Merge pull request #226 from iExecBlockchainComputing/release/8.4.0

Release/8.4.0
iExecBlockchainComputing · Jan 10, 2024 · d65b4f6 · d65b4f6
2 parents 4138261 + 8adb186
commit d65b4f6
Show file tree

Hide file tree

Showing 27 changed files with 1,799 additions and 251 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,20 +2,55 @@
 
 All notable changes to this project will be documented in this file.
 
+## [[8.4.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.4.0) 2024-01-10
+
+### New Features
+
+- Add a security filter to activate an API Key mechanism on endpoints. (#207)
+- Create admin endpoints foundation. (#208 #209)
+- Add H2 database connection informations and storage ID decoding method. (#210)
+- Add the ability to trigger a backup via a dedicated endpoint. (#211, #215)
+- Add the ability to trigger a database restore via a dedicated endpoint. (#212)
+- Add the ability to trigger a delete via a dedicated endpoint. (#213)
+- Add the ability to trigger a backup replication via a dedicated endpoint. (#214)
+- Add the ability to trigger a backup copy via a dedicated endpoint. (#217)
+- Expose version through prometheus endpoint and through VersionController. (#220 #221)
+
+### Bug Fixes
+
+- Remove MockTeeConfiguration and set scone instead in `TeeTaskComputeSecretIntegrationTests`. (#222)
+- Remove `/up` endpoint. (#224)
+- Fix `README.md` and remove some code smells. (#225)
+
+### Dependency Upgrades
+
+- Upgrade to `eclipse-temurin:11.0.21_9-jre-focal`. (#219)
+- Upgrade to Spring Boot 2.7.17. (#218)
+- Upgrade to Spring Dependency Management Plugin 1.1.4. (#218)
+- Upgrade to Spring Doc OpenAPI 1.7.0. (#220)
+- Upgrade to `jenkins-library` 2.7.4. (#216)
+- Upgrade to `iexec-commons-poco` 3.2.0. (#223)
+- Upgrade to `iexec-common` 8.3.1. (#223)
+
 ## [[8.3.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.3.0) 2023-09-28
 
 ### Bug Fixes
+
 - Fix and harmonize `Dockerfile entrypoint` in all Spring Boot applications. (#194)
 - Check authorization before working with web2 or web3 secrets. (#200)
+
 ### Quality
+
 - Upgrade to Gradle 8.2.1 with up-to-date plugins. (#193)
 - Use `JpaRepository` in all repository classes for improved features. (#195)
 - Remove session display option to prevent information leaks. (#197)
 - Immutable classes for TEE enclaves and sessions manipulations. (#198)
 - Immutable `TeeAppProperties` class with `@Builder` pattern. (#201)
 - Fix Scone generated sessions permissions. (#202)
 - Remove `VersionService#isSnapshot`. (#204)
+
 ### Dependency Upgrades
+
 - Upgrade to `eclipse-temurin` 11.0.20. (#191)
 - Upgrade to Spring Boot 2.7.14. (#192)
 - Upgrade to Spring Dependency Management Plugin 1.1.3. (#192)
@@ -27,58 +62,77 @@ All notable changes to this project will be documented in this file.
 ## [[8.2.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.2.0) 2023-08-11
 
 ### New Features
+
 - Export metrics on secrets counts. (#181)
+
 ### Quality
+
 - Remove `nexus.intra.iex.ec` repository. (#180)
 - Parameterize build of TEE applications while PR is not started. This allows faster builds. (#182 #184)
 - Refactor secrets measures. (#185)
 - Update `sconify.sh` script and use latest `5.7.2-wal` sconifier. (#186 #187 #188)
 - Add `/metrics` endpoint. (#183)
+
 ### Dependency Upgrades
+
 - Upgrade to `jenkins-library` 2.6.0. (#182)
 
 ## [[8.1.2]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.1.2) 2023-06-27
 
 ### Dependency Upgrades
+
 - Upgrade to `iexec-commons-poco` 3.0.5. (#178)
 
 ## [[8.1.1]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.1.1) 2023-06-23
 
 ### Dependency Upgrades
+
 - Upgrade to `iexec-common` 8.2.1. (#176)
 - Upgrade to `iexec-commons-poco` 3.0.4. (#176)
 
 ## [[8.1.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.1.0) 2023-06-07
 
 ### New Features
+
 - Enable Prometheus actuator. (#166)
+
 ### Bug Fixes
+
 - Remove unused dependencies. (#168)
 - Use DatasetAddress in `IEXEC_DATASET_FILENAME` environment variable. (#172)
+
 ### Dependency Upgrades
+
 - Upgrade to `feign` 11.10. (#167)
 - Upgrade to `iexec-common` 8.2.0. (#169 #170 #171 #173)
 - Add new `iexec-commons-poco` 3.0.2 dependency. (#169 #170 #171 #173)
 
 ## [[8.0.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.0.0) 2023-03-06
 
 ### New Features
+
 * Support SMS in enclave for Scone TEE tasks.
 * Support Gramine framework for TEE tasks.
 * Add `GET /up` client method in iexec-sms-library.
 * Return a same `SmsClient` from the `SmsClientProvider` of iexec-sms-library when calling a same SMS URL.
 * Add iExec banner at startup.
 * Show application version on banner.
+
 ### Bug Fixes
+
 * Remove TLS context on server.
 * Remove `GET /secrets` endpoints.
 * Remove non-TEE workflow.
 * Remove enclave entrypoints from Gramine sessions since already present in manifests of applications.
 * Update Scone transformation parameters to enable health checks in SMS in enclave.
+
 ### Quality
+
 * Refactor secret model.
 * Improve code quality.
+
 ### Dependency Upgrades
+
 * Upgrade to Spring Boot 2.6.14.
 * Upgrade to Gradle 7.6.
 * Upgrade OkHttp to 4.9.0.
@@ -121,7 +175,7 @@ All notable changes to this project will be documented in this file.
 
 * Add TEE pre-compute stage for iExec Workers (confidential tasks inputs).
 * Enable confidential task on iExec Workers with production enclave mode.
- (pre-compute, compute and post-compute stages).
+  (pre-compute, compute and post-compute stages).
 * Expose trusted TEE configuration for iExec Workers.
 * Add custom options for security policies.
 * Disable requester post-compute.

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:11.0.20_8-jre-focal
+FROM eclipse-temurin:11.0.21_9-jre-focal
 
 ARG jar
 

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,8 +1,10 @@
-@Library('global-jenkins-library@2.7.3') _
+@Library('global-jenkins-library@2.7.4') _
 
 String repositoryName = 'iexec-sms'
 
-buildInfo = getBuildInfo()
+buildInfo = buildJavaProject(
+        shouldPublishJars: true,
+        shouldPublishDockerImages: true)
 
 // add parameters for non-PR builds when branch is not develop or production branch
 boolean addParameters = !buildInfo.isPullRequestBuild && !buildInfo.isDevelopBranch && !buildInfo.isProductionBranch
@@ -15,14 +17,6 @@ if (addParameters) {
   ])
 }
 
-buildJavaProject(
-        buildInfo: buildInfo,
-        integrationTestsEnvVars: [],
-        shouldPublishJars: true,
-        shouldPublishDockerImages: true,
-        dockerfileDir: '.',
-        buildContext: '.')
-
 // BUILD_TEE parameter only exists if addParameters is true
 // If BUILD_TEE is false, TEE builds won't be executed and we return here
 if (addParameters && !params.BUILD_TEE) {

diff --git a/README.md b/README.md
@@ -49,9 +49,11 @@ To support:
 | --- | --- | --- | --- | --- |
 | `IEXEC_SMS_TEE_RUNTIME_FRAMEWORK` | Define which TEE framework this _iExec SMS_ supports. | `scone` or `gramine` | | |
 | `IEXEC_SMS_PORT` | Server HTTP port. | Positive integer | `13300` | `13300` |
-| `IEXEC_SMS_H2_URL` | JDBC URL of the database. | URL | `jdbc:h2:file:/tmp/h2/sms-h2` |  `jdbc:h2:file:/tmp/h2/sms-h2` |
+| `IEXEC_SMS_H2_URL` | JDBC URL of the database. | URL | `jdbc:h2:file:/data/sms-h2` | `jdbc:h2:file:/data/sms-h2` |
 | `IEXEC_SMS_H2_CONSOLE` | Whether to enable the H2 console. | Boolean | `false` | `false` |
 | `IEXEC_SMS_STORAGE_ENCRYPTION_AES_KEY_PATH` | Path to the key created and used to encrypt secrets. | String | `src/main/resources/iexec-sms-aes.key` | `src/main/resources/iexec-sms-aes.key` |
+| `IEXEC_SMS_ADMIN_API_KEY` | API key used to authorize calls to `/admin` endpoints. | String | | |
+| `IEXEC_SMS_ADMIN_STORAGE_LOCATION` | Storage location where to persist replicated backups. It must be an absolute directory path. | String | `/backup` | `/backup` |
 | `IEXEC_CHAIN_ID` | Chain ID of the blockchain network to connect. | Positive integer | `134` |  `134` |
 | `IEXEC_IS_SIDECHAIN` | Define whether iExec on-chain protocol is built on top of token (`false`) or native currency (`true`). | Boolean | `true` | `true` |
 | `IEXEC_SMS_BLOCKCHAIN_NODE_ADDRESS` | URL to connect to the blockchain node. | URL | `https://bellecour.iex.ec` | `https://bellecour.iex.ec` |

diff --git a/build.gradle b/build.gradle
@@ -1,8 +1,8 @@
 plugins {
     id 'java'
     id 'io.freefair.lombok' version '8.2.2'
-    id 'org.springframework.boot' version '2.7.14'
-    id 'io.spring.dependency-management' version '1.1.3'
+    id 'org.springframework.boot' version '2.7.17'
+    id 'io.spring.dependency-management' version '1.1.4'
     id 'jacoco'
     id 'org.sonarqube' version '4.2.1.3168'
     id 'maven-publish'
@@ -37,8 +37,10 @@ allprojects {
     }
     java {
         toolchain {
-            languageVersion.set(JavaLanguageVersion.of(11))
+            languageVersion.set(JavaLanguageVersion.of(17))
         }
+        sourceCompatibility = "11"
+        targetCompatibility = "11"
     }
 }
 
@@ -71,10 +73,10 @@ dependencies {
     implementation 'org.springframework.retry:spring-retry'
     // H2
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-    runtimeOnly 'com.h2database:h2:2.2.222'
+    implementation 'com.h2database:h2:2.2.222'
 
     // Spring Doc
-    implementation 'org.springdoc:springdoc-openapi-ui:1.6.3'
+    implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
 
     //ssl
     implementation 'org.apache.httpcomponents:httpclient'
@@ -101,7 +103,7 @@ springBoot {
 tasks.named("bootJar") {
     manifest {
         attributes("Implementation-Title": "iExec Secret Management Service",
-                   "Implementation-Version": project.version)
+                "Implementation-Version": project.version)
     }
 }
 
@@ -110,7 +112,7 @@ test {
 }
 
 tasks.register('itest', Test) {
-    group       'Verification'
+    group 'Verification'
     description 'Runs the integration tests.'
     testClassesDirs = sourceSets.integrationTest.output.classesDirs
     classpath = sourceSets.integrationTest.runtimeClasspath
@@ -124,7 +126,7 @@ jacocoTestReport {
         xml.required = true
     }
 }
-tasks.test.finalizedBy    tasks.jacocoTestReport
+tasks.test.finalizedBy tasks.jacocoTestReport
 tasks.sonarqube.dependsOn tasks.jacocoTestReport
 
 publishing {
@@ -145,28 +147,21 @@ publishing {
     }
 }
 
-ext.jarPathForOCI  = relativePath(tasks.bootJar.outputs.files.singleFile)
+ext.jarPathForOCI = relativePath(tasks.bootJar.outputs.files.singleFile)
 ext.gitShortCommit = 'git rev-parse --short=8 HEAD'.execute().text.trim()
-ext.ociImageName   = 'local/' + ['bash', '-c', 'basename $(git config --get remote.origin.url) .git'].execute().text.trim()
+ext.ociImageName = 'local/' + ['bash', '-c', 'basename $(git config --get remote.origin.url) .git'].execute().text.trim()
 
 tasks.register('buildImage', Exec) {
-    group       'Build'
+    group 'Build'
     description 'Builds an OCI image from a Dockerfile.'
-    dependsOn   bootJar
-    commandLine ('sh', '-c', "docker build --build-arg jar=$jarPathForOCI"
-            + " -t $ociImageName:$gitShortCommit . && docker tag $ociImageName:$gitShortCommit $ociImageName:dev")
-    standardOutput = new ByteArrayOutputStream()
-
-    ext.output = {
-        println standardOutput
-        return standardOutput.toString()
-    }
+    dependsOn bootJar
+    commandLine 'docker', 'build', '--build-arg', 'jar=' + jarPathForOCI, '-t', ociImageName + ':dev', '.'
 }
 
 tasks.register('buildSconeImage', Exec) {
-    group       "Build"
+    group "Build"
     description "Build an OCI image compatible with scontain TEE framework"
-    dependsOn   buildImage
+    dependsOn buildImage
     commandLine "docker/sconify.sh"
     environment "IMG_FROM", "$ociImageName:dev"
     environment "IMG_TO", "$ociImageName-unlocked:dev"

diff --git a/gradle.properties b/gradle.properties
@@ -1,6 +1,6 @@
-version=8.3.0
-iexecCommonVersion=8.3.0
-iexecCommonsPocoVersion=3.1.0
+version=8.4.0
+iexecCommonVersion=8.3.1
+iexecCommonsPocoVersion=3.2.0
 
 nexusUser
 nexusPassword
diff --git a/iexec-sms-library/build.gradle b/iexec-sms-library/build.gradle
@@ -15,6 +15,8 @@ dependencies {
 }
 
 java {
+    sourceCompatibility = "11"
+    targetCompatibility = "11"
     withJavadocJar()
     withSourcesJar()
 }

diff --git a/iexec-sms-library/src/main/java/com/iexec/sms/api/SmsClient.java b/iexec-sms-library/src/main/java/com/iexec/sms/api/SmsClient.java
@@ -31,13 +31,11 @@
  * Interface allowing to instantiate a Feign client targeting SMS REST endpoints.
  * <p>
  * To create the client, see the related builder.
+ *
  * @see SmsClientBuilder
  */
 public interface SmsClient {
 
-    @RequestLine("GET /up")
-    String isUp();
-
     // region Secrets
     @RequestLine("POST /apps/{appAddress}/secrets/1")
     @Headers("Authorization: {authorization}")

diff --git a/src/itest/java/com/iexec/sms/MockTeeConfiguration.java b/src/itest/java/com/iexec/sms/MockTeeConfiguration.java
diff --git a/src/itest/java/com/iexec/sms/secret/compute/TeeTaskComputeSecretIntegrationTests.java b/src/itest/java/com/iexec/sms/secret/compute/TeeTaskComputeSecretIntegrationTests.java
@@ -47,12 +47,11 @@
 
 import static com.iexec.commons.poco.utils.SignatureUtils.signMessageHashAndGetSignature;
 import static com.iexec.sms.MockChainConfiguration.MOCK_CHAIN_PROFILE;
-import static com.iexec.sms.MockTeeConfiguration.MOCK_TEE_PROFILE;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @Slf4j
-@ActiveProfiles({MOCK_TEE_PROFILE, MOCK_CHAIN_PROFILE, "test"})
+@ActiveProfiles({"scone", MOCK_CHAIN_PROFILE, "test"})
 public class TeeTaskComputeSecretIntegrationTests extends CommonTestSetup {
     private static final String APP_ADDRESS = "0xabcd1339ec7e762e639f4887e2bfe5ee8023e23e";
     private static final String UPPER_CASE_APP_ADDRESS = "0xABCD1339EC7E762E639F4887E2BFE5EE8023E23E";

diff --git a/src/main/java/com/iexec/sms/AppController.java b/src/main/java/com/iexec/sms/AppController.java