Adding enclave restricted flags

dockerfiles/enclave.Dockerfile

@@ -4,6 +4,14 @@
 # deploy = copies over only the enclave executable without the source
 #          in a lightweight base image specialized for deployment and prepares the /data/ folder.
 
+# Final container folder structure:
+#   /home/obscuro/data                          contains working files for the enclave
+#   /home/obscuro/go-obscuro/go/enclave/main    contains the executable for the enclave
+#
+
+# Defaults to restricted flag mode
+ARG TESTMODE=false
+
 FROM ghcr.io/edgelesssys/ego-dev:v1.3.0 AS build-base
 
 # setup container data structure
@@ -26,19 +34,25 @@ WORKDIR /home/obscuro/go-obscuro/go/enclave/main
 RUN --mount=type=cache,target=/root/.cache/go-build \
     ego-go build
 
+# New build stage for compiling the enclave with restricted flags mode
+FROM build-enclave as build-enclave-testmode-false
 # Sign the enclave executable
-RUN ego sign main
+RUN ego sign enclave.json
+
+# New build stage for compiling the enclave without restricted flags mode
+FROM build-enclave as build-enclave-testmode-true
+# Sign the enclave executable
+RUN ego sign enclave-test.json
+
+# Tag the restricted mode as the current build
+FROM build-enclave-testmode-${TESTMODE} as build-enclave
 
-# Final container folder structure:
-#   /home/obscuro/data                          contains working files for the enclave
-#   /home/obscuro/go-obscuro/go/enclave/main    contains the executable for the enclave
-#
 # Trigger a new build stage and use the smaller ego version:
 FROM ghcr.io/edgelesssys/ego-deploy:v1.3.0
 
 # Copy just the binary for the enclave into this build stage
 COPY --from=build-enclave \
-    /home/obscuro/go-obscuro/go/enclave/main home/obscuro/go-obscuro/go/enclave/main
+    /home/obscuro/go-obscuro/go/enclave/main /home/obscuro/go-obscuro/go/enclave/main
 
 WORKDIR /home/obscuro/go-obscuro/go/enclave/main
 

go/common/flag/flag.go

@@ -0,0 +1,133 @@
+package flag
+
+import (
+	"flag"
+	"fmt"
+)
+
+type TenFlag struct {
+	Name         string
+	Value        any
+	FlagType     string
+	Description  string
+	DefaultValue any
+}
+
+func NewStringFlag(name, defaultValue, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        "",
+		FlagType:     "string",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewIntFlag(name string, defaultValue int, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        0,
+		FlagType:     "int",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewBoolFlag(name string, defaultValue bool, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        false,
+		FlagType:     "bool",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewInt64Flag(name string, defaultValue int64, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        false,
+		FlagType:     "int64",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func NewUint64Flag(name string, defaultValue uint64, description string) *TenFlag {
+	return &TenFlag{
+		Name:         name,
+		Value:        false,
+		FlagType:     "uint64",
+		Description:  description,
+		DefaultValue: defaultValue,
+	}
+}
+
+func (f TenFlag) String() string {
+	if ptrVal, ok := f.Value.(*string); ok {
+		return *ptrVal
+	}
+	return f.Value.(string)
+}
+
+func (f TenFlag) Int() int {
+	if ptrVal, ok := f.Value.(*int); ok {
+		return *ptrVal
+	}
+	return f.Value.(int)
+}
+
+func (f TenFlag) Int64() int64 {
+	if ptrVal, ok := f.Value.(*int64); ok {
+		return *ptrVal
+	}
+	return f.Value.(int64)
+}
+
+func (f TenFlag) Uint64() uint64 {
+	if ptrVal, ok := f.Value.(*uint64); ok {
+		return *ptrVal
+	}
+	return f.Value.(uint64)
+}
+
+func (f TenFlag) Bool() bool {
+	if ptrVal, ok := f.Value.(*bool); ok {
+		return *ptrVal
+	}
+	return f.Value.(bool)
+}
+
+func (f TenFlag) IsSet() bool {
+	found := false
+	flag.Visit(func(fl *flag.Flag) {
+		if fl.Name == f.Name {
+			found = true
+		}
+	})
+	return found
+}
+
+func CreateCLIFlags(flags map[string]*TenFlag) error {
+	for _, tflag := range flags {
+		switch tflag.FlagType {
+		case "string":
+			tflag.Value = flag.String(tflag.Name, tflag.DefaultValue.(string), tflag.Description)
+		case "bool":
+			tflag.Value = flag.Bool(tflag.Name, tflag.DefaultValue.(bool), tflag.Description)
+		case "int":
+			tflag.Value = flag.Int(tflag.Name, tflag.DefaultValue.(int), tflag.Description)
+		case "int64":
+			tflag.Value = flag.Int64(tflag.Name, tflag.DefaultValue.(int64), tflag.Description)
+		case "uint64":
+			tflag.Value = flag.Uint64(tflag.Name, tflag.DefaultValue.(uint64), tflag.Description)
+		default:
+			return fmt.Errorf("unexpected flag type %s", tflag.FlagType)
+		}
+	}
+	return nil
+}
+
+func Parse() {
+	flag.Parse()
+}

go/config/enclave_cli_flags.go

@@ -0,0 +1,98 @@
+package config
+
+import "github.com/ten-protocol/go-ten/go/common/flag"
+
+// EnclaveFlags are the flags that the enclave can receive
+func EnclaveFlags() map[string]*flag.TenFlag {
+	return map[string]*flag.TenFlag{
+		HostIDFlag:                    flag.NewStringFlag(HostIDFlag, "", FlagDescriptionMap[HostIDFlag]),
+		HostAddressFlag:               flag.NewStringFlag(HostAddressFlag, "", FlagDescriptionMap[HostAddressFlag]),
+		AddressFlag:                   flag.NewStringFlag(AddressFlag, "", FlagDescriptionMap[HostAddressFlag]),
+		NodeTypeFlag:                  flag.NewStringFlag(NodeTypeFlag, "", FlagDescriptionMap[NodeTypeFlag]),
+		WillAttestFlag:                flag.NewBoolFlag(WillAttestFlag, false, FlagDescriptionMap[WillAttestFlag]),
+		ValidateL1BlocksFlag:          flag.NewBoolFlag(ValidateL1BlocksFlag, false, FlagDescriptionMap[ValidateL1BlocksFlag]),
+		ManagementContractAddressFlag: flag.NewStringFlag(ManagementContractAddressFlag, "", FlagDescriptionMap[ManagementContractAddressFlag]),
+		LogLevelFlag:                  flag.NewIntFlag(LogLevelFlag, 0, FlagDescriptionMap[LogLevelFlag]),
+		LogPathFlag:                   flag.NewStringFlag(LogPathFlag, "", FlagDescriptionMap[LogPathFlag]),
+		EdgelessDBHostFlag:            flag.NewStringFlag(EdgelessDBHostFlag, "", FlagDescriptionMap[EdgelessDBHostFlag]),
+		SQLiteDBPathFlag:              flag.NewStringFlag(SQLiteDBPathFlag, "", FlagDescriptionMap[SQLiteDBPathFlag]),
+		MinGasPriceFlag:               flag.NewInt64Flag(MinGasPriceFlag, 0, FlagDescriptionMap[MinGasPriceFlag]),
+		MessageBusAddressFlag:         flag.NewStringFlag(MessageBusAddressFlag, "", FlagDescriptionMap[MessageBusAddressFlag]),
+		SequencerIDFlag:               flag.NewStringFlag(SequencerIDFlag, "", FlagDescriptionMap[SequencerIDFlag]),
+		MaxBatchSizeFlag:              flag.NewUint64Flag(MaxBatchSizeFlag, 0, FlagDescriptionMap[MaxBatchSizeFlag]),
+		MaxRollupSizeFlag:             flag.NewUint64Flag(MaxRollupSizeFlag, 0, FlagDescriptionMap[MaxRollupSizeFlag]),
+		L2BaseFeeFlag:                 flag.NewUint64Flag(L2BaseFeeFlag, 0, ""),
+		L2CoinbaseFlag:                flag.NewStringFlag(L2CoinbaseFlag, "", ""),
+		L2GasLimitFlag:                flag.NewUint64Flag(L2GasLimitFlag, 0, ""),
+		ObscuroGenesisFlag:            flag.NewStringFlag(ObscuroGenesisFlag, "", FlagDescriptionMap[ObscuroGenesisFlag]),
+		L1ChainIDFlag:                 flag.NewInt64Flag(L1ChainIDFlag, 0, FlagDescriptionMap[L1ChainIDFlag]),
+		ObscuroChainIDFlag:            flag.NewInt64Flag(ObscuroChainIDFlag, 0, FlagDescriptionMap[ObscuroChainIDFlag]),
+		UseInMemoryDBFlag:             flag.NewBoolFlag(UseInMemoryDBFlag, false, FlagDescriptionMap[UseInMemoryDBFlag]),
+		ProfilerEnabledFlag:           flag.NewBoolFlag(ProfilerEnabledFlag, false, FlagDescriptionMap[ProfilerEnabledFlag]),
+		DebugNamespaceEnabledFlag:     flag.NewBoolFlag(DebugNamespaceEnabledFlag, false, FlagDescriptionMap[DebugNamespaceEnabledFlag]),
+	}
+}
+
+// enclaveRestrictedFlags are the flags that the enclave can receive ONLY over the Ego signed enclave.json
+var enclaveRestrictedFlags = map[string]*flag.TenFlag{
+	L1ChainIDFlag:             flag.NewInt64Flag(L1ChainIDFlag, 0, FlagDescriptionMap[L1ChainIDFlag]),
+	ObscuroChainIDFlag:        flag.NewInt64Flag(ObscuroChainIDFlag, 0, FlagDescriptionMap[ObscuroChainIDFlag]),
+	ObscuroGenesisFlag:        flag.NewStringFlag(ObscuroGenesisFlag, "", FlagDescriptionMap[ObscuroGenesisFlag]),
+	UseInMemoryDBFlag:         flag.NewBoolFlag(UseInMemoryDBFlag, false, FlagDescriptionMap[UseInMemoryDBFlag]),
+	ProfilerEnabledFlag:       flag.NewBoolFlag(ProfilerEnabledFlag, false, FlagDescriptionMap[ProfilerEnabledFlag]),
+	DebugNamespaceEnabledFlag: flag.NewBoolFlag(DebugNamespaceEnabledFlag, false, FlagDescriptionMap[DebugNamespaceEnabledFlag]),
+}
+
+// Flag names.
+const (
+	HostIDFlag                    = "hostID"
+	HostAddressFlag               = "hostAddress"
+	AddressFlag                   = "address"
+	NodeTypeFlag                  = "nodeType"
+	L1ChainIDFlag                 = "l1ChainID"
+	ObscuroChainIDFlag            = "obscuroChainID"
+	WillAttestFlag                = "willAttest"
+	ValidateL1BlocksFlag          = "validateL1Blocks"
+	ManagementContractAddressFlag = "managementContractAddress"
+	LogLevelFlag                  = "logLevel"
+	LogPathFlag                   = "logPath"
+	UseInMemoryDBFlag             = "useInMemoryDB"
+	EdgelessDBHostFlag            = "edgelessDBHost"
+	SQLiteDBPathFlag              = "sqliteDBPath"
+	ProfilerEnabledFlag           = "profilerEnabled"
+	MinGasPriceFlag               = "minGasPrice"
+	MessageBusAddressFlag         = "messageBusAddress"
+	SequencerIDFlag               = "sequencerID"
+	ObscuroGenesisFlag            = "obscuroGenesis"
+	DebugNamespaceEnabledFlag     = "debugNamespaceEnabled"
+	MaxBatchSizeFlag              = "maxBatchSize"
+	MaxRollupSizeFlag             = "maxRollupSize"
+	L2BaseFeeFlag                 = "l2BaseFee"
+	L2CoinbaseFlag                = "l2Coinbase"
+	L2GasLimitFlag                = "l2GasLimit"
+)
+
+var FlagDescriptionMap = map[string]string{
+	HostIDFlag:                    "The 20 bytes of the address of the Obscuro host this enclave serves",
+	HostAddressFlag:               "The peer-to-peer IP address of the Obscuro host this enclave serves",
+	AddressFlag:                   "The address on which to serve the Obscuro enclave service",
+	NodeTypeFlag:                  "The node's type (e.g. sequencer, validator)",
+	L1ChainIDFlag:                 "An integer representing the unique chain id of the Ethereum chain used as an L1 (default 1337)",
+	ObscuroChainIDFlag:            "An integer representing the unique chain id of the Obscuro chain (default 443)",
+	WillAttestFlag:                "Whether the enclave will produce a verified attestation report",
+	ValidateL1BlocksFlag:          "Whether to validate incoming blocks using the hardcoded L1 genesis.json config",
+	ManagementContractAddressFlag: "The management contract address on the L1",
+	LogLevelFlag:                  "The verbosity level of logs. (Defaults to Info)",
+	LogPathFlag:                   "The path to use for the enclave service's log file",
+	UseInMemoryDBFlag:             "Whether the enclave will use an in-memory DB rather than persist data",
+	EdgelessDBHostFlag:            "Host address for the edgeless DB instance (can be empty if useInMemoryDB is true or if not using attestation",
+	SQLiteDBPathFlag:              "Filepath for the sqlite DB persistence file (can be empty if a throwaway file in /tmp/ is acceptable or if using InMemory DB or if using attestation/EdgelessDB)",
+	ProfilerEnabledFlag:           "Runs a profiler instance (Defaults to false)",
+	MinGasPriceFlag:               "The minimum gas price for mining a transaction",
+	MessageBusAddressFlag:         "The address of the L1 message bus contract owned by the management contract.",
+	SequencerIDFlag:               "The 20 bytes of the address of the sequencer for this network",
+	ObscuroGenesisFlag:            "The json string with the obscuro genesis",
+	DebugNamespaceEnabledFlag:     "Whether the debug namespace is enabled",
+	MaxBatchSizeFlag:              "The maximum size a batch is allowed to reach uncompressed",
+	MaxRollupSizeFlag:             "The maximum size a rollup is allowed to reach",
+}