Use cosmosDB in the gateway and encrypt data with encryption key generated inside the enclave

.github/workflows/manual-deploy-obscuro-gateway.yml

@@ -296,5 +296,5 @@ jobs:
             "${{ env.DOCKER_BUILD_TAG_GATEWAY }}" \
             ego run /home/ten/go-ten/tools/walletextension/main/main \
             -host=0.0.0.0 -port=80 -portWS=81 -nodeHost="${{ env.L2_RPC_URL_VALIDATOR }}" -verbose=true \
-            -logPath=sys_out -dbType=mariaDB -dbConnectionURL="obscurouser:${{ secrets.OBSCURO_GATEWAY_MARIADB_USER_PWD }}@tcp(obscurogateway-mariadb-${{ github.event.inputs.testnet_type }}.uksouth.cloudapp.azure.com:3306)/ogdb" \
+            -logPath=sys_out -dbType=cosmosDB -dbConnectionURL="${{ secrets.COSMOS_DB_CONNECTION_STRING }}" \
             -rateLimitUserComputeTime="${{ env.GATEWAY_RATE_LIMIT_USER_COMPUTE_TIME }}" -rateLimitWindow="${{ env.GATEWAY_RATE_LIMIT_WINDOW }}" -maxConcurrentRequestsPerUser="${{ env.GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER }}" '

go.mod

@@ -5,6 +5,7 @@ go 1.21.11
 replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos v1.1.0
 	github.com/FantasyJony/openzeppelin-merkle-tree-go v1.1.2
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/andybalholm/brotli v1.1.0
@@ -55,6 +56,9 @@ require (
 
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
 	github.com/VictoriaMetrics/fastcache v1.12.2 // indirect

go.sum

@@ -1,7 +1,19 @@
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
+github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos v1.1.0 h1:c726lgbwpwFBuj+Fyrwuh/vUilqFo+hUAOUNjsKj5DI=
+github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos v1.1.0/go.mod h1:WzFGxuepAtZIZtQbz8/WviJycLMKJHpaEAqcXONxlag=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
 github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
 github.com/FantasyJony/openzeppelin-merkle-tree-go v1.1.2 h1:oZixv5U6eReqc1COEtng6/bVdAOAAWgtf38Ngn9Squc=
@@ -163,6 +175,8 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
 github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -294,6 +308,8 @@ github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOS
 github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

tools/walletextension/common/common.go

@@ -1,6 +1,7 @@
 package common
 
 import (
+	"crypto/rand"
 	"encoding/json"
 	"fmt"
 
@@ -15,6 +16,8 @@ import (
 	gethlog "github.com/ethereum/go-ethereum/log"
 )
 
+const EncryptionKeySize = 32
+
 // PrivateKeyToCompressedPubKey converts *ecies.PrivateKey to compressed PubKey ([]byte with length 33)
 func PrivateKeyToCompressedPubKey(prvKey *ecies.PrivateKey) []byte {
 	ecdsaPublicKey := prvKey.PublicKey.ExportECDSA()
@@ -76,3 +79,12 @@ func (r *RPCRequest) Clone() *RPCRequest {
 		Params: r.Params,
 	}
 }
+
+func GenerateRandomKey() ([]byte, error) {
+	key := make([]byte, EncryptionKeySize)
+	_, err := rand.Read(key)
+	if err != nil {
+		return nil, err
+	}
+	return key, nil
+}

tools/walletextension/common/db_types.go

@@ -1,12 +1,14 @@
 package common
 
-type AccountDB struct {
-	AccountAddress []byte
-	Signature      []byte
-	SignatureType  int
+type GWUserDB struct {
+	ID         string        `json:"id"` // Required by CosmosDB
+	UserId     []byte        `json:"userId"`
+	PrivateKey []byte        `json:"privateKey"`
+	Accounts   []GWAccountDB `json:"accounts"` // List of Accounts
 }
 
-type UserDB struct {
-	UserID     []byte
-	PrivateKey []byte
+type GWAccountDB struct {
+	AccountAddress []byte `json:"accountAddress"`
+	Signature      []byte `json:"signature"`
+	SignatureType  int    `json:"signatureType"`
 }

tools/walletextension/enclave.Dockerfile

@@ -10,6 +10,12 @@
 
 FROM ghcr.io/edgelesssys/ego-dev:v1.5.3 AS build-base
 
+# Install ca-certificates package and update it
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    && update-ca-certificates
+
+
 # setup container data structure
 RUN mkdir -p /home/ten/go-ten
 

tools/walletextension/encryption/encryption.go

@@ -0,0 +1,55 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+)
+
+type Encryptor struct {
+	gcm cipher.AEAD
+	key []byte
+}
+
+func NewEncryptor(key []byte) (*Encryptor, error) {
+	if len(key) != 32 {
+		return nil, fmt.Errorf("key must be 32 bytes long")
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	return &Encryptor{gcm: gcm, key: key}, nil
+}
+
+func (e *Encryptor) Encrypt(plaintext []byte) ([]byte, error) {
+	nonce := make([]byte, e.gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	return e.gcm.Seal(nonce, nonce, plaintext, nil), nil
+}
+
+func (e *Encryptor) Decrypt(ciphertext []byte) ([]byte, error) {
+	if len(ciphertext) < e.gcm.NonceSize() {
+		return nil, errors.New("ciphertext too short")
+	}
+	nonce, ciphertext := ciphertext[:e.gcm.NonceSize()], ciphertext[e.gcm.NonceSize():]
+	return e.gcm.Open(nil, nonce, ciphertext, nil)
+}
+
+func (e *Encryptor) HashWithHMAC(data []byte) []byte {
+	h := hmac.New(sha256.New, e.key)
+	h.Write(data)
+	return h.Sum(nil)
+}

tools/walletextension/encryption/encryption_test.go

@@ -0,0 +1,115 @@
+package encryption
+
+import (
+	"bytes"
+	"crypto/rand"
+	"testing"
+)
+
+func TestNewEncryptor(t *testing.T) {
+	key := make([]byte, 32) // 256-bit key
+	_, err := rand.Read(key)
+	if err != nil {
+		t.Fatalf("Failed to generate random key: %v", err)
+	}
+
+	encryptor, err := NewEncryptor(key)
+	if err != nil {
+		t.Fatalf("NewEncryptor failed: %v", err)
+	}
+
+	if encryptor == nil {
+		t.Fatal("NewEncryptor returned nil")
+	}
+}
+
+func TestEncryptDecrypt(t *testing.T) {
+	key := make([]byte, 32) // 256-bit key
+	_, err := rand.Read(key)
+	if err != nil {
+		t.Fatalf("Failed to generate random key: %v", err)
+	}
+
+	encryptor, err := NewEncryptor(key)
+	if err != nil {
+		t.Fatalf("NewEncryptor failed: %v", err)
+	}
+
+	plaintext := []byte("Hello, World!")
+
+	ciphertext, err := encryptor.Encrypt(plaintext)
+	if err != nil {
+		t.Fatalf("Encryption failed: %v", err)
+	}
+
+	decrypted, err := encryptor.Decrypt(ciphertext)
+	if err != nil {
+		t.Fatalf("Decryption failed: %v", err)
+	}
+
+	if !bytes.Equal(plaintext, decrypted) {
+		t.Fatalf("Decrypted text does not match original plaintext")
+	}
+}
+
+func TestEncryptDecryptEmptyString(t *testing.T) {
+	key := make([]byte, 32) // 256-bit key
+	_, err := rand.Read(key)
+	if err != nil {
+		t.Fatalf("Failed to generate random key: %v", err)
+	}
+
+	encryptor, err := NewEncryptor(key)
+	if err != nil {
+		t.Fatalf("NewEncryptor failed: %v", err)
+	}
+
+	plaintext := []byte("")
+
+	ciphertext, err := encryptor.Encrypt(plaintext)
+	if err != nil {
+		t.Fatalf("Encryption of empty string failed: %v", err)
+	}
+
+	decrypted, err := encryptor.Decrypt(ciphertext)
+	if err != nil {
+		t.Fatalf("Decryption of empty string failed: %v", err)
+	}
+
+	if !bytes.Equal(plaintext, decrypted) {
+		t.Fatalf("Decrypted empty string does not match original")
+	}
+}
+
+func TestDecryptInvalidCiphertext(t *testing.T) {
+	key := make([]byte, 32) // 256-bit key
+	_, err := rand.Read(key)
+	if err != nil {
+		t.Fatalf("Failed to generate random key: %v", err)
+	}
+
+	encryptor, err := NewEncryptor(key)
+	if err != nil {
+		t.Fatalf("NewEncryptor failed: %v", err)
+	}
+
+	invalidCiphertext := []byte("This is not a valid ciphertext")
+
+	_, err = encryptor.Decrypt(invalidCiphertext)
+	if err == nil {
+		t.Fatal("Decryption of invalid ciphertext should have failed, but didn't")
+	}
+}
+
+func TestNewEncryptorInvalidKeySize(t *testing.T) {
+	invalidKey := make([]byte, 31) // Invalid key size (not 16, 24, or 32 bytes)
+	_, err := rand.Read(invalidKey)
+	if err != nil {
+		t.Fatalf("Failed to generate random key: %v", err)
+	}
+
+	_, err = NewEncryptor(invalidKey)
+	if err == nil {
+		t.Fatal("NewEncryptor should have failed with invalid key size, but didn't")
+	}
+}

tools/walletextension/main/enclave.json

@@ -14,16 +14,8 @@
   ],
   "files": [
     {
-      "source": "../storage/database/mariadb/001_init.sql",
-      "target": "/home/ten/go-ten/tools/walletextension/storage/database/mariadb/001_init.sql"
-    },
-    {
-      "source": "../storage/database/mariadb/002_store_incoming_txs.sql",
-      "target": "/home/ten/go-ten/tools/walletextension/storage/database/mariadb/002_store_incoming_txs.sql"
-    },
-    {
-      "source": "../storage/database/mariadb/003_add_signature_type.sql",
-      "target": "/home/ten/go-ten/tools/walletextension/storage/database/mariadb/003_add_signature_type.sql"
+      "source": "/etc/ssl/certs/ca-certificates.crt",
+      "target": "/etc/ssl/certs/ca-certificates.crt"
     }
   ]
 }

tools/walletextension/rpcapi/gw_user.go

@@ -7,6 +7,7 @@ import (
 	"github.com/ten-protocol/go-ten/go/common/viewingkey"
 
 	"github.com/ethereum/go-ethereum/common"
+	wecommon "github.com/ten-protocol/go-ten/tools/walletextension/common"
 )
 
 var userCacheKeyPrefix = []byte{0x0, 0x1, 0x2, 0x3}
@@ -33,6 +34,28 @@ func (u GWUser) GetAllAddresses() []*common.Address {
 	return accts
 }
 
+func gwUserFromDB(userDB wecommon.GWUserDB, s *Services) (*GWUser, error) {
+	result := &GWUser{
+		userID:   userDB.UserId,
+		services: s,
+		accounts: make(map[common.Address]*GWAccount),
+		userKey:  userDB.PrivateKey,
+	}
+
+	for _, accountDB := range userDB.Accounts {
+		address := common.BytesToAddress(accountDB.AccountAddress)
+		gwAccount := &GWAccount{
+			user:          result,
+			address:       &address,
+			signature:     accountDB.Signature,
+			signatureType: viewingkey.SignatureType(accountDB.SignatureType),
+		}
+		result.accounts[address] = gwAccount
+	}
+
+	return result, nil
+}
+
 func userCacheKey(userID []byte) []byte {
 	var key []byte
 	key = append(key, userCacheKeyPrefix...)
@@ -42,21 +65,11 @@ func userCacheKey(userID []byte) []byte {
 
 func getUser(userID []byte, s *Services) (*GWUser, error) {
 	return withCache(s.Cache, &CacheCfg{CacheType: LongLiving}, userCacheKey(userID), func() (*GWUser, error) {
-		result := GWUser{userID: userID, services: s, accounts: map[common.Address]*GWAccount{}}
-		userPrivateKey, err := s.Storage.GetUserPrivateKey(userID)
+		user, err := s.Storage.GetUser(userID)
 		if err != nil {
 			return nil, fmt.Errorf("user %s not found. %w", hexutils.BytesToHex(userID), err)
 		}
-		result.userKey = userPrivateKey
-		allAccounts, err := s.Storage.GetAccounts(userID)
-		if err != nil {
-			return nil, err
-		}
-
-		for _, account := range allAccounts {
-			address := common.BytesToAddress(account.AccountAddress)
-			result.accounts[address] = &GWAccount{user: &result, address: &address, signature: account.Signature, signatureType: viewingkey.SignatureType(uint8(account.SignatureType))}
-		}
-		return &result, nil
+		result, err := gwUserFromDB(user, s)
+		return result, err
 	})
 }