shifted to public CAS by generating random sessions

.gitignore

@@ -54,6 +54,7 @@ avalon-scone/client.crt
 avalon-scone/kme_session.yml
 avalon-scone/Dockerfile-scone-kme
 avalon-scone/Dockerfile-scone-worker
+avalon-scone/myenv
 tc/sgx/common/build/
 tc/sgx/trusted_worker_manager/enclave/build/
 tc/sgx/trusted_worker_manager/enclave/deps/

BUILD.md

@@ -22,7 +22,7 @@ _CAS image is not available in SCONE free tier, hence the user must upgrade to S
 	```
 - After successful login you can access the SCONE images required for Hyperledger Avalon and test the workflows.
 
-## RUN in Hardware Mode with File System and Network Shields enabled by public SCONE CAS (Secure)
+## RUN in Hardware Mode with File System and Network Shields enabled by SCONE CAS (Secure)
 
 - To run the in Secure Hardware Mode, get the latest code from master branch:
 
@@ -36,7 +36,7 @@ _CAS image is not available in SCONE free tier, hence the user must upgrade to S
   ./scone-demo.sh start
   ./scone-demo.sh stop
   ```
-  It automatically starts SCONE CAS and LAS, then it creates images for SCONE KME and SCONE Workers. You can change the number of workers in config/scone_config.toml and docker-compose-scone-avalon.yaml files. In basic demo there are 5 SCONE workers which have some pre-existing examples too. 
+  It automatically starts SCONE CAS and LAS, then it creates images for SCONE KME and SCONE Workers. You can change the number of workers in config/scone_config.toml and docker-compose-scone-avalon.yaml files. In basic demo there are 3 SCONE workers which have some pre-existing examples too. 
 
 
 ### Examples

README.md

@@ -64,7 +64,7 @@ For demo of the applications running with SCONE workers, see
 
 _CAS image is not available in SCONE free tier, hence the user must upgrade to Standard or Business edition if private CAS is desired in the cluster._
 
-To build Hyperledger Avalon, follow instructions in the
+To build Hyperledger Avalon with SCONE, follow instructions in the
 [build document](BUILD.md).
 
 ## Documentation

avalon-scone/Dockerfile

@@ -1,4 +1,4 @@
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/README.md

@@ -68,7 +68,7 @@ This app has a redis data store and python backend. We use SCONE curated redis a
   ./scone-demo.sh start
   ./scone-demo.sh stop
   ```
-  This will create 5 worker containers registered with Avalon Manager waiting for the requests.
+  This will create 3 worker containers registered with Avalon Manager waiting for the requests.
 
 ### Test SCONE workers in secure mode using Avalon
 

avalon-scone/create_image.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -42,12 +42,14 @@ function cleanup {
 export AVALON_SCONE_IMAGE_NAME="avalon-scone-dev"
 export KME_IMAGE_NAME="avalon-scone-kme-dev"
 export WORKER_IMAGE_NAME="avalon-scone-worker-dev"
-export SCONE_CAS_EXTERNAL_ADDR="localhost:8082"
-export SCONE_CAS_ADDR="cas"
+export SCONE_CAS_EXTERNAL_ADDR="4-2-1.scone-cas.cf:8081"
+export SCONE_CAS_ADDR="4-2-1.scone-cas.cf"
 export DEVICE="/dev/sgx"
 export KME_ALIAS="scone-kme"
+export KME_SESSION_NAME="scone-kme-$RANDOM-$RANDOM-$RANDOM"
+#export KME_SESSION_NAME="scone-kme"
 export AVALON_NETWORK="avalon-network"
-export CAS_MRENCLAVE="309e23ffab10255e7332c92b230d2208dcbc5db0408c3af26093c830033bc2e4"
+export CAS_MRENCLAVE="4cd0fe54d3d8d787553b7dac7347012682c402220acd062e4d0da3bbe10a1c2c"
 export SCONE_RUNTIME_IMAGE="registry.scontain.com:5050/sconecuratedimages/crosscompilers:runtime-alpine3.7-scone4"
 export CLI_IMAGE="registry.scontain.com:5050/sconecuratedimages/kubernetes:hello-k8s-scone0.1"
 
@@ -125,6 +127,7 @@ ENV LD_LIBRARY_PATH="/project/custom-libressl/lib/:/project/custom-libffi/lib"
 ENV PATH="\$PATH:/project/custom-python/bin:/project/custom-python/lib:/project/muslusr/lib"
 ENV PYTHONHOME=/project/custom-python
 ENV TCF_HOME=/project/avalon
+ENV SCONE_CAS_ADDR=$SCONE_CAS_ADDR
 WORKDIR /project/avalon
 EOF
 
@@ -134,19 +137,26 @@ docker build -f Dockerfile-scone-kme -t $KME_IMAGE_NAME .
 # creating lightweight Dockerfile for Worker by copying FS created in previous step
 cat > Dockerfile-scone-worker <<EOF
 FROM $SCONE_RUNTIME_IMAGE
-COPY scone_worker/wait-for.sh /wait-for.sh
+COPY scone_worker/entrypoint.sh /entrypoint.sh
 COPY worker-fs/protected-files /project
 ENV LD_LIBRARY_PATH="/project/custom-libressl/lib/:/project/custom-libffi/lib:/project/muslusr/lib"
 ENV PATH="\$PATH:/project/custom-python/bin:/project/custom-python/lib:/project/muslusr/lib"
 ENV PYTHONHOME=/project/custom-python
 ENV TCF_HOME=/project/avalon
+ENV SCONE_CAS_ADDR=$SCONE_CAS_ADDR
 RUN apk add curl
 WORKDIR /project/avalon
 EOF
 
 # create a image with encrypted scone worker code and authenticated libraries
 docker build -f Dockerfile-scone-worker -t $WORKER_IMAGE_NAME .
 
+export KME_MREnclave=$(docker run --device=/dev/isgx -it avalon-scone-kme-dev sh -c "SCONE_MODE=HW SCONE_HASH=1 SCONE_ALPINE=1 SCONE_VERSION=1 SCONE_HEAP=4G SCONE_ALLOW_DLOPEN=1 python3") 
+export Worker_MREnclave=$(docker run --device=/dev/isgx -it avalon-scone-worker-dev sh -c "SCONE_MODE=HW SCONE_HASH=1 SCONE_ALPINE=1 SCONE_VERSION=1 SCONE_HEAP=4G SCONE_ALLOW_DLOPEN=1 python3")
+
+export KME_MREnclave=`echo $KME_MREnclave | sed 's/\\r//g'`
+export Worker_MREnclave=`echo $Worker_MREnclave | sed 's/\\r//g'`
+
 
 # ensure that we have self-signed client certificate
 
@@ -166,20 +176,21 @@ export WORKER_SCONE_FSPF_TAG=$(cat $(pwd)/worker-fs/native-files/keytag | awk '{
 
 echo "Writing session file"
 cat > kme_session.yml <<EOF
-name: $KME_ALIAS
+name: $KME_SESSION_NAME
 version: "0.3"
 
 services:
   - name: certificate-generation
     image_name: kme_image
-    mrenclaves: [c9f7c9d89a1ff120a78a27cf0c9c2f572f0c7df7553cafea5de5b7a78bdc4718]
+    mrenclaves: [$KME_MREnclave]
     command: python3 key_manager.py
     environment:
       TCF_HOME: "/project/avalon"
       PYTHONHOME: "/project/custom-python"
       LD_LIBRARY_PATH: "/project/custom-libressl/lib/:/project/custom-libffi/lib"
       WORKER_FS_KEY: "$WORKER_SCONE_FSPF_KEY"
       WORKER_FS_TAG: "$WORKER_SCONE_FSPF_TAG"
+      WORKER_MRENCLAVE: "$Worker_MREnclave"
     pwd: /project/avalon
     fspf_tag: $KME_SCONE_FSPF_TAG
     fspf_key: $KME_SCONE_FSPF_KEY
@@ -221,6 +232,10 @@ security:
 
 EOF
 
+cat > myenv << EOF
+export KME_SESSION_NAME="$KME_SESSION_NAME"
+EOF
+
 curl -v -s --cacert cas-ca.pem --cert client.crt  --key client-key.key  --data-binary @kme_session.yml -X POST https://$SCONE_CAS_EXTERNAL_ADDR/session
 
 cleanup

avalon-scone/key_management_enclave/avalon_key_manager/key_manager.py

@@ -1,4 +1,4 @@
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -21,13 +21,16 @@
 import toml
 import json
 import random
+import string
 from flask import Flask
 from OpenSSL import crypto, SSL
-
+ 
 
 app = Flask(__name__)
 
 tcf_home = os.environ.get("TCF_HOME", "/project/avalon")
+scone_workers_list=[]
+
 
 def generate_self_signed_certs(
     commonName="www.scontain.com",
@@ -81,24 +84,28 @@ def main(args=None):
 
 @app.route('/scone_workers')
 def get_workers():
-    """
-    Constructor to generate worker signing and encryption keys.
-    """
-    f = open("workers_added.txt", "r")
-    workers_file=f.read()
-    f.close()
-    workers_file=workers_file[:-1]
-    workers_array = workers_file.split(",")
-    workers_json = json.dumps(workers_array)
+    workers_json = json.dumps([ob.__dict__ for ob in scone_workers_list])
     return workers_json
 
+@app.route('/scone_worker_session/<worker_id>')
+def get_worker_session(worker_id):
+    worker_session_id='invalid'
+    for valid_worker in scone_workers_list:
+        if valid_worker.worker_id==worker_id:
+            worker_session_id=valid_worker.worker_session_id   
+    return worker_session_id
+
+class Avalon_Scone_Workers:  
+    def __init__(self, worker_id, worker_session_id):  
+        self.worker_id = worker_id  
+        self.worker_session_id = worker_session_id
+
 class KeyManager():
 
     def __init__(self):
         """
         Constructor to generate worker signing and encryption keys.
         """
-        self.scone_workers_list = ""
         self._upload_worker_sessions()
 
     def _upload_worker_sessions(self):
@@ -111,6 +118,7 @@ def _upload_worker_sessions(self):
             # Get worker encryption tags
             fspf_key=os.environ["WORKER_FS_KEY"]
             fspf_tag=os.environ["WORKER_FS_TAG"]
+            Worker_MREnclave=os.environ["WORKER_MRENCLAVE"]
             # Generate worker signing key
             print("Generate worker signing and encryption keys")
             num_of_enclaves = int(config["EnclaveModule"]["num_of_enclaves"])
@@ -120,6 +128,9 @@ def _upload_worker_sessions(self):
                 count = count + 1
                 worker_id_template = config["WorkerConfig"]["worker_id_template"]
                 worker_id = worker_id_template.replace("-n", "-" + str(count))
+                letters_and_digits = string.ascii_letters + string.digits
+                #worker_session_id=worker_id
+                worker_session_id=''.join((random.choice(letters_and_digits) for i in range(10)))
                 print("worker_id ", worker_id)
                 sign = worker_signing.WorkerSign()
                 sign.generate_signing_key()
@@ -143,8 +154,9 @@ def _upload_worker_sessions(self):
                 session_file=session_file.replace("signing_private_key_value","\""+worker_private_sign_key.decode("utf-8")+"\"")
                 session_file=session_file.replace("signing_public_key_value","\""+worker_public_sign_key.decode("utf-8")+"\"")
                 session_file=session_file.replace("encryption_key_signature_value","\""+worker_public_enc_key_sign.hex()+"\"")
-                session_file=session_file.replace("MR_ENCLAVE", config["EnclaveManager"]["mrenclave_worker"])
-                session_file=session_file.replace("WORKER_ID", worker_id)
+                # Uploading expected MREnclave of worker in KME session
+                session_file=session_file.replace("MR_ENCLAVE", Worker_MREnclave)
+                session_file=session_file.replace("WORKER_ID", worker_session_id)
                 session_file=session_file.replace("WORKER_FSPF_TAG", fspf_tag)
                 session_file=session_file.replace("WORKER_FSPF_KEY", fspf_key)
 
@@ -156,15 +168,11 @@ def _upload_worker_sessions(self):
 
                 if p.text.find("\"hash\":")>=0:
                     print ('Session uploaded for : ', worker_id)
-                    self.scone_workers_list=self.scone_workers_list+worker_id+","
+                    scone_workers_list.append( Avalon_Scone_Workers(worker_id, worker_session_id) )
                 else:
                     print("Error in session uploading")
                     print(p.text)
 
-            f = open("workers_added.txt", "a")
-            f.write(self.scone_workers_list)
-            f.close()
-
         except Exception as e:
             print(str(e))
             sys.exit(-1)

avalon-scone/key_management_enclave/avalon_key_manager/test_worker_encryption.py

@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/key_management_enclave/avalon_key_manager/worker_encryption.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 
 # Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/key_management_enclave/avalon_key_manager/worker_hash.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 
 # Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/key_management_enclave/fspf.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/avalon_worker/work_order_processor.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 
 # Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/avalon_worker/worker_encryption.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 
 # Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/avalon_worker/worker_signing.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 
 # Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/avalon_worker/workload/hospital.py

@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/avalon_worker/workload/openvino.py

@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/avalon_worker/workload/transaction.py

@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

avalon-scone/scone_worker/entrypoint.sh

@@ -0,0 +1,27 @@
+#!/bin/ash
+
+# Copyright 2020 Mujtaba Idrees
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kme_api_url="https://scone-kme:5000/scone_worker_session/"
+
+while true ; do
+	result=$(curl -k -s $kme_api_url$1)
+	if [[ ${#result} -gt 0 ]] ; then
+		echo "Worker is starting!"
+		SCONE_MODE=HW SCONE_ALPINE=1 SCONE_VERSION=1 SCONE_HEAP=4G SCONE_ALLOW_DLOPEN=1 SCONE_CONFIG_ID=$result/avalon-scone-worker-session python3
+		exit 0
+	fi
+    sleep 2
+done

avalon-scone/scone_worker/fspf.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2020 Intel Corporation
+# Copyright 2020 Mujtaba Idrees
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.