fix: merge conflict

Author: jot2re

.github/workflows/common-nitro-enclave.yml

@@ -162,24 +162,14 @@ jobs:
 
       - name: Create EIF file
         uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 #v3
-        env:
-          EIF_OUTPUT_DIR: ${{ env.EIF_OUTPUT_DIR }}
-          DOCKER_SOCK_PATH: ${{ env.DOCKER_SOCK_PATH}}
-          IMAGE_NAME: ${{ inputs.image-name }}
-          DOCKER_TAG: ${{ needs.determine-tag.outputs.docker_tag }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           image: amazonlinux@sha256:5fe11d17e56571a26e20df3fa1493bdf9139fb9f2cb6d84fad13104c7b869217 # 2023.5.20240916.0
-          options: -v ${EIF_OUTPUT_DIR}:/output -v ${DOCKER_SOCK_PATH}:/var/run/docker.sock
+          options: -v ${{ env.EIF_OUTPUT_DIR }}:/output -v ${{ env.DOCKER_SOCK_PATH}}:/var/run/docker.sock # zizmor: ignore[template-injection]
           run: |
             dnf install aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel docker -y
-
-            echo ${GITHUB_TOKEN} | docker login ghcr.io -u USERNAME --password-stdin
-
-            docker pull --platform=linux/amd64 ghcr.io/zama-ai/${IMAGE_NAME}:${DOCKER_TAG}
-
-            nitro-cli build-enclave --docker-uri ghcr.io/zama-ai/${IMAGE_NAME}:${DOCKER_TAG}} --name ${IMAGE_NAME} --output-file /output/enclave.eif
-
+            echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u USERNAME --password-stdin # zizmor: ignore[template-injection]
+            docker pull --platform=linux/amd64 ghcr.io/zama-ai/${{ inputs.image-name }}:${{ needs.determine-tag.outputs.docker_tag }} # zizmor: ignore[template-injection]
+            nitro-cli build-enclave --docker-uri ghcr.io/zama-ai/${{ inputs.image-name }}:${{ needs.determine-tag.outputs.docker_tag }} --name ${{ inputs.image-name }} --output-file /output/enclave.eif # zizmor: ignore[template-injection]
             nitro-cli describe-eif --eif-path /output/enclave.eif > /output/eif-info.txt
 
 

.github/workflows/common-testing-big-instance.yml

@@ -68,6 +68,12 @@ on:
         required: true
       AWS_SECRET_KEY_S3_USER:
         required: true
+      SLACK_CHANNEL:
+        required: true
+      BOT_USERNAME:
+        required: true
+      SLACK_WEBHOOK:
+        required: true
 
 env:
   CARGO_TERM_COLOR: always
@@ -102,6 +108,9 @@ jobs:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
     with:
       runs-on: ${{ needs.start-runner.outputs.label }}
       build-publish-docs: ${{ inputs.build-publish-docs }}

.github/workflows/common-testing.yml

@@ -64,6 +64,12 @@ on:
         required: true
       AWS_SECRET_KEY_S3_USER:
         required: true
+      SLACK_CHANNEL:
+        required: true
+      BOT_USERNAME:
+        required: true
+      SLACK_WEBHOOK:
+        required: true
 
 env:
   CARGO_TERM_COLOR: always
@@ -271,6 +277,7 @@ jobs:
 
       # Test execution
       - name: Run Tests
+        id: tests
         if: ${{ ! inputs.test-coverage || !contains(github.event.pull_request.labels.*.name, 'coverage') }}
         env:
           # some integration tests run docker compose
@@ -295,6 +302,30 @@ jobs:
           cat ~/.aws/config &&
           RUST_BACKTRACE=full cargo test ${ARGS_TESTS:+$ARGS_TESTS}
 
+      - name: Set Slack color
+        id: slack_color
+        env:
+          JOB_RESULT: ${{ steps.tests.outcome }}
+        run: |
+          if [ "${JOB_RESULT}" = "success" ]; then
+            echo "color=good" >> "$GITHUB_OUTPUT"
+          else
+            echo "color=danger" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Post nightly tests results in a channel
+        if: always() && github.event_name == 'schedule'
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+          SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_ICON_EMOJI: ":github-octocat:"
+          SLACK_TITLE: "Nightly Tests Result"
+          SLACK_COLOR: ${{ steps.slack_color.outputs.color }}
+          SLACK_MESSAGE: "${{ steps.tests.outcome }} \nFor args: ${{ inputs.args-tests }}"
+
       - name: Generate unique ID
         id: unique-id
         run: echo "id=$(date "+%s%N" | md5sum | head -c 8)" >> "$GITHUB_OUTPUT"

.github/workflows/global-common-workflow.yml

@@ -169,6 +169,9 @@ jobs:
       JOB_SECRET: ${{ secrets.JOB_SECRET }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
   ############################################################################
   # Core Client Pipeline
@@ -228,6 +231,9 @@ jobs:
       JOB_SECRET: ${{ secrets.JOB_SECRET }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
   # Builds Docker image for core-client
   # Only runs on main/release branches after successful tests
@@ -281,6 +287,9 @@ jobs:
       JOB_SECRET: ${{ secrets.JOB_SECRET }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
   ############################################################################
   # Core Service Pipeline
@@ -359,6 +368,9 @@ jobs:
       JOB_SECRET: ${{ secrets.JOB_SECRET }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
   # Builds the core service Docker image
   # Only runs on main/release branches after successful tests
@@ -450,6 +462,9 @@ jobs:
       JOB_SECRET: ${{ secrets.JOB_SECRET }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
   # Runs extended threshold tests on main/release branches
   # Includes Redis integration and all test suites
@@ -472,6 +487,9 @@ jobs:
       JOB_SECRET: ${{ secrets.JOB_SECRET }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
   # Simplified build process for Dependabot PRs
   # Only runs library tests without integration components
@@ -490,6 +508,9 @@ jobs:
       BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
 
   ############################################################################

.github/workflows/npm-release.yml

@@ -29,3 +29,6 @@ jobs:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

charts/kms-core/Chart.yaml

@@ -1,6 +1,6 @@
 name: kms-service
 description: A helm chart to distribute and deploy the Zama KMS application stack
-version: 1.0.5
+version: 1.0.7
 apiVersion: v2
 keywords:
   - kms-service

charts/kms-core/templates/kms-gen-keys-configmap.yaml

@@ -86,10 +86,6 @@ data:
     echo "kmsGenKey.forceRecreate is enabled, deleting existing configmap"
     kubectl delete configmap "$CONFIGMAP_NAME"
     {{- end }}
-    if [ ! -z "$(cat /keygen/key_id)" ]; then
-      echo "Key ID found, skipping configmap creation"
-      exit 0
-    fi
     echo "creating kubernetes configmap: $CONFIGMAP_NAME"
     kubectl create configmap "$CONFIGMAP_NAME" \
       --from-literal=KMS_BUCKET_URL="$(cat /keygen/bucket_url)" \

charts/kms-core/templates/kms-gen-keys-job.yaml

@@ -35,8 +35,11 @@ spec:
             - name: S3_ENDPOINT
               value: "http://minio:9000/{{ .Values.kmsCore.publicVault.s3.bucket }}/{{ .Values.kmsCore.publicVault.s3.path }}"
             {{- else }}
-            - name: S3_ENDPOINT
-              value: "https://{{ .Values.kmsCore.publicVault.s3.bucket }}.s3.{{ .Values.kmsCore.aws.region }}.amazonaws.com{{ if .Values.kmsCore.publicVault.s3.path }}/{{ .Values.kmsCore.publicVault.s3.path }}{{ end }}"
+            - name: CORE_CLIENT__S3_ENDPOINT
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ .Values.kmsCore.envFrom.configmap.name }}
+                  key: {{ .Values.kmsCore.envFrom.configmap.key.coreClientS3Endpoint }}
             {{- end }}
             - name: OBJECT_FOLDER
               {{- if .Values.kmsCore.thresholdMode.peersList }}

core-client/src/lib.rs

@@ -17,7 +17,7 @@ use kms_grpc::kms::v1::{
 use kms_grpc::kms_service::v1::core_service_endpoint_client::CoreServiceEndpointClient;
 use kms_grpc::rpc_types::{protobuf_to_alloy_domain, InternalCustodianRecoveryOutput, PubDataType};
 use kms_grpc::{KeyId, RequestId};
-use kms_lib::client::{Client, ParsedUserDecryptionRequest};
+use kms_lib::client::{client_wasm::Client, user_decryption_wasm::ParsedUserDecryptionRequest};
 use kms_lib::consts::{DEFAULT_PARAM, SIGNING_KEY_ID, TEST_PARAM};
 use kms_lib::engine::base::{compute_external_pubdata_message_hash, compute_pt_message_hash};
 use kms_lib::util::file_handling::{read_element, write_element};
@@ -954,7 +954,7 @@ fn check_external_decryption_signature(
     for response in responses {
         let payload = response.payload.as_ref().unwrap();
         check_ext_pt_signature(
-            response.external_signature(),
+            &response.external_signature,
             &payload.plaintexts,
             external_handles.to_owned(),
             domain.clone(),

core/grpc/proto/kms-service-insecure.v1.proto

@@ -3,77 +3,51 @@ package kms_service.v1;
 
 import "kms.v1.proto";
 
+// WARNING: This service is insecure and should not be used in production.
+//
+// Since this is the insecure endpoint, we do not duplicate
+// the documentation. Please see the documentation of the secure endpoint.
+// All insecure RPCs (i.e., the ones that have `Insecure` in the prefix)
+// have the same semantics as the secure ones.
 service CoreServiceEndpoint {
-  // Perform the threshold KMS initialization.
-  // This call returns an error on the centralized KMS.
   rpc Init(kms.v1.InitRequest) returns (kms.v1.Empty);
 
-  // Start generating preprocessing materials for key generation asynchronously.
-  // This call returns an error on the centralized KMS.
   rpc KeyGenPreproc(kms.v1.KeyGenPreprocRequest) returns (kms.v1.Empty);
 
-  // This call returns an error on the centralized KMS.
   rpc GetKeyGenPreprocResult(kms.v1.RequestId) returns (kms.v1.KeyGenPreprocResult);
 
-  // Generate new keys asynchronously.
   rpc KeyGen(kms.v1.KeyGenRequest) returns (kms.v1.Empty);
 
-  // Return a URI where they can be accessed.
-  // The keys at the URI contains signature and authentication information.
-  // NOTE: Unprivileged and insecure call
   rpc GetKeyGenResult(kms.v1.RequestId) returns (kms.v1.KeyGenResult);
 
-  // Generate new keys asynchronously.
   rpc InsecureKeyGen(kms.v1.KeyGenRequest) returns (kms.v1.Empty);
 
-  // Return a URI where they can be accessed.
-  // The keys at the URI contains signature and authentication information.
-  // NOTE: Unprivileged and insecure call
   rpc GetInsecureKeyGenResult(kms.v1.RequestId) returns (kms.v1.KeyGenResult);
 
-  // Perform public decryption of a ciphertext and return the signed plaintext.
   rpc PublicDecrypt(kms.v1.PublicDecryptionRequest) returns (kms.v1.Empty);
 
-  // Get the public decryption result.
-  // This query fails if the result is not available yet.
   rpc GetPublicDecryptionResult(kms.v1.RequestId) returns (kms.v1.PublicDecryptionResponse);
 
-  // Perform user decryption of a ciphertext under a user-specified key and return a signcrypted
-  // share of the decrypted plaintext.
   rpc UserDecrypt(kms.v1.UserDecryptionRequest) returns (kms.v1.Empty);
 
-  // Get the user decryption result.
-  // This query fails if the result is not available yet.
   rpc GetUserDecryptionResult(kms.v1.RequestId) returns (kms.v1.UserDecryptionResponse);
 
-  // Start the CRS generation protocol asynchronously.
   rpc CrsGen(kms.v1.CrsGenRequest) returns (kms.v1.Empty);
 
-  // Get a reference to the CRS.
-  // This query fails if the result is not available yet.
   rpc GetCrsGenResult(kms.v1.RequestId) returns (kms.v1.CrsGenResult);
 
-  // Start the insecure CRS generation protocol asynchronously.
   rpc InsecureCrsGen(kms.v1.CrsGenRequest) returns (kms.v1.Empty);
 
-  // Get a reference to the insecure CRS.
-  // This query fails if the result is not available yet.
   rpc GetInsecureCrsGenResult(kms.v1.RequestId) returns (kms.v1.CrsGenResult);
 
-  // Create a new KMS context, it may be created without an existing one.
   rpc NewKmsContext(kms.v1.NewKmsContextRequest) returns (kms.v1.Empty);
 
-  // Destroy an existing KMS context.
   rpc DestroyKmsContext(kms.v1.DestroyKmsContextRequest) returns (kms.v1.Empty);
 
-  // Create a new custodian context, it may be created without an existing one.
   rpc NewCustodianContext(kms.v1.NewCustodianContextRequest) returns (kms.v1.Empty);
 
-  // Destroy an existing custodian context.
   rpc DestroyCustodianContext(kms.v1.DestroyCustodianContextRequest) returns (kms.v1.Empty);
 
-  // Get the public key that a custodian can use to encrypt a backup share
-  // before sending it to the KMS.
   rpc GetOperatorPublicKey(kms.v1.Empty) returns (kms.v1.OperatorPublicKey);
 
   // Restore the contents of the KMS private storage from the backup vault.