chore: update docker building action

Author: zensh

.github/workflows/build-dockers.yml

@@ -21,3 +21,11 @@ jobs:
         LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
         TAGS="-t ${IMAGE_TAG} -t ${LATEST_TAG}"
         docker buildx build --platform='linux/amd64,linux/arm64' $TAGS --push .
+        IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_arm64:${{ github.ref_name }}"
+        LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_arm64:latest"
+        TAGS="-t ${IMAGE_TAG} -t ${LATEST_TAG}"
+        docker build -f enclave/arm64.Dockerfile $TAGS --push .
+        IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_amd64:${{ github.ref_name }}"
+        LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}_enclave_amd64:latest"
+        TAGS="-t ${IMAGE_TAG} -t ${LATEST_TAG}"
+        docker build -f enclave/amd64.Dockerfile $TAGS --push .

Cargo.lock

@@ -68,8 +68,20 @@ cargo run -p idempotent-proxy-server
 
 https://docs.marlin.org/user-guides/oyster/instances/quickstart/build
 
+The following steps should be run in AWS Nitro-based instances.
+
+Spin up a new Docker container based on our nitro-cli image and mount the current directory using:
+```bash
+sudo docker run --rm --privileged --name nitro-cli -v `pwd`:/mnt/my-server marlinorg/nitro-cli
+```
+
+In a new terminal, run
 ```bash
-docker build -f enclave/arm64.Dockerfile -t enclave:latest .
+cd /mnt/my-server
+sudo docker exec -it nitro-cli sh
+# or docker pull enclave image
+docker build -f enclave/arm64.Dockerfile -t enclave_arm64:latest .
+nitro-cli build-enclave --docker-uri enclave_arm64:latest --output-file enclave_arm64.eif
 ```
 
 ### Running as Cloudflare Worker

README.md

@@ -1,12 +1,12 @@
 use async_trait::async_trait;
+use idempotent_proxy_types::unix_ms;
 use std::{
     collections::{
         hash_map::{Entry, HashMap},
         BTreeSet,
     },
     sync::Arc,
 };
-use structured_logger::unix_ms;
 use tokio::{
     sync::RwLock,
     time::{sleep, Duration},
@@ -39,7 +39,6 @@ impl MemoryCacher {
 
                 kv.remove(&key);
             }
-            ()
         })
     }
 }

src/idempotent-proxy-server/src/cache/memory.rs

@@ -13,21 +13,17 @@ license.workspace = true
 [lib]
 
 [dependencies]
-axum = { workspace = true }
 http = { workspace = true }
-async-trait = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_bytes = { workspace = true }
 ciborium = { workspace = true }
-anyhow = { workspace = true }
 k256 = { workspace = true }
 ed25519-dalek = { workspace = true }
-base64 = { workspace = true }
 sha3 = { workspace = true }
-chrono = { workspace = true }
 
 [dev-dependencies]
+base64 = { workspace = true }
 rand_core = "0.6"
 hex = { package = "hex-conservative", version = "0.2", default-features = false, features = [
   "alloc",

src/idempotent-proxy-types/Cargo.toml

@@ -8,6 +8,8 @@ use serde::{Deserialize, Serialize};
 use serde_bytes::ByteBuf;
 use sha3::{Digest, Sha3_256};
 
+use crate::unix_ms;
+
 const PERMITTED_DRIFT: u64 = 10; // seconds
 
 // Token format: [expire_at in seconds, agent, signature]
@@ -27,7 +29,7 @@ pub fn ed25519_sign(key: &ed25519_dalek::SigningKey, expire_at: u64, agent: Stri
 
 pub fn ed25519_verify(keys: &[ed25519_dalek::VerifyingKey], data: &[u8]) -> Result<Token, String> {
     let token: Token = from_reader(data).map_err(|_err| "failed to decode CBOR data")?;
-    if token.0 + PERMITTED_DRIFT < chrono::Utc::now().timestamp() as u64 {
+    if token.0 + PERMITTED_DRIFT < unix_ms() / 1000 {
         return Err("token expired".to_string());
     }
     let sig = ed25519_dalek::Signature::from_slice(token.2.as_slice())
@@ -60,7 +62,7 @@ pub fn ecdsa_sign(key: &ecdsa::SigningKey, expire_at: u64, agent: String) -> Vec
 // Secp256k1
 pub fn ecdsa_verify(keys: &[ecdsa::VerifyingKey], data: &[u8]) -> Result<Token, String> {
     let token: Token = from_reader(data).map_err(|_err| "failed to decode CBOR data")?;
-    if token.0 + PERMITTED_DRIFT < chrono::Utc::now().timestamp() as u64 {
+    if token.0 + PERMITTED_DRIFT < unix_ms() / 1000 {
         return Err("token expired".to_string());
     }
     let sig = ecdsa::Signature::try_from(token.2.as_slice())
@@ -98,7 +100,7 @@ mod test {
         let signing_key: ed25519_dalek::SigningKey =
             ed25519_dalek::SigningKey::from_bytes(&secret_key);
         let agent = "alice".to_string();
-        let expire_at = chrono::Utc::now().timestamp() as u64 + 3600;
+        let expire_at = unix_ms() / 1000 + 3600;
         let signed = super::ed25519_sign(&signing_key, expire_at, agent.clone());
         let token = super::ed25519_verify(&[signing_key.verifying_key()], &signed).unwrap();
         assert_eq!(token.0, expire_at);
@@ -110,7 +112,7 @@ mod test {
     fn test_secp256k1_token() {
         let signing_key = ecdsa::SigningKey::random(&mut OsRng);
         let agent = "alice".to_string();
-        let expire_at = chrono::Utc::now().timestamp() as u64 + 3600;
+        let expire_at = unix_ms() / 1000 + 3600;
         let signed = super::ecdsa_sign(&signing_key, expire_at, agent.clone());
         let token =
             super::ecdsa_verify(&[ecdsa::VerifyingKey::from(&signing_key)], &signed).unwrap();

src/idempotent-proxy-types/src/auth.rs

@@ -1,4 +1,5 @@
 use http::header::HeaderName;
+use std::time::{SystemTime, UNIX_EPOCH};
 
 pub mod auth;
 
@@ -13,3 +14,11 @@ pub static HEADER_RESPONSE_HEADERS: HeaderName = HeaderName::from_static("respon
 pub fn err_string(err: impl std::fmt::Display) -> String {
     err.to_string()
 }
+
+/// Returns the current unix timestamp in milliseconds.
+pub fn unix_ms() -> u64 {
+    let ts = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .expect("system time before Unix epoch");
+    ts.as_millis() as u64
+}