Merge pull request #2137 from oasisprotocol/kostko/feature/rofl-secre…

…ts-env-meta

rofl-containers: Also expose secrets via env file

rofl-containers/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rofl-containers"
-version = "0.3.0"
+version = "0.3.1"
 edition = "2021"
 
 [dependencies]

rofl-containers/src/containers.rs

@@ -1,3 +1,5 @@
+use std::{process::Command, time::SystemTime};
+
 use anyhow::Result;
 use cmd_lib::run_cmd;
 
@@ -45,8 +47,17 @@ pub async fn start() -> Result<()> {
     // Bring containers up.
     run_cmd!(
         cd "/etc/oasis/containers";
-        podman-compose up --detach --remove-orphans --force-recreate;
+        podman-compose --env-file "/run/podman/secrets.env" up --detach --remove-orphans --force-recreate;
     )?;
 
+    // Follow container logs.
+    let now = SystemTime::now()
+        .duration_since(SystemTime::UNIX_EPOCH)?
+        .as_secs();
+    Command::new("podman-compose")
+        .args(["logs", "--follow", "--since", &format!("{}", now)])
+        .current_dir("/etc/oasis/containers")
+        .spawn()?;
+
     Ok(())
 }

rofl-containers/src/secrets.rs

@@ -1,4 +1,9 @@
-use std::sync::Arc;
+use std::{
+    collections::BTreeSet,
+    fs::{self, File},
+    io::Write,
+    sync::Arc,
+};
 
 use anyhow::Result;
 use cmd_lib::run_cmd;
@@ -16,9 +21,14 @@ pub async fn init<A: App>(
     // Query own app cfg to get encrypted secrets.
     let encrypted_secrets = env.client().app_cfg().await?.secrets;
 
+    // Also generate secrets in an environment file.
+    fs::create_dir_all("/run/podman")?;
+    let mut secrets_env = File::create("/run/podman/secrets.env")?;
+
     // Ensure all secrets are removed.
     run_cmd!(podman secret rm --all)?;
     // Create all requested secrets.
+    let mut existing_env_vars = BTreeSet::new();
     for (pub_name, value) in encrypted_secrets {
         // Decrypt and authenticate secret. In case of failures, the secret is skipped.
         let (name, value) = match kms
@@ -33,10 +43,18 @@ pub async fn init<A: App>(
         };
         // Assume the name and value are always valid strings.
         let name = String::from_utf8_lossy(&name);
+        let name_upper = name.to_uppercase().replace(" ", "_");
         let value = String::from_utf8_lossy(&value);
+
         // Create a new Podman secret in temporary storage on /run to avoid it being persisted.
         let _ = run_cmd!(echo -n $value | podman secret create --driver-opts file=/run/podman/secrets --replace $name -);
 
+        // Also store in the secrets environment file.
+        if !existing_env_vars.contains(&name_upper) {
+            writeln!(&mut secrets_env, "{name_upper}={value}")?;
+            existing_env_vars.insert(name_upper);
+        }
+
         slog::info!(logger, "provisioned secret"; "pub_name" => pub_name);
     }
     Ok(())

runtime-sdk/src/modules/rofl/app/mod.rs

@@ -1,5 +1,5 @@
 //! Wrapper to make development of ROFL components easier.
-use std::sync::Arc;
+use std::{collections::BTreeMap, sync::Arc};
 
 use anyhow::Result;
 use async_trait::async_trait;
@@ -74,6 +74,20 @@ pub trait App: Send + Sync + 'static {
         tx
     }
 
+    /// Fetches custom app instance metadata that is included in its on-chain registration.
+    ///
+    /// This method is called before each registration refresh. Returning an error will not block
+    /// registration, rather it will result in the metadata being cleared.
+    async fn get_metadata(
+        self: Arc<Self>,
+        env: Environment<Self>,
+    ) -> Result<BTreeMap<String, String>>
+    where
+        Self: Sized,
+    {
+        Ok(BTreeMap::new())
+    }
+
     /// Custom post-registration initialization. It runs before any image-specific scripts are
     /// called by the runtime so it can be used to do things like set up custom storage after
     /// successful registration.

runtime-sdk/src/modules/rofl/app/registration.rs

@@ -107,6 +107,15 @@ where
             "epoch" => epoch,
         );
 
+        let metadata = match self.state.app.clone().get_metadata(self.env.clone()).await {
+            Ok(metadata) => metadata,
+            Err(err) => {
+                slog::error!(self.logger, "failed to get instance metadata"; "err" => ?err);
+                // Do not prevent registration, just clear metadata.
+                Default::default()
+            }
+        };
+
         // Refresh registration.
         let ect = self
             .state
@@ -118,6 +127,7 @@ where
             ect,
             expiration: epoch + 2,
             extra_keys: vec![self.env.signer().public_key()],
+            metadata,
         };
 
         let tx = self.state.app.new_transaction("rofl.Register", register);

runtime-sdk/src/modules/rofl/mod.rs

@@ -372,6 +372,7 @@ impl<Cfg: Config> Module<Cfg> {
             rek: body.ect.capability_tee.rek.ok_or(Error::InvalidArgument)?, // REK required.
             expiration: body.expiration,
             extra_keys: body.extra_keys,
+            metadata: body.metadata,
         };
         state::update_registration(registration)?;
 

runtime-sdk/src/modules/rofl/types.rs

@@ -100,6 +100,9 @@ pub struct Register {
     ///
     /// All of these keys need to co-sign the registration transaction to prove ownership.
     pub extra_keys: Vec<PublicKey>,
+    /// Arbitrary app-specific metadata.
+    #[cbor(optional)]
+    pub metadata: BTreeMap<String, String>,
 }
 
 /// Kind of key for derivation.
@@ -151,6 +154,9 @@ pub struct Registration {
     pub expiration: EpochTime,
     /// Extra public keys to endorse (e.g. secp256k1 keys).
     pub extra_keys: Vec<PublicKey>,
+    /// Arbitrary app-specific metadata.
+    #[cbor(optional)]
+    pub metadata: BTreeMap<String, String>,
 }
 
 /// Application-related query.