Use AuthorizationService to validate Authorization header of /tee/challenges/{chainTaskId} endpoint (#256)

jbern0rd · web-flow · commit 940182e0f7d1 · 2024-03-28T09:35:48.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### New Features
 
-- Add `Authorization` header on `/tee/challenges/{chainTaskId}` endpoint. (#255)
+- Add `Authorization` header on `/tee/challenges/{chainTaskId}` endpoint. (#255 #256)
 
 ### Quality
 
diff --git a/src/main/java/com/iexec/sms/authorization/AuthorizationService.java b/src/main/java/com/iexec/sms/authorization/AuthorizationService.java
@@ -16,7 +16,6 @@
 
 package com.iexec.sms.authorization;
 
-
 import com.iexec.commons.poco.chain.ChainDeal;
 import com.iexec.commons.poco.chain.ChainTask;
 import com.iexec.commons.poco.chain.ChainTaskStatus;
@@ -49,52 +48,49 @@ public AuthorizationService(IexecHubService iexecHubService) {
 
     /**
      * Checks whether this execution is authorized.
-     * If not authorized, return the reason.
-     * Otherwise, returns an empty {@link Optional}.
+     *
+     * @param workerpoolAuthorization The workerpool authorization to check
+     * @return {@code Optional.empty()} if all checks passed, the failure reason otherwise
      */
-    public Optional<AuthorizationError> isAuthorizedOnExecutionWithDetailedIssue(WorkerpoolAuthorization workerpoolAuthorization, boolean isTeeTask) {
+    public Optional<AuthorizationError> isAuthorizedOnExecutionWithDetailedIssue(WorkerpoolAuthorization workerpoolAuthorization) {
         if (workerpoolAuthorization == null || StringUtils.isEmpty(workerpoolAuthorization.getChainTaskId())) {
             log.error("Not authorized with empty params");
             return Optional.of(EMPTY_PARAMS_UNAUTHORIZED);
         }
 
-        String chainTaskId = workerpoolAuthorization.getChainTaskId();
-        Optional<ChainTask> optionalChainTask = iexecHubService.getChainTask(chainTaskId);
-        if (optionalChainTask.isEmpty()) {
+        final String chainTaskId = workerpoolAuthorization.getChainTaskId();
+        final ChainTask chainTask = iexecHubService.getChainTask(chainTaskId).orElse(null);
+        if (chainTask == null) {
             log.error("Could not get chainTask [chainTaskId:{}]", chainTaskId);
             return Optional.of(GET_CHAIN_TASK_FAILED);
         }
-        ChainTask chainTask = optionalChainTask.get();
-        ChainTaskStatus taskStatus = chainTask.getStatus();
-        String chainDealId = chainTask.getDealid();
+        final String chainDealId = chainTask.getDealid();
 
-        if (taskStatus != ChainTaskStatus.ACTIVE) {
-            log.error("Task not active onchain [chainTaskId:{}, status:{}]",
-                    chainTaskId, taskStatus);
+        if (chainTask.getStatus() != ChainTaskStatus.ACTIVE) {
+            log.error("Task not active on chain [chainTaskId:{}, status:{}]",
+                    chainTaskId, chainTask.getStatus());
             return Optional.of(TASK_NOT_ACTIVE);
         }
 
-        Optional<ChainDeal> optionalChainDeal = iexecHubService.getChainDeal(chainDealId);
-        if (optionalChainDeal.isEmpty()) {
+        final ChainDeal chainDeal = iexecHubService.getChainDeal(chainDealId).orElse(null);
+        if (chainDeal == null) {
             log.error("isAuthorizedOnExecution failed (getChainDeal failed) [chainTaskId:{}]", chainTaskId);
             return Optional.of(GET_CHAIN_DEAL_FAILED);
         }
-        ChainDeal chainDeal = optionalChainDeal.get();
 
-        boolean isTeeTaskOnchain = TeeUtils.isTeeTag(chainDeal.getTag());
-        if (isTeeTask != isTeeTaskOnchain) {
-            log.error("Could not match onchain task type [isTeeTask:{}, isTeeTaskOnchain:{}, chainTaskId:{}, walletAddress:{}]",
-                    isTeeTask, isTeeTaskOnchain, chainTaskId, workerpoolAuthorization.getWorkerWallet());
+        final boolean isTeeTaskOnchain = TeeUtils.isTeeTag(chainDeal.getTag());
+        if (!isTeeTaskOnchain) {
+            log.error("Could not match onchain task type [isTeeTaskOnchain:{}, chainTaskId:{}]",
+                    isTeeTaskOnchain, chainTaskId);
             return Optional.of(NO_MATCH_ONCHAIN_TYPE);
         }
 
-        String workerpoolAddress = chainDeal.getPoolOwner();
-        boolean isSignerByWorkerpool = isSignedByHimself(workerpoolAuthorization.getHash(),
-                workerpoolAuthorization.getSignature().getValue(), workerpoolAddress);
+        final boolean isSignedByWorkerpool = isSignedByHimself(workerpoolAuthorization.getHash(),
+                workerpoolAuthorization.getSignature().getValue(), chainDeal.getPoolOwner());
 
-        if (!isSignerByWorkerpool) {
-            log.error("isAuthorizedOnExecution failed (invalid signature) [chainTaskId:{}, isWorkerpoolSignatureValid:{}]",
-                    chainTaskId, isSignerByWorkerpool);
+        if (!isSignedByWorkerpool) {
+            log.error("isAuthorizedOnExecution failed (invalid signature) [chainTaskId:{}, isSignedByWorkerpool:{}]",
+                    chainTaskId, isSignedByWorkerpool);
             return Optional.of(INVALID_SIGNATURE);
         }
 
@@ -110,14 +106,6 @@ public boolean isSignedByOwner(String message, String signature, String address)
         String owner = iexecHubService.getOwner(address);
         return !owner.isEmpty() && isSignedByHimself(message, signature, owner);
     }
-
-    public String getChallengeForSetWeb3Secret(String secretAddress,
-                                               String secretValue) {
-        return HashUtils.concatenateAndHash(
-                Hash.sha3String(DOMAIN),
-                secretAddress,
-                Hash.sha3String(secretValue));
-    }
     // endregion
 
     // region challenges
@@ -152,6 +140,14 @@ public String getChallengeForSetWeb2Secret(String ownerAddress,
                 Hash.sha3String(secretValue));
     }
 
+    public String getChallengeForSetWeb3Secret(String secretAddress,
+                                               String secretValue) {
+        return HashUtils.concatenateAndHash(
+                Hash.sha3String(DOMAIN),
+                secretAddress,
+                Hash.sha3String(secretValue));
+    }
+
     public String getChallengeForWorker(WorkerpoolAuthorization workerpoolAuthorization) {
         return HashUtils.concatenateAndHash(
                 workerpoolAuthorization.getWorkerWallet(),
diff --git a/src/main/java/com/iexec/sms/tee/TeeController.java b/src/main/java/com/iexec/sms/tee/TeeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,13 +19,13 @@
 
 import com.iexec.common.web.ApiResponseBody;
 import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
+import com.iexec.commons.poco.security.Signature;
 import com.iexec.commons.poco.tee.TeeFramework;
 import com.iexec.sms.api.TeeSessionGenerationError;
 import com.iexec.sms.api.TeeSessionGenerationResponse;
 import com.iexec.sms.api.config.TeeServicesProperties;
 import com.iexec.sms.authorization.AuthorizationError;
 import com.iexec.sms.authorization.AuthorizationService;
-import com.iexec.sms.tee.challenge.TeeChallenge;
 import com.iexec.sms.tee.challenge.TeeChallengeService;
 import com.iexec.sms.tee.session.TeeSessionService;
 import com.iexec.sms.tee.session.generic.TeeSessionGenerationException;
@@ -111,11 +111,19 @@ public ResponseEntity<TeeServicesProperties> getTeeServicesProperties(
      */
     @PostMapping("/challenges/{chainTaskId}")
     public ResponseEntity<String> generateTeeChallenge(@RequestHeader String authorization, @PathVariable String chainTaskId) {
-        Optional<TeeChallenge> executionChallenge =
-                teeChallengeService.getOrCreate(chainTaskId, false);
-        return executionChallenge
-                .map(teeChallenge -> ResponseEntity
-                        .ok(teeChallenge.getCredentials().getAddress()))
+        log.debug("generateTeeChallenge [authorization:{}, chainTaskId:{}]", authorization, chainTaskId);
+        final Optional<AuthorizationError> authorizationError = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(
+                WorkerpoolAuthorization.builder()
+                        .chainTaskId(chainTaskId)
+                        .enclaveChallenge("")
+                        .workerWallet("")
+                        .signature(new Signature(authorization))
+                        .build());
+        if (authorizationError.isPresent()) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+        }
+        return teeChallengeService.getOrCreate(chainTaskId, false)
+                .map(teeChallenge -> ResponseEntity.ok(teeChallenge.getCredentials().getAddress()))
                 .orElseGet(() -> ResponseEntity.notFound().build());
     }
 
@@ -149,7 +157,7 @@ public ResponseEntity<ApiResponseBody<TeeSessionGenerationResponse, TeeSessionGe
                     .body(body);
         }
         final Optional<AuthorizationError> authorizationError =
-                authorizationService.isAuthorizedOnExecutionWithDetailedIssue(workerpoolAuthorization, true);
+                authorizationService.isAuthorizedOnExecutionWithDetailedIssue(workerpoolAuthorization);
         if (authorizationError.isPresent()) {
             final TeeSessionGenerationError teeSessionGenerationError =
                     authorizationToGenerationError.get(authorizationError.get());
diff --git a/src/test/java/com/iexec/sms/authorization/AuthorizationServiceTests.java b/src/test/java/com/iexec/sms/authorization/AuthorizationServiceTests.java
@@ -21,6 +21,7 @@
 import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
 import com.iexec.commons.poco.security.Signature;
 import com.iexec.commons.poco.tee.TeeUtils;
+import com.iexec.commons.poco.utils.BytesUtils;
 import com.iexec.commons.poco.utils.TestUtils;
 import com.iexec.sms.blockchain.IexecHubService;
 import org.junit.jupiter.api.Assertions;
@@ -60,33 +61,36 @@ void shouldBeAuthorizedOnExecutionOfTeeTaskWithDetails() {
         when(iexecHubService.getChainTask(auth.getChainTaskId())).thenReturn(Optional.of(chainTask));
         when(iexecHubService.getChainDeal(chainTask.getDealid())).thenReturn(Optional.of(chainDeal));
 
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth, true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth);
         assertThat(isAuth).isEmpty();
     }
 
     @Test
     void shouldNotBeAuthorizedOnExecutionOfTeeTaskWithNullAuthorizationWithDetails() {
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(null, true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(null);
         assertThat(isAuth).isNotEmpty()
                 .contains(EMPTY_PARAMS_UNAUTHORIZED);
     }
 
     @Test
     void shouldNotBeAuthorizedOnExecutionOfTeeTaskWithEmptyAuthorizationWithDetails() {
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(WorkerpoolAuthorization.builder().build(), true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(WorkerpoolAuthorization.builder().build());
         assertThat(isAuth).isNotEmpty()
                 .contains(EMPTY_PARAMS_UNAUTHORIZED);
     }
 
     @Test
-    void shouldNotBeAuthorizedOnExecutionOfTeeTaskWhenTaskTypeNotMatchedOnchainWithDetails() {
-        ChainDeal chainDeal = getChainDeal();
+    void shouldNotBeAuthorizedOnExecutionOfTeeTaskWhenTaskTypeNotTeeOnchainWithDetails() {
+        ChainDeal chainDeal = ChainDeal.builder()
+                .poolOwner("0xc911f9345717ba7c8ec862ce002af3e058df84e4")
+                .tag(BytesUtils.EMPTY_HEX_STRING_32)
+                .build();
         ChainTask chainTask = TestUtils.getChainTask(ACTIVE);
         WorkerpoolAuthorization auth = TestUtils.getTeeWorkerpoolAuth();
         when(iexecHubService.getChainTask(auth.getChainTaskId())).thenReturn(Optional.of(chainTask));
         when(iexecHubService.getChainDeal(chainTask.getDealid())).thenReturn(Optional.of(chainDeal));
 
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth, false);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth);
         assertThat(isAuth).isNotEmpty()
                 .contains(NO_MATCH_ONCHAIN_TYPE);
     }
@@ -97,7 +101,7 @@ void shouldNotBeAuthorizedOnExecutionOfTeeTaskWhenGetTaskFailedWithDetails() {
         when(iexecHubService.isTeeTask(auth.getChainTaskId())).thenReturn(true);
         when(iexecHubService.getChainTask(auth.getChainTaskId())).thenReturn(Optional.empty());
 
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth, true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth);
         assertThat(isAuth).isNotEmpty()
                 .contains(GET_CHAIN_TASK_FAILED);
     }
@@ -109,7 +113,7 @@ void shouldNotBeAuthorizedOnExecutionOfTeeTaskWhenTaskNotActiveWithDetails() {
         when(iexecHubService.isTeeTask(auth.getChainTaskId())).thenReturn(true);
         when(iexecHubService.getChainTask(auth.getChainTaskId())).thenReturn(Optional.of(chainTask));
 
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth, true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth);
         assertThat(isAuth).isNotEmpty()
                 .contains(TASK_NOT_ACTIVE);
     }
@@ -124,7 +128,7 @@ void shouldNotBeAuthorizedOnExecutionOfTeeTaskWhenGetDealFailedWithDetails() {
         when(iexecHubService.getChainTask(auth.getChainTaskId())).thenReturn(Optional.of(chainTask));
         when(iexecHubService.getChainDeal(chainTask.getDealid())).thenReturn(Optional.empty());
 
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth, true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth);
         assertThat(isAuth).isNotEmpty()
                 .contains(GET_CHAIN_DEAL_FAILED);
     }
@@ -139,7 +143,7 @@ void shouldNotBeAuthorizedOnExecutionOfTeeTaskWhenPoolSignatureIsNotValidWithDet
         when(iexecHubService.getChainTask(auth.getChainTaskId())).thenReturn(Optional.of(chainTask));
         when(iexecHubService.getChainDeal(chainTask.getDealid())).thenReturn(Optional.of(chainDeal));
 
-        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth, true);
+        Optional<AuthorizationError> isAuth = authorizationService.isAuthorizedOnExecutionWithDetailedIssue(auth);
         assertThat(isAuth).isNotEmpty()
                 .contains(INVALID_SIGNATURE);
     }
diff --git a/src/test/java/com/iexec/sms/tee/TeeControllerTests.java b/src/test/java/com/iexec/sms/tee/TeeControllerTests.java
