Introduce CLI for a configurable data-dir (#1331)

* [service/config] add base_dir and make config fields private favoring getters

* pass base_dir into the enclave

* [enclave-runtime] set the base_path

* [service/config] use `pwd()` instead of `std::env::current_dir()`

* [service] rename base-dir to data-dir in the cli

* [enclave-runtime] fix rebase error: re-add env logger init in enclave

* [enclave-runtime] create data-dir if it does not exist

* [service/config] rename base_dir -> data_dir and return a Path instead of a PathBuf

* [service] use data-dir instead of pwd for the sidechain storage

* [service/config] rename forgotten base_dir's to data_dir

* [service/enclave] fix wrongly copied documentation

* [integritee-service] fix: use correct path for purging files

* [integritee-service] fix: unnecessary reference

* [integritee-service] fix: documentation

* [integritee-service] fix tests

* [integritee-service] remove warning in tests

cli/tests/basic_tests.rs

@@ -2,7 +2,7 @@ use clap::Parser;
 use integritee_cli::Cli;
 
 fn init() {
-	env_logger::try_init();
+	let _ = env_logger::try_init();
 }
 
 #[test]

core-primitives/enclave-api/ffi/src/lib.rs

@@ -25,6 +25,8 @@ extern "C" {
 		mu_ra_addr_size: u32,
 		untrusted_worker_addr: *const u8,
 		untrusted_worker_addr_size: u32,
+		encoded_base_dir_str: *const u8,
+		encoded_base_dir_size: u32,
 	) -> sgx_status_t;
 
 	pub fn init_enclave_sidechain_components(

core-primitives/enclave-api/src/enclave_base.rs

@@ -33,7 +33,12 @@ use sp_core::ed25519;
 /// Trait for base/common Enclave API functions
 pub trait EnclaveBase: Send + Sync + 'static {
 	/// Initialize the enclave (needs to be called once at application startup).
-	fn init(&self, mu_ra_addr: &str, untrusted_worker_addr: &str) -> EnclaveResult<()>;
+	fn init(
+		&self,
+		mu_ra_addr: &str,
+		untrusted_worker_addr: &str,
+		base_dir: &str,
+	) -> EnclaveResult<()>;
 
 	/// Initialize the enclave sidechain components.
 	fn init_enclave_sidechain_components(&self) -> EnclaveResult<()>;
@@ -67,11 +72,17 @@ pub trait EnclaveBase: Send + Sync + 'static {
 
 /// EnclaveApi implementation for Enclave struct
 impl EnclaveBase for Enclave {
-	fn init(&self, mu_ra_addr: &str, untrusted_worker_addr: &str) -> EnclaveResult<()> {
+	fn init(
+		&self,
+		mu_ra_addr: &str,
+		untrusted_worker_addr: &str,
+		base_dir: &str,
+	) -> EnclaveResult<()> {
 		let mut retval = sgx_status_t::SGX_SUCCESS;
 
 		let encoded_mu_ra_addr = mu_ra_addr.encode();
 		let encoded_untrusted_worker_addr = untrusted_worker_addr.encode();
+		let encoded_base_dir = base_dir.encode();
 
 		let result = unsafe {
 			ffi::init(
@@ -81,6 +92,8 @@ impl EnclaveBase for Enclave {
 				encoded_mu_ra_addr.len() as u32,
 				encoded_untrusted_worker_addr.as_ptr(),
 				encoded_untrusted_worker_addr.len() as u32,
+				encoded_base_dir.as_ptr(),
+				encoded_base_dir.len() as u32,
 			)
 		};
 

enclave-runtime/Enclave.edl

@@ -39,7 +39,8 @@ enclave {
 		/* define ECALLs here. */
 		public sgx_status_t init(
 			[in, size=mu_ra_addr_size] uint8_t* mu_ra_addr, uint32_t mu_ra_addr_size,
-			[in, size=untrusted_worker_addr_size] uint8_t* untrusted_worker_addr, uint32_t untrusted_worker_addr_size
+			[in, size=untrusted_worker_addr_size] uint8_t* untrusted_worker_addr, uint32_t untrusted_worker_addr_size,
+			[in, size=encoded_base_dir_size] uint8_t* encoded_base_dir_str, uint32_t encoded_base_dir_size
 		);
 
 		public sgx_status_t init_enclave_sidechain_components();

enclave-runtime/src/lib.rs

@@ -106,19 +106,12 @@ pub unsafe extern "C" fn init(
 	mu_ra_addr_size: u32,
 	untrusted_worker_addr: *const u8,
 	untrusted_worker_addr_size: u32,
+	encoded_base_dir_str: *const u8,
+	encoded_base_dir_size: u32,
 ) -> sgx_status_t {
 	// Initialize the logging environment in the enclave.
 	env_logger::init();
 
-	// Todo: This will be changed to be a param of the `init` ecall:
-	// https://github.com/integritee-network/worker/issues/1292
-	//
-	// Until the above task is finished, we just fall back to the
-	// static behaviour, which uses the PWD already.
-	let pwd = std::env::current_dir().expect("Works on all supported platforms; qed");
-	info!("Setting base_dir to pwd: {}", pwd.display());
-	BASE_PATH.set(pwd.clone()).expect("We only init this once here; qed.");
-
 	let mu_ra_url =
 		match String::decode(&mut slice::from_raw_parts(mu_ra_addr, mu_ra_addr_size as usize))
 			.map_err(Error::Codec)
@@ -137,7 +130,21 @@ pub unsafe extern "C" fn init(
 		Err(e) => return e.into(),
 	};
 
-	match initialization::init_enclave(mu_ra_url, untrusted_worker_url, pwd) {
+	let base_dir = match String::decode(&mut slice::from_raw_parts(
+		encoded_base_dir_str,
+		encoded_base_dir_size as usize,
+	))
+	.map_err(Error::Codec)
+	{
+		Ok(b) => b,
+		Err(e) => return e.into(),
+	};
+
+	info!("Setting base_dir to {}", base_dir);
+	let path = PathBuf::from(base_dir);
+	BASE_PATH.set(path.clone()).expect("We only init this once here; qed.");
+
+	match initialization::init_enclave(mu_ra_url, untrusted_worker_url, path) {
 		Err(e) => e.into(),
 		Ok(()) => sgx_status_t::SGX_SUCCESS,
 	}

local-setup/config/one-worker.json

@@ -30,7 +30,9 @@
         "2001",
         "-h",
         "4545",
-        "--ws-external"
+        "--ws-external",
+        "--data-dir",
+        "/tmp/data-dir"
       ],
       "subcommand_flags": [
         "--skip-ra",

local-setup/config/two-workers.json

@@ -30,7 +30,9 @@
         "2001",
         "-h",
         "4545",
-        "--ws-external"
+        "--ws-external",
+        "--data-dir",
+        "/tmp/data-dir"
       ],
       "subcommand_flags": [
         "--skip-ra",
@@ -51,7 +53,9 @@
         "3001",
         "-h",
         "4546",
-        "--ws-external"
+        "--ws-external",
+        "--data-dir",
+        "/tmp/data-dir"
       ],
       "subcommand_flags": [
         "--skip-ra",

service/src/cli.yml

@@ -19,11 +19,16 @@ args:
         takes_value: true
         default_value: "ws://127.0.0.1"
     - node-port:
-        short: p
-        long: node-port
-        help: Set the websocket port to listen for substrate events
-        takes_value: true
-        default_value: "9944"
+          short: p
+          long: node-port
+          help: Set the websocket port to listen for substrate events
+          takes_value: true
+          default_value: "9944"
+    - data-dir:
+          short: d
+          long: data-dir
+          help: Data dir where the worker stores it's keys and other data.
+          takes_value: true
     - ws-external:
         long: ws-external
         help: Set this flag in case the worker should listen to external requests.

service/src/config.rs

@@ -19,7 +19,11 @@ use clap::ArgMatches;
 use itc_rest_client::rest_client::Url;
 use parse_duration::parse;
 use serde::{Deserialize, Serialize};
-use std::time::Duration;
+use std::{
+	fs,
+	path::{Path, PathBuf},
+	time::Duration,
+};
 
 static DEFAULT_NODE_SERVER: &str = "ws://127.0.0.1";
 static DEFAULT_NODE_PORT: &str = "9944";
@@ -31,29 +35,31 @@ static DEFAULT_UNTRUSTED_HTTP_PORT: &str = "4545";
 
 #[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
 pub struct Config {
-	pub node_ip: String,
-	pub node_port: String,
-	pub worker_ip: String,
+	node_ip: String,
+	node_port: String,
+	worker_ip: String,
 	/// Trusted worker address that will be advertised on the parentchain.
-	pub trusted_external_worker_address: Option<String>,
+	trusted_external_worker_address: Option<String>,
 	/// Port to directly communicate with the trusted tls server inside the enclave.
-	pub trusted_worker_port: String,
+	trusted_worker_port: String,
 	/// Untrusted worker address that will be returned by the dedicated trusted ws rpc call.
-	pub untrusted_external_worker_address: Option<String>,
+	untrusted_external_worker_address: Option<String>,
 	/// Port to the untrusted ws of the validateer.
-	pub untrusted_worker_port: String,
+	untrusted_worker_port: String,
 	/// Mutual remote attestation address that will be returned by the dedicated trusted ws rpc call.
-	pub mu_ra_external_address: Option<String>,
+	mu_ra_external_address: Option<String>,
 	/// Port for mutual-remote attestation requests.
-	pub mu_ra_port: String,
+	mu_ra_port: String,
 	/// Enable the metrics server
-	pub enable_metrics_server: bool,
+	enable_metrics_server: bool,
 	/// Port for the metrics server
-	pub metrics_server_port: String,
+	metrics_server_port: String,
 	/// Port for the untrusted HTTP server (e.g. for `is_initialized`)
-	pub untrusted_http_port: String,
+	untrusted_http_port: String,
+	/// Data directory used by all the services.
+	data_dir: PathBuf,
 	/// Config of the 'run' subcommand
-	pub run_config: Option<RunConfig>,
+	run_config: Option<RunConfig>,
 }
 
 #[allow(clippy::too_many_arguments)]
@@ -71,6 +77,7 @@ impl Config {
 		enable_metrics_server: bool,
 		metrics_server_port: String,
 		untrusted_http_port: String,
+		data_dir: PathBuf,
 		run_config: Option<RunConfig>,
 	) -> Self {
 		Self {
@@ -86,6 +93,7 @@ impl Config {
 			enable_metrics_server,
 			metrics_server_port,
 			untrusted_http_port,
+			data_dir,
 			run_config,
 		}
 	}
@@ -131,6 +139,18 @@ impl Config {
 		}
 	}
 
+	pub fn data_dir(&self) -> &Path {
+		self.data_dir.as_path()
+	}
+
+	pub fn run_config(&self) -> &Option<RunConfig> {
+		&self.run_config
+	}
+
+	pub fn enable_metrics_server(&self) -> bool {
+		self.enable_metrics_server
+	}
+
 	pub fn try_parse_metrics_server_port(&self) -> Option<u16> {
 		self.metrics_server_port.parse::<u16>().ok()
 	}
@@ -149,6 +169,25 @@ impl From<&ArgMatches<'_>> for Config {
 		let metrics_server_port = m.value_of("metrics-port").unwrap_or(DEFAULT_METRICS_PORT);
 		let untrusted_http_port =
 			m.value_of("untrusted-http-port").unwrap_or(DEFAULT_UNTRUSTED_HTTP_PORT);
+
+		let data_dir = match m.value_of("data-dir") {
+			Some(d) => {
+				let p = PathBuf::from(d);
+				if !p.exists() {
+					log::info!("Creating new data-directory for the service {}.", p.display());
+					fs::create_dir_all(p.as_path()).unwrap();
+				} else {
+					log::info!("Starting service in existing directory {}.", p.display());
+				}
+				p
+			},
+			None => {
+				log::warn!("[Config] defaulting to data-dir = PWD because it was previous behaviour. This might change soon.\
+				Please pass the data-dir explicitly to ensure nothing breaks in your setup.");
+				pwd()
+			},
+		};
+
 		let run_config = m.subcommand_matches("run").map(RunConfig::from);
 
 		Self::new(
@@ -167,6 +206,7 @@ impl From<&ArgMatches<'_>> for Config {
 			is_metrics_server_enabled,
 			metrics_server_port.to_string(),
 			untrusted_http_port.to_string(),
+			data_dir,
 			run_config,
 		)
 	}
@@ -225,6 +265,10 @@ fn add_port_if_necessary(url: &str, port: &str) -> String {
 	}
 }
 
+pub fn pwd() -> PathBuf {
+	std::env::current_dir().expect("works on all supported platforms; qed.")
+}
+
 #[cfg(test)]
 mod test {
 	use super::*;
@@ -247,6 +291,7 @@ mod test {
 		assert!(config.mu_ra_external_address.is_none());
 		assert!(!config.enable_metrics_server);
 		assert_eq!(config.untrusted_http_port, DEFAULT_UNTRUSTED_HTTP_PORT);
+		assert_eq!(config.data_dir, pwd());
 		assert!(config.run_config.is_none());
 	}
 

service/src/enclave/api.rs

@@ -23,9 +23,11 @@ use itp_settings::files::{ENCLAVE_FILE, ENCLAVE_TOKEN};
 use log::*;
 use sgx_types::*;
 use sgx_urts::SgxEnclave;
-/// keep this api free from chain-specific types!
-use std::io::{Read, Write};
-use std::{fs::File, path::PathBuf};
+use std::{
+	fs::File,
+	io::{Read, Write},
+	path::PathBuf,
+};
 
 pub fn enclave_init(config: &Config) -> EnclaveResult<Enclave> {
 	const LEN: usize = 1024;
@@ -103,7 +105,11 @@ pub fn enclave_init(config: &Config) -> EnclaveResult<Enclave> {
 
 	// create an enclave API and initialize it
 	let enclave_api = Enclave::new(enclave);
-	enclave_api.init(&config.mu_ra_url_external(), &config.untrusted_worker_url_external())?;
+	enclave_api.init(
+		&config.mu_ra_url_external(),
+		&config.untrusted_worker_url_external(),
+		&config.data_dir().display().to_string(),
+	)?;
 
 	Ok(enclave_api)
 }