Add configurable cron job to delete expired tasks TEE challenges and Ethereum credentials (#278)

Author: jbern0rd

CHANGELOG.md

@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 - Accept scheduler default result-proxy as a web2 secret to fallback on it when no proxy
   is specified in deal parameters. (#273)
 - Configure the SMS at startup to generate Scone sessions in Hardware or MAA mode. (#275)
+- Add configurable cron job to delete expired tasks TEE challenges and Ethereum credentials. (#278)
 
 ### Quality
 

README.md

@@ -65,6 +65,7 @@ To support:
 | `IEXEC_SECRET_PROVISIONER_WEB_PORT` | Secret provisioner server port for session management. | Positive integer | `8081` | `8080` |
 | `IEXEC_SECRET_PROVISIONER_ENCLAVE_HOSTNAME` | Secret provisioner server host for retrieving secrets from attested enclaves. Typically used by workers to execute TEE tasks. | Positive integer | `localhost` | `localhost` |
 | `IEXEC_SECRET_PROVISIONER_ENCLAVE_PORT`|  Secret provisioner server port for retrieving secrets from attested enclaves. | Positive integer | `18765` | `4433` |
+| `IEXEC_TEE_CHALLENGE_CLEANUP_CRON` | Cron expression to configure TEE challenges cleanup policy. | String | `@hourly` | `@hourly` |
 | `IEXEC_TEE_WORKER_PRE_COMPUTE_IMAGE` | TEE enabled OCI image name for worker pre-compute stage of TEE tasks. | String | | |
 | `IEXEC_TEE_WORKER_PRE_COMPUTE_FINGERPRINT` | Fingerprint (aka mrenclave) of the TEE enabled worker pre-compute image. | String | | |
 | `IEXEC_TEE_WORKER_PRE_COMPUTE_HEAP_SIZE_GB` | Required heap size for a worker pre-compute enclave (in Giga Bytes). | Positive integer | `3` | `3` |

src/main/java/com/iexec/sms/App.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,7 +19,9 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
+import org.springframework.scheduling.annotation.EnableScheduling;
 
+@EnableScheduling
 @SpringBootApplication
 @ConfigurationPropertiesScan
 public class App {

src/main/java/com/iexec/sms/tee/challenge/EthereumCredentials.java

@@ -28,6 +28,7 @@
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
 import javax.persistence.Id;
+import java.security.GeneralSecurityException;
 
 /**
  * Domain entity
@@ -61,10 +62,9 @@ private EthereumCredentials(String privateKey, String address) {
      * secure random source).
      *
      * @return Ethereum credentials
-     * @throws java.security.GeneralSecurityException exception if failed to
-     *                                                generate credentials
+     * @throws GeneralSecurityException exception if credentials generation failed
      */
-    public static EthereumCredentials generate() throws java.security.GeneralSecurityException {
+    public static EthereumCredentials generate() throws GeneralSecurityException {
         ECKeyPair randomEcKeyPair = Keys.createEcKeyPair();
         String privateKey =
                 Numeric.toHexStringWithPrefixZeroPadded(randomEcKeyPair.getPrivateKey(),

src/main/java/com/iexec/sms/tee/challenge/TeeChallenge.java

@@ -23,6 +23,8 @@
 import org.hibernate.annotations.GenericGenerator;
 
 import javax.persistence.*;
+import java.security.GeneralSecurityException;
+import java.time.Instant;
 
 @Entity
 @Getter
@@ -38,11 +40,14 @@ public class TeeChallenge {
 
     private String taskId;
 
+    private Instant finalDeadline;
+
     @OneToOne(cascade = {CascadeType.ALL})
     private EthereumCredentials credentials;
 
-    public TeeChallenge(String taskId) throws Exception {
+    public TeeChallenge(final String taskId, final Instant finalDeadline) throws GeneralSecurityException {
         this.taskId = taskId;
         this.credentials = EthereumCredentials.generate();
+        this.finalDeadline = finalDeadline;
     }
 }

src/main/java/com/iexec/sms/tee/challenge/TeeChallengeRepository.java

@@ -17,9 +17,14 @@
 package com.iexec.sms.tee.challenge;
 
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.transaction.annotation.Transactional;
 
+import java.time.Instant;
 import java.util.Optional;
 
 public interface TeeChallengeRepository extends JpaRepository<TeeChallenge, String> {
     Optional<TeeChallenge> findByTaskId(String taskId);
+
+    @Transactional
+    void deleteByFinalDeadlineBefore(Instant now);
 }

src/main/java/com/iexec/sms/tee/challenge/TeeChallengeService.java

@@ -16,11 +16,14 @@
 
 package com.iexec.sms.tee.challenge;
 
+import com.iexec.sms.blockchain.IexecHubService;
 import com.iexec.sms.encryption.EncryptionService;
 import com.iexec.sms.secret.MeasuredSecretService;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Service;
 
+import java.time.Instant;
 import java.util.Optional;
 
 @Slf4j
@@ -29,15 +32,18 @@ public class TeeChallengeService {
 
     private final TeeChallengeRepository teeChallengeRepository;
     private final EncryptionService encryptionService;
+    private final IexecHubService iexecHubService;
     private final MeasuredSecretService teeChallengesMeasuredSecretService;
     private final MeasuredSecretService ethereumCredentialsMeasuredSecretService;
 
-    public TeeChallengeService(TeeChallengeRepository teeChallengeRepository,
-                               EncryptionService encryptionService,
-                               MeasuredSecretService teeChallengeMeasuredSecretService,
-                               MeasuredSecretService ethereumCredentialsMeasuredSecretService) {
+    public TeeChallengeService(final TeeChallengeRepository teeChallengeRepository,
+                               final EncryptionService encryptionService,
+                               final IexecHubService iexecHubService,
+                               final MeasuredSecretService teeChallengeMeasuredSecretService,
+                               final MeasuredSecretService ethereumCredentialsMeasuredSecretService) {
         this.teeChallengeRepository = teeChallengeRepository;
         this.encryptionService = encryptionService;
+        this.iexecHubService = iexecHubService;
         this.teeChallengesMeasuredSecretService = teeChallengeMeasuredSecretService;
         this.ethereumCredentialsMeasuredSecretService = ethereumCredentialsMeasuredSecretService;
     }
@@ -54,7 +60,8 @@ public Optional<TeeChallenge> getOrCreate(String taskId, boolean shouldDecryptKe
 
         // otherwise create it
         try {
-            TeeChallenge teeChallenge = new TeeChallenge(taskId);
+            final long finalDeadline = iexecHubService.getTaskDescription(taskId).getFinalDeadline();
+            TeeChallenge teeChallenge = new TeeChallenge(taskId, Instant.ofEpochMilli(finalDeadline));
             encryptChallengeKeys(teeChallenge);
             teeChallenge = teeChallengeRepository.save(teeChallenge);
             teeChallengesMeasuredSecretService.newlyAddedSecret();
@@ -88,4 +95,16 @@ public void decryptChallengeKeys(TeeChallenge teeChallenge) {
             credentials.setPlainTextPrivateKey(privateKey);
         }
     }
+
+    /**
+     * Clean expired tasks challenges at regular intervals.
+     * <p>
+     * The interval between two consecutive executions is based on the {@code @Scheduled} annotation
+     * and its {@code cron} attribute.
+     */
+    @Scheduled(cron = "${tee.challenge.cleanup.cron}")
+    void cleanExpiredTasksTeeChallenges() {
+        log.debug("cleanExpiredTasksTeeChallenges");
+        teeChallengeRepository.deleteByFinalDeadlineBefore(Instant.now());
+    }
 }

src/main/resources/application.yml

@@ -45,10 +45,9 @@ metrics:
   storage:
     refresh-interval: ${IEXEC_SMS_METRICS_STORAGE_REFRESH_INTERVAL:30}  # In seconds
 
-#  level:
-#    org.springframework: DEBUG
-#    org.apache.http: DEBUG
-
 springdoc:
   packagesToScan: com.iexec.sms
   pathsToMatch: /**
+
+tee:
+  challenge.cleanup.cron: ${IEXEC_TEE_CHALLENGE_CLEANUP_CRON:@hourly}

src/test/java/com/iexec/sms/tee/TeeControllerTests.java

@@ -47,6 +47,8 @@
 import org.web3j.crypto.Credentials;
 import org.web3j.crypto.Keys;
 
+import java.security.GeneralSecurityException;
+import java.time.Instant;
 import java.util.Optional;
 import java.util.stream.Stream;
 
@@ -241,15 +243,15 @@ void shouldNotGenerateTeeChallengeWhenExceptionDuringGeneration() {
     }
 
     @Test
-    void shouldGenerateTeeChallenge() throws Exception {
+    void shouldGenerateTeeChallenge() throws GeneralSecurityException {
         final WorkerpoolAuthorization workerpoolAuthorization = WorkerpoolAuthorization
                 .builder()
                 .chainTaskId(TASK_ID)
                 .enclaveChallenge("")
                 .workerWallet("")
                 .signature(new Signature(AUTHORIZATION))
                 .build();
-        final TeeChallenge teeChallenge = new TeeChallenge(TASK_ID);
+        final TeeChallenge teeChallenge = new TeeChallenge(TASK_ID, Instant.now().plusMillis(1000));
         when(authorizationService.isAuthorizedOnExecutionWithDetailedIssue(workerpoolAuthorization))
                 .thenReturn(Optional.empty());
         when(teeChallengeService.getOrCreate(TASK_ID, false)).thenReturn(Optional.of(teeChallenge));