Add AWS storage backend support (#204)

* Add AWS storage backend support

* Remove TODOs from `storage/aws/issuers`

Author: roger2hk

README.md

@@ -16,6 +16,7 @@ Each Tessera storage backend needs its own SCTFE binary.
 At the moment, these storage backends are supported:
 
  - [GCP](./cmd/gcp/): [deployment instructions](./deployment/live/gcp/test/)
+ - [AWS](./cmd/aws/)
  - more to come soon!
 
 ## Working on the Code

cmd/aws/Dockerfile

@@ -0,0 +1,25 @@
+FROM golang:1.24.0-alpine3.21@sha256:2d40d4fc278dad38be0777d5e2a88a2c6dee51b0b29c97a764fc6c6a11ca893c AS builder
+
+ARG GOFLAGS="-trimpath -buildvcs=false -buildmode=exe"
+ENV GOFLAGS=$GOFLAGS
+
+# Move to working directory /build
+WORKDIR /build
+
+# Copy and download dependency using go mod
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+
+# Copy the code into the container
+COPY . .
+
+# Build the application
+RUN go build -o bin/sctfe-aws ./cmd/aws
+
+# Build release image
+FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
+
+COPY --from=builder /build/bin/sctfe-aws /bin/sctfe-aws
+
+ENTRYPOINT ["/bin/sctfe-aws"]

cmd/aws/main.go

@@ -0,0 +1,257 @@
+// Copyright 2016 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// The ct_server binary runs the CT personality.
+package main
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/go-sql-driver/mysql"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	sctfe "github.com/transparency-dev/static-ct"
+	"github.com/transparency-dev/static-ct/internal/testdata"
+	"github.com/transparency-dev/static-ct/storage"
+	awsSCTFE "github.com/transparency-dev/static-ct/storage/aws"
+	"github.com/transparency-dev/static-ct/storage/bbolt"
+	tessera "github.com/transparency-dev/trillian-tessera"
+	awsTessera "github.com/transparency-dev/trillian-tessera/storage/aws"
+	"golang.org/x/mod/sumdb/note"
+	"k8s.io/klog/v2"
+)
+
+func init() {
+	flag.Var(&notAfterStart, "not_after_start", "Start of the range of acceptable NotAfter values, inclusive. Leaving this unset implies no lower bound to the range. RFC3339 UTC format, e.g: 2024-01-02T15:04:05Z.")
+	flag.Var(&notAfterLimit, "not_after_limit", "Cut off point of notAfter dates - only notAfter dates strictly *before* notAfterLimit will be accepted. Leaving this unset means no upper bound on the accepted range. RFC3339 UTC format, e.g: 2024-01-02T15:04:05Z.")
+}
+
+// Global flags that affect all log instances.
+var (
+	notAfterStart timestampFlag
+	notAfterLimit timestampFlag
+
+	httpEndpoint       = flag.String("http_endpoint", "localhost:6962", "Endpoint for HTTP (host:port).")
+	metricsEndpoint    = flag.String("metrics_endpoint", "", "Endpoint for serving metrics; if left empty, metrics will be visible on --http_endpoint.")
+	httpDeadline       = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
+	maskInternalErrors = flag.Bool("mask_internal_errors", false, "Don't return error strings with Internal Server Error HTTP responses.")
+	origin             = flag.String("origin", "", "Origin of the log, for checkpoints and the monitoring prefix.")
+	bucket             = flag.String("bucket", "", "Name of the bucket to store the log in.")
+	dbName             = flag.String("db_name", "", "AuroraDB name")
+	dbHost             = flag.String("db_host", "", "AuroraDB host")
+	dbPort             = flag.Int("db_port", 3306, "AuroraDB port")
+	dbUser             = flag.String("db_user", "", "AuroraDB user")
+	dbPassword         = flag.String("db_password", "", "AuroraDB password")
+	dbMaxConns         = flag.Int("db_max_conns", 0, "Maximum connections to the database, defaults to 0, i.e unlimited")
+	dbMaxIdle          = flag.Int("db_max_idle_conns", 2, "Maximum idle database connections in the connection pool, defaults to 2")
+	dedupPath          = flag.String("dedup_path", "", "Path to the deduplication database.")
+	rootsPemFile       = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
+	rejectExpired      = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
+	rejectUnexpired    = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
+	extKeyUsages       = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
+	rejectExtensions   = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
+)
+
+// nolint:staticcheck
+func main() {
+	klog.InitFlags(nil)
+	flag.Parse()
+	ctx := context.Background()
+
+	// TODO: Replace the fake signer with AWS Secrets Manager Signer.
+	block, _ := pem.Decode([]byte(testdata.DemoPublicKey))
+	key, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		klog.Exitf("Can't parse public key: %v", err)
+	}
+	fakeSigner := testdata.NewSignerWithFixedSig(key, []byte("sig"))
+
+	chainValidationConfig := sctfe.ChainValidationConfig{
+		RootsPEMFile:     *rootsPemFile,
+		RejectExpired:    *rejectExpired,
+		RejectUnexpired:  *rejectUnexpired,
+		ExtKeyUsages:     *extKeyUsages,
+		RejectExtensions: *rejectExtensions,
+		NotAfterStart:    notAfterStart.t,
+		NotAfterLimit:    notAfterLimit.t,
+	}
+
+	logHandler, err := sctfe.NewLogHandler(ctx, *origin, fakeSigner, chainValidationConfig, newAWSStorage, *httpDeadline, *maskInternalErrors)
+	if err != nil {
+		klog.Exitf("Can't initialize CT HTTP Server: %v", err)
+	}
+
+	klog.CopyStandardLogTo("WARNING")
+	klog.Info("**** CT HTTP Server Starting ****")
+	http.Handle("/", logHandler)
+
+	metricsAt := *metricsEndpoint
+	if metricsAt == "" {
+		metricsAt = *httpEndpoint
+	}
+
+	if metricsAt != *httpEndpoint {
+		// Run a separate handler for metrics.
+		go func() {
+			mux := http.NewServeMux()
+			mux.Handle("/metrics", promhttp.Handler())
+			metricsServer := http.Server{Addr: metricsAt, Handler: mux}
+			err := metricsServer.ListenAndServe()
+			klog.Warningf("Metrics server exited: %v", err)
+		}()
+	} else {
+		// Handle metrics on the DefaultServeMux.
+		http.Handle("/metrics", promhttp.Handler())
+	}
+
+	// Bring up the HTTP server and serve until we get a signal not to.
+	srv := http.Server{Addr: *httpEndpoint}
+	shutdownWG := new(sync.WaitGroup)
+	go awaitSignal(func() {
+		shutdownWG.Add(1)
+		defer shutdownWG.Done()
+		// Allow 60s for any pending requests to finish then terminate any stragglers
+		// TODO(phboneff): maybe wait for the sequencer queue to be empty?
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*60)
+		defer cancel()
+		klog.Info("Shutting down HTTP server...")
+		if err := srv.Shutdown(ctx); err != nil {
+			klog.Errorf("srv.Shutdown(): %v", err)
+		}
+		klog.Info("HTTP server shutdown")
+	})
+
+	if err := srv.ListenAndServe(); err != http.ErrServerClosed {
+		klog.Warningf("Server exited: %v", err)
+	}
+	// Wait will only block if the function passed to awaitSignal was called,
+	// in which case it'll block until the HTTP server has gracefully shutdown
+	shutdownWG.Wait()
+	klog.Flush()
+}
+
+// awaitSignal waits for standard termination signals, then runs the given
+// function; it should be run as a separate goroutine.
+func awaitSignal(doneFn func()) {
+	// Arrange notification for the standard set of signals used to terminate a server
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+	// Now block main and wait for a signal
+	sig := <-sigs
+	klog.Warningf("Signal received: %v", sig)
+	klog.Flush()
+
+	doneFn()
+}
+
+func newAWSStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage, error) {
+	awsCfg := storageConfigFromFlags()
+	driver, err := awsTessera.New(ctx, awsCfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize AWS Tessera storage driver: %v", err)
+	}
+	appender, _, _, err := tessera.NewAppender(ctx, driver, tessera.NewAppendOptions().
+		WithCheckpointSigner(signer).
+		WithCTLayout())
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize AWS Tessera storage: %v", err)
+	}
+
+	issuerStorage, err := awsSCTFE.NewIssuerStorage(ctx, *bucket, "fingerprints/", "application/pkix-cert")
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize AWS issuer storage: %v", err)
+	}
+
+	beDedupStorage, err := bbolt.NewStorage(*dedupPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize BBolt deduplication database: %v", err)
+	}
+
+	return storage.NewCTStorage(appender, issuerStorage, beDedupStorage)
+}
+
+type timestampFlag struct {
+	t *time.Time
+}
+
+func (t *timestampFlag) String() string {
+	if t.t != nil {
+		return t.t.Format(time.RFC3339)
+	}
+	return ""
+}
+
+func (t *timestampFlag) Set(w string) error {
+	if !strings.HasSuffix(w, "Z") {
+		return fmt.Errorf("timestamps MUST be in UTC, got %v", w)
+	}
+	tt, err := time.Parse(time.RFC3339, w)
+	if err != nil {
+		return fmt.Errorf("can't parse %q as RFC3339 timestamp: %v", w, err)
+	}
+	t.t = &tt
+	return nil
+}
+
+// storageConfigFromFlags returns an aws.Config struct populated with values
+// provided via flags.
+func storageConfigFromFlags() awsTessera.Config {
+	if *bucket == "" {
+		klog.Exit("--bucket must be set")
+	}
+	if *dbName == "" {
+		klog.Exit("--db_name must be set")
+	}
+	if *dbHost == "" {
+		klog.Exit("--db_host must be set")
+	}
+	if *dbPort == 0 {
+		klog.Exit("--db_port must be set")
+	}
+	if *dbUser == "" {
+		klog.Exit("--db_user must be set")
+	}
+	// Empty passord isn't an option with AuroraDB MySQL.
+	if *dbPassword == "" {
+		klog.Exit("--db_password must be set")
+	}
+
+	c := mysql.Config{
+		User:                    *dbUser,
+		Passwd:                  *dbPassword,
+		Net:                     "tcp",
+		Addr:                    fmt.Sprintf("%s:%d", *dbHost, *dbPort),
+		DBName:                  *dbName,
+		AllowCleartextPasswords: true,
+		AllowNativePasswords:    true,
+	}
+
+	return awsTessera.Config{
+		Bucket:       *bucket,
+		DSN:          c.FormatDSN(),
+		MaxOpenConns: *dbMaxConns,
+		MaxIdleConns: *dbMaxIdle,
+	}
+}

deployment/live/aws/README.md

@@ -0,0 +1,41 @@
+# AWS live configs
+
+TODO: Add terraform configuration files.
+
+## Temporary Dev Env Setup
+
+### Create the MySQL database and user
+
+```sh
+mysql -h tesseract.cluster-xxxx12345678.us-east-1.rds.amazonaws.com -u admin -p
+```
+
+```sql
+CREATE DATABASE tesseract;
+CREATE USER 'tesseract'@'%' IDENTIFIED BY 'tesseract';
+GRANT ALL PRIVILEGES ON tesseract.* TO 'tesseract'@'%';
+FLUSH PRIVILEGES;
+```
+
+### Create the S3 bucket
+
+### Start the TesseraCT server
+
+```sh
+export AWS_REGION=us-east-1
+export AWS_PROFILE=AdministratorAccess-<REDACTED>
+```
+
+```sh
+go run ./cmd/aws \
+  --http_endpoint=localhost:6962 \
+  --roots_pem_file=./internal/testdata/fake-ca.cert \
+  --origin=test-static-ct \
+  --bucket=test-static-ct \
+  --db_name=tesseract \
+  --db_host=tesseract.cluster-xxxx12345678.us-east-1.rds.amazonaws.com \
+  --db_port=3306 \
+  --db_user=tesseract \
+  --db_password=tesseract \
+  --dedup_path=test-static-ct
+```

go.mod

@@ -7,7 +7,12 @@ require (
 	cloud.google.com/go/spanner v1.77.0
 	cloud.google.com/go/storage v1.51.0
 	github.com/RobinUS2/golang-moving-average v1.0.0
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.9
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.78.2
+	github.com/aws/smithy-go v1.22.3
 	github.com/gdamore/tcell/v2 v2.8.1
+	github.com/go-sql-driver/mysql v1.9.0
 	github.com/golang/mock v1.7.0-rc.1
 	github.com/google/go-cmp v0.7.0
 	github.com/kylelemons/godebug v1.1.0
@@ -35,11 +40,26 @@ require (
 	cloud.google.com/go/iam v1.4.1 // indirect
 	cloud.google.com/go/longrunning v0.6.5 // indirect
 	cloud.google.com/go/monitoring v1.24.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.2 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
 	github.com/avast/retry-go/v4 v4.6.1 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.62 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect