Adding enclave restricted flags (#1668)

* Adding enclave restricted flags * fixes * comments * changing docker restricted mode to test mode * PR comments * tests * Restricted flags cannot be used outside testmode * nit * pr comments * pr comments * pr comments * pr comments
ten-protocol · Dec 5, 2023 · ca7f91b · ca7f91b
1 parent 4551c81
commit ca7f91b
Show file tree

Hide file tree

Showing 18 changed files with 601 additions and 669 deletions.
diff --git a/dockerfiles/enclave.Dockerfile b/dockerfiles/enclave.Dockerfile
@@ -4,6 +4,14 @@
 # deploy = copies over only the enclave executable without the source
 #          in a lightweight base image specialized for deployment and prepares the /data/ folder.
 
+# Final container folder structure:
+#   /home/obscuro/data                          contains working files for the enclave
+#   /home/obscuro/go-obscuro/go/enclave/main    contains the executable for the enclave
+#
+
+# Defaults to restricted flag mode
+ARG TESTMODE=false
+
 FROM ghcr.io/edgelesssys/ego-dev:v1.3.0 AS build-base
 
 # setup container data structure
@@ -26,19 +34,25 @@ WORKDIR /home/obscuro/go-obscuro/go/enclave/main
 RUN --mount=type=cache,target=/root/.cache/go-build \
     ego-go build
 
+# New build stage for compiling the enclave with restricted flags mode
+FROM build-enclave as build-enclave-testmode-false
 # Sign the enclave executable
-RUN ego sign main
+RUN ego sign enclave.json
+
+# New build stage for compiling the enclave without restricted flags mode
+FROM build-enclave as build-enclave-testmode-true
+# Sign the enclave executable
+RUN ego sign enclave-test.json
+
+# Tag the restricted mode as the current build
+FROM build-enclave-testmode-${TESTMODE} as build-enclave
 
-# Final container folder structure:
-#   /home/obscuro/data                          contains working files for the enclave
-#   /home/obscuro/go-obscuro/go/enclave/main    contains the executable for the enclave
-#
 # Trigger a new build stage and use the smaller ego version:
 FROM ghcr.io/edgelesssys/ego-deploy:v1.3.0
 
 # Copy just the binary for the enclave into this build stage
 COPY --from=build-enclave \
-    /home/obscuro/go-obscuro/go/enclave/main home/obscuro/go-obscuro/go/enclave/main
+    /home/obscuro/go-obscuro/go/enclave/main /home/obscuro/go-obscuro/go/enclave/main
 
 WORKDIR /home/obscuro/go-obscuro/go/enclave/main
 

diff --git a/go.sum b/go.sum
diff --git a/go/common/flag/flag.go b/go/common/flag/flag.go
@@ -0,0 +1,133 @@
+package flag
+
+import (
+	"flag"
+	"fmt"
+)
+
+type TenFlag struct {
+	Name         string
+	Value        any
+	FlagType     string
+	Description  string
+	DefaultValue any
+}
+
+func NewStringFlag(name, defaultValue, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        "",
+		FlagType:     "string",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewIntFlag(name string, defaultValue int, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        0,
+		FlagType:     "int",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewBoolFlag(name string, defaultValue bool, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        false,
+		FlagType:     "bool",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewInt64Flag(name string, defaultValue int64, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        false,
+		FlagType:     "int64",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewUint64Flag(name string, defaultValue uint64, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        false,
+		FlagType:     "uint64",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func (f TenFlag) String() string {
+	if ptrVal, ok := f.Value.(*string); ok {
+		return *ptrVal
+	}
+	return f.Value.(string)
+}
+
+func (f TenFlag) Int() int {
+	if ptrVal, ok := f.Value.(*int); ok {
+		return *ptrVal
+	}
+	return f.Value.(int)
+}
+
+func (f TenFlag) Int64() int64 {
+	if ptrVal, ok := f.Value.(*int64); ok {
+		return *ptrVal
+	}
+	return f.Value.(int64)
+}
+
+func (f TenFlag) Uint64() uint64 {
+	if ptrVal, ok := f.Value.(*uint64); ok {
+		return *ptrVal
+	}
+	return f.Value.(uint64)
+}
+
+func (f TenFlag) Bool() bool {
+	if ptrVal, ok := f.Value.(*bool); ok {
+		return *ptrVal
+	}
+	return f.Value.(bool)
+}
+
+func (f TenFlag) IsSet() bool {
+	found := false
+	flag.Visit(func(fl *flag.Flag) {
+		if fl.Name == f.Name {
+			found = true
+		}
+	})
+	return found
+}
+
+func CreateCLIFlags(flags map[string]*TenFlag) error {
+	for _, tflag := range flags {
+		switch tflag.FlagType {
+		case "string":
+			tflag.Value = flag.String(tflag.Name, tflag.DefaultValue.(string), tflag.Description)
+		case "bool":
+			tflag.Value = flag.Bool(tflag.Name, tflag.DefaultValue.(bool), tflag.Description)
+		case "int":
+			tflag.Value = flag.Int(tflag.Name, tflag.DefaultValue.(int), tflag.Description)
+		case "int64":
+			tflag.Value = flag.Int64(tflag.Name, tflag.DefaultValue.(int64), tflag.Description)
+		case "uint64":
+			tflag.Value = flag.Uint64(tflag.Name, tflag.DefaultValue.(uint64), tflag.Description)
+		default:
+			return fmt.Errorf("unexpected flag type %s", tflag.FlagType)
+		}
+	}
+	return nil
+}
+
+func Parse() {
+	flag.Parse()
+}
diff --git a/go/config/enclave_cli_flags.go b/go/config/enclave_cli_flags.go
@@ -0,0 +1,74 @@
+package config
+
+import (
+	"github.com/ten-protocol/go-ten/go/common"
+	"github.com/ten-protocol/go-ten/go/common/flag"
+)
+
+// Flag names.
+const (
+	HostIDFlag                    = "hostID"
+	HostAddressFlag               = "hostAddress"
+	AddressFlag                   = "address"
+	NodeTypeFlag                  = "nodeType"
+	L1ChainIDFlag                 = "l1ChainID"
+	ObscuroChainIDFlag            = "obscuroChainID"
+	WillAttestFlag                = "willAttest"
+	ValidateL1BlocksFlag          = "validateL1Blocks"
+	ManagementContractAddressFlag = "managementContractAddress"
+	LogLevelFlag                  = "logLevel"
+	LogPathFlag                   = "logPath"
+	UseInMemoryDBFlag             = "useInMemoryDB"
+	EdgelessDBHostFlag            = "edgelessDBHost"
+	SQLiteDBPathFlag              = "sqliteDBPath"
+	ProfilerEnabledFlag           = "profilerEnabled"
+	MinGasPriceFlag               = "minGasPrice"
+	MessageBusAddressFlag         = "messageBusAddress"
+	SequencerIDFlag               = "sequencerID"
+	ObscuroGenesisFlag            = "obscuroGenesis"
+	DebugNamespaceEnabledFlag     = "debugNamespaceEnabled"
+	MaxBatchSizeFlag              = "maxBatchSize"
+	MaxRollupSizeFlag             = "maxRollupSize"
+	L2BaseFeeFlag                 = "l2BaseFee"
+	L2CoinbaseFlag                = "l2Coinbase"
+	L2GasLimitFlag                = "l2GasLimit"
+)
+
+// EnclaveFlags are the flags that the enclave can receive
+var EnclaveFlags = map[string]*flag.TenFlag{
+	HostIDFlag:                    flag.NewStringFlag(HostIDFlag, "", "The 20 bytes of the address of the Obscuro host this enclave serves"),
+	HostAddressFlag:               flag.NewStringFlag(HostAddressFlag, "127.0.0.1:10000", "The peer-to-peer IP address of the Obscuro host this enclave serves"),
+	AddressFlag:                   flag.NewStringFlag(AddressFlag, "127.0.0.1:11000", "The address on which to serve the Obscuro enclave service"),
+	NodeTypeFlag:                  flag.NewStringFlag(NodeTypeFlag, common.Sequencer.String(), "The node's type (e.g. sequencer, validator)"),
+	WillAttestFlag:                flag.NewBoolFlag(WillAttestFlag, false, "Whether the enclave will produce a verified attestation report"),
+	ValidateL1BlocksFlag:          flag.NewBoolFlag(ValidateL1BlocksFlag, false, "Whether to validate incoming blocks using the hardcoded L1 genesis.json config"),
+	ManagementContractAddressFlag: flag.NewStringFlag(ManagementContractAddressFlag, "", "The management contract address on the L1"),
+	LogLevelFlag:                  flag.NewIntFlag(LogLevelFlag, 3, "The verbosity level of logs. (Defaults to Info)"),
+	LogPathFlag:                   flag.NewStringFlag(LogPathFlag, "stdout", "The path to use for the enclave service's log file"),
+	EdgelessDBHostFlag:            flag.NewStringFlag(EdgelessDBHostFlag, "", "Host address for the edgeless DB instance (can be empty if useInMemoryDB is true or if not using attestation"),
+	SQLiteDBPathFlag:              flag.NewStringFlag(SQLiteDBPathFlag, "", "Filepath for the sqlite DB persistence file (can be empty if a throwaway file in /tmp/ is acceptable or if using InMemory DB or if using attestation/EdgelessDB)"),
+	MinGasPriceFlag:               flag.NewInt64Flag(MinGasPriceFlag, 1, "The minimum gas price for mining a transaction"),
+	MessageBusAddressFlag:         flag.NewStringFlag(MessageBusAddressFlag, "", "The address of the L1 message bus contract owned by the management contract."),
+	SequencerIDFlag:               flag.NewStringFlag(SequencerIDFlag, "", "The 20 bytes of the address of the sequencer for this network"),
+	MaxBatchSizeFlag:              flag.NewUint64Flag(MaxBatchSizeFlag, 1024*25, "The maximum size a batch is allowed to reach uncompressed"),
+	MaxRollupSizeFlag:             flag.NewUint64Flag(MaxRollupSizeFlag, 1024*64, "The maximum size a rollup is allowed to reach"),
+	L2BaseFeeFlag:                 flag.NewUint64Flag(L2BaseFeeFlag, 1, ""),
+	L2CoinbaseFlag:                flag.NewStringFlag(L2CoinbaseFlag, "0xd6C9230053f45F873Cb66D8A02439380a37A4fbF", ""),
+	L2GasLimitFlag:                flag.NewUint64Flag(L2GasLimitFlag, 9e18, ""),
+	ObscuroGenesisFlag:            flag.NewStringFlag(ObscuroGenesisFlag, "", "The json string with the obscuro genesis"),
+	L1ChainIDFlag:                 flag.NewInt64Flag(L1ChainIDFlag, 1337, "An integer representing the unique chain id of the Ethereum chain used as an L1 (default 1337)"),
+	ObscuroChainIDFlag:            flag.NewInt64Flag(ObscuroChainIDFlag, 443, "An integer representing the unique chain id of the Obscuro chain (default 443)"),
+	UseInMemoryDBFlag:             flag.NewBoolFlag(UseInMemoryDBFlag, true, "Whether the enclave will use an in-memory DB rather than persist data"),
+	ProfilerEnabledFlag:           flag.NewBoolFlag(ProfilerEnabledFlag, false, "Runs a profiler instance (Defaults to false)"),
+	DebugNamespaceEnabledFlag:     flag.NewBoolFlag(DebugNamespaceEnabledFlag, false, "Whether the debug namespace is enabled"),
+}
+
+// enclaveRestrictedFlags are the flags that the enclave can receive ONLY over the Ego signed enclave.json
+var enclaveRestrictedFlags = []string{
+	L1ChainIDFlag,
+	ObscuroChainIDFlag,
+	ObscuroGenesisFlag,
+	UseInMemoryDBFlag,
+	ProfilerEnabledFlag,
+	DebugNamespaceEnabledFlag,
+}