chore: update docker building action
zensh committed Jul 18, 2024
1 parent 97d4a86 commit 150952a
Showing 7 changed files with 38 additions and 84 deletions.
8 changes: 8 additions & 0 deletions .github/workflows/build-dockers.yml
Expand Up @@ -21,3 +21,11 @@ jobs:
LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
TAGS="-t ${IMAGE_TAG} -t ${LATEST_TAG}"
docker buildx build --platform='linux/amd64,linux/arm64' $TAGS --push .
IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_arm64:${{ github.ref_name }}"
LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_arm64:latest"
TAGS="-t ${IMAGE_TAG} -t ${LATEST_TAG}"
docker build -f enclave/arm64.Dockerfile $TAGS --push .
IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_amd64:${{ github.ref_name }}"
LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_amd64:latest"
TAGS="-t ${IMAGE_TAG} -t ${LATEST_TAG}"
docker build -f enclave/amd64.Dockerfile $TAGS --push .
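Review bot: The new `IMAGE_TAG` assignments for the enclave images interpolate `${{ github.ref_name }}` straight into the shell script; the expression is expanded before the shell runs, so a branch or tag name carrying shell metacharacters becomes part of the command line (a known script-injection vector — whether untrusted refs can reach this workflow depends on the `on:` trigger, which is outside the hunk). Safer is to pass it through the step's `env:` and quote it, e.g. `env: REF_NAME: ${{ github.ref_name }}` on the step and `IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_arm64:${REF_NAME}"` in the script. Separately, the two enclave builds use plain `docker build` with no `--platform`, unlike the `buildx` line above them, so the arm64 enclave image is built for the runner's native architecture unless `enclave/arm64.Dockerfile` pins one itself — worth confirming, since the EIF measurement derives from that image. The `run:` step begins before this hunk.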
72 changes: 0 additions & 72 deletions Cargo.lock


14 changes: 13 additions & 1 deletion README.md
Expand Up @@ -68,8 +68,20 @@ cargo run -p idempotent-proxy-server

https://docs.marlin.org/user-guides/oyster/instances/quickstart/build

The following steps should be run in AWS Nitro-based instances.

Spin up a new Docker container based on our nitro-cli image and mount the current directory using:
```bash
sudo docker run --rm --privileged --name nitro-cli -v `pwd`:/mnt/my-server marlinorg/nitro-cli
```

In a new terminal, run
```bash
docker build -f enclave/arm64.Dockerfile -t enclave:latest .
cd /mnt/my-server
sudo docker exec -it nitro-cli sh
# or docker pull enclave image
docker build -f enclave/arm64.Dockerfile -t enclave_arm64:latest .
nitro-cli build-enclave --docker-uri enclave_arm64:latest --output-file enclave_arm64.eif
```

### Running as Cloudflare Worker
3 changes: 1 addition & 2 deletions src/idempotent-proxy-server/src/cache/memory.rs
@@ -1,12 +1,12 @@
use async_trait::async_trait;
use idempotent_proxy_types::unix_ms;
use std::{
collections::{
hash_map::{Entry, HashMap},
BTreeSet,
},
sync::Arc,
};
use structured_logger::unix_ms;
use tokio::{
sync::RwLock,
time::{sleep, Duration},
Expand Down Expand Up @@ -39,7 +39,6 @@ impl MemoryCacher {

kv.remove(&key);
}
()
})
}
}
6 changes: 1 addition & 5 deletions src/idempotent-proxy-types/Cargo.toml
Expand Up @@ -13,21 +13,17 @@ license.workspace = true
[lib]

[dependencies]
axum = { workspace = true }
http = { workspace = true }
async-trait = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
serde_bytes = { workspace = true }
ciborium = { workspace = true }
anyhow = { workspace = true }
k256 = { workspace = true }
ed25519-dalek = { workspace = true }
base64 = { workspace = true }
sha3 = { workspace = true }
chrono = { workspace = true }

[dev-dependencies]
base64 = { workspace = true }
rand_core = "0.6"
hex = { package = "hex-conservative", version = "0.2", default-features = false, features = [
"alloc",
10 changes: 6 additions & 4 deletions src/idempotent-proxy-types/src/auth.rs
Expand Up @@ -8,6 +8,8 @@ use serde::{Deserialize, Serialize};
use serde_bytes::ByteBuf;
use sha3::{Digest, Sha3_256};

use crate::unix_ms;

const PERMITTED_DRIFT: u64 = 10; // seconds

// Token format: [expire_at in seconds, agent, signature]
Expand All @@ -27,7 +29,7 @@ pub fn ed25519_sign(key: &ed25519_dalek::SigningKey, expire_at: u64, agent: Stri

pub fn ed25519_verify(keys: &[ed25519_dalek::VerifyingKey], data: &[u8]) -> Result<Token, String> {
let token: Token = from_reader(data).map_err(|_err| "failed to decode CBOR data")?;
if token.0 + PERMITTED_DRIFT < chrono::Utc::now().timestamp() as u64 {
if token.0 + PERMITTED_DRIFT < unix_ms() / 1000 {
return Err("token expired".to_string());
}
let sig = ed25519_dalek::Signature::from_slice(token.2.as_slice())
Expand Down Expand Up @@ -60,7 +62,7 @@ pub fn ecdsa_sign(key: &ecdsa::SigningKey, expire_at: u64, agent: String) -> Vec
// Secp256k1
pub fn ecdsa_verify(keys: &[ecdsa::VerifyingKey], data: &[u8]) -> Result<Token, String> {
let token: Token = from_reader(data).map_err(|_err| "failed to decode CBOR data")?;
if token.0 + PERMITTED_DRIFT < chrono::Utc::now().timestamp() as u64 {
if token.0 + PERMITTED_DRIFT < unix_ms() / 1000 {
return Err("token expired".to_string());
}
let sig = ecdsa::Signature::try_from(token.2.as_slice())
Expand Down Expand Up @@ -98,7 +100,7 @@ mod test {
let signing_key: ed25519_dalek::SigningKey =
ed25519_dalek::SigningKey::from_bytes(&secret_key);
let agent = "alice".to_string();
let expire_at = chrono::Utc::now().timestamp() as u64 + 3600;
let expire_at = unix_ms() / 1000 + 3600;
let signed = super::ed25519_sign(&signing_key, expire_at, agent.clone());
let token = super::ed25519_verify(&[signing_key.verifying_key()], &signed).unwrap();
assert_eq!(token.0, expire_at);
Expand All @@ -110,7 +112,7 @@ mod test {
fn test_secp256k1_token() {
let signing_key = ecdsa::SigningKey::random(&mut OsRng);
let agent = "alice".to_string();
let expire_at = chrono::Utc::now().timestamp() as u64 + 3600;
let expire_at = unix_ms() / 1000 + 3600;
let signed = super::ecdsa_sign(&signing_key, expire_at, agent.clone());
let token =
super::ecdsa_verify(&[ecdsa::VerifyingKey::from(&signing_key)], &signed).unwrap();
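Review bot: `token.0 + PERMITTED_DRIFT` on the rewritten expiry lines adds a constant to an attacker-supplied value that has been CBOR-decoded but not yet signature-checked, so a crafted `expire_at` near `u64::MAX` overflows — a panic in debug builds and a silent wrap in release (the wrap makes the token read as expired, so it happens to fail closed, but the arithmetic should not rely on that). `token.0.saturating_add(PERMITTED_DRIFT) < unix_ms() / 1000` keeps the comparison well-defined in both `ed25519_verify` and `ecdsa_verify`; the overflow predates this commit, but these lines are rewritten here. Note also that `unix_ms()` panics if the system clock is before the Unix epoch, where `chrono::Utc::now().timestamp() as u64` previously wrapped to a huge value — both outcomes reject every token, so behaviour is comparable, but a short comment on the check such as `// clock before the epoch panics in unix_ms(): fail closed` would save the next reader the analysis. Both functions continue past the hunk.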
9 changes: 9 additions & 0 deletions src/idempotent-proxy-types/src/lib.rs
@@ -1,4 +1,5 @@
use http::header::HeaderName;
use std::time::{SystemTime, UNIX_EPOCH};

pub mod auth;

Expand All @@ -13,3 +14,11 @@ pub static HEADER_RESPONSE_HEADERS: HeaderName = HeaderName::from_static("respon
pub fn err_string(err: impl std::fmt::Display) -> String {
err.to_string()
}

/// Returns the current unix timestamp in milliseconds.
pub fn unix_ms() -> u64 {
let ts = SystemTime::now()
.duration_since(UNIX_EPOCH)
.expect("system time before Unix epoch");
ts.as_millis() as u64
}
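Review bot: `unix_ms` carries an `expect` that panics when the clock is set before the Unix epoch, but its doc comment does not say so; since this helper now sits on the token-expiry path in `auth.rs`, callers should know the failure mode is a panic rather than a zero. Add a `# Panics` section: `/// # Panics` followed by `/// Panics if the system clock is set before the Unix epoch.` The `as u64` narrowing of `as_millis()` is lossless for any realistic date, but a one-line comment such as `// u128 -> u64 cannot truncate for hundreds of millions of years` would stop a future reviewer from flagging the cast.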
