transparency-dev
diff --git a/‎cmd/aws/main.go
Lines changed: 43 additions & 8 deletions b/‎cmd/aws/main.go
Lines changed: 43 additions & 8 deletions
diff --git a/‎cmd/gcp/main.go
Lines changed: 3 additions & 13 deletions b/‎cmd/gcp/main.go
Lines changed: 3 additions & 13 deletions
diff --git a/‎deployment/live/aws/test/.terraform.lock.hcl
Lines changed: 23 additions & 1 deletion b/‎deployment/live/aws/test/.terraform.lock.hcl
Lines changed: 23 additions & 1 deletion
diff --git a/‎deployment/live/aws/test/README.md
Lines changed: 6 additions & 4 deletions b/‎deployment/live/aws/test/README.md
Lines changed: 6 additions & 4 deletions
diff --git a/‎deployment/modules/aws/storage/main.tf
Lines changed: 21 additions & 0 deletions b/‎deployment/modules/aws/storage/main.tf
Lines changed: 21 additions & 0 deletions
diff --git a/‎deployment/modules/aws/storage/outputs.tf
Lines changed: 4 additions & 0 deletions b/‎deployment/modules/aws/storage/outputs.tf
Lines changed: 4 additions & 0 deletions
diff --git a/‎deployment/modules/aws/storage/variables.tf
Lines changed: 6 additions & 0 deletions b/‎deployment/modules/aws/storage/variables.tf
Lines changed: 6 additions & 0 deletions
diff --git a/‎deployment/modules/aws/tesseract/conformance/main.tf
Lines changed: 6 additions & 4 deletions b/‎deployment/modules/aws/tesseract/conformance/main.tf
Lines changed: 6 additions & 4 deletions
diff --git a/‎deployment/modules/aws/tesseract/test/main.tf
Lines changed: 5 additions & 4 deletions b/‎deployment/modules/aws/tesseract/test/main.tf
Lines changed: 5 additions & 4 deletions
diff --git a/‎go.mod
Lines changed: 5 additions & 0 deletions b/‎go.mod
Lines changed: 5 additions & 0 deletions
diff --git a/‎go.sum
Lines changed: 10 additions & 0 deletions b/‎go.sum
Lines changed: 10 additions & 0 deletions
diff --git a/‎internal/ct/ctlog.go
Lines changed: 0 additions & 5 deletions b/‎internal/ct/ctlog.go
Lines changed: 0 additions & 5 deletions
@@ -31,9 +31,9 @@ import (
 	tesseract "github.com/transparency-dev/static-ct"
 	"github.com/transparency-dev/static-ct/storage"
 	"github.com/transparency-dev/static-ct/storage/aws"
-	"github.com/transparency-dev/static-ct/storage/bbolt"
 	tessera "github.com/transparency-dev/trillian-tessera"
 	taws "github.com/transparency-dev/trillian-tessera/storage/aws"
+	aws_as "github.com/transparency-dev/trillian-tessera/storage/aws/antispam"
 	"golang.org/x/mod/sumdb/note"
 	"k8s.io/klog/v2"
 )
@@ -54,6 +54,7 @@ var (
 	origin                     = flag.String("origin", "", "Origin of the log, for checkpoints and the monitoring prefix.")
 	bucket                     = flag.String("bucket", "", "Name of the bucket to store the log in.")
 	dbName                     = flag.String("db_name", "", "AuroraDB name")
+	antispamDBName             = flag.String("antispam_db_name", "", "AuroraDB antispam name")
 	dbHost                     = flag.String("db_host", "", "AuroraDB host")
 	dbPort                     = flag.Int("db_port", 3306, "AuroraDB port")
 	dbUser                     = flag.String("db_user", "", "AuroraDB user")
@@ -147,9 +148,19 @@ func newAWSStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize AWS Tessera storage driver: %v", err)
 	}
+
+	var antispam tessera.Antispam
+	if *antispamDBName != "" {
+		antispam, err = aws_as.NewAntispam(ctx, antispamMysqlConfig().FormatDSN(), aws_as.AntispamOpts{})
+		if err != nil {
+			klog.Exitf("Failed to create new GCP antispam storage: %v", err)
+		}
+	}
+
 	appender, _, _, err := tessera.NewAppender(ctx, driver, tessera.NewAppendOptions().
 		WithCheckpointSigner(signer).
-		WithCTLayout())
+		WithCTLayout().
+		WithAntispam(2<<18, antispam)) // TODO(phbnf): do the math to see what fits in memory
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize AWS Tessera storage: %v", err)
 	}
@@ -159,12 +170,7 @@ func newAWSStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 		return nil, fmt.Errorf("failed to initialize AWS issuer storage: %v", err)
 	}
 
-	beDedupStorage, err := bbolt.NewStorage(*dedupPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize BBolt deduplication database: %v", err)
-	}
-
-	return storage.NewCTStorage(appender, issuerStorage, beDedupStorage)
+	return storage.NewCTStorage(appender, issuerStorage)
 }
 
 type timestampFlag struct {
@@ -230,3 +236,32 @@ func storageConfigFromFlags() taws.Config {
 		MaxIdleConns: *dbMaxIdle,
 	}
 }
+
+func antispamMysqlConfig() *mysql.Config {
+	if *antispamDBName == "" {
+		klog.Exit("--antispam_db_name must be set")
+	}
+	if *dbHost == "" {
+		klog.Exit("--db_host must be set")
+	}
+	if *dbPort == 0 {
+		klog.Exit("--db_port must be set")
+	}
+	if *dbUser == "" {
+		klog.Exit("--db_user must be set")
+	}
+	// Empty passord isn't an option with AuroraDB MySQL.
+	if *dbPassword == "" {
+		klog.Exit("--db_password must be set")
+	}
+
+	return &mysql.Config{
+		User:                    *dbUser,
+		Passwd:                  *dbPassword,
+		Net:                     "tcp",
+		Addr:                    fmt.Sprintf("%s:%d", *dbHost, *dbPort),
+		DBName:                  *antispamDBName,
+		AllowCleartextPasswords: true,
+		AllowNativePasswords:    true,
+	}
+}
@@ -54,7 +54,6 @@ var (
 	origin                     = flag.String("origin", "", "Origin of the log, for checkpoints and the monitoring prefix.")
 	bucket                     = flag.String("bucket", "", "Name of the bucket to store the log in.")
 	spannerDB                  = flag.String("spanner_db_path", "", "Spanner database path: projects/{projectId}/instances/{instanceId}/databases/{databaseId}.")
-	spannerDedupDB             = flag.String("spanner_dedup_db_path", "", "Spanner deduplication database path: projects/{projectId}/instances/{instanceId}/databases/{databaseId}.")
 	spannerAntispamDB          = flag.String("spanner_antispam_db_path", "", "EXPERIMENTAL: Spanner antispam deduplication database path projects/{projectId}/instances/{instanceId}/databases/{databaseId}.")
 	rootsPemFile               = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 	rejectExpired              = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
@@ -162,11 +161,7 @@ func newGCPStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 	var antispam tessera.Antispam
 	// Persistent antispam is currently experimental, so there's no terraform or documentation yet!
 	if *spannerAntispamDB != "" {
-		asOpts := gcp_as.AntispamOpts{
-			MaxBatchSize:      5000,
-			PushbackThreshold: 1024,
-		}
-		antispam, err = gcp_as.NewAntispam(ctx, *spannerAntispamDB, asOpts)
+		antispam, err = gcp_as.NewAntispam(ctx, *spannerAntispamDB, gcp_as.AntispamOpts{})
 		if err != nil {
 			klog.Exitf("Failed to create new GCP antispam storage: %v", err)
 		}
@@ -175,7 +170,7 @@ func newGCPStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 	opts := tessera.NewAppendOptions().
 		WithCheckpointSigner(signer).
 		WithCTLayout().
-		WithAntispam(256, antispam)
+		WithAntispam(2<<18, antispam) // TODO(phbnf): do the math to see what fits in memory
 
 	// TODO(phbnf): figure out the best way to thread the `shutdown` func NewAppends returns back out to main so we can cleanly close Tessera down
 	// when it's time to exit.
@@ -189,12 +184,7 @@ func newGCPStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 		return nil, fmt.Errorf("failed to initialize GCP issuer storage: %v", err)
 	}
 
-	beDedupStorage, err := gcp.NewDedupeStorage(ctx, *spannerDedupDB)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize GCP Spanner deduplication database: %v", err)
-	}
-
-	return storage.NewCTStorage(appender, issuerStorage, beDedupStorage)
+	return storage.NewCTStorage(appender, issuerStorage)
 }
 
 type timestampFlag struct {
 
@@ -66,8 +66,10 @@ export AWS_PROFILE=AdministratorAccess-<REDACTED>
 
 Terraforming the account can be done by:
   1. `cd` to [/deployment/live/aws/test/](/deployment/live/aws/test/) to deploy/change.
-  2. Run `terragrunt apply`.
-
+  2. Run `terragrunt apply`. If this fails to create the antispam database,
+  connect the RDS instance to your VM using the instrunctions bellow, and run
+  `terragrunt apply` again.
+  
 Store the Aurora RDS database and S3 bucket information into the environment variables:
 
 ```sh
@@ -95,7 +97,7 @@ go run ./cmd/aws \
   --db_port=3306 \
   --db_user=tesseract \
   --db_password=${TESSERACT_DB_PASSWORD} \
-  --dedup_path=test-static-ct
+  --antispam_db_name=antispam_db
 ```
 
 In a different terminal you can either mint and submit certificates manually, or
@@ -187,7 +189,7 @@ go run ./cmd/aws \
   --db_port=3306 \
   --db_user=tesseract \
   --db_password=${TESSERACT_DB_PASSWORD} \
-  --dedup_path=test-static-ct
+  --antispam_db_name=antispam_db
   -v=3
 ```
 
 
@@ -4,6 +4,10 @@ terraform {
       source  = "hashicorp/aws"
       version = "5.92.0"
     }
+    mysql = {
+      source  = "petoju/mysql"
+      version = "3.0.71"
+    }
   }
 }
 
@@ -50,3 +54,20 @@ data "aws_secretsmanager_secret_version" "db_credentials" {
     aws_rds_cluster_instance.cluster_instances
   ]
 }
+
+# Configure the MySQL provider based on the outcome of
+# creating the aws_db_instance.
+# This requires that the machine running terraform has access
+# to the DB instance created above. This is _NOT_ the case when
+# github actions are applying the terraform.
+provider "mysql" {
+  endpoint = aws_rds_cluster_instance.cluster_instances[0].endpoint
+  username = aws_rds_cluster.log_rds_cluster.master_username
+  password = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["password"]
+}
+
+# Create a second database for antispam.
+resource "mysql_database" "antispam_db" {
+  name  = "antispam_db"
+  count = var.create_antispam_db ? 1 : 0
+}
@@ -33,3 +33,7 @@ output "rds_aurora_cluster_master_user_secret_unsafe" {
   value       = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["password"]
   sensitive   = true # Mark as sensitive, but it can still be exposed
 }
+
+output "antispam_database_name" {
+  value = mysql_database.antispam_db[0].name
+}
@@ -13,6 +13,12 @@ variable "region" {
   type        = string
 }
 
+variable "create_antispam_db" {
+  description = "Set to true to create another database to be used by the antispam implementation."
+  type        = bool
+  default     = false
+}
+
 variable "ephemeral" {
   description = "Set to true if this is a throwaway/temporary log instance. Will set attributes on created resources to allow them to be disabled/deleted more easily."
   type        = bool
 
@@ -16,10 +16,11 @@ locals {
 module "storage" {
   source = "../../storage"
 
-  prefix_name = var.prefix_name
-  base_name   = var.base_name
-  region      = var.region
-  ephemeral   = var.ephemeral
+  prefix_name        = var.prefix_name
+  base_name          = var.base_name
+  region             = var.region
+  ephemeral          = var.ephemeral
+  create_antispam_db = true
 }
 
 module "secretsmanager" {
@@ -171,6 +172,7 @@ resource "aws_ecs_task_definition" "conformance" {
       "--dedup_path=ci-static-ct",
       "--signer_public_key_secret_name=${module.secretsmanager.ecdsa_p256_public_key_id}",
       "--signer_private_key_secret_name=${module.secretsmanager.ecdsa_p256_private_key_id}",
+      "--antispam_db_name=${module.storage.antispam_database_name}",
       "-v=2"
     ],
     "logConfiguration" : {
 
@@ -5,10 +5,11 @@ terraform {
 module "storage" {
   source = "../../storage"
 
-  prefix_name = var.prefix_name
-  base_name   = var.base_name
-  region      = var.region
-  ephemeral   = var.ephemeral
+  prefix_name        = var.prefix_name
+  base_name          = var.base_name
+  region             = var.region
+  ephemeral          = var.ephemeral
+  create_antispam_db = true
 }
 
 module "secretsmanager" {
 
@@ -67,6 +67,9 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
+	github.com/dgraph-io/badger/v4 v4.7.0 // indirect
+	github.com/dgraph-io/ristretto/v2 v2.2.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -76,11 +79,13 @@ require (
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 
@@ -724,8 +724,14 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgraph-io/badger/v4 v4.7.0 h1:Q+J8HApYAY7UMpL8d9owqiB+odzEc0zn/aqOD9jhc6Y=
+github.com/dgraph-io/badger/v4 v4.7.0/go.mod h1:He7TzG3YBy3j4f5baj5B7Zl2XyfNe5bl4Udl0aPemVA=
+github.com/dgraph-io/ristretto/v2 v2.2.0 h1:bkY3XzJcXoMuELV8F+vS8kzNgicwQFAaGINAEJdWGOM=
+github.com/dgraph-io/ristretto/v2 v2.2.0/go.mod h1:RZrm63UmcBAaYWC1DotLYBmTvgkrs0+XhBd7Npn7/zI=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -831,6 +837,8 @@ github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
+github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
+github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -920,6 +928,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 
@@ -9,7 +9,6 @@ import (
 	"fmt"
 
 	"github.com/transparency-dev/static-ct/internal/types/rfc6962"
-	"github.com/transparency-dev/static-ct/modules/dedup"
 	"github.com/transparency-dev/static-ct/storage"
 	tessera "github.com/transparency-dev/trillian-tessera"
 	"github.com/transparency-dev/trillian-tessera/ctonly"
@@ -39,10 +38,6 @@ type Storage interface {
 	Add(context.Context, *ctonly.Entry) tessera.IndexFuture
 	// AddIssuerChain stores every the chain certificate in a content-addressable store under their sha256 hash.
 	AddIssuerChain(context.Context, []*x509.Certificate) error
-	// AddCertDedupInfo stores the SCTDedupInfo of certificate in a log under its hash.
-	AddCertDedupInfo(context.Context, *x509.Certificate, dedup.SCTDedupInfo) error
-	// GetCertDedupInfo gets the SCTDedupInfo of certificate in a log from its hash.
-	GetCertDedupInfo(context.Context, *x509.Certificate) (dedup.SCTDedupInfo, bool, error)
 }
 
 // ChainValidator provides functions to validate incoming chains.
Original file line number	Diff line number	Diff line change
`@@ -33,3 +33,7 @@ output "rds_aurora_cluster_master_user_secret_unsafe" {`
`33`	`33`	`value = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["password"]`
`34`	`34`	`sensitive = true # Mark as sensitive, but it can still be exposed`
`35`	`35`	`}`
	`36`	`+`
	`37`	`+output "antispam_database_name" {`
	`38`	`+ value = mysql_database.antispam_db[0].name`
	`39`	`+}`