Generate enclave challenge with Authorization header after on-chain task has been initialized (#686)

Author: jbern0rd

CHANGELOG.md

@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file.
 ### New Features
 
 - Add `ConsensusReachedTaskDetector` to detect missed `TaskConsensus` on-chain events. (#683 #684)
+- Generate enclave challenge with `Authorization` header after on-chain task has been initialized. (#686)
 
 ### Bug Fixes
 

gradle.properties

@@ -3,7 +3,7 @@ iexecCommonVersion=8.4.0
 iexecCommonsPocoVersion=3.2.0
 iexecBlockchainAdapterVersion=8.4.0
 iexecResultVersion=8.4.0
-iexecSmsVersion=8.5.0
+iexecSmsVersion=8.5.0-NEXT-SNAPSHOT
 
 nexusUser
 nexusPassword

src/main/java/com/iexec/core/sms/SmsService.java

@@ -19,6 +19,7 @@
 import com.iexec.commons.poco.tee.TeeFramework;
 import com.iexec.commons.poco.tee.TeeUtils;
 import com.iexec.commons.poco.utils.BytesUtils;
+import com.iexec.core.chain.SignatureService;
 import com.iexec.core.registry.PlatformRegistryConfiguration;
 import com.iexec.sms.api.SmsClient;
 import com.iexec.sms.api.SmsClientProvider;
@@ -29,16 +30,18 @@
 
 import java.util.Optional;
 
-
 @Slf4j
 @Service
 public class SmsService {
     private final PlatformRegistryConfiguration registryConfiguration;
+    private final SignatureService signatureService;
     private final SmsClientProvider smsClientProvider;
 
     public SmsService(PlatformRegistryConfiguration registryConfiguration,
+                      SignatureService signatureService,
                       SmsClientProvider smsClientProvider) {
         this.registryConfiguration = registryConfiguration;
+        this.signatureService = signatureService;
         this.smsClientProvider = smsClientProvider;
     }
 
@@ -54,7 +57,7 @@ public SmsService(PlatformRegistryConfiguration registryConfiguration,
      *
      * @param chainTaskId ID of the on-chain task.
      * @param tag         Tag of the deal.
-     * @return SMS url if TEE types of tag & SMS match.
+     * @return SMS url if TEE types of tag & SMS match.
      */
     public Optional<String> getVerifiedSmsUrl(String chainTaskId, String tag) {
         final TeeFramework teeFrameworkForDeal = TeeUtils.getTeeFramework(tag);
@@ -124,11 +127,13 @@ Optional<String> generateEnclaveChallenge(String chainTaskId, String smsUrl) {
         final SmsClient smsClient = smsClientProvider.getSmsClient(smsUrl);
 
         try {
-            final String teeChallengePublicKey = smsClient.generateTeeChallenge(chainTaskId);
+            final String teeChallengePublicKey = smsClient.generateTeeChallenge(
+                    signatureService.createAuthorization("", chainTaskId, "").getSignature().getValue(),
+                    chainTaskId);
 
             if (StringUtils.isEmpty(teeChallengePublicKey)) {
-                log.error("An error occurred while getting teeChallengePublicKey "
-                        + "[chainTaskId:{}, smsUrl:{}]", chainTaskId, smsUrl);
+                log.error("An error occurred while getting teeChallengePublicKey [chainTaskId:{}, smsUrl:{}]",
+                        chainTaskId, smsUrl);
                 return Optional.empty();
             }
 

src/main/java/com/iexec/core/task/update/TaskUpdateManager.java

@@ -229,6 +229,7 @@ void received2Initializing(Task task) {
         }
 
         final Update update = new Update();
+        // First check on SMS URL before submitting transaction to fail fast
         if (task.isTeeTask()) {
             final Optional<String> smsUrl = smsService.getVerifiedSmsUrl(task.getChainTaskId(), task.getTag());
             if (smsUrl.isEmpty()) {
@@ -239,14 +240,6 @@ void received2Initializing(Task task) {
             task.setSmsUrl(smsUrl.get()); //SMS URL source of truth for the task
             update.set("smsUrl", smsUrl.get());
         }
-        final Optional<String> enclaveChallenge = smsService.getEnclaveChallenge(task.getChainTaskId(), task.getSmsUrl());
-        if (enclaveChallenge.isEmpty()) {
-            log.error("Can't initialize task, enclave challenge is empty [chainTaskId:{}]", task.getChainTaskId());
-            toFailed(task, INITIALIZE_FAILED);
-            return;
-        }
-        task.setEnclaveChallenge(enclaveChallenge.get());
-        update.set("enclaveChallenge", enclaveChallenge.get());
         taskService.updateTask(task.getChainTaskId(), task.getCurrentStatus(), update);
 
         blockchainAdapterService
@@ -272,24 +265,34 @@ void initializing2Initialized(Task task) {
             return;
         }
         // TODO: the block where initialization happened can be found
-        blockchainAdapterService
-                .isInitialized(task.getChainTaskId())
-                .ifPresentOrElse(isSuccess -> {
-                    if (Boolean.TRUE.equals(isSuccess)) {
-                        log.info("Initialized on blockchain (tx mined) [chainTaskId:{}]",
-                                task.getChainTaskId());
-                        //Without receipt, using deal block for initialization block
-                        task.setInitializationBlockNumber(task.getDealBlockNumber());
-                        replicatesService.createEmptyReplicateList(task.getChainTaskId());
-                        updateTaskStatusAndSave(task, INITIALIZED, null);
-                        return;
-                    }
-                    log.error("Initialization failed on blockchain (tx reverted) [chainTaskId:{}]",
-                            task.getChainTaskId());
-                    toFailed(task, INITIALIZE_FAILED);
-                }, () -> log.error("Unable to check initialization on blockchain " +
-                                "(likely too long), should use a detector [chainTaskId:{}]",
-                        task.getChainTaskId()));
+        final Optional<Boolean> isInitialized = blockchainAdapterService.isInitialized(task.getChainTaskId());
+        if (isInitialized.isEmpty()) {
+            log.error("Unable to check initialization on blockchain (likely too long), should use a detector [chainTaskId:{}]",
+                    task.getChainTaskId());
+        } else if (Boolean.TRUE.equals(isInitialized.get())) {
+            log.info("Initialized on blockchain (tx mined) [chainTaskId:{}]", task.getChainTaskId());
+            final Update update = new Update();
+            // Without receipt, using deal block for initialization block
+            task.setInitializationBlockNumber(task.getDealBlockNumber());
+            update.set("initializationBlockNumber", task.getDealBlockNumber());
+
+            // Create enclave challenge after task has been initialized on-chain
+            final Optional<String> enclaveChallenge = smsService.getEnclaveChallenge(task.getChainTaskId(), task.getSmsUrl());
+            if (enclaveChallenge.isEmpty()) {
+                log.error("Can't initialize task, enclave challenge is empty [chainTaskId:{}]", task.getChainTaskId());
+                toFailed(task, INITIALIZE_FAILED);
+                return;
+            }
+            task.setEnclaveChallenge(enclaveChallenge.get());
+            update.set("enclaveChallenge", enclaveChallenge.get());
+            taskService.updateTask(task.getChainTaskId(), task.getCurrentStatus(), update);
+
+            replicatesService.createEmptyReplicateList(task.getChainTaskId());
+            updateTaskStatusAndSave(task, INITIALIZED, null);
+        } else {
+            log.error("Initialization failed on blockchain (tx reverted) [chainTaskId:{}]", task.getChainTaskId());
+            toFailed(task, INITIALIZE_FAILED);
+        }
     }
 
     void initialized2Running(Task task, ChainTask chainTask) {
@@ -676,21 +679,17 @@ void finalizing2Finalized2Completed(Task task) {
             emitError(task, FINALIZING, "finalizing2Finalized2Completed");
             return;
         }
-        blockchainAdapterService
-                .isFinalized(task.getChainTaskId())
-                .ifPresentOrElse(isSuccess -> {
-                    if (Boolean.TRUE.equals(isSuccess)) {
-                        log.info("Finalized on blockchain (tx mined) [chainTaskId:{}]",
-                                task.getChainTaskId());
-                        toFinalizedToCompleted(task);
-                        return;
-                    }
-                    log.error("Finalization failed on blockchain (tx reverted) [chainTaskId:{}]",
-                            task.getChainTaskId());
-                    toFailed(task, FINALIZE_FAILED);
-                }, () -> log.error("Unable to check finalization on blockchain " +
-                                "(likely too long), should use a detector [chainTaskId:{}]",
-                        task.getChainTaskId()));
+        final Optional<Boolean> isFinalized = blockchainAdapterService.isFinalized(task.getChainTaskId());
+        if (isFinalized.isEmpty()) {
+            log.error("Unable to check finalization on blockchain (likely too long), should use a detector [chainTaskId:{}]",
+                    task.getChainTaskId());
+        } else if (Boolean.TRUE.equals(isFinalized.get())) {
+            log.info("Finalized on blockchain (tx mined) [chainTaskId:{}]", task.getChainTaskId());
+            toFinalizedToCompleted(task);
+        } else {
+            log.error("Finalization failed on blockchain (tx reverted) [chainTaskId:{}]", task.getChainTaskId());
+            toFailed(task, FINALIZE_FAILED);
+        }
     }
 
     void finalizedToCompleted(Task task) {

src/test/java/com/iexec/core/sms/SmsServiceTests.java

@@ -16,9 +16,12 @@
 
 package com.iexec.core.sms;
 
+import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
+import com.iexec.commons.poco.security.Signature;
 import com.iexec.commons.poco.tee.TeeFramework;
 import com.iexec.commons.poco.tee.TeeUtils;
 import com.iexec.commons.poco.utils.BytesUtils;
+import com.iexec.core.chain.SignatureService;
 import com.iexec.core.registry.PlatformRegistryConfiguration;
 import com.iexec.sms.api.SmsClient;
 import com.iexec.sms.api.SmsClientProvider;
@@ -42,14 +45,16 @@
 
 class SmsServiceTests {
 
+    private static final String AUTHORIZATION = "authorization";
     private static final String GRAMINE_SMS_URL = "http://gramine-sms";
     private static final String SCONE_SMS_URL = "http://scone-sms";
     private static final String CHAIN_TASK_ID = "chainTaskId";
     private static final String url = "url";
 
+    @Mock
+    private SignatureService signatureService;
     @Mock
     private SmsClient smsClient;
-
     @Mock
     private SmsClientProvider smsClientProvider;
     @Mock
@@ -63,6 +68,8 @@ void init() {
         MockitoAnnotations.openMocks(this);
         when(registryConfiguration.getSconeSms()).thenReturn(SCONE_SMS_URL);
         when(registryConfiguration.getGramineSms()).thenReturn(GRAMINE_SMS_URL);
+        when(signatureService.createAuthorization("", CHAIN_TASK_ID, ""))
+                .thenReturn(WorkerpoolAuthorization.builder().signature(new Signature(AUTHORIZATION)).build());
     }
 
     // region isSmsClientReady
@@ -119,34 +126,30 @@ void shouldNotGetVerifiedSmsUrlSinceWrongTeeEnclaveProviderOnRemoteSms() {
     // region getEnclaveChallenge
     @Test
     void shouldGetEmptyAddressForStandardTask() {
-        when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenReturn("");
-
         Assertions.assertThat(smsService.getEnclaveChallenge(CHAIN_TASK_ID, ""))
-                .get()
-                .isEqualTo(BytesUtils.EMPTY_ADDRESS);
-        verify(smsClient, never()).generateTeeChallenge(anyString());
+                .isEqualTo(Optional.of(BytesUtils.EMPTY_ADDRESS));
+
+        verifyNoInteractions(smsClientProvider, smsClient);
     }
 
     @Test
     void shouldGetEnclaveChallengeForTeeTask() {
         String expected = "challenge";
         when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenReturn(expected);
+        when(smsClient.generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID)).thenReturn(expected);
 
         Optional<String> received = smsService.getEnclaveChallenge(CHAIN_TASK_ID, url);
-        verify(smsClient).generateTeeChallenge(CHAIN_TASK_ID);
+        verify(smsClient).generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID);
         Assertions.assertThat(received)
-                .get()
-                .isEqualTo(expected);
+                .isEqualTo(Optional.of(expected));
     }
 
     @Test
     void shouldNotGetEnclaveChallengeForTeeTaskWhenEmptySmsResponse() {
         when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenReturn("");
+        when(smsClient.generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID)).thenReturn("");
         Optional<String> received = smsService.getEnclaveChallenge(CHAIN_TASK_ID, url);
-        verify(smsClient).generateTeeChallenge(CHAIN_TASK_ID);
+        verify(smsClient).generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID);
         Assertions.assertThat(received).isEmpty();
     }
     // endregion
@@ -157,7 +160,7 @@ void shouldGenerateEnclaveChallenge() {
         final String expected = "challenge";
 
         when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenReturn(expected);
+        when(smsClient.generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID)).thenReturn(expected);
 
         Optional<String> received = smsService.generateEnclaveChallenge(CHAIN_TASK_ID, url);
         Assertions.assertThat(received)
@@ -167,7 +170,7 @@ void shouldGenerateEnclaveChallenge() {
     @Test
     void shouldNotGenerateEnclaveChallengeSinceNoPublicKeyReturned() {
         when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenReturn("");
+        when(smsClient.generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID)).thenReturn("");
 
         Optional<String> received = smsService.generateEnclaveChallenge(CHAIN_TASK_ID, url);
         Assertions.assertThat(received)
@@ -177,7 +180,7 @@ void shouldNotGenerateEnclaveChallengeSinceNoPublicKeyReturned() {
     @Test
     void shouldNotGenerateEnclaveChallengeSinceFeignException() {
         when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenThrow(FeignException.GatewayTimeout.class);
+        when(smsClient.generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID)).thenThrow(FeignException.GatewayTimeout.class);
 
         Optional<String> received = smsService.generateEnclaveChallenge(CHAIN_TASK_ID, url);
         Assertions.assertThat(received)
@@ -187,7 +190,7 @@ void shouldNotGenerateEnclaveChallengeSinceFeignException() {
     @Test
     void shouldNotGenerateEnclaveChallengeSinceRuntimeException() {
         when(smsClientProvider.getSmsClient(url)).thenReturn(smsClient);
-        when(smsClient.generateTeeChallenge(CHAIN_TASK_ID)).thenThrow(RuntimeException.class);
+        when(smsClient.generateTeeChallenge(AUTHORIZATION, CHAIN_TASK_ID)).thenThrow(RuntimeException.class);
 
         Optional<String> received = smsService.generateEnclaveChallenge(CHAIN_TASK_ID, url);
         Assertions.assertThat(received)

src/test/java/com/iexec/core/task/update/TaskUpdateManagerTest.java

@@ -111,7 +111,6 @@ static void registerProperties(DynamicPropertyRegistry registry) {
     @Mock
     private SmsService smsService;
 
-    private TaskService taskService;
     private TaskUpdateManager taskUpdateManager;
 
     @Captor
@@ -126,10 +125,10 @@ static void initRegistry() {
     void init() {
         MockitoAnnotations.openMocks(this);
         taskRepository.deleteAll();
-        taskService = new TaskService(mongoTemplate, taskRepository, iexecHubService, applicationEventPublisher);
+        final TaskService taskService = new TaskService(mongoTemplate, taskRepository, iexecHubService, applicationEventPublisher);
         taskUpdateManager = new TaskUpdateManager(taskService, iexecHubService, replicatesService, applicationEventPublisher,
                 workerService, blockchainAdapterService, smsService);
-        ChainTask chainTask = ChainTask.builder().chainTaskId(CHAIN_TASK_ID).status(ChainTaskStatus.ACTIVE).build();
+        final ChainTask chainTask = ChainTask.builder().chainTaskId(CHAIN_TASK_ID).status(ChainTaskStatus.ACTIVE).build();
         when(iexecHubService.getChainTask(CHAIN_TASK_ID)).thenReturn(Optional.of(chainTask));
     }
 
@@ -329,15 +328,15 @@ void shouldNotUpdateReceived2InitializingSinceAfterContributionDeadline() {
     @Test
     void shouldNotUpdateReceived2InitializingSinceNoSmsClient() {
         final Task task = getStubTask();
+        task.setTag(TeeUtils.TEE_SCONE_ONLY_TAG);
         taskRepository.save(task);
 
         when(iexecHubService.hasEnoughGas()).thenReturn(true);
         when(iexecHubService.isTaskInUnsetStatusOnChain(CHAIN_DEAL_ID, 0)).thenReturn(true);
         when(iexecHubService.isBeforeContributionDeadline(task.getChainDealId()))
                 .thenReturn(true);
         when(blockchainAdapterService.requestInitialize(CHAIN_DEAL_ID, 0)).thenReturn(Optional.of(CHAIN_TASK_ID));
-        when(smsService.getVerifiedSmsUrl(CHAIN_TASK_ID, task.getTag()))
-                .thenReturn(Optional.of(smsUrl));
+        when(smsService.getVerifiedSmsUrl(CHAIN_TASK_ID, task.getTag())).thenReturn(Optional.empty());
 
         taskUpdateManager.updateTask(CHAIN_TASK_ID);
         final Task resultTask = taskRepository.findByChainTaskId(task.getChainTaskId()).orElseThrow();
@@ -380,7 +379,7 @@ void shouldUpdateInitializing2InitializeFailedSinceEnclaveChallengeIsEmpty() {
         taskUpdateManager.updateTask(task.getChainTaskId());
 
         final Task resultTask = taskRepository.findByChainTaskId(task.getChainTaskId()).orElseThrow();
-        assertThatTaskContainsStatuses(resultTask, FAILED, List.of(RECEIVED, INITIALIZE_FAILED, FAILED));
+        assertThatTaskContainsStatuses(resultTask, FAILED, List.of(RECEIVED, INITIALIZING, INITIALIZE_FAILED, FAILED));
     }
 
     @Test
@@ -481,6 +480,7 @@ void shouldUpdateInitializing2Initialized() {
         taskRepository.save(task);
 
         when(blockchainAdapterService.isInitialized(CHAIN_TASK_ID)).thenReturn(Optional.of(true));
+        when(smsService.getEnclaveChallenge(CHAIN_TASK_ID, null)).thenReturn(Optional.of(BytesUtils.EMPTY_ADDRESS));
 
         taskUpdateManager.updateTask(CHAIN_TASK_ID);
         final Task resultTask = taskRepository.findByChainTaskId(task.getChainTaskId()).orElseThrow();