Merge branch 'staging' into feataggmode/show-db-status-grafana

Author: maximopalopoli

.github/workflows/build-and-test-rust.yml

@@ -13,7 +13,7 @@ on:
       - ".github/workflows/build-and-test-rust.yml"
 
 jobs:
-  build:
+  build-and-test:
     runs-on: aligned-runner
 
     steps:
@@ -26,6 +26,9 @@ jobs:
           components: rustfmt, clippy
           override: true
 
+      - name: foundry-toolchain
+        uses: foundry-rs/foundry-toolchain@v1.2.0
+
       # Reference: https://github.com/succinctlabs/sp1/actions/runs/8886659400/workflow#L61-L65
       - name: Install sp1 toolchain
         run: |
@@ -82,54 +85,13 @@ jobs:
           # We need to skip the build as clippy does not support the riscv32im-risc0-zkvm-elf target
           RISC0_SKIP_BUILD=1 cargo clippy --all -- -D warnings
 
-  test:
-    runs-on: aligned-runner
-    needs: build
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Rust
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: 1.88.0
-          components: rustfmt, clippy
-          override: true
-
-      - name: foundry-toolchain
-        uses: foundry-rs/foundry-toolchain@v1.2.0
-      
-      # Reference: https://github.com/succinctlabs/sp1/actions/runs/8886659400/workflow#L61-L65
-      - name: Install sp1 toolchain
-        run: |
-          curl -L https://sp1.succinct.xyz | bash
-          source /home/runner/.bashrc
-           ~/.sp1/bin/sp1up
-
-      - name: Install risc0 toolchain
-        run: |
-          curl -L https://risczero.com/install | bash
-          source ~/.bashrc
-          ~/.risc0/bin/rzup install
-
-      - name: Cache Rust dependencies
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            crates/target
-          key: ${{ runner.os }}-rust-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-rust-
-
       - name: Run Batcher tests
         run: |
           cd crates
           cargo test --all
 
       - name: Run AggregationMode tests
         run: |
-          cd aggregation_mode/proof_aggregator && cargo test
+          cd aggregation_mode/proof_aggregator && SKIP_AGG_PROGRAMS_BUILD=1 cargo test
           cd ../gateway && cargo test
           cd ../payments_poller && cargo test

Makefile

@@ -288,7 +288,7 @@ verify_aggregated_proof_sp1:
 		--public-inputs ../../scripts/test_files/sp1/sp1_fibonacci_5_0_0.pub
 
 proof_aggregator_install: ## Install the aggregation mode with proving enabled
-	cargo install --path aggregation_mode --features prove,gpu --bin proof_aggregator_gpu --locked
+	cargo install --path aggregation_mode/proof_aggregator --features prove,gpu --bin proof_aggregator_gpu --locked
 
 proof_aggregator_write_program_ids: ## Write proof aggregator zkvm programs ids
 	@cd aggregation_mode/proof_aggregator && ./scripts/build_programs.sh

aggregation_mode/Cargo.lock

@@ -3,8 +3,8 @@ volumes:
 
 networks:
   aligned-network:
-    external: true
     name: aligned-network
+    driver: bridge
 
 name: aggregation-mode
 services:

aggregation_mode/docker-compose.yaml

@@ -3,6 +3,10 @@ name = "gateway"
 version = "0.1.0"
 edition = "2021"
 
+[features]
+default = []
+tls = ["dep:rustls"]
+
 [dependencies]
 serde =  { workspace = true }
 serde_json = { workspace = true }
@@ -14,11 +18,11 @@ db = { workspace = true }
 tracing = { version = "0.1", features = ["log"] }
 tracing-subscriber = { version = "0.3.0", features = ["env-filter"] }
 bincode = "1.3.3"
-actix-web = "4"
+actix-web = { version = "4", features = ["rustls-0_23"] }
 actix-multipart = "0.7.2"
 actix-web-prometheus = "0.1.2"
+rustls = { version = "0.23", optional = true, default-features = false, features = ["std", "aws-lc-rs"] }
 alloy = { workspace = true }
 tokio = { version = "1", features = ["time", "macros", "rt-multi-thread"]}
-# TODO: enable tls
 sqlx = { version = "0.8", features = [ "runtime-tokio", "postgres", "uuid", "bigdecimal" ] }
 hex = "0.4"

aggregation_mode/gateway/Cargo.toml

@@ -10,6 +10,12 @@ pub struct Config {
     pub network: String,
     pub max_daily_proofs_per_user: i64,
     pub gateway_metrics_port: u16,
+    #[cfg(feature = "tls")]
+    pub tls_cert_path: String,
+    #[cfg(feature = "tls")]
+    pub tls_key_path: String,
+    #[cfg(feature = "tls")]
+    pub tls_port: u16,
 }
 
 impl Config {

aggregation_mode/gateway/src/config.rs

@@ -4,6 +4,12 @@ use std::{
     time::{Instant, SystemTime, UNIX_EPOCH},
 };
 
+#[cfg(feature = "tls")]
+use rustls::{
+    pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer},
+    ServerConfig,
+};
+
 use actix_multipart::form::MultipartForm;
 use actix_web::{
     web::{self, Data},
@@ -56,9 +62,31 @@ impl GatewayServer {
         }
     }
 
+    #[cfg(feature = "tls")]
+    fn load_tls_config(
+        cert_path: &str,
+        key_path: &str,
+    ) -> Result<ServerConfig, Box<dyn std::error::Error>> {
+        // Install the default crypto provider
+        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+
+        // Load certificate chain
+        let certs: Vec<CertificateDer> =
+            CertificateDer::pem_file_iter(cert_path)?.collect::<Result<Vec<_>, _>>()?;
+
+        // Load private key
+        let private_key = PrivateKeyDer::from_pem_file(key_path)?;
+
+        let config = ServerConfig::builder()
+            .with_no_client_auth()
+            .with_single_cert(certs, private_key)?;
+
+        Ok(config)
+    }
+
     pub async fn start(&self) {
         // Note: GatewayServer is thread safe so we can just clone it (no need to add mutexes)
-        let port = self.config.port;
+        let http_port = self.config.port;
         let state = self.clone();
 
         // Note: This creates a new Prometheus server different from the one created in GatewayServer::new. The created
@@ -68,8 +96,7 @@ impl GatewayServer {
             .build()
             .unwrap();
 
-        tracing::info!("Starting server at port {}", self.config.port);
-        HttpServer::new(move || {
+        let server = HttpServer::new(move || {
             App::new()
                 .app_data(Data::new(state.clone()))
                 .wrap(prometheus.clone())
@@ -79,12 +106,37 @@ impl GatewayServer {
                 .route("/proof/sp1", web::post().to(Self::post_proof_sp1))
                 .route("/proof/risc0", web::post().to(Self::post_proof_risc0))
                 .route("/quotas/{address}", web::get().to(Self::get_quotas))
-        })
-        .bind((self.config.ip.as_str(), port))
-        .expect("To bind socket correctly")
-        .run()
-        .await
-        .expect("Server to never end");
+        });
+
+        tracing::info!(
+            "Starting HTTP server at http://{}:{}",
+            self.config.ip,
+            http_port
+        );
+
+        let server = server
+            .bind((self.config.ip.as_str(), http_port))
+            .expect("To bind HTTP socket correctly");
+
+        #[cfg(feature = "tls")]
+        let server = {
+            let tls_port = self.config.tls_port;
+            tracing::info!(
+                "Starting HTTPS server at https://{}:{}",
+                self.config.ip,
+                tls_port
+            );
+
+            let tls_config =
+                Self::load_tls_config(&self.config.tls_cert_path, &self.config.tls_key_path)
+                    .expect("Failed to load TLS configuration");
+
+            server
+                .bind_rustls_0_23((self.config.ip.as_str(), tls_port), tls_config)
+                .expect("To bind HTTPS socket correctly with TLS")
+        };
+
+        server.run().await.expect("Server to never end");
     }
 
     // Returns an OK response (code 200), no matters what receives in the request

aggregation_mode/gateway/src/http.rs

@@ -38,27 +38,24 @@ risc0-build = { version = "3.0.3" }
 # Tell risc0 build to find method in ./aggregation_programs/risc0 package
 methods = ["./aggregation_programs/risc0"]
 
-[profile.release]
-opt-level = 3
-
 [features]
 default = []
 prove = []
 gpu = ["risc0-zkvm/cuda"]
 
 [[bin]]
 name = "proof_aggregator_cpu"
-path = "./src/main.rs"
+path = "./src/bin/proof_aggregator_cpu.rs"
 required-features = ["prove"]
 
 [[bin]]
 name = "proof_aggregator_gpu"
-path = "./src/main.rs"
+path = "./src/bin/proof_aggregator_gpu.rs"
 required-features = ["prove", "gpu"]
 
 [[bin]]
 name = "proof_aggregator_dev"
-path = "./src/main.rs"
+path = "./src/bin/proof_aggregator_dev.rs"
 
 [[bin]]
 name = "write_program_image_id_vk_hash"

aggregation_mode/proof_aggregator/Cargo.toml

@@ -0,0 +1,4 @@
+#[tokio::main]
+async fn main() {
+    proof_aggregator::run().await;
+}

aggregation_mode/proof_aggregator/src/bin/proof_aggregator_cpu.rs

@@ -0,0 +1,4 @@
+#[tokio::main]
+async fn main() {
+    proof_aggregator::run().await;
+}