neooracle

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 28, 2026 License: MIT Imports: 14 Imported by: 0

README

NeoOracle Marble Service

TEE-secured HTTP oracle proxy running inside MarbleRun enclave.

Overview

The NeoOracle Marble service implements secure external data fetching:

  1. User contracts request external data via Gateway
  2. TEE fetches data from external URLs within secure enclave
  3. Supports secret injection for authenticated API calls
  4. Returns data with TEE attestation

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    MarbleRun Enclave (TEE)                      │
│                                                                 │
│  ┌─────────────┐    ┌─────────────┐      ┌─────────────┐        │
│  │   Handler   │    │ URL Allow-  │      │  Secrets    │        │
│  │  (REST API) │───>│   list      │      │  Client     │        │
│  └─────────────┘    └──────┬──────┘      └──────┬──────┘        │
│         │                  │                    │               │
│         │                  │                    │               │
│  ┌──────▼──────────────────▼────────────────────▼──────┐        │
│  │                  HTTP Client                        │        │
│  │           (with optional secret auth)               │        │
│  └─────────────────────────┬───────────────────────────┘        │
└────────────────────────────┼────────────────────────────────────┘
                             │
                             ▼
                    ┌─────────────────┐
                    │  External APIs  │
                    │ (api.coingecko.com│
                    │   etc.)         │
                    └─────────────────┘

File Structure

File Purpose
service.go Service initialization, secrets provider
handlers.go HTTP request handlers
api.go Route registration
config.go URL allowlist configuration
types.go Request/response types

Key Components

Service Struct
type Service struct {
    *commonservice.BaseService
    secretProvider secrets.Provider
    httpClient   *http.Client
    maxBodyBytes int64
    allowlist    URLAllowlist
}
Secrets Provider

The oracle can inject user-owned secrets into outbound requests (e.g., API keys). Secrets are fetched via the shared infrastructure/secrets.Provider interface and enforced by per-secret access policies.

type Provider interface {
    GetSecret(ctx context.Context, userID, name string) (string, error)
}
URLAllowlist

Controls which external URLs can be fetched:

type URLAllowlist struct {
    Prefixes []string
}

func (a URLAllowlist) Allows(url string) bool

Security Features

URL Allowlist

Only configured URL prefixes are allowed:

allowlist := URLAllowlist{
    Prefixes: []string{
        "https://api.coingecko.com/",
        "https://api.binance.com/",
    },
}
Secret Injection

Secrets can be automatically injected into request headers:

{
    "url": "https://api.binance.com/api/v3/account",
    "secret_name": "binance_api_key",
    "secret_as_key": "X-MBX-APIKEY"
}
Response Size Limit

Maximum response body size (default 2MB) to prevent memory exhaustion.

API Endpoints

Endpoint Method Description
/health GET Service health check
/info GET Service status
/query POST Fetch external data

Request/Response Types

QueryInput
type QueryInput struct {
    URL         string            `json:"url"`
    Method      string            `json:"method,omitempty"`        // default: GET
    Headers     map[string]string `json:"headers,omitempty"`
    SecretName  string            `json:"secret_name,omitempty"`   // optional: secret for auth
    SecretAsKey string            `json:"secret_as_key,omitempty"` // header key (default: Authorization)
    Body        string            `json:"body,omitempty"`          // body for POST/PUT
}
QueryResponse
type QueryResponse struct {
    StatusCode int               `json:"status_code"`
    Headers    map[string]string `json:"headers"`
    Body       string            `json:"body"`
}

Configuration

type Config struct {
    Marble            *marble.Marble
    SecretProvider    secrets.Provider
    MaxBodyBytes      int64        // optional: default 2MB
    URLAllowlist      URLAllowlist // optional: URL restrictions
    Timeout           time.Duration
}

Constants

Constant Value Description
ServiceID neooracle Service identifier
ServiceName NeoOracle Service Display name
Version 1.0.0 Service version
DefaultMaxBytes 2MB Default response limit
DefaultTimeout 20s HTTP client timeout

Usage Examples

Basic GET Request
POST /query
{
    "url": "https://api.coingecko.com/api/v3/simple/price?ids=neo&vs_currencies=usd"
}
Authenticated Request with Secret
POST /query
{
    "url": "https://api.private.com/data",
    "method": "GET",
    "secret_name": "private_api_key",
    "secret_as_key": "X-API-Key"
}
POST Request with Body
POST /query
{
    "url": "https://api.thegraph.com/subgraphs/name/neo-project/neo",
    "method": "POST",
    "headers": {
        "Content-Type": "application/json"
    },
    "body": "{\"query\": \"{ users { id } }\"}"
}

Dependencies

Internal Packages
Package Purpose
infrastructure/marble MarbleRun TEE utilities
infrastructure/httputil HTTP response helpers
infrastructure/service Base service framework
External Packages
Package Purpose
github.com/gorilla/mux HTTP router
github.com/google/uuid Request ID generation

Documentation

Overview

Package neooracle provides API routes for the neooracle service.

Package neooracle provides HTTP handlers for the neooracle service.

Package oracle implements a simple oracle that can fetch external data and use secrets for auth.

Package neooracle provides a simple data-fetching neooracle service.

Index

Constants

View Source 
const (
	ServiceID   = "neooracle"
	ServiceName = "NeoOracle Service"
	Version     = "1.0.0"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Config 

type Config struct {
	Marble         *marble.Marble
	SecretProvider secrets.Provider
	MaxBodyBytes   int64        // optional response cap; default 2MB
	URLAllowlist   URLAllowlist // optional allowlist for outbound fetch
	Timeout        time.Duration
}

Config configures the oracle.

type QueryInput 

type QueryInput struct {
	URL         string            `json:"url"`
	Method      string            `json:"method,omitempty"`        // default: GET
	Headers     map[string]string `json:"headers,omitempty"`       // optional additional headers
	SecretName  string            `json:"secret_name,omitempty"`   // optional: fetch secret and send as Authorization bearer
	SecretAsKey string            `json:"secret_as_key,omitempty"` // optional: header key to place secret in (default Authorization: Bearer <secret>)
	Body        string            `json:"body,omitempty"`          // optional body for POST/PUT
}

QueryInput is the request payload to fetch external data.

type QueryResponse 

type QueryResponse struct {
	StatusCode int               `json:"status_code"`
	Headers    map[string]string `json:"headers"`
	Body       string            `json:"body"`
}

QueryResponse returns the fetched data.

type Service 

type Service struct {
	*commonservice.BaseService
	// contains filtered or unexported fields
}

Service implements the oracle.

func New 

func New(cfg Config) (*Service, error)

New creates a new NeoOracle service.

type URLAllowlist 

type URLAllowlist struct {
	Prefixes []string
}

URLAllowlist defines allowed URL prefixes for outbound fetches. If empty, no restriction is applied (not recommended for production).

func (URLAllowlist) Allows 

func (a URLAllowlist) Allows(rawURL string) bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.