diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
deleted file mode 100644
index afd829b..0000000
--- a/.github/workflows/container.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Container
-on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
-
-permissions:
- packages: write
- contents: read
-
-jobs:
- push_to_registry:
- name: Build and push containers image to GitHub Packages
- runs-on: ubuntu-latest
- steps:
- - name: Check out the repo
- uses: actions/checkout@v4
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.DOCKERHUB_USER }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up env
- run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
- name: Build and Push Container
- uses: docker/build-push-action@v5
- with:
- tags: |
- ghcr.io/${{env.repository_owner}}/${{ github.event.repository.name }}:latest
- matterlabsrobot/${{ github.event.repository.name }}:latest
- push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
deleted file mode 100644
index 3412316..0000000
--- a/.github/workflows/go.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
-
-name: Go
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
-
-jobs:
-
- build:
- runs-on: ubuntu-latest
- steps:
- - name: Prep
- run: |
- wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
- sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
- sudo apt -o Acquire::Retries=3 update
- sudo apt -o Acquire::Retries=3 install -y --no-install-recommends \
- libsgx-headers \
- libsgx-enclave-common \
- libsgx-urts \
- libsgx-dcap-quote-verify \
- libsgx-dcap-quote-verify-dev
-
- - uses: actions/checkout@v4
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: 1.21.4
-
- - name: Build
- run: go build -v ./...
-
- - name: Test
- run: go test -v ./...
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
new file mode 100644
index 0000000..8a3c721
--- /dev/null
+++ b/.github/workflows/nix.yml
@@ -0,0 +1,63 @@
+name: nix
+
+on:
+ pull_request:
+ branches: [ "main" ]
+ push:
+ branches: [ "main" ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+ with:
+ extra_nix_config: |
+ access-tokens = github.com=${{ github.token }}
+ - run: nix flake check -L --show-trace --keep-going
+
+ fmt:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+ with:
+ extra_nix_config: |
+ access-tokens = github.com=${{ github.token }}
+ - run: nix fmt
+
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+ with:
+ extra_nix_config: |
+ access-tokens = github.com=${{ github.token }}
+ - uses: cachix/cachix-action@v14
+ continue-on-error: true
+ with:
+ name: vault-auth-tee
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ extraPullNames: nixsgx
+ - name: nix build
+ run: nix run nixpkgs#nixci
+ - name: nix docker image
+ run: |
+ nix build .#dockerImage
+ docker load -i result
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build and Push Container
+ uses: docker/build-push-action@v5
+ with:
+ tags: matterlabsrobot/vault-auth-tee:latest
+ push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
diff --git a/Dockerfile b/Dockerfile
index 5e1e5f9..bb3ef4c 100644
--- a/Dockerfile
+++ b/Dockerfile
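Review bot: The `build` job logs in to Docker Hub and pushes on every push to main, yet the workflow declares no `permissions:` block, so all three jobs run with the repository's default GITHUB_TOKEN scope even though none of them writes to GitHub (the deleted container.yml did scope its token). Add a top-level `permissions:` / `  contents: read`; the token is only passed as `access-tokens` in `extra_nix_config`, which should need read access at most — confirm that a read-only token is enough for fetching the nixsgx flake input. `actions/checkout` and `cachix/install-nix-action` are pinned to commit SHAs while `cachix/cachix-action@v14`, `docker/login-action@v3` and `docker/build-push-action@v5` are mutable tags; pinning them the same way keeps the supply-chain posture consistent across the file. The `push:` condition also tests `github.event_name == 'schedule'`, but the workflow has no `schedule` trigger, so that half of the expression is dead and can be dropped.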
@@ -1,53 +1 @@
-FROM docker.io/ubuntu:20.04 AS pluginbuilder
-
-ARG VERSION=1.20.4
-ARG CGO_ENABLED=1
-ARG BUILD_TAGS="default"
-ENV JOBS=2
-RUN set -eux; \
- DEBIAN_FRONTEND=noninteractive apt-get update -y; \
- DEBIAN_FRONTEND=noninteractive apt-get install -y -q curl; \
- :
-
-RUN set -eux; \
- curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key; \
- echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list; \
- DEBIAN_FRONTEND=noninteractive apt-get update; \
- DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev \
- ; \
- :
-
-RUN mkdir /goroot && mkdir /go
-RUN curl https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz \
- | tar xvzf - -C /goroot --strip-components=1
-ENV GOPATH /go
-ENV GOROOT /goroot
-ENV PATH $GOROOT/bin:$GOPATH/bin:$PATH
-
-WORKDIR /
-
-RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/go --mount=type=bind,target=/data \
- set -eux; \
- mkdir -p /go/src/github.com/matter-labs/vault-auth-tee; \
- cd /go/src/github.com/matter-labs/vault-auth-tee; \
- rsync -a --delete-after /data/ ./ ; \
- CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o vault-auth-tee cmd/vault-auth-tee/main.go ; \
- mkdir -p /opt/vault/plugins; \
- cp vault-auth-tee /opt/vault/plugins/vault-auth-tee; \
- :
-
-FROM scratch
-WORKDIR /opt/vault/plugins
-
-COPY --from=pluginbuilder /opt/vault/plugins/vault-auth-tee /opt/vault/plugins/vault-auth-tee
+FROM vault-auth-tee:test
diff --git a/flake.lock b/flake.lock
index 5a66e9f..33f84e3 100644
--- a/flake.lock
+++ b/flake.lock
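Review bot: `FROM vault-auth-tee:test` is an unqualified, mutable tag that only exists after `nix build .#dockerImage` and `docker load -i result` have run (the nix.yml workflow does this right before the build step); built anywhere else, the daemon resolves the name against Docker Hub's default namespace, so the Dockerfile now silently depends on a prior step that nothing in the file records. Add a header comment such as `# Wrapper for the image built by nix (nix build .#dockerImage && docker load -i result); the tag is local-only and is not meant to be pulled from a registry.` With the multi-stage builder and the `FROM scratch` final stage removed, the image contents are entirely defined in flake.nix, so the comment should point there too so reviewers know where the runtime surface is decided.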
@@ -52,23 +52,18 @@
 "type": "github"
 }
 },
- "gitignore": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
+ "nix-filter": {
 "locked": {
- "lastModified": 1703887061,
- "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
- "owner": "hercules-ci",
- "repo": "gitignore.nix",
- "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
+ "lastModified": 1705332318,
+ "narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=",
+ "owner": "numtide",
+ "repo": "nix-filter",
+ "rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
 "type": "github"
 },
 "original": {
- "owner": "hercules-ci",
- "repo": "gitignore.nix",
+ "owner": "numtide",
+ "repo": "nix-filter",
 "type": "github"
 }
 },
@@ -111,7 +106,7 @@
 },
 "root": {
 "inputs": {
- "gitignore": "gitignore",
+ "nix-filter": "nix-filter",
 "nixpkgs": "nixpkgs",
 "nixsgx-flake": "nixsgx-flake"
 }
diff --git a/flake.nix b/flake.nix
index 4c8a07e..006e3e1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,47 +2,62 @@
 description = "vault auth plugin for remote attestation of TEEs";
 inputs = {
- # for libsgx-dcap-quote-verify
 nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ nix-filter.url = "github:numtide/nix-filter";
+
 nixsgx-flake = {
 url = "github:matter-labs/nixsgx";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-
- gitignore = {
- url = "github:hercules-ci/gitignore.nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 };
- outputs = { self, nixpkgs, gitignore, nixsgx-flake, ... }:
+ outputs = { self, nixpkgs, nixsgx-flake, nix-filter, ... }:
 let
 system = "x86_64-linux";
+ filter = nix-filter.lib;
 pkgs = import nixpkgs {
 inherit system;
 overlays = [ nixsgx-flake.overlays.default ];
 };
 bin = pkgs.buildGoModule {
- buildInputs = with pkgs; [
- nixsgx.sgx-sdk
- nixsgx.sgx-dcap
- nixsgx.sgx-dcap.quote_verify
- ];
-
- CGO_CFLAGS =
- "-I${pkgs.nixsgx.sgx-dcap}/include -I${pkgs.nixsgx.sgx-sdk}/include";
- LDFLAGS = "-L${pkgs.nixsgx.sgx-dcap}/lib";
-
- name = "vault-auth-tee";
- src = gitignore.lib.gitignoreSource ./.;
- vendorHash = "sha256-lhc4Fs+jGVYnd3vUWWXpebuBsPz6vbr1bCGwdyIPeKU=";
- };
- dockerImage = pkgs.dockerTools.buildImage {
- name = "vault-auth-tee";
- tag = "latest";
- copyToRoot = [
- bin
- # pkgs.vault
+ buildInputs = with pkgs; [
+ nixsgx.sgx-sdk
+ nixsgx.sgx-dcap
+ nixsgx.sgx-dcap.quote_verify
 ];
- #config = { Cmd = [ "${bin}/bin/vault" ]; };
+
+ name = "vault-auth-tee";
+ src = filter {
+ root = ./.;
+ include = [
+ ./go.mod
+ ./go.sum
+ "cmd"
+ "test-fixtures"
+ (filter.matchExt "go")
+ ];
+ };
+
+ vendorHash = "sha256-t59C0yzJzFAXNXYOFbta2g5CYlkfvlukq42cxCwLaGY=";
+ };
+
+ dockerImage = pkgs.dockerTools.buildLayeredImage {
+ name = "vault-auth-tee";
+ tag = "test";
+
+ config.Entrypoint = [ "/bin/sh" ];
+
+ contents = pkgs.buildEnv {
+ name = "image-root";
+
+ paths = with pkgs.dockerTools; [
+ bin
+ pkgs.vault
+ usrBinEnv
+ binSh
+ caCertificates
+ fakeNss
+ ];
+ pathsToLink = [ "/bin" "/etc" ];
+ };
 };
 in
 with pkgs; {
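Review bot: `dockerImage` now ships `pkgs.vault`, `binSh`, `usrBinEnv`, `caCertificates` and `fakeNss` with `config.Entrypoint = [ "/bin/sh" ]`, whereas the removed `buildImage` (and the removed Dockerfile's `FROM scratch` stage) put only the plugin binary into the image; since the nix.yml workflow pushes this image as `matterlabsrobot/vault-auth-tee:latest`, the published artifact gains a shell, a full Vault binary and a root shell entrypoint. If that is intended (the `"test"` tag suggests a test/dev image), say so in a comment above `dockerImage`, e.g. `# Test image: Vault plus the plugin with a shell entrypoint; not a minimal runtime image.`; if it is meant to run as a service, consider setting `config.User` to a non-root account (`fakeNss` supplies the passwd entries) and a Vault entrypoint instead of `/bin/sh`. Separately, `include` now lists `"test-fixtures"` as part of `src`, so everything under that directory is copied into the Nix store of every builder and cache; confirm it holds only throwaway test material.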
@@ -53,7 +68,7 @@
 };
 devShells.x86_64-linux.default = mkShell {
 inputsFrom = [ bin ];
- buildInputs = with pkgs; [ dive go_1_19 gotools mypkgs.sgx-sdk mypkgs.libsgx-dcap-quote-verify ];
+ nativeBuildInputs = with pkgs; [ dive go_1_21 ];
 };
 };
 }
diff --git a/go.sum b/go.sum
index 3dabff4..00c3de1 100644
--- a/go.sum
+++ b/go.sum
@@ -827,8 +827,6 @@ github.com/hashicorp/vault-plugin-secrets-openldap v0.12.0 h1:tAGJwjgu/NlHwIJeL/
 github.com/hashicorp/vault-plugin-secrets-openldap v0.12.0/go.mod h1:9Jvrdmtc2/f4V1M33wGgtiXHdTtCC6l5pbMfInTurzc=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3 h1:k5jCx6laFvQHvrQod+TSHSoDqF3ZSIlQB4Yzj6koz0I=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3/go.mod h1:yqCovAKNUNYnNrs5Wh95aExpsWEU45GB9FV7EquaSbA=
-github.com/hashicorp/vault/api v1.11.0 h1:AChWByeHf4/P9sX3Y1B7vFsQhZO2BgQiCMQ2SA1P1UY=
-github.com/hashicorp/vault/api v1.11.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
 github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/hashicorp/vault/sdk v0.11.0 h1:KP/tBUywaVcvOebAfMPNCCiXKeCNEbm3JauYmrZd7RI=
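Review bot: The dev shell now pins `go_1_21` while `bin` in the preceding hunk is still built with the unversioned `pkgs.buildGoModule`, so the toolchain developers use in the shell and the one the package is built with can drift apart after a nixpkgs bump; the removed line pinned `go_1_19`, which suggests this drift has already happened once. Either build `bin` with the matching versioned builder or record the coupling on this line, e.g. `# go_1_21: keep in step with the Go toolchain buildGoModule selects for bin`. `inputsFrom = [ bin ]` should already pull in the build's SGX `buildInputs`, so `dive` and `go_1_21` are presumably the only extras this shell needs to list — worth confirming the removed `gotools` is no longer wanted.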
@@ -1443,8 +1441,6 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1635,8 +1631,6 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -1645,8 +1639,6 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=