Fix conditions to retrieve a JWT or to allow a result upload (#132)

Author: jbern0rd

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 ## [[NEXT]](https://github.com/iExecBlockchainComputing/iexec-result-proxy/releases/tag/vNEXT) 2024
 
+### Bug Fixes
+
+- Fix conditions to retrieve a JWT or to allow a result upload. (#132)
+
 ## [[8.4.0]](https://github.com/iExecBlockchainComputing/iexec-result-proxy/releases/tag/v8.4.0) 2024-02-29
 
 ### Deprecation Notices

src/main/java/com/iexec/resultproxy/authorization/AuthorizationError.java

@@ -20,7 +20,7 @@ public enum AuthorizationError {
     EMPTY_PARAMS_UNAUTHORIZED,
     NO_MATCH_ONCHAIN_TYPE,
     GET_CHAIN_TASK_FAILED,
-    TASK_NOT_ACTIVE,
+    TASK_FINAL_DEADLINE_REACHED,
     GET_CHAIN_DEAL_FAILED,
     INVALID_SIGNATURE;
 }

src/main/java/com/iexec/resultproxy/authorization/AuthorizationService.java

@@ -19,7 +19,6 @@
 import com.iexec.common.result.ResultModel;
 import com.iexec.commons.poco.chain.ChainDeal;
 import com.iexec.commons.poco.chain.ChainTask;
-import com.iexec.commons.poco.chain.ChainTaskStatus;
 import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
 import com.iexec.commons.poco.security.Signature;
 import com.iexec.commons.poco.tee.TeeUtils;
@@ -32,6 +31,7 @@
 import org.springframework.dao.DataAccessException;
 import org.springframework.stereotype.Service;
 
+import java.time.Instant;
 import java.util.Optional;
 
 import static com.iexec.resultproxy.authorization.AuthorizationError.*;
@@ -50,8 +50,19 @@ public AuthorizationService(AuthorizationRepository authorizationRepository, Iex
 
     /**
      * Checks whether this execution is authorized.
-     * If not authorized, return the reason.
-     * Otherwise, returns an empty {@link Optional}.
+     * <p>
+     * The following conditions have to be verified:
+     * <ul>
+     * <li>The {@code WorkerpoolAuthorization} must not be null and must contain a task ID
+     * <li>The task must be retrieved from the blockchain network
+     * <li>The current timestamp must be before the task final deadline
+     * <li>The deal must be retrieved from the blockchain network
+     * <li>If the {@code WorkerpoolAuthorization} contains an enclave challenge, the on-chain deal must have a correct tag
+     * <li>The {@code WorkerpoolAuthorization} has been signed with the private key of the workerpool owner found in the deal
+     * </ul>
+     *
+     * @param workerpoolAuthorization The authorization to check
+     * @return the reason if unauthorized, an empty {@code Optional} otherwise
      */
     public Optional<AuthorizationError> isAuthorizedOnExecutionWithDetailedIssue(WorkerpoolAuthorization workerpoolAuthorization) {
         if (workerpoolAuthorization == null || StringUtils.isEmpty(workerpoolAuthorization.getChainTaskId())) {
@@ -60,38 +71,36 @@ public Optional<AuthorizationError> isAuthorizedOnExecutionWithDetailedIssue(Wor
         }
 
         final String chainTaskId = workerpoolAuthorization.getChainTaskId();
-        Optional<ChainTask> optionalChainTask = iexecHubService.getChainTask(chainTaskId);
-        if (optionalChainTask.isEmpty()) {
+        final ChainTask chainTask = iexecHubService.getChainTask(chainTaskId).orElse(null);
+        if (chainTask == null) {
             log.error("Could not get chainTask [chainTaskId:{}]", chainTaskId);
             return Optional.of(GET_CHAIN_TASK_FAILED);
         }
-        final ChainTask chainTask = optionalChainTask.get();
 
-        final ChainTaskStatus taskStatus = chainTask.getStatus();
-        if (taskStatus != ChainTaskStatus.ACTIVE) {
-            log.error("Task not active onchain [chainTaskId:{}, status:{}]",
-                    chainTaskId, taskStatus);
-            return Optional.of(TASK_NOT_ACTIVE);
+        final long deadline = chainTask.getFinalDeadline();
+        if (Instant.now().isAfter(Instant.ofEpochMilli(deadline))) {
+            log.error("Task deadline reached [chainTaskId:{}, deadline:{}]",
+                    chainTaskId, Instant.ofEpochMilli(deadline));
+            return Optional.of(TASK_FINAL_DEADLINE_REACHED);
         }
 
         final String chainDealId = chainTask.getDealid();
-        Optional<ChainDeal> optionalChainDeal = iexecHubService.getChainDeal(chainDealId);
-        if (optionalChainDeal.isEmpty()) {
+        final ChainDeal chainDeal = iexecHubService.getChainDeal(chainDealId).orElse(null);
+        if (chainDeal == null) {
             log.error("isAuthorizedOnExecution failed (getChainDeal failed) [chainTaskId:{}]", chainTaskId);
             return Optional.of(GET_CHAIN_DEAL_FAILED);
         }
-        ChainDeal chainDeal = optionalChainDeal.get();
 
-        final boolean isTeeTask = !workerpoolAuthorization.getEnclaveChallenge().equals(BytesUtils.EMPTY_HEX_STRING_32);
+        final boolean isTeeTask = !workerpoolAuthorization.getEnclaveChallenge().equals(BytesUtils.EMPTY_ADDRESS);
         final boolean isTeeTaskOnchain = TeeUtils.isTeeTag(chainDeal.getTag());
         if (isTeeTask != isTeeTaskOnchain) {
-            log.error("Could not match onchain task type [isTeeTask:{}, isTeeTaskOnchain:{}, chainTaskId:{}, walletAddress:{}]",
+            log.error("Could not match on-chain task type [isTeeTask:{}, isTeeTaskOnchain:{}, chainTaskId:{}, walletAddress:{}]",
                     isTeeTask, isTeeTaskOnchain, chainTaskId, workerpoolAuthorization.getWorkerWallet());
             return Optional.of(NO_MATCH_ONCHAIN_TYPE);
         }
 
-        String workerpoolAddress = chainDeal.getPoolOwner();
-        boolean isSignedByWorkerpool = isSignedByHimself(workerpoolAuthorization.getHash(),
+        final String workerpoolAddress = chainDeal.getPoolOwner();
+        final boolean isSignedByWorkerpool = isSignedByHimself(workerpoolAuthorization.getHash(),
                 workerpoolAuthorization.getSignature().getValue(), workerpoolAddress);
 
         if (!isSignedByWorkerpool) {

src/main/java/com/iexec/resultproxy/proxy/ProxyService.java

@@ -60,6 +60,22 @@ public ProxyService(AuthorizationService authorizationService,
         this.ipfsResultService = ipfsResultService;
     }
 
+    /**
+     * Checks if result can be uploaded.
+     * <p>
+     * The following conditions have to be verified:
+     * <ul>
+     * <li>No result should have been uploaded for this task
+     * <li>Both task and deal data can be retrieved from the blockchain network
+     * <li>A standard task must be in {@code REVEALING} state and {@link #isResultValid(String, String, byte[])} must return {@literal true}
+     * <li>A TEE task must be in {@code ACTIVE} state and its enclave signature must be valid and verified against the enclave challenge
+     * </ul>
+     * Task status: REVEALING for standard tasks, ACTIVE for TEE tasks with contributeAndFinalize workflow.
+     *
+     * @param model         Model containing data relevant to the requested result upload
+     * @param walletAddress Wallet address of the JWT requesting an upload
+     * @return {@literal true} if result can be contributed, {@literal false} otherwise.
+     */
     boolean canUploadResult(ResultModel model, String walletAddress) {
         final String chainTaskId = model.getChainTaskId();
         final byte[] zip = model.getZip();
@@ -74,14 +90,14 @@ boolean canUploadResult(ResultModel model, String walletAddress) {
         // TODO [PoCo Boost] on-chain deal id available in result model to avoid fetching task
         final ChainTask chainTask = iexecHubService.getChainTask(chainTaskId).orElse(null);
         if (chainTask == null) {
-            log.error("Trying to upload result for TEE but getChainTask failed [chainTaskId:{}, uploader:{}]",
+            log.error("Trying to upload result but on-chain task retrieval failed [chainTaskId:{}, uploader:{}]",
                     chainTaskId, walletAddress);
             return false;
         }
 
         final ChainDeal chainDeal = iexecHubService.getChainDeal(chainTask.getDealid()).orElse(null);
         if (chainDeal == null) {
-            log.error("Trying to upload result for TEE but getChainDeal failed [chainTaskId:{}, uploader:{}]",
+            log.error("Trying to upload result but on-chain deal retrieval failed [chainTaskId:{}, uploader:{}]",
                     chainTaskId, walletAddress);
             return false;
         }
@@ -90,7 +106,7 @@ boolean canUploadResult(ResultModel model, String walletAddress) {
 
         // Standard tasks
         if (!isTeeTask) {
-            return isResultValid(chainTaskId, walletAddress, zip);
+            return chainTask.getStatus() == ChainTaskStatus.REVEALING && isResultValid(chainTaskId, walletAddress, zip);
         }
 
         // TODO remove this case in the future. As we support 2 stack versions, it will be a major after deprecated proxy controller endpoints removal
@@ -100,10 +116,12 @@ boolean canUploadResult(ResultModel model, String walletAddress) {
         }
 
         // TEE tasks with ResultModel containing the enclave signature
-        return authorizationService.checkEnclaveSignature(model, walletAddress);
+        return chainTask.getStatus() == ChainTaskStatus.ACTIVE && authorizationService.checkEnclaveSignature(model, walletAddress);
     }
 
     /**
+     * Checks a result is valid for a standard task and can safely be uploaded on IPFS.
+     * <p>
      * A result for a standard task is considered as valid if:
      * <ul>
      * <li>It has an associated on-chain contribution
@@ -116,7 +134,7 @@ boolean canUploadResult(ResultModel model, String walletAddress) {
      * @param zip           Result as a zip
      * @return {@literal true} if the result is valid, {@literal false} otherwise.
      */
-    boolean isResultValid(String chainTaskId, String walletAddress, byte[] zip) {
+    private boolean isResultValid(String chainTaskId, String walletAddress, byte[] zip) {
         final String resultFolderPath = getResultFolderPath(chainTaskId);
         final String resultZipPath = resultFolderPath + ".zip";
         final String zipDestinationPath = resultFolderPath + SLASH_IEXEC_OUT;

src/test/java/com/iexec/resultproxy/TestUtils.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2024-2024 IEXEC BLOCKCHAIN TECH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.iexec.resultproxy;
+
+import com.iexec.commons.poco.chain.ChainDeal;
+import com.iexec.commons.poco.chain.ChainTask;
+import com.iexec.commons.poco.chain.ChainTaskStatus;
+import com.iexec.commons.poco.tee.TeeUtils;
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class TestUtils {
+    public static final String CHAIN_DEAL_ID = "0x8012c1515a23e0d7ef07b7de780343df2fd18034ca55eea7202cab814603d288";
+    public static final String CHAIN_TASK_ID = "0x877210dbec7b8461e396751e311b574d6b6909e3618dd0622f7182eaffdc6901";
+
+    public static final String POOL_ADDRESS = "0xc911f9345717ba7c8ec862ce002af3e058df84e4";
+    public static final String POOL_PRIVATE = "0xe2a973b083fae8043543f15313955aecee9de809a318656c1cfb22d3a6d52de1";
+    public static final String POOL_WRONG_SIGNATURE = "0xf869daaca2407b7eabd27c3c4c5a3f3565172ca7211ac1d8bfacea2beb511a4029446a07cccc0884"
+            + "c2193b269dfb341461db8c680a8898bb53862d6e48340c2e1b";
+
+    public static ChainDeal getChainDeal() {
+        return ChainDeal.builder()
+                .poolOwner(POOL_ADDRESS)
+                .tag(TeeUtils.TEE_SCONE_ONLY_TAG)
+                .build();
+    }
+
+    public static ChainTask getChainTask(ChainTaskStatus status) {
+        return ChainTask.builder()
+                .dealid(CHAIN_DEAL_ID)
+                .finalDeadline(Instant.now().plus(5L, ChronoUnit.SECONDS).toEpochMilli())
+                .status(status)
+                .build();
+    }
+}