Adding enclave restricted flags

[otherview]

Why this change is needed

https://github.com/ten-protocol/ten-internal/issues/2247

• container/cli.go flags now are either flag.TYPE or flag.RestrictedTYPE
• removed unused flag file test given that there is the default config
• added a new flag package
  • restricted flags are similarly defined as normal flags
  • restricted flags that can only be loaded from env variables and not from CLI ( error will occur )
  • restricted flags can only be read inside the enclave when prepended with EDG_
    -RESTRICTEDMODE is read from the env vars and defines if restricted flag can be read from CLI
• Enclave now has restricted flags
  • Ego signs enclave.json ( RESTRICTEDMODE = true) at build time ( default )
  • Ego signs enclave-test.json ( RESTRICTEDMODE = false) at build time
  • enclave.json has the default values for enclave to be run in testnet
  • local build (testnet launcher) is done with RESTRICTEDMODE = false

[coderabbitai]

Walkthrough

The changes across various files reflect a significant update to a Go project, focusing on the introduction of a new flag handling system that supports both restricted and unrestricted modes. This system is integrated into the enclave application's Dockerfile, CLI parsing, and configuration management. The Dockerfile has been modified to allow building the enclave in different modes based on a build argument. The Go code has been refactored to use the new flag package for parsing command-line arguments and environment variables, with tests added to ensure the functionality works as expected.

Changes

File Path	Change Summary
dockerfiles/enclave.Dockerfile	Added new build stages and RESTRICTEDMODE/TESTMODE argument to support compiling the enclave in different modes. Updated the signing process and documented the final container structure.
go/common/flag/flag.go	Introduced a new flag package with a WrappedFlag struct and functions for creating and parsing flags in restricted and unrestricted modes.
go/common/flag/flag_test.go	Added tests for the new flag package, including scenarios for restricted and unrestricted modes.
go/enclave/container/cli.go	Removed old flag and file-based config parsing, replaced with new flag.Restricted* methods.
testnet/testnet-local-build_images.sh	Modified Docker build command to include --build-arg RESTRICTEDMODE=false or --build-arg TESTMODE=true, affecting the enclave image build process.
go/config/... (enclave_cli_flags.go, enclave_config.go, enclave_config_test.go)	Updated the config package with new functions and global variables for handling enclave flags and configurations based on the new flag system. Added tests for CLI flag parsing and configuration creation.
go/enclave/main/main.go	Updated the main function to fetch and parse flags using the new flag system before creating the enclave configuration. Introduced NewConfigFromFlags method.

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• If you reply to a review comment from CodeRabbit, the bot will automatically respond.
• To engage with CodeRabbit bot directly around the specific lines of code in the PR, mention @coderabbitai in your review comment
• Note: Review comments are made on code diffs or files, not on the PR overview.
• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Note: For conversation with the bot, please use the review comments on code diffs or files.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

[coderabbitai]

Review Status

Actionable comments generated: 7

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 1d08a78 and 24afc63.

Files ignored due to filter (5)

• go.sum
• go/enclave/container/test.toml
• go/enclave/main/enclave-test.json
• go/enclave/main/enclave.json
• testnet/docker-compose.local.yml

Files selected for processing (5)

• dockerfiles/enclave.Dockerfile (2 hunks)
• go/common/flag/flag.go (1 hunks)
• go/common/flag/flag_test.go (1 hunks)
• go/enclave/container/cli.go (4 hunks)
• testnet/testnet-local-build_images.sh (1 hunks)

Additional comments: 3

dockerfiles/enclave.Dockerfile (1)

• 50-50: Verify that the default setting of OE_SIMULATION=1 aligns with the security requirements and intended use of the enclave, as this enables simulation mode by default.

go/common/flag/flag.go (1)

• 143-167: Verify if the environment variable prefix "EDG_" used in parseMandatoryFlags is intended to be hardcoded or if it should be configurable.

go/enclave/container/cli.go (1)

• 47-83: > Note: This review was outside the patches, so it was mapped to the patch with the greatest overlap. Original lines [47-114]

The refactoring of the ParseConfig function to use the new flag package and the removal of file-based configuration parsing is a significant change. Ensure that all necessary configuration options are available through the new flag-based mechanism and that the transition does not omit any critical configuration parameters. Additionally, verify that the new restricted flags are indeed restricted as intended and that the flagUsageMap is correctly populated and used.

[coderabbitai]

Consider providing a default value for the RESTRICTEDMODE argument to ensure the Dockerfile can be built even if the argument is not explicitly provided.

ARG RESTRICTEDMODE=false

[coderabbitai]

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 24afc63 and d92704e.

Files selected for processing (1)

• dockerfiles/enclave.Dockerfile (2 hunks)

[coderabbitai]

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between d92704e and 65484b2.

Files selected for processing (2)

• dockerfiles/enclave.Dockerfile (2 hunks)
• go/common/flag/flag.go (1 hunks)

Additional comments: 4

dockerfiles/enclave.Dockerfile (4)

• 13-13: The introduction of the RESTRICTEDMODE argument is a good practice for conditional builds and allows for flexibility in the build process.

• 54-55: The COPY command correctly specifies the destination path with a leading slash, ensuring the binary is copied to the correct location.

• 48-48: The use of variable substitution in the FROM instruction is a clever way to switch between build stages based on the RESTRICTEDMODE argument.

• 58-58: Setting the OE_SIMULATION environment variable to 1 by default is a clear way to indicate that simulation mode is active.

[tudor-malene]

I'm a bit stuck with the review and left a question

[tudor-malene]

I don't quite get it. How are the other values injected?

[otherview]

Are you referring to the other flags that are not restricted ? Those values are injected via the CLI flags.

[tudor-malene]

Also, to replace "Restricted_mode" with "Test_mode" ( and reverse the conditions)

[coderabbitai]

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 65484b2 and 394ee33.

Files ignored due to filter (1)

• testnet/docker-compose.local.yml

Files selected for processing (2)

• dockerfiles/enclave.Dockerfile (2 hunks)
• testnet/testnet-local-build_images.sh (1 hunks)

[coderabbitai]

Review Status

Actionable comments generated: 6

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 394ee33 and 7544d42.

Files ignored due to filter (2)

• go/enclave/main/enclave-test.json
• go/enclave/main/enclave.json

Files selected for processing (6)

• dockerfiles/enclave.Dockerfile (2 hunks)
• go/common/flag/flag.go (1 hunks)
• go/config/enclave_cli_flags.go (1 hunks)
• go/config/enclave_config.go (2 hunks)
• go/config/enclave_config_test.go (1 hunks)
• go/enclave/main/main.go (1 hunks)

Additional comments: 10

go/config/enclave_config.go (6)

• 15-16: The summary states that the import for "github.com/ethereum/go-ethereum/common" was removed, but it is still present in the code as an alias "gethcommon". Please verify this discrepancy.

• 108-137: The implementation of FromFlags function correctly handles errors related to flag retrieval and parsing, and it adheres to the summary description.

• 140-174: The implementation of retrieveEnvFlags function correctly handles errors related to environment flag parsing, and it adheres to the summary description.

• 176-210: The implementation of newConfig function correctly sets various fields of the EnclaveConfig based on the provided flags, and it adheres to the summary description.

• 108-137: The FromFlags function correctly returns an EnclaveConfig and an error as described in the summary.

• 108-137: The error handling in the FromFlags function for flag retrieval and parsing is implemented as described in the summary.

go/config/enclave_config_test.go (2)

• 12-20: The backup and restoration of the flag.CommandLine are correctly implemented to ensure test isolation.

• 26-45: The approach of setting flags directly on the flag.CommandLine and then parsing them is correct for simulating command line flag parsing in a test.

go/enclave/main/main.go (2)

• 21-21: Verify if tenflag.Parse() returns an error and ensure it is properly handled if it does.

• 29-29: Verify if container.Serve(enclaveContainer) returns an error and ensure it is properly handled if it does.

[coderabbitai]

Review Status

Actionable comments generated: 3

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 7544d42 and d1d3411.

Files selected for processing (2)

• go/config/enclave_config.go (2 hunks)
• go/config/enclave_config_test.go (1 hunks)

Additional comments: 3

go/config/enclave_config.go (2)

• 3-8: The summary mentions the addition of the "strings" import, but it is not visible in the provided hunk. Please verify if the "strings" import is indeed used and included in the file.

• 108-137: The FromFlags function introduces a new environment variable "EDG_TESTMODE". Ensure that this variable is well-documented and that its usage is clear to the users or operators of the system.

go/config/enclave_config_test.go (1)

• 13-63: The test TestCLIFlagTypes correctly sets up and asserts the values of various flags, ensuring that the flag parsing and configuration creation are functioning as expected.

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between d1d3411 and 2da41e0.

Files selected for processing (3)

• go/common/flag/flag.go (1 hunks)
• go/config/enclave_config.go (2 hunks)
• go/config/enclave_config_test.go (1 hunks)

Additional comments: 6

go/common/flag/flag.go (2)

• 49-49: The Value field in NewInt64Flag should be initialized to 0, not false.

-		Value:        false,
+		Value:        int64(0),

• 59-59: The Value field in NewUint64Flag should be initialized to 0, not false.

-		Value:        false,
+		Value:        uint64(0),

go/config/enclave_config.go (1)

• 108-144: The implementation of FromFlags correctly handles the distinction between test mode and normal operation, and the overriding of CLI flags with environment flags is consistent with the intended functionality.

go/config/enclave_config_test.go (3)

• 13-63: The test TestCLIFlagTypes is well-structured and tests the functionality of setting and retrieving different types of flags.

• 65-102:

• 104-137: The test TestRestrictedModeNoCLIDuplication correctly asserts that restricted flags should not be set via the command line and should raise an error if attempted.

[coderabbitai]

Review Status

Actionable comments generated: 2

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 2da41e0 and c01d897.

Files selected for processing (3)

• go/config/enclave_config.go (2 hunks)
• go/config/enclave_config_test.go (1 hunks)
• go/enclave/main/main.go (1 hunks)

Additional comments: 7

go/config/enclave_config.go (3)

• 108-145: The implementation of NewConfigFromFlags correctly checks for the EDG_TESTMODE environment variable to determine if the application is running in test mode and then retrieves environment flags accordingly. It also ensures that restricted flags are not set via the CLI when not in test mode, which aligns with the PR objectives.

• 147-187: The retrieveEnvFlags function enforces that all restricted environment variables must be set, which could lead to errors if some flags are optional. This behavior should be reviewed to ensure it aligns with the intended use of restricted flags, as it may not be desirable for all restricted flags to be mandatory.

• 189-223: The newConfig function uses string literals for flag names when accessing the flags map. It would be more maintainable to define constants for these flag names to reduce the risk of typos and improve code readability.

go/config/enclave_config_test.go (3)

• 3-4: The standard flag package is still being used, which might be intentional for testing compatibility with the new flag package. Confirm that this usage aligns with the intended testing strategy.

• 65-102: The tests for restricted mode appear to correctly set environment variables for restricted flags and assert their values in the configuration, aligning with the PR objectives.

• 104-137: The TestRestrictedModeNoCLIDuplication test correctly asserts that an error is thrown when a restricted flag is set via the command line, which is in line with the PR objectives.

go/enclave/main/main.go (1)

• 23-29: The code changes align with the PR objectives and the summary provided. The new flag handling and configuration logic are implemented as described.

[tudor-malene]

looks good

[tudor-malene]

am I misunderstanding, or is parsing happening below?

[otherview]

You're reading it correctly, creation and parsing of flags are 2 separate actions. The main reason for this is how the go flags package works. Flags must be defined before they can be assigned value.

In the tests:

this errors with no such flag -logPath

// Set the flags as needed for the test.
err := flag.CommandLine.Set(LogPathFlag, "string-value")
require.NoError(t, err)

flags := EnclaveFlags()
err = tenflag.CreateCLIFlags(flags)
require.NoError(t, err)

flag.Parse()

This passes because the flag is defined.

flags := EnclaveFlags()
err = tenflag.CreateCLIFlags(flags)
require.NoError(t, err)

// Set the flags as needed for the test.
err := flag.CommandLine.Set(LogPathFlag, "string-value")
require.NoError(t, err)

flag.Parse()

wdyt ?

[tudor-malene]

let's log and print a warning here.

[otherview]

Added the prints! When you say to log, you mean to use the logger right ? Is it ok if we don't use the logger though? Asking because in the flow of the main application, the logger is only created at the container and I think probably this is ok with just the stdou print ? wdyt ?

[tudor-malene]

yeah, print should be fine

[coderabbitai]

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between c01d897 and d85cad9.

Files selected for processing (2)

• go/config/enclave_cli_flags.go (1 hunks)
• go/config/enclave_config.go (2 hunks)

Files skipped from review as they are similar to previous changes (1)

• go/config/enclave_config.go

Additional comments: 2

go/config/enclave_cli_flags.go (2)

• 78-80: The flags L2BaseFeeFlag, L2CoinbaseFlag, and L2GasLimitFlag are missing descriptions. If this is not intentional, descriptions should be added for consistency and clarity.

• 91-98: The enclaveRestrictedFlags are defined, but it's not clear from this code how these flags are restricted to only be loaded from environment variables or within an enclave when prefixed with EDG_. Please ensure that the implementation elsewhere in the codebase enforces this restriction as per the PR objectives.

[coderabbitai]

There appears to be a copy-paste error in the flag description mapping for AddressFlag. The description is incorrectly using HostAddressFlag's description.

- flag.NewStringFlag(AddressFlag, "", FlagDescriptionMap[HostAddressFlag]),
+ flag.NewStringFlag(AddressFlag, "", FlagDescriptionMap[AddressFlag]),

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	AddressFlag: flag.NewStringFlag(AddressFlag, "", FlagDescriptionMap[HostAddressFlag]),
	AddressFlag: flag.NewStringFlag(AddressFlag, "", FlagDescriptionMap[AddressFlag]),

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between d85cad9 and 4285c60.

Files selected for processing (2)

• go/config/enclave_cli_flags.go (1 hunks)
• go/config/enclave_config.go (2 hunks)

Files skipped from review due to trivial changes (1)

• go/config/enclave_config.go

Additional comments: 1

go/config/enclave_cli_flags.go (1)

• 3-73: The code correctly defines a set of flags and a list of restricted flags, aligning with the PR objective to differentiate between standard and restricted flags. However, the implementation details for ensuring restricted flags are only loaded from environment variables or prefixed with EDG_ are not visible in this hunk. Ensure that the flag package's Parse function and other related logic adhere to these requirements.

[coderabbitai]

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 5087ef5 and 190302d.

Files selected for processing (7)

• go/config/enclave_cli_flags.go (1 hunks)
• go/config/enclave_config.go (2 hunks)
• go/config/enclave_config_test.go (1 hunks)
• go/enclave/main/main.go (1 hunks)
• go/node/config.go (2 hunks)
• integration/common/constants.go (2 hunks)
• integration/simulation/devnetwork/node.go (2 hunks)

Files skipped from review as they are similar to previous changes (2)

• go/config/enclave_cli_flags.go
• go/config/enclave_config_test.go

Additional comments: 15

go/config/enclave_config.go (3)

• 74-83: The PR objectives mention a RESTRICTEDMODE environment variable, but the code checks for EDG_TESTMODE. Please verify if this is correct or if it should be RESTRICTEDMODE.

• 113-153: The implementation of retrieveEnvFlags aligns with the PR objectives of loading restricted flags from environment variables, prefixed with EDG_.

• 155-190: The newConfig function correctly reflects the logic changes mentioned in the summary, creating a configuration object from the provided flags.

go/enclave/main/main.go (3)

• 15-16: The code fetches flags using config.EnclaveFlags and then attempts to create CLI flags with tenflag.CreateCLIFlags(config.EnclaveFlags). Ensure that tenflag.CreateCLIFlags is designed to handle both normal and restricted flags according to the PR objectives, especially since config.EnclaveFlags may contain both types of flags.

• 23-23: The introduction of config.NewConfigFromFlags(flags) aligns with the PR objectives and the summary provided, indicating a change in how the enclave configuration is initialized.

• 28-29: The initialization of enclaveContainer with enclavecontainer.NewEnclaveContainerFromConfig(enclaveConfig) and serving it with container.Serve(enclaveContainer) is consistent with the PR objectives, which aim to impact the initialization process of the enclaveContainer.

go/node/config.go (3)

• 9-12: The addition of the integrationCommon import is consistent with the PR objectives and the summary provided.

• 77-77: The change from config.DefaultEnclaveConfig() to integrationCommon.DefaultEnclaveConfig() is consistent with the PR objectives and the summary provided.

• 76-80: The rest of the changes in this hunk are consistent with the PR objectives and the summary provided.

integration/common/constants.go (3)

• 3-15: The changes in imports reflect the PR's objective to introduce new configurations and handling within the Ten Protocol's enclave component.

• 56-58: The addition of the ERC20Mapping struct aligns with the summary and PR objectives, indicating an expansion of the system's capabilities to map ERC20 tokens across different layers.

• 60-88: The introduction of DefaultEnclaveConfig function is consistent with the PR's objectives to enhance the enclave's configuration system, providing a clear default state for the enclave's settings.

integration/simulation/devnetwork/node.go (3)

• 31-35: The addition of the integrationCommon import and the use of integrationCommon.DefaultEnclaveConfig() instead of config.DefaultEnclaveConfig() is consistent with the PR objectives to refactor flag handling and configuration.

• 163-163: The use of integrationCommon.DefaultEnclaveConfig() to initialize default configuration values is a good practice for maintainability and consistency across different parts of the application.

• 160-166: > Note: This review was outside the patches, so it was mapped to the patch with the greatest overlap. Original lines [165-167]

The assignment of BaseFee, GasLimit, and GasPaymentAddress from defaultCfg ensures that the enclave configuration uses sensible defaults, which is important for consistency and reliability.

[tudor-malene]

lgtm, but let's run the local e2e tests, to make sure everything works

[otherview]

lgtm, but let's run the local e2e tests, to make sure everything works

Successfully ran at https://github.com/ten-protocol/ten-test/actions/runs/7090754526

[tudor-malene]

lgtm