repo-sync-2024-12-27T16:48:19+0800

.circleci/config.yml

@@ -60,7 +60,7 @@ jobs:
             bazel --output_base=target build //trustflow/...
             bazel --output_base=target test //trustflow/...
             bazel --output_base=target test //trustflow/... --features=asan
-  docker_image_publish:
+  common_image_publish:
     docker:
       - image: cimg/deploy:2023.06.1
     resource_class: 2xlarge+
@@ -200,6 +200,36 @@ jobs:
                 -r "${CIRCLE_PROJECT_REPONAME}" -c "${CIRCLE_SHA1}" "${VERSION}" \
                 build/trustflow/attestation/verification/trustflow_verifier.js
 
+  proxy_image_publish:
+    docker:
+      - image: cimg/deploy:2023.06.1
+    resource_class: 2xlarge+
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and Push Docker image
+          command: |
+            COMMON_VERSION=<< pipeline.parameters.GHA_Version >>
+            # login docker
+            docker login -u secretflow -p ${DOCKER_DEPLOY_TOKEN}
+            # login docker - aliyun
+            docker login -u ${ALIYUN_DOCKER_USERNAME} -p ${ALIYUN_DOCKER_PASSWORD} secretflow-registry.cn-hangzhou.cr.aliyuncs.com
+
+            echo "version: ${COMMON_VERSION}"
+            
+            pushd docker/proxy/data_capsule_proxy
+            bash build.sh -p sim -v ${COMMON_VERSION} -l -u
+            bash build.sh -p tdx -v ${COMMON_VERSION} -l -u
+            bash build.sh -p csv -v ${COMMON_VERSION} -l -u
+            popd
+
+            pushd docker/proxy/ra_proxy
+            bash build.sh -p sim -v ${COMMON_VERSION} -l -u
+            bash build.sh -p tdx -v ${COMMON_VERSION} -l -u
+            bash build.sh -p csv -v ${COMMON_VERSION} -l -u
+            popd
+
 # Invoke jobs via workflows
 # See: https://circleci.com/docs/2.0/configuration-reference/#workflows
 workflows:
@@ -215,19 +245,26 @@ workflows:
         - exits: << pipeline.parameters.GHA_Version >>
     jobs:
       - wasm_verifier_publish
-  docker-image-publish-workflow:
+  common-image-publish-workflow:
     when:
       and:
-        - equal: ["docker_image_publish", << pipeline.parameters.GHA_Action >>]
+        - equal: ["common_image_publish", << pipeline.parameters.GHA_Action >>]
         - exits: << pipeline.parameters.GHA_Mode >>
         - exits: << pipeline.parameters.GHA_Version >>
     jobs:
-      - docker_image_publish
+      - common_image_publish
   pypi-publish-workflow:
     when:
       equal: ["pypi_publish", << pipeline.parameters.GHA_Action >>]
     jobs:
       - pypi_publish:
           matrix:
             parameters:
-              python_ver: ["3.10"]
+              python_ver: ["3.10"]
+  proxy-image-publish-workflow:
+    when:
+      and:
+        - equal: ["proxy_image_publish", << pipeline.parameters.GHA_Action >>]
+        - exits: << pipeline.parameters.GHA_Version >>
+    jobs:
+      - proxy_image_publish

.gitignore

@@ -51,3 +51,5 @@ external
 target
 _build
 .venv
+testdata
+*.log

README.md

@@ -24,7 +24,8 @@ TrustFlow is especially valuable in scenarios that involve secure storage, proce
 
 - [CapsuleManager](https://github.com/asterinas/trustflow-capsule-manager): authorization and key management module.
 - [TEEAPPs](https://github.com/asterinas/trustflow-teeapps): trusted applications.
-- [CapsuleManagerSDK](https://github.com/asterinas/trustflow-capsule-manager-sdk): the CLI tool and sdk for CapsuleManager.
+- [CapsuleManagerSDK](https://github.com/asterinas/trustflow-capsule-manager/tree/main/capsule-manager-sdk): the CLI tool and sdk for CapsuleManager.
+- [TrustflowEnvoy](https://github.com/asterinas/trustflow-envoy): Trustflow Envoy。
 
 ## Roadmap
 

README.zh-CN.md

@@ -24,7 +24,8 @@ TrustFlow可用于需要安全存储、处理或共享敏感数据的场景，
 
 - [CapsuleManager](https://github.com/asterinas/trustflow-capsule-manager): 授权和密钥管理模块。
 - [TEEAPPs](https://github.com/asterinas/trustflow-teeapps): 可信应用。
-- [CapsuleManagerSDK](https://github.com/asterinas/trustflow-capsule-manager-sdk): CapsuleManager的命令行工具和SDK。
+- [CapsuleManagerSDK](https://github.com/asterinas/trustflow-capsule-manager/tree/main/capsule-manager-sdk): CapsuleManager的命令行工具和SDK。
+- [TrustflowEnvoy](https://github.com/asterinas/trustflow-envoy): Trustflow的Envoy模块。
 
 ## 路线图
 

bazel/curl.BUILD

@@ -0,0 +1,22 @@
+# Copyright 2024 Ant Group Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package(default_visibility = ["//visibility:public"])
+
+cc_library(
+    name = "curl",
+    linkopts = [
+        "-lcurl",
+    ],
+)

bazel/oss_sdk.BUILD

@@ -0,0 +1,38 @@
+cc_library(
+    name = "oss_sdk_external",
+    srcs = glob([
+        "sdk/src/external/**/*.cpp",
+    ]),
+    hdrs = glob([
+        "sdk/src/external/**/*.h",
+    ]),
+    includes = [
+        "sdk/src/external",
+    ],
+    visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "oss_sdk",
+    srcs = glob([
+        "sdk/src/*.cc",
+        "sdk/src/**/*.cc",
+    ]),
+    hdrs = glob([
+        "sdk/include/alibabacloud/oss/*.h",
+        "sdk/include/alibabacloud/oss/**/*.h",
+        "sdk/src/*.h",
+        "sdk/src/**/*.h",
+    ]),
+    includes = [
+        "sdk/include",
+        "sdk/include/alibabacloud/oss",
+        "sdk/src",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":oss_sdk_external",
+        "@com_github_curl//:curl",
+        "@com_github_openssl_openssl//:openssl",
+    ],
+)

bazel/repositories.bzl

@@ -25,6 +25,8 @@ def trustflow_dependencies():
     """
     _local_openssl_openssl()
 
+    _local_curl()
+
     _com_github_grpc_grpc()
 
     _com_github_rules_proto_grpc()
@@ -45,12 +47,24 @@ def trustflow_dependencies():
 
     _com_github_pybind11()
 
+    _aliyun_oss_cpp_sdk()
+
+    _com_github_yaml_cpp()
+
 def _local_openssl_openssl():
     maybe(
         native.new_local_repository,
         name = "com_github_openssl_openssl",
         build_file = "@trustflow//bazel:openssl.BUILD",
-        path = "/",
+        path = "bazel",
+    )
+
+def _local_curl():
+    maybe(
+        native.new_local_repository,
+        name = "com_github_curl",
+        build_file = "@trustflow//bazel:curl.BUILD",
+        path = "bazel",
     )
 
 def _com_github_grpc_grpc():
@@ -85,11 +99,11 @@ def _com_github_sf_apis():
         http_archive,
         name = "sf_apis",
         urls = [
-            "https://github.com/secretflow/secure-data-capsule-apis/archive/47a47f0f0096fdcc2c13c8ba3b86448d2795b829.tar.gz",
+            "https://github.com/secretflow/secure-data-capsule-apis/archive/bf3a19c4eddb0e2cf4c9c21c134413dffdf321c9.tar.gz",
         ],
-        strip_prefix = "secure-data-capsule-apis-47a47f0f0096fdcc2c13c8ba3b86448d2795b829",
+        strip_prefix = "secure-data-capsule-apis-bf3a19c4eddb0e2cf4c9c21c134413dffdf321c9",
         build_file = "@trustflow//bazel:sf_apis.BUILD",
-        sha256 = "c7b52eb51be3b4f1f380b8fb7cdd80a101e59e9471ca01d7b6c3441bd463dc3b",
+        sha256 = "99d7de35d410a7870d92e63d03c7c2d202bd5b3749e94cb6e0955dd6d62c06fa",
     )
 
 def _com_github_cppcodec():
@@ -102,6 +116,8 @@ def _com_github_cppcodec():
         ],
         strip_prefix = "cppcodec-0.2",
         sha256 = "0edaea2a9d9709d456aa99a1c3e17812ed130f9ef2b5c2d152c230a5cbc5c482",
+        patches = ["@trustflow//bazel:patches/cppcodec.patch"],
+        patch_args = ["-p1"],
     )
 
 def _com_github_yacl():
@@ -179,3 +195,28 @@ def _com_github_pybind11():
             "https://github.com/pybind/pybind11/archive/refs/tags/v2.11.1.tar.gz",
         ],
     )
+
+def _aliyun_oss_cpp_sdk():
+    maybe(
+        http_archive,
+        name = "com_github_aliyun_oss_cpp_sdk",
+        sha256 = "adee3beb0b7b88bfd947eb9dae5e0d22c8b3f315563aab076a7b60c140125f31",
+        strip_prefix = "aliyun-oss-cpp-sdk-1.9.0",
+        build_file = "//:bazel/oss_sdk.BUILD",
+        type = "tar.gz",
+        urls = [
+            "https://codeload.github.com/aliyun/aliyun-oss-cpp-sdk/tar.gz/1.9.0",
+        ],
+    )
+
+def _com_github_yaml_cpp():
+    maybe(
+        http_archive,
+        name = "com_github_yaml_cpp",
+        sha256 = "43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3",
+        strip_prefix = "yaml-cpp-yaml-cpp-0.7.0",
+        type = "tar.gz",
+        urls = [
+            "https://github.com/jbeder/yaml-cpp/archive/refs/tags/yaml-cpp-0.7.0.tar.gz",
+        ],
+    )

bazel/sf_apis.BUILD

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 load("@rules_proto//proto:defs.bzl", "proto_library")
+load("@rules_proto_grpc//cpp:defs.bzl", "cpp_grpc_library")
 
 package(default_visibility = ["//visibility:public"])
 
@@ -33,3 +34,25 @@ cc_proto_library(
         ":sf_apis_proto",
     ],
 )
+
+proto_library(
+    name = "sf_apis_no_proxy_proto",
+    srcs = glob(
+        [
+            "secretflowapis/v2/**/*.proto",
+        ],
+        exclude = [
+            "secretflowapis/v2/sdc/data_capsule_proxy/**",
+            "secretflowapis/v2/sdc/ra_proxy/**",
+        ],
+    ),
+    visibility = ["//visibility:public"],
+    deps = [
+        "@com_google_protobuf//:any_proto",
+    ],
+)
+
+cpp_grpc_library(
+    name = "cc_sf_apis_no_proxy_grpc",
+    deps = [":sf_apis_no_proxy_proto"],
+)

build.sh

@@ -15,4 +15,4 @@
 # limitations under the License.
 #
 
-bazel --output_base=target build //trustflow/... -c opt --repository_cache=/tmp/bazel_repo_cache --remote_download_minimal 
+bazel --output_base=target build //trustflow/proxy/... -c opt --repository_cache=/tmp/bazel_repo_cache --remote_download_minimal