Merge pull request #101 from iExecBlockchainComputing/feature/check-result

mcornaton · web-flow · commit 4082a5dbe36d · 2023-09-19T15:49:48.000+02:00
Check result before uploading
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### New Features
 - Remove `nexus.intra.iex.ec` repository. (#94)
+- Check result hash before uploading. (#101)
 ### Bug Fixes
 - Fix and harmonize `Dockerfile entrypoint` in all Spring Boot applications. (#98)
 ### Quality
diff --git a/src/main/java/com/iexec/resultproxy/proxy/ProxyController.java b/src/main/java/com/iexec/resultproxy/proxy/ProxyController.java
@@ -73,9 +73,11 @@ public ResponseEntity<String> addResult(@RequestHeader("Authorization") String t
         }
 
         String walletAddress = jwtService.getWalletAddressFromJwtString(token);
-        boolean canUploadResult = proxyService.canUploadResult(model.getChainTaskId(), walletAddress);
-
-        // TODO check if the result to be added is the correct result for that task
+        boolean canUploadResult = proxyService.canUploadResult(
+                model.getChainTaskId(),
+                walletAddress,
+                model.getZip()
+        );
 
         if (!canUploadResult) {
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED.value()).build();
diff --git a/src/main/java/com/iexec/resultproxy/proxy/ProxyService.java b/src/main/java/com/iexec/resultproxy/proxy/ProxyService.java
@@ -17,6 +17,10 @@
 package com.iexec.resultproxy.proxy;
 
 
+import com.iexec.common.result.ComputedFile;
+import com.iexec.common.utils.FileHelper;
+import com.iexec.common.worker.result.ResultUtils;
+import com.iexec.commons.poco.chain.ChainContribution;
 import com.iexec.commons.poco.chain.ChainContributionStatus;
 import com.iexec.commons.poco.chain.ChainTask;
 import com.iexec.commons.poco.chain.ChainTaskStatus;
@@ -27,8 +31,15 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Objects;
 import java.util.Optional;
 
+import static com.iexec.common.utils.IexecFileHelper.SLASH_IEXEC_OUT;
+import static com.iexec.common.utils.IexecFileHelper.readComputedFile;
+
 /**
  * Service class to manage all the results. If the result is public, it will be stored on IPFS. If there is a dedicated
  * beneficiary, the result will be pushed to mongo.
@@ -47,7 +58,7 @@ public ProxyService(IexecHubService iexecHubService,
     }
 
 
-    boolean canUploadResult(String chainTaskId, String walletAddress) {
+    boolean canUploadResult(String chainTaskId, String walletAddress, byte[] zip) {
         if (iexecHubService.isTeeTask(chainTaskId)){
             Optional<ChainTask> chainTask = iexecHubService.getChainTask(chainTaskId);//TODO Add requester field to getChainTask
             if (chainTask.isEmpty()){
@@ -83,10 +94,64 @@ boolean canUploadResult(String chainTaskId, String walletAddress) {
                 return false;
             }
 
+            return isResultValid(chainTaskId, walletAddress, zip);
+        }
+    }
+
+    /**
+     * A result for a standard task is considered as valid if:
+     * <ul>
+     * <li>It has an associated on-chain contribution
+     * <li>The on-chain contribution result hash is the one we compute here again.
+     * </ul>
+     *
+     * @param chainTaskId   ID of the task
+     * @param walletAddress Address of the uploader
+     * @param zip           Result as a zip
+     * @return {@literal true} if the result is valid, {@literal false} otherwise.
+     */
+    boolean isResultValid(String chainTaskId, String walletAddress, byte[] zip) {
+        final String resultFolderPath = getResultFolderPath(chainTaskId);
+        final String resultZipPath = resultFolderPath + ".zip";
+        final String zipDestinationPath = resultFolderPath + SLASH_IEXEC_OUT;
+        try {
+            final Optional<ChainContribution> oChainContribution = iexecHubService.getChainContribution(chainTaskId, walletAddress);
+            if (oChainContribution.isEmpty()) {
+                log.error("Trying to upload result but no on-chain contribution [chainTaskId:{}, uploader:{}]",
+                        chainTaskId, walletAddress);
+                return false;
+            }
+
+            final String onChainHash = oChainContribution.get().getResultHash();
+            try {
+                Files.write(Path.of(resultZipPath), zip);
+            } catch (IOException e) {
+                log.error("Can't write result file [chainTaskId:{}, uploader:{}]", chainTaskId, walletAddress);
+                return false;
+            }
+             FileHelper.unZipFile(resultZipPath, zipDestinationPath);
+
+            final ComputedFile computedFile = readComputedFile(chainTaskId, zipDestinationPath);
+            final String resultDigest = ResultUtils.computeWeb2ResultDigest(computedFile, resultFolderPath);
+            final String computedResultHash = ResultUtils.computeResultHash(chainTaskId, resultDigest);
+
+            if (!Objects.equals(computedResultHash, onChainHash)) {
+                log.error("Trying to upload result but on-chain result hash differs from given hash " +
+                                "[chainTaskId:{}, uploader:{}, onChainHash:{}, computedResultHash:{}]",
+                        chainTaskId, walletAddress, onChainHash, computedResultHash);
+                return false;
+            }
+
             return true;
+        } finally {
+            FileHelper.deleteFolder(resultFolderPath);
         }
     }
 
+    String getResultFolderPath(String chainTaskId) {
+        return "/tmp/" + chainTaskId;
+    }
+
     boolean isResultFound(String chainTaskId) {
         return ipfsResultService.doesResultExist(chainTaskId);
     }
diff --git a/src/test/java/com/iexec/resultproxy/proxy/ProxyServiceTest.java b/src/test/java/com/iexec/resultproxy/proxy/ProxyServiceTest.java
@@ -1,63 +1,154 @@
 package com.iexec.resultproxy.proxy;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.when;
-
+import com.iexec.commons.poco.chain.ChainContribution;
 import com.iexec.resultproxy.chain.IexecHubService;
 import com.iexec.resultproxy.ipfs.IpfsResultService;
-
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
+import org.mockito.Spy;
+
+import java.io.File;
+import java.util.Base64;
+import java.util.Optional;
+
+import static com.iexec.commons.poco.chain.ChainContributionStatus.REVEALED;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.*;
 
 class ProxyServiceTest {
+    private static final String CHAIN_TASK_ID = "0x59d9b6c36d6db89bae058ff55de6e4d6a6f6e0da3f9ea02297fc8d6d5f5cedf1";
+    private static final String WALLET_ADDRESS = "0x123abc";
+    /**
+     * Contains a valid result zip, with the following files:
+     * <ul>
+     *     <li>{@literal computed.json}, pointing on `/iexec_out/result.txt`
+     *     <li>{@literal result.txt}
+     * </ul>
+     */
+    private static final byte[] RESULT_ZIP = Base64.getDecoder().decode("UEsDBBQACAgIADhKL1cAAAAAAAAAAAAAAAANAAAAY29tcHV0ZWQuanNvbqtWSkktSS3KzczLLC7JTNbNLy0pKC3RLUgsyVCyUlDSz0ytSE2OB4rqF6UWl+aU6JVUlCjVAgBQSwcIv08alTcAAAA2AAAAUEsDBBQACAgIADhKL1cAAAAAAAAAAAAAAAAKAAAAcmVzdWx0LnR4dG2NsQrDMAxEd33FdbOhoL1boUM/wnCE4MFg2qEZOvjjK9tKhhIbW9LTnQQC6G8ET7DX/5CQhnlJHol3FQkGAuOAU9ENPaqZE45k6h0NSC/N0Ff231DzgW3qbWxqDqeCZuDYkfpCehIQoeYHEtMOR4NRcHKantF55JlrfV9xr2XNF5HHsi2fvCFoyd+8srw03iDyA1BLBwgqyEkSkwAAAE0BAABQSwECFAAUAAgICAA4Si9Xv08alTcAAAA2AAAADQAAAAAAAAAAAAAAAAAAAAAAY29tcHV0ZWQuanNvblBLAQIUABQACAgIADhKL1cqyEkSkwAAAE0BAAAKAAAAAAAAAAAAAAAAAHIAAAByZXN1bHQudHh0UEsFBgAAAAACAAIAcwAAAD0BAAAAAA==");
+    /**
+     * {@link ChainContribution} with a hash
+     * corresponding to {@link ProxyServiceTest#RESULT_ZIP} hash,
+     * including a fixed ChainTask ID: {@literal 0x59d9b6c36d6db89bae058ff55de6e4d6a6f6e0da3f9ea02297fc8d6d5f5cedf1}.
+     */
+    private static final ChainContribution CHAIN_CONTRIBUTION = ChainContribution.builder()
+            .resultHash("0x865e1ebff87de7928040a42383b46690a12a988b278eb880e0e641f5da3cc9d1")
+            .build();
+
+    @TempDir
+    File tmpFolder;
 
     @Mock
     private IexecHubService iexecHubService;
 
     @Mock
     private IpfsResultService ipfsResultService;
 
-
+    @Spy
     @InjectMocks
     private ProxyService proxyService;
 
-    private String chainTaskId;
-    private String walletAddress;
 
     @BeforeEach
     void init() {
         MockitoAnnotations.openMocks(this);
-        chainTaskId = "0x1";
-        walletAddress = "0x123abc";
+    }
+
+    @Test
+    void isNotAbleToUploadSinceNoChainContribution() {
+        when(iexecHubService.isTeeTask(CHAIN_TASK_ID)).thenReturn(false);
+        when(ipfsResultService.doesResultExist(CHAIN_TASK_ID)).thenReturn(false);
+        when(iexecHubService.isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED)).thenReturn(true);
+        when(iexecHubService.getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS)).thenReturn(Optional.empty());
+
+        assertThat(proxyService.canUploadResult(CHAIN_TASK_ID, WALLET_ADDRESS, RESULT_ZIP)).isFalse();
+
+        verify(iexecHubService).isTeeTask(CHAIN_TASK_ID);
+        verify(proxyService).isResultFound(CHAIN_TASK_ID);
+        verify(iexecHubService).isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED);
+        verify(iexecHubService).getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS);
+    }
+
+    @Test
+    void isNotAbleToUploadSinceCannotWriteZip() {
+        when(iexecHubService.isTeeTask(CHAIN_TASK_ID)).thenReturn(false);
+        when(ipfsResultService.doesResultExist(CHAIN_TASK_ID)).thenReturn(false);
+        when(iexecHubService.isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED)).thenReturn(true);
+        when(iexecHubService.getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS)).thenReturn(Optional.of(CHAIN_CONTRIBUTION));
+        when(proxyService.getResultFolderPath(CHAIN_TASK_ID)).thenReturn("/this/path/does/not/exist");
+
+        assertThat(proxyService.canUploadResult(CHAIN_TASK_ID, WALLET_ADDRESS, RESULT_ZIP)).isFalse();
+
+        verify(iexecHubService).isTeeTask(CHAIN_TASK_ID);
+        verify(proxyService).isResultFound(CHAIN_TASK_ID);
+        verify(iexecHubService).isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED);
+        verify(iexecHubService).getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS);
+    }
+
+    @Test
+    void isNotAbleToUploadSinceWrongHash() {
+        when(iexecHubService.isTeeTask(CHAIN_TASK_ID)).thenReturn(false);
+        when(ipfsResultService.doesResultExist(CHAIN_TASK_ID)).thenReturn(false);
+        when(iexecHubService.isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED)).thenReturn(true);
+        when(iexecHubService.getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS)).thenReturn(Optional.of(CHAIN_CONTRIBUTION));
+        when(proxyService.getResultFolderPath(CHAIN_TASK_ID)).thenReturn(tmpFolder.getAbsolutePath());
+
+        assertThat(proxyService.canUploadResult(CHAIN_TASK_ID, WALLET_ADDRESS, new byte[] {})).isFalse();
+
+        verify(iexecHubService).isTeeTask(CHAIN_TASK_ID);
+        verify(proxyService).isResultFound(CHAIN_TASK_ID);
+        verify(iexecHubService).isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED);
+        verify(iexecHubService).getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS);
     }
 
     @Test
     void isNotAbleToUploadSinceResultAlreadyExistsWithIpfs() {
-        when(iexecHubService.isPublicResult(chainTaskId, 0)).thenReturn(true);
-        when(ipfsResultService.doesResultExist(chainTaskId)).thenReturn(true);
+        when(iexecHubService.isTeeTask(CHAIN_TASK_ID)).thenReturn(false);
+        when(ipfsResultService.doesResultExist(CHAIN_TASK_ID)).thenReturn(true);
+        when(iexecHubService.getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS)).thenReturn(Optional.of(CHAIN_CONTRIBUTION));
+        when(proxyService.getResultFolderPath(CHAIN_TASK_ID)).thenReturn(tmpFolder.getAbsolutePath());
+
+        assertThat(proxyService.canUploadResult(CHAIN_TASK_ID, WALLET_ADDRESS, RESULT_ZIP)).isFalse();
 
-        assertThat(proxyService.canUploadResult(chainTaskId, walletAddress)).isFalse();
+        verify(iexecHubService).isTeeTask(CHAIN_TASK_ID);
+        verify(proxyService).isResultFound(CHAIN_TASK_ID);
+        verify(iexecHubService, never()).isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED);
+        verify(iexecHubService, never()).getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS);
     }
 
     @Test
     void isNotAbleToUploadSinceChainStatusIsNotRevealedWithIpfs() {
-        when(iexecHubService.isPublicResult(chainTaskId, 0)).thenReturn(true);
-        when(ipfsResultService.doesResultExist(chainTaskId)).thenReturn(true);
-        when(iexecHubService.isStatusTrueOnChain(any(), any(), any())).thenReturn(false);
-
-        assertThat(proxyService.canUploadResult(chainTaskId, walletAddress)).isFalse();
+        when(iexecHubService.isTeeTask(CHAIN_TASK_ID)).thenReturn(false);
+        when(ipfsResultService.doesResultExist(CHAIN_TASK_ID)).thenReturn(true);
+        when(iexecHubService.isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED)).thenReturn(false);
+        when(iexecHubService.getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS)).thenReturn(Optional.of(CHAIN_CONTRIBUTION));
+        when(proxyService.getResultFolderPath(CHAIN_TASK_ID)).thenReturn(tmpFolder.getAbsolutePath());
+
+        assertThat(proxyService.canUploadResult(CHAIN_TASK_ID, WALLET_ADDRESS, RESULT_ZIP)).isFalse();
+
+        verify(iexecHubService).isTeeTask(CHAIN_TASK_ID);
+        verify(proxyService).isResultFound(CHAIN_TASK_ID);
+        verify(iexecHubService, never()).isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED);
+        verify(iexecHubService, never()).getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS);
     }
 
     @Test
     void isAbleToUploadWithIpfs() {
-        when(iexecHubService.isPublicResult(chainTaskId, 0)).thenReturn(true);
-        when(ipfsResultService.doesResultExist(chainTaskId)).thenReturn(false);
-        when(iexecHubService.isStatusTrueOnChain(any(), any(), any())).thenReturn(true);
-
-        assertThat(proxyService.canUploadResult(chainTaskId, walletAddress)).isTrue();
+        when(iexecHubService.isTeeTask(CHAIN_TASK_ID)).thenReturn(false);
+        when(ipfsResultService.doesResultExist(CHAIN_TASK_ID)).thenReturn(false);
+        when(iexecHubService.isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED)).thenReturn(true);
+        when(iexecHubService.getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS)).thenReturn(Optional.of(CHAIN_CONTRIBUTION));
+        when(proxyService.getResultFolderPath(CHAIN_TASK_ID)).thenReturn(tmpFolder.getAbsolutePath());
+
+        assertThat(proxyService.canUploadResult(CHAIN_TASK_ID, WALLET_ADDRESS, RESULT_ZIP)).isTrue();
+
+        verify(iexecHubService).getChainContribution(CHAIN_TASK_ID, WALLET_ADDRESS);
+        verify(iexecHubService).isTeeTask(CHAIN_TASK_ID);
+        verify(proxyService).isResultFound(CHAIN_TASK_ID);
+        verify(iexecHubService).isStatusTrueOnChain(CHAIN_TASK_ID, WALLET_ADDRESS, REVEALED);
     }
 }
