Skip to content

feat(kms): enhance onboard page with site name, chain info, and k256 pubkey #571

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Leechael wants to merge 7 commits into
base: master
Choose a base branch
from
Draft

feat(kms): enhance onboard page with site name, chain info, and k256 pubkey #571

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
1b4b399
feat(kms): enhance onboard page with site name, chain info, and k256 …
Leechael Mar 20, 2026
01d206e
feat(auth-mock): add configurable authorization policies
Leechael Mar 20, 2026
7bcb5c9
add ppid to kms onboard attestation info
Leechael Apr 16, 2026
799c92c
chore: fix prek formatting issues
Leechael Apr 16, 2026
f57d4d0
fix kms builder dockerfile and adjust ppid display
Leechael Apr 16, 2026
dfd8716
add eth rpc url to auth-eth-bun info endpoint
Leechael Apr 22, 2026
776f763
update auth-eth package-lock.json
Leechael Apr 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions kms/auth-eth-bun/bun.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 15 additions & 13 deletions kms/auth-eth-bun/index.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ beforeAll(async () => {
process.env.ETH_RPC_URL = 'http://localhost:8545';
process.env.KMS_CONTRACT_ADDR = '0x1234567890123456789012345678901234567890';
process.env.PORT = '3001';

// Import the app after mocking
const indexModule = await import('./index.ts');
appFetch = indexModule.default.fetch;
Expand Down Expand Up @@ -58,6 +58,7 @@ describe('API Compatibility Tests', () => {
expect(data).toMatchObject({
status: 'ok',
kmsContractAddr: '0x1234567890123456789012345678901234567890',
ethRpcUrl: 'http://localhost:8545',
gatewayAppId: expect.any(String),
chainId: expect.any(Number),
appAuthImplementation: expect.any(String),
Expand All @@ -67,7 +68,7 @@ describe('API Compatibility Tests', () => {
// Verify response structure matches OpenAPI spec
const systemInfoSchema = openApiSpec.components.schemas.SystemInfo;
const requiredFields = systemInfoSchema.required;

requiredFields.forEach(field => {
expect(data).toHaveProperty(field);
});
Expand Down Expand Up @@ -128,7 +129,7 @@ describe('API Compatibility Tests', () => {
// Verify response matches OpenAPI spec
const bootResponseSchema = openApiSpec.components.schemas.BootResponse;
const requiredFields = bootResponseSchema.required;

requiredFields.forEach(field => {
expect(data).toHaveProperty(field);
});
Expand Down Expand Up @@ -263,7 +264,7 @@ describe('API Compatibility Tests', () => {

it('should not log "Test backend error" messages', async () => {
const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});

mockReadContract.mockRejectedValue(new Error('Test backend error'));

const response = await appFetch(new Request('http://localhost:3001/bootAuth/kms', {
Expand All @@ -277,16 +278,16 @@ describe('API Compatibility Tests', () => {
expect(response.status).toBe(200);
expect(data.isAllowed).toBe(false);
expect(data.reason).toBe('Test backend error');

// Verify that console.error was not called for test errors
expect(consoleSpy).not.toHaveBeenCalled();

consoleSpy.mockRestore();
});

it('should log other error messages', async () => {
const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});

mockReadContract.mockRejectedValue(new Error('real error'));

const response = await appFetch(new Request('http://localhost:3001/bootAuth/kms', {
Expand All @@ -300,10 +301,10 @@ describe('API Compatibility Tests', () => {
expect(response.status).toBe(200);
expect(data.isAllowed).toBe(false);
expect(data.reason).toBe('real error');

// Verify that console.error was called for real errors
expect(consoleSpy).toHaveBeenCalledWith('error in KMS boot auth:', expect.any(Error));

consoleSpy.mockRestore();
});
});
Expand All @@ -312,7 +313,7 @@ describe('API Compatibility Tests', () => {
describe('API Schema Compatibility', () => {
it('should match BootInfo schema requirements', () => {
const bootInfoSchema = openApiSpec.components.schemas.BootInfo;

// Required fields should match original fastify schema
expect(bootInfoSchema.required).toEqual([
'mrAggregated',
Expand All @@ -331,7 +332,7 @@ describe('API Schema Compatibility', () => {

it('should match BootResponse schema requirements', () => {
const bootResponseSchema = openApiSpec.components.schemas.BootResponse;

expect(bootResponseSchema.required).toEqual([
'isAllowed',
'reason',
Expand All @@ -341,10 +342,11 @@ describe('API Schema Compatibility', () => {

it('should match SystemInfo schema requirements', () => {
const systemInfoSchema = openApiSpec.components.schemas.SystemInfo;

expect(systemInfoSchema.required).toEqual([
'status',
'kmsContractAddr',
'ethRpcUrl',
'gatewayAppId',
'chainId',
'appAuthImplementation',
Expand Down Expand Up @@ -385,4 +387,4 @@ describe('Hex Decoding Compatibility', () => {

expect(response.status).toBe(200);
});
});
});
17 changes: 9 additions & 8 deletions kms/auth-eth-bun/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,14 +150,14 @@ class EthereumBackend {
args: [bootInfoStruct]
});
}

const [isAllowed, reason] = response;
const gatewayAppId = await this.client.readContract({
address: this.kmsContractAddr,
abi: DSTACK_KMS_ABI,
functionName: 'gatewayAppId'
});

return {
isAllowed,
reason,
Expand Down Expand Up @@ -209,26 +209,27 @@ app.get('/', async (c) => {
ethereum.getAppImplementation(),
]);
console.log('batch', batch);

return c.json({
status: 'ok',
kmsContractAddr: kmsContractAddr,
ethRpcUrl: rpcUrl,
gatewayAppId: batch[0],
chainId: batch[1],
appAuthImplementation: batch[2], // NOTE: for backward compatibility
appImplementation: batch[2],
});
} catch (error) {
console.error('error in health check:', error);
return c.json({
status: 'error',
message: error instanceof Error ? error.message : String(error)
return c.json({
status: 'error',
message: error instanceof Error ? error.message : String(error)
}, 500);
}
});

// app boot authentication
app.post('/bootAuth/app',
app.post('/bootAuth/app',
zValidator('json', BootInfoSchema),
async (c) => {
try {
Expand Down Expand Up @@ -275,4 +276,4 @@ console.log(`starting server on port ${port}`);
export default {
port,
fetch: app.fetch,
};
};
15 changes: 10 additions & 5 deletions kms/auth-eth-bun/openapi.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@
"type": "object",
"required": [
"mrAggregated",
"osImageHash",
"osImageHash",
"appId",
"composeHash",
"instanceId",
Expand All @@ -118,7 +118,7 @@
"description": "Aggregated MR measurement"
},
"osImageHash": {
"type": "string",
"type": "string",
"description": "OS Image hash"
},
"appId": {
Expand Down Expand Up @@ -158,7 +158,7 @@
"type": "object",
"required": [
"isAllowed",
"reason",
"reason",
"gatewayAppId"
],
"properties": {
Expand All @@ -181,6 +181,7 @@
"required": [
"status",
"kmsContractAddr",
"ethRpcUrl",
"gatewayAppId",
"chainId",
"appAuthImplementation",
Expand All @@ -196,8 +197,12 @@
"type": "string",
"description": "KMS contract address"
},
"ethRpcUrl": {
"type": "string",
"description": "Ethereum RPC URL"
},
"gatewayAppId": {
"type": "string",
"type": "string",
"description": "Gateway application ID"
},
"chainId": {
Expand Down Expand Up @@ -233,4 +238,4 @@
}
}
}
}
}
Loading
Loading