tee-worker initial implementation

.dockerignore

@@ -0,0 +1,3 @@
+./tee/private.pem
+contracts/node_modules
+bin/

.github/workflows/images.yml

@@ -0,0 +1,70 @@
+---
+    name: 'build container images'
+
+    on:
+      push:
+        branches:
+          - master
+          - main
+        tags:
+          - '*'
+    concurrency:
+      group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
+      cancel-in-progress: true
+    jobs:
+      docker:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Checkout
+            uses: actions/checkout@v4
+
+          - name: Prepare
+            id: prep
+            run: |
+              DOCKER_IMAGE=masaengineering/tee-worker
+              # Use branch name as default
+              VERSION=${GITHUB_REF#refs/heads/}
+              BINARY_VERSION=$(git describe --always --tags --dirty)
+              SHORTREF=${GITHUB_SHA::8}
+              # If this is git tag, use the tag name as a docker tag
+              if [[ $GITHUB_REF == refs/tags/* ]]; then
+                VERSION=${GITHUB_REF#refs/tags/}
+              fi
+              TAGS="${DOCKER_IMAGE}:${VERSION},${DOCKER_IMAGE}:${SHORTREF}"
+              # If the VERSION looks like a version number, assume that
+              # this is the most recent version of the image and also
+              # tag it 'latest'.
+              if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+                TAGS="$TAGS,${DOCKER_IMAGE}:latest"
+              fi
+              # Set output parameters.
+              echo ::set-output name=binary_version::${BINARY_VERSION}
+              echo ::set-output name=tags::${TAGS}
+              echo ::set-output name=docker_image::${DOCKER_IMAGE}
+          - name: Set up QEMU
+            uses: docker/setup-qemu-action@master
+            with:
+              platforms: all
+
+          - name: Set up Docker Buildx
+            id: buildx
+            uses: docker/setup-buildx-action@master
+
+          - name: Login to DockerHub
+            if: github.event_name != 'pull_request'
+            uses: docker/login-action@v3
+            with:
+              username: ${{ secrets.DOCKER_USERNAME }}
+              password: ${{ secrets.DOCKER_PASSWORD }}
+
+          - name: Build
+            uses: docker/build-push-action@v6
+            with:
+              builder: ${{ steps.buildx.outputs.name }}
+              build-args: |
+                VERSION=${{ steps.prep.outputs.binary_version }}
+              context: ./
+              file: ./Dockerfile
+              platforms: linux/amd64,linux/arm64
+              push: true
+              tags: ${{ steps.prep.outputs.tags }}

.github/workflows/tests.yml

@@ -0,0 +1,24 @@
+name: Run Go Tests
+
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    branches:
+      - '**'
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Run tests
+      run: |
+        make test
+        sudo mv coverage/coverage.txt coverage.txt
+        sudo chmod 777 coverage.txt
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v4
+      with:
+        token: ${{ secrets.CODECOV_TOKEN }}

.gitignore

@@ -0,0 +1,78 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+*.log
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+.env
+.idea/**
+.vscode/**
+*.log
+.DS_Store
+
+private.key
+masa-oracle
+
+tools/tools
+tools/*.json
+tools/*.bin
+bin/
+
+# smart contracts
+node_modules
+
+# Hardhat files
+/cache
+/artifacts
+
+# TypeChain files
+/typechain
+/typechain-types
+
+# solidity-coverage files
+/coverage
+/coverage.json
+
+# masa-keys generated and used with Docker
+.masa-keys
+yarn.lock
+/pkg/masacrypto/cert.pem
+/pkg/masacrypto/key.pem
+/pkg/masacrypto/testCert.pem
+/pkg/masacrypto/testKey.pem
+CACHE/
+
+cmd/masa-node-cli/key.txt
+cmd/masa-node-cli/elabkey.txt
+cmd/masa-node-cli/output.mp3
+cmd/masa-node-cli/log.txt
+output.mp3
+docs/api-reference.md
+./masa-node
+transcription.txt
+snippets.txt
+.env copy
+
+# Build result of goreleaser
+dist/
+bp-todo.md
+
+# TEE
+tee/private.pem

Dockerfile

@@ -0,0 +1,37 @@
+ARG egover=1.5.4
+ARG baseimage=ghcr.io/edgelesssys/ego-deploy:v${egover}
+ARG VERSION
+# Build the Go binary in a separate stage utilizing Makefile
+FROM ghcr.io/edgelesssys/ego-dev:v${egover} AS builder
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+
+ENV VERSION=${VERSION}
+
+RUN make build
+
+RUN --mount=type=secret,id=private_key,dst=/app/tee/private.pem make sign
+
+RUN make bundle
+
+# Use the official Ubuntu 22.04 image as a base for the final image
+FROM ${baseimage} AS base
+
+COPY --from=builder /app/bin/masa-tee-worker /usr/bin/masa-tee-worker
+
+# Create the 'masa' user and set up the home directory
+RUN useradd -m -s /bin/bash masa && mkdir -p /home/masa && chown -R masa:masa /home/masa
+
+# Switch to user 'masa' for following commands
+USER masa
+
+WORKDIR /home/masa
+
+# Expose necessary ports
+EXPOSE 8080
+
+# Set default command to start the Go application
+CMD ego run /usr/bin/masa-tee-worker

Makefile

@@ -0,0 +1,38 @@
+VERSION?=$(shell git describe --tags --abbrev=0)
+PWD:=$(shell pwd)
+IMAGE?=masa-tee-worker:latest
+
+print-version:
+	@echo "Version: ${VERSION}"
+
+clean:
+	@rm -rf bin
+
+docker-compose-up:
+	@docker compose up --build
+
+build:
+	@ego-go build -v -gcflags=all="-N -l" -ldflags '-linkmode=external -extldflags=-static' -ldflags "-X github.com/masa-finance/tee-worker/internal/versioning.ApplicationVersion=${VERSION}" -o ./bin/masa-tee-worker ./cmd/tee-worker
+
+sign: tee/private.pem
+	@ego sign ./tee/masa-tee-worker.json
+
+bundle:
+	@ego bundle ./bin/masa-tee-worker
+
+run-simulate: docker-build
+	@docker run --net host -e OE_SIMULATION=1 --rm -v $(PWD)/.masa:/home/masa -ti $(IMAGE)
+
+run-sgx: docker-build
+	@docker run --device /dev/sgx_enclave --device /dev/sgx_provision --net host --rm -v $(PWD)/.masa:/home/masa -ti $(IMAGE)
+
+## TEE bits
+tee/private.pem:
+	@openssl genrsa -out tee/private.pem -3 3072
+
+docker-build: tee/private.pem
+	@docker build --secret id=private_key,src=./tee/private.pem  -t $(IMAGE) -f Dockerfile .
+
+test: tee/private.pem
+	@docker build --build-arg baseimage=builder --secret id=private_key,src=./tee/private.pem -t $(IMAGE) -f Dockerfile .
+	@docker run --user root -v $(PWD)/coverage:/app/coverage --rm --workdir /app $(IMAGE) go test -coverprofile=coverage/coverage.txt -covermode=atomic -v ./...

api/types/encrypted.go

@@ -0,0 +1,9 @@
+package types
+
+type EncryptedRequest struct {
+	EncryptedResult string `json:"encrypted_result"`
+}
+
+type JobError struct {
+	Error string `json:"error"`
+}

api/types/job.go

@@ -0,0 +1,32 @@
+package types
+
+import "encoding/json"
+
+type JobResponse struct {
+	UID string `json:"uid"`
+}
+
+type JobArguments map[string]interface{}
+
+type JobResult struct {
+	Error string      `json:"error"`
+	Data  interface{} `json:"data"`
+}
+
+func (jr JobResult) Success() bool {
+	return jr.Error == ""
+}
+
+type Job struct {
+	Type      string       `json:"type"`
+	Arguments JobArguments `json:"arguments"`
+	UUID      string       `json:"-"`
+}
+
+func (ja JobArguments) Unmarshal(i interface{}) error {
+	dat, err := json.Marshal(ja)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(dat, i)
+}

cmd/tee-worker/main.go

@@ -0,0 +1,11 @@
+package main
+
+import (
+	"context"
+
+	"github.com/masa-finance/tee-worker/internal/api"
+)
+
+func main() {
+	api.Start(context.Background(), ":8080")
+}

go.mod

@@ -0,0 +1,32 @@
+module github.com/masa-finance/tee-worker
+
+go 1.22.2
+
+require (
+	github.com/edgelesssys/ego v1.5.4
+	github.com/google/uuid v1.6.0
+	github.com/labstack/echo/v4 v4.12.0
+	github.com/onsi/ginkgo/v2 v2.20.2
+	github.com/onsi/gomega v1.34.2
+)
+
+require (
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
+	github.com/labstack/gommon v0.4.2 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.2 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)