src = with lib.fileset; toSource {
+      root = ../../.;
+      fileset = unions [
+        ../../Cargo.lock
+        ../../Cargo.toml
+        ../../bin
+        ../../crates
+        ../../rust-toolchain.toml
+        ../../deny.toml
+        ../../taplo.toml
+      ];
+    };
+
+    RUSTFLAGS = "--cfg mio_unsupported_force_waker_pipe";
+    checkType = "debug";
+  };
+  cargoArtifacts = craneLib.buildDepsOnly (commonArgs // {
+    pname = "teepot-workspace";
+    inherit NIX_OUTPATH_USED_AS_RANDOM_SEED;
+  });
+  NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+in
+{
+  inherit rustPlatform
+    rustVersion
+    commonArgs
+    craneLib
+    cargoArtifacts;
+  NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+}