feat: initial commit

Signed-off-by: Harald Hoyer <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# Each line is a file pattern followed by one or more owners.
+# Owners will be automatically notified about new PRs and
+# an owner's approval is required to merge to protected branches.
+* @haraldh @thomasknauth

.github/workflows/container.yml

@@ -0,0 +1,41 @@
+name: Container
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  packages: write
+  contents: read
+
+jobs:
+  push_to_registry:
+    name: Build and push containers image to GitHub Packages
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up env
+        run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
+      - name: Build and Push Container
+        uses: docker/build-push-action@v5
+        with:
+          tags: |
+            ghcr.io/${{env.repository_owner}}/${{ github.event.repository.name }}:latest
+            matterlabsrobot/${{ github.event.repository.name }}:latest
+          push: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}
+

.github/workflows/go.yml

@@ -0,0 +1,40 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prep
+        run: |
+          wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+          sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
+          sudo apt -o Acquire::Retries=3 update
+          sudo apt -o Acquire::Retries=3 install -y --no-install-recommends \
+            libsgx-headers \
+            libsgx-enclave-common \
+            libsgx-urts \
+            libsgx-dcap-quote-verify \
+            libsgx-dcap-quote-verify-dev
+
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.19
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Test
+        run: go test -v ./...

.github/workflows/nix.yml

@@ -0,0 +1,72 @@
+name: nix
+
+on:
+  pull_request:
+    branches: [ "main" ]
+    paths:
+    - '**.nix'
+    - 'go.mod'
+    - 'go.sum'
+    - 'flake.lock'
+  push:
+    branches: [ "main" ]
+    paths:
+      - '**.nix'
+      - 'go.mod'
+      - 'go.sum'
+      - 'flake.lock'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - run: nix flake check -L --show-trace --keep-going
+
+  fmt:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - run: nix fmt
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - uses: cachix/cachix-action@v12
+      continue-on-error: true
+      with:
+        name: haraldh
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: nix build -L .
+
+  develop:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - uses: cachix/cachix-action@v12
+      continue-on-error: true
+      with:
+        name: haraldh
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: nix develop -L  -c go test ./...

.github/workflows/secrets_scanner.yaml

@@ -0,0 +1,18 @@
+name: Leaked Secrets Scan
+on: [pull_request]
+jobs:
+  TruffleHog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@6914dacde37c95874645cc208ce63a58c888cc6c # v3.60.4
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+

.gitignore

@@ -0,0 +1,24 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+# IDE
+/.idea

CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contribution Guidelines
+
+Hello! Thanks for your interest in joining the mission to accelerate the mass adoption of crypto for personal
+sovereignty! We welcome contributions from anyone on the internet, and are grateful for even the smallest of fixes!
+
+## Ways to contribute
+
+There are many ways to contribute to the project:
+
+1. Open issues: if you find a bug, have something you believe needs to be fixed, or have an idea for a feature, please
+   open an issue.
+2. Add color to existing issues: provide screenshots, code snippets, and whatever you think would be helpful to resolve
+   issues.
+3. Resolve issues: either by showing an issue isn't a problem and the current state is ok as is or by fixing the problem
+   and opening a PR.
+4. Report security issues, see [our security policy](SECURITY.md).
+5. [Join the team!](https://matterlabs.notion.site/Shape-the-future-of-Ethereum-at-Matter-Labs-dfb3b5a037044bb3a8006af2eb0575e0)
+
+## Fixing issues
+
+To contribute code fixing issues, please fork the repo, fix an issue, commit, add documentation as per the PR template,
+and the repo's maintainers will review the PR.
+[here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork)
+for guidance how to work with PRs created from a fork.
+
+## Licenses
+
+If you contribute to this project, your contributions will be made to the project under the Mozilla Public License 2.0
+license.
+
+## Resources
+
+We aim to make it as easy as possible to contribute to the mission. This is still WIP, and we're happy for contributions
+and suggestions here too.
+
+## Code of Conduct
+
+Be polite and respectful.
+
+### Thank you
+

Dockerfile

@@ -0,0 +1,53 @@
+FROM docker.io/ubuntu:20.04 AS pluginbuilder
+
+ARG VERSION=1.20.4
+ARG CGO_ENABLED=1
+ARG BUILD_TAGS="default"
+ENV JOBS=2
+RUN set -eux; \
+    DEBIAN_FRONTEND=noninteractive apt-get update -y; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y -q curl; \
+    :
+
+RUN set -eux; \
+    curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key; \
+    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list; \
+    DEBIAN_FRONTEND=noninteractive apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        build-essential \
+        cmake \
+        rsync \
+        pkg-config \
+        libssl-dev \
+        libcurl4-openssl-dev \
+        libprotobuf-dev \
+        protobuf-compiler \
+        clang \
+        libsgx-headers \
+        libsgx-dcap-quote-verify-dev \
+    ; \
+    :
+
+RUN mkdir /goroot && mkdir /go
+RUN curl https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz \
+           | tar xvzf - -C /goroot --strip-components=1
+ENV GOPATH /go
+ENV GOROOT /goroot
+ENV PATH $GOROOT/bin:$GOPATH/bin:$PATH
+
+WORKDIR /
+
+RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/go --mount=type=bind,target=/data  \
+    set -eux; \
+    mkdir -p /go/src/github.com/matter-labs/vault-auth-tee; \
+    cd /go/src/github.com/matter-labs/vault-auth-tee; \
+    rsync -a --delete-after /data/ ./ ; \
+    CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o vault-auth-tee; \
+    mkdir -p /opt/vault/plugins; \
+    cp vault-auth-tee /opt/vault/plugins/vault-auth-tee; \
+    :
+
+FROM scratch
+WORKDIR /opt/vault/plugins
+
+COPY --from=pluginbuilder /opt/vault/plugins/vault-auth-tee /opt/vault/plugins/vault-auth-tee