Enable access control service

1. Put the API access control checks in the frontend service to the access control service; 2. Use casbin as the access control engine; 3. Remove the mesapy-based access control engine as mesapy is no longer maintained.
apache · Jul 7, 2023 · 6a1f256 · 6a1f256
1 parent f556e6c
commit 6a1f256
Show file tree

Hide file tree

Showing 31 changed files with 1,139 additions and 5,905 deletions.
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
@@ -16,7 +16,7 @@
 # under the License.
 
 name: Doc-ubuntu-20.04
-on: [push, pull_request, workflow_dispatch]
+on: [push, workflow_dispatch]
 defaults:
   run:
     shell: bash
@@ -25,7 +25,7 @@ env:
     DOC: 1
 
 jobs:
-  sim-debug-unit:
+  doc:
     runs-on: ubuntu-20.04
     container: teaclave/teaclave-build-ubuntu-2004-sgx-2.17.1:0.2.0
     steps:

diff --git a/.github/workflows/ubuntu2004-test.yml b/.github/workflows/ubuntu2004-test.yml
@@ -107,23 +107,6 @@ jobs:
           . ~/.cargo/env &&
           cd build &&
           make run-examples
-  sim-debug-cancel:
-    runs-on: ubuntu-20.04
-    container: teaclave/teaclave-build-ubuntu-2004-sgx-2.17.1:0.2.0
-    steps:
-      - uses: actions/checkout@v3
-      - name: Build
-        run: |
-          . cmake/scripts/build_in_ci.sh
-      - name: Run cancel test
-        run: |
-          export AS_SPID="00000000000000000000000000000000" &&
-          export AS_KEY="00000000000000000000000000000000" &&
-          export AS_ALGO="sgx_epid" &&
-          export AS_URL="https://api.trustedservices.intel.com:443" &&
-          . ~/.cargo/env &&
-          cd build &&
-          make run-cancel-test
   sim-debug-libos-example:
     runs-on: ubuntu-20.04
     container: teaclave/teaclave-build-ubuntu-2004-sgx-2.17.1:0.2.0

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -27,7 +27,7 @@ if (NOT PkgConfig_FOUND)
 endif()
 find_package(Git)
 find_package(OpenSSL)
-check_exe_dependencies(rustup pypy)
+check_exe_dependencies(rustup)
 pkg_check_modules(INTEL_SGX_SDK QUIET libsgx_urts>=2.17.101.1)
 if(NOT INTEL_SGX_SDK_FOUND)
   message(FATAL_ERROR "Intel SGX SDK (version 2.17.1) is not found or version not matched.")
@@ -47,7 +47,7 @@ option(SGX_SIM_MODE "Turn on/off sgx simulation mode" OFF)
 option(DCAP "Turn on/off DCAP attestation" OFF)
 option(GIT_SUBMODULE "Check submodules during build" ON)
 option(EXECUTOR_BUILTIN "Compile with the Builtin executor" ON)
-option(EXECUTOR_MESAPY "Compile with the MesaPy executor" ON)
+option(EXECUTOR_MESAPY "Compile with the MesaPy executor" OFF)
 option(EXECUTOR_WAMR "Compile with the WebAssembly Micro Runtime executor" ON)
 init_submodules()
 
@@ -174,28 +174,12 @@ foreach(_i RANGE ${SGX_APP_LAST_INDEX})
     ${SGX_APPS_DEPENDS})
 endforeach()
 
-set(MESAPY_OUTPUTS
-  ${TEACLAVE_OUT_DIR}/libpypy-c.a
-  ${TEACLAVE_OUT_DIR}/libffi.a
-  ${TEACLAVE_OUT_DIR}/libsgx_tlibc_ext.a
-  ${TEACLAVE_OUT_DIR}/libsgx_ulibc.a
-  ${TEACLAVE_OUT_DIR}/ffi.o
-)
-
 # WAMR library
 
 set(WAMR_OUTPUTS
   ${TEACLAVE_OUT_DIR}/libvmlib.a
 )
 
-add_custom_command(
-  OUTPUT ${MESAPY_OUTPUTS}
-  COMMAND
-    wget -qN https://github.com/mesatee/mesapy/releases/download/${MESAPY_VERSION}/mesapy-${MESAPY_VERSION}.tar.gz &&
-    tar xzf mesapy-${MESAPY_VERSION}.tar.gz
-  DEPENDS prep
-  WORKING_DIRECTORY ${TEACLAVE_OUT_DIR})
-
 ExternalProject_Add(wamr_teaclave
   SOURCE_DIR ${WAMR_TEACLAVE_ROOT_DIR}
   BINARY_DIR ${WAMR_TEACLAVE_ROOT_DIR}/build
@@ -211,28 +195,10 @@ add_custom_command(
   WORKING_DIRECTORY ${WAMR_TEACLAVE_ROOT_DIR}/build
   )
 
-add_custom_target(mesapy
-  DEPENDS ${MESAPY_OUTPUTS}
-  )
-
 add_custom_target(wamr
   DEPENDS ${WAMR_TEACLAVE_ROOT_DIR}/CMakeLists.txt ${WAMR_OUTPUTS}
   )
 
-# mesapy components
-add_library(pycomponent STATIC ${PROJECT_SOURCE_DIR}/services/access_control/python/acs_py_enclave.c)
-set_target_properties(pycomponent PROPERTIES ARCHIVE_OUTPUT_DIRECTORY
-                                             ${TEACLAVE_OUT_DIR})
-target_compile_definitions(pycomponent PUBLIC SGX)
-if(NOT EXISTS "/usr/lib/pypy/include/Python.h")
-  message(
-    FATAL_ERROR
-      "pypy development package not found\nFor Ubuntu, please run `apt-get install pypy-dev`"
-  )
-endif()
-target_compile_options(pycomponent PUBLIC -UWITH_THREAD -O2 -fPIC -Wimplicit
-                                          -I/usr/lib/pypy/include)
-
 # std Aware Cargo
 set(DEFAULT_STD_PATH ${TRUSTED_TARGET_DIR}/default_std/sysroot/lib/rustlib/${SGX_LIB_TARGET}/lib)
 set(COV_STD_PATH ${TRUSTED_TARGET_DIR}/cov_std/sysroot/lib/rustlib/${SGX_LIB_TARGET}/lib)
@@ -273,7 +239,7 @@ add_custom_target(
 
 # sgx_trusted_lib
 list(LENGTH SGX_LIBS SGX_LIB_LEN)
-set(SGX_LIB_DEPENDS prep mesapy pycomponent)
+set(SGX_LIB_DEPENDS prep)
 math(EXPR SGX_LIB_LAST_INDEX "${SGX_LIB_LEN} - 1")
 foreach(_i RANGE ${SGX_LIB_LAST_INDEX})
   list(GET SGX_LIBS ${_i} _pkg_name)

diff --git a/LICENSE b/LICENSE
@@ -218,4 +218,3 @@ MIT License
 -----------
 
 common/rusty_leveldb_sgx
-https://github.com/mesatee/mesapy/releases/download/v1.0.0-sgx/mesapy-v1.0.0-sgx.tar.gz
diff --git a/cmake/scripts/sgx_link_sign.sh b/cmake/scripts/sgx_link_sign.sh
@@ -44,7 +44,7 @@ if [ ! "$LIBENCLAVE_PATH" -nt "$SIGNED_PATH" ] \
     exit 0
 fi
 
-TEACLAVE_LINK_FLAGS="-L${TEACLAVE_OUT_DIR} -lpycomponent ffi.o -lpypy-c -lsgx_tlibc_ext -lffi"
+TEACLAVE_LINK_FLAGS="-L${TEACLAVE_OUT_DIR}"
 if [ "$TEACLAVE_EXECUTOR_WAMR" == "ON" ]; then
     TEACLAVE_LINK_FLAGS+=" -lvmlib"
 fi

diff --git a/cmake/scripts/test.sh b/cmake/scripts/test.sh
@@ -115,13 +115,13 @@ run_functional_tests() {
   pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
   ./teaclave_authentication_service &
   ./teaclave_storage_service &
-  wait_port 7776 17776 17778 # wait for authentication and storage service
+  ./teaclave_access_control_service &
+  wait_port 7776 17776 17778 17779 # wait for access control, authentication, storage service
   ./teaclave_management_service &
   ./teaclave_scheduler_service &
   wait_port 17777 17780 # wait for management service and scheduler_service
-  ./teaclave_access_control_service &
   ./teaclave_frontend_service &
-  wait_port 17779 7777 # wait for other services
+  wait_port 7777 # wait for other services
   popd
 
   pushd ${TEACLAVE_TEST_INSTALL_DIR}
@@ -185,13 +185,13 @@ run_sdk_tests() {
   pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
   ./teaclave_authentication_service &
   ./teaclave_storage_service &
-  wait_port 7776 17776 17778 # wait for authentication and storage service
+  ./teaclave_access_control_service &
+  wait_port 7776 17776 17778 17779 # wait for access control, authentication, storage service
   ./teaclave_management_service &
   ./teaclave_scheduler_service &
   wait_port 17777 17780 # wait for management service and scheduler_service
-  ./teaclave_access_control_service &
   ./teaclave_frontend_service &
-  wait_port 17779 7777 # wait for other services
+  wait_port 7777 # wait for other services
 
   start_storage_server
 
@@ -281,13 +281,13 @@ run_examples() {
   pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
   ./teaclave_authentication_service &
   ./teaclave_storage_service &
-  wait_port 7776 17776 17778 # wait for authentication and storage service
+  ./teaclave_access_control_service &
+  wait_port 7776 17776 17778 17779 # wait for access control, authentication, storage service
   ./teaclave_management_service &
   ./teaclave_scheduler_service &
   wait_port 17777 17780 # wait for management service and scheduler_service
-  ./teaclave_access_control_service &
   ./teaclave_frontend_service &
-  wait_port 17779 7777 # wait for other services
+  wait_port 7777 # wait for other services
 
   start_storage_server
 
@@ -301,9 +301,6 @@ run_examples() {
   # run builtin examples
   builtin_examples
 
-  # run mesapy examples
-  mesapy_examples
-
   # run wasm examples
   wasm_examples
 
@@ -324,13 +321,13 @@ run_libos_examples() {
   pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
   ./teaclave_authentication_service &
   ./teaclave_storage_service &
-  wait_port 7776 17776 17778 # wait for authentication and storage service
+  ./teaclave_access_control_service &
+  wait_port 7776 17776 17778 17779 # wait for access control, authentication, storage service
   ./teaclave_management_service &
   ./teaclave_scheduler_service &
   wait_port 17777 17780 # wait for management service and scheduler_service
-  ./teaclave_access_control_service &
   ./teaclave_frontend_service &
-  wait_port 17779 7777 # wait for other services
+  wait_port 7777 # wait for other services
 
   start_storage_server
 
@@ -372,13 +369,13 @@ run_cancel_test() {
   pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
   ./teaclave_authentication_service &
   ./teaclave_storage_service &
-  wait_port 7776 17776 17778 # wait for authentication and storage service
+  ./teaclave_access_control_service &
+  wait_port 7776 17776 17778 17779 # wait for access control, authentication, storage service
   ./teaclave_management_service &
   ./teaclave_scheduler_service &
   wait_port 17777 17780 # wait for management service and scheduler_service
-  ./teaclave_access_control_service &
   ./teaclave_frontend_service &
-  wait_port 17779 7777 # wait for other services
+  wait_port 7777 # wait for other services
 
   start_storage_server
 
@@ -450,7 +447,6 @@ case "$1" in
         run_functional_tests
         run_sdk_tests
         run_examples
-        run_cancel_test
         run_libos_examples
         ;;
 esac
Original file line number	Diff line number	Diff line change
Expand Up		@@ -218,4 +218,3 @@ MIT License
		-----------

		common/rusty_leveldb_sgx
		https://github.com/mesatee/mesapy/releases/download/v1.0.0-sgx/mesapy-v1.0.0-sgx.tar.gz