Persist WorkerpoolAuthorization instances to MongoDB (#127)

Author: jbern0rd

CHANGELOG.md

@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
 - Label REST API with `v1` version. (#120)
 - Add an endpoint to retrieve a JWT against a valid `WorkerpoolAuthorization`. (#123 #124)
 - Verify TEE tasks `enclaveSignature` before accepting IPFS upload. (#125 #126)
+- Persist `WorkerpoolAuthorization` instances to MongoDB. (#127)
 
 ### Quality
 

build.gradle

@@ -11,6 +11,7 @@ plugins {
 ext {
     springCloudVersion = '2021.0.8'
     jjwtVersion = '0.11.5'
+    testContainersVersion = '1.19.3'
 }
 
 if (!project.hasProperty('gitBranch')) {
@@ -77,6 +78,10 @@ dependencies {
     // test
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testRuntimeOnly("org.junit.platform:junit-platform-launcher")
+
+    // mongo
+    testImplementation "org.testcontainers:junit-jupiter:$testContainersVersion"
+    testImplementation "org.testcontainers:mongodb:$testContainersVersion"
 }
 
 dependencyManagement {
@@ -98,6 +103,7 @@ tasks.named("bootJar") {
 
 test {
     useJUnitPlatform()
+    systemProperty "mongo.image", "mongo:4.4.28-focal"
 }
 
 tasks.register('itest') {

src/main/java/com/iexec/resultproxy/authorization/Authorization.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.iexec.resultproxy.authorization;
+
+import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import org.springframework.data.annotation.Id;
+import org.springframework.data.annotation.Version;
+import org.springframework.data.mongodb.core.index.CompoundIndex;
+import org.springframework.data.mongodb.core.mapping.Document;
+
+@Document
+@CompoundIndex(name = "workerpool_authorization", def = "{'chainTaskId': 1, 'workerWallet': 1}", unique = true)
+@Getter
+@NoArgsConstructor
+public class Authorization {
+    @Id
+    private String id;
+
+    @Version
+    private Long version;
+
+    private String chainTaskId;
+    private String workerWallet;
+    private String enclaveChallenge;
+
+    public Authorization(WorkerpoolAuthorization workerpoolAuthorization) {
+        this.chainTaskId = workerpoolAuthorization.getChainTaskId();
+        this.workerWallet = workerpoolAuthorization.getWorkerWallet();
+        this.enclaveChallenge = workerpoolAuthorization.getEnclaveChallenge();
+    }
+
+}

src/main/java/com/iexec/resultproxy/authorization/AuthorizationRepository.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2024-2024 IEXEC BLOCKCHAIN TECH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.iexec.resultproxy.authorization;
+
+import org.springframework.data.mongodb.repository.MongoRepository;
+
+import java.util.Optional;
+
+public interface AuthorizationRepository extends MongoRepository<Authorization, String> {
+    Optional<Authorization> findByChainTaskIdAndWorkerWallet(String chainTaskId, String workerWallet);
+}

src/main/java/com/iexec/resultproxy/authorization/AuthorizationService.java

@@ -16,7 +16,6 @@
 
 package com.iexec.resultproxy.authorization;
 
-import com.iexec.common.lifecycle.purge.ExpiringTaskMapFactory;
 import com.iexec.common.result.ResultModel;
 import com.iexec.commons.poco.chain.ChainDeal;
 import com.iexec.commons.poco.chain.ChainTask;
@@ -30,9 +29,9 @@
 import com.iexec.resultproxy.chain.IexecHubService;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.dao.DataAccessException;
 import org.springframework.stereotype.Service;
 
-import java.util.Map;
 import java.util.Optional;
 
 import static com.iexec.resultproxy.authorization.AuthorizationError.*;
@@ -41,12 +40,12 @@
 @Service
 public class AuthorizationService {
 
+    private final AuthorizationRepository authorizationRepository;
     private final IexecHubService iexecHubService;
-    private final Map<String, WorkerpoolAuthorization> workerpoolAuthorizations;
 
-    public AuthorizationService(IexecHubService iexecHubService) {
+    public AuthorizationService(AuthorizationRepository authorizationRepository, IexecHubService iexecHubService) {
+        this.authorizationRepository = authorizationRepository;
         this.iexecHubService = iexecHubService;
-        this.workerpoolAuthorizations = ExpiringTaskMapFactory.getExpiringTaskMap();
     }
 
     /**
@@ -122,11 +121,12 @@ public boolean checkEnclaveSignature(ResultModel model, String walletAddress) {
             return false;
         }
         final String chainTaskId = model.getChainTaskId();
-        final String wpAuthKey = String.join("-", chainTaskId, walletAddress);
         final String resultHash = HashUtils.concatenateAndHash(chainTaskId, model.getDeterministHash());
         final String resultSeal = HashUtils.concatenateAndHash(walletAddress, chainTaskId, model.getDeterministHash());
         final String messageHash = HashUtils.concatenateAndHash(resultHash, resultSeal);
-        final WorkerpoolAuthorization workerpoolAuthorization = workerpoolAuthorizations.get(wpAuthKey);
+        final Authorization workerpoolAuthorization = authorizationRepository
+                .findByChainTaskIdAndWorkerWallet(chainTaskId, walletAddress)
+                .orElse(null);
         if (workerpoolAuthorization == null) {
             log.warn("No workerpool authorization was found [chainTaskId:{}, walletAddress:{}]",
                     chainTaskId, walletAddress);
@@ -136,7 +136,7 @@ public boolean checkEnclaveSignature(ResultModel model, String walletAddress) {
         boolean isSignedByEnclave = isSignedByHimself(messageHash, model.getEnclaveSignature(), enclaveChallenge);
         if (isSignedByEnclave) {
             log.info("Valid enclave signature received, allowed to push result");
-            workerpoolAuthorizations.remove(wpAuthKey);
+            authorizationRepository.deleteById(workerpoolAuthorization.getId());
             log.debug("Workerpool authorization entry removed [chainTaskId:{}, workerWallet:{}]",
                     workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization.getWorkerWallet());
         } else {
@@ -146,10 +146,14 @@ public boolean checkEnclaveSignature(ResultModel model, String walletAddress) {
     }
 
     public void putIfAbsent(WorkerpoolAuthorization workerpoolAuthorization) {
-        final String key = String.join("-", workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization.getWorkerWallet());
-        workerpoolAuthorizations.putIfAbsent(key, workerpoolAuthorization);
-        log.debug("Workerpool authorization entry added [chainTaskId:{}, workerWallet:{}]",
-                workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization.getWorkerWallet());
+        try {
+            authorizationRepository.save(new Authorization(workerpoolAuthorization));
+            log.debug("Workerpool authorization entry added [chainTaskId:{}, workerWallet:{}]",
+                    workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization.getWorkerWallet());
+        } catch (DataAccessException e) {
+            log.warn("Workerpool authorization entry not added [chainTaskId:{}, workerWallet: {}]",
+                    workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization.getWorkerWallet(), e);
+        }
     }
     // endregion
 

src/test/java/com/iexec/resultproxy/authorization/AuthorizationServiceTests.java

@@ -29,9 +29,16 @@
 import com.iexec.resultproxy.chain.IexecHubService;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.data.mongo.DataMongoTest;
+import org.springframework.test.context.DynamicPropertyRegistry;
+import org.springframework.test.context.DynamicPropertySource;
+import org.testcontainers.containers.MongoDBContainer;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+import org.testcontainers.utility.DockerImageName;
 import org.web3j.crypto.Credentials;
 import org.web3j.crypto.ECKeyPair;
 import org.web3j.crypto.Keys;
@@ -50,16 +57,28 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
 
+@DataMongoTest
+@Testcontainers
 class AuthorizationServiceTests {
 
     private static final String CHAIN_TASK_ID = "0x0123";
     private static final String RESULT_DIGEST = "0x3210";
     private static final String WALLET_ADDRESS = "0xabcd";
 
+    @Container
+    private static final MongoDBContainer mongoDBContainer = new MongoDBContainer(DockerImageName.parse(System.getProperty("mongo.image")));
+
+    @DynamicPropertySource
+    static void registerProperties(DynamicPropertyRegistry registry) {
+        registry.add("spring.data.mongodb.host", mongoDBContainer::getHost);
+        registry.add("spring.data.mongodb.port", () -> mongoDBContainer.getMappedPort(27017));
+    }
+
+    @Autowired
+    private AuthorizationRepository authorizationRepository;
     @Mock
-    IexecHubService iexecHubService;
+    private IexecHubService iexecHubService;
 
-    @InjectMocks
     private AuthorizationService authorizationService;
 
     private Credentials enclaveCreds;
@@ -68,6 +87,8 @@ class AuthorizationServiceTests {
     void beforeEach() throws GeneralSecurityException {
         MockitoAnnotations.openMocks(this);
         enclaveCreds = Credentials.create(Keys.createEcKeyPair());
+        authorizationRepository.deleteAll();
+        authorizationService = new AuthorizationService(authorizationRepository, iexecHubService);
     }
 
     // region isAuthorizedOnExecutionWithDetailedIssue
@@ -249,6 +270,17 @@ void shouldBeSignedByEnclave() {
     }
     // endregion
 
+    // region
+    @Test
+    void shouldNotAddAuthorizationTwiceInCollection() {
+        final WorkerpoolAuthorization authorization = getWorkerpoolAuthorization();
+        authorizationService.putIfAbsent(authorization);
+        assertThat(authorizationRepository.count()).isOne();
+        authorizationService.putIfAbsent(authorization);
+        assertThat(authorizationRepository.count()).isOne();
+    }
+    // endregion
+
     // region utils
     ChainDeal getChainDeal() {
         return ChainDeal.builder()