feat: enforce String serialization for TEE sessions tokens values (#319)

Author: jbern0rd

src/main/java/com/iexec/sms/tee/session/base/SecretEnclaveBase.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,5 +30,5 @@ public class SecretEnclaveBase {
     @JsonProperty("mrenclave")
     String mrenclave;
     @JsonProperty("environment")
-    Map<String, Object> environment;
+    Map<String, String> environment;
 }

src/main/java/com/iexec/sms/tee/session/base/SecretSessionBaseService.java

@@ -188,7 +188,7 @@ private List<DatasetOrder> fetchDatasetOrders(final TaskDescription taskDescript
         }
     }
 
-    private Map<String, Object> getBulkDatasetTokens(final int index,
+    private Map<String, String> getBulkDatasetTokens(final int index,
                                                      final TaskDescription taskDescription,
                                                      final DatasetOrder datasetOrder) {
         final String prefix = IEXEC_DATASET_PREFIX + (index + 1);
@@ -235,17 +235,17 @@ boolean isBulkDatasetOrderCompatibleWithDeal(final DatasetOrder datasetOrder, fi
     SecretEnclaveBase getPreComputeTokens(final TeeSessionRequest request, final Map<String, String> signTokens) throws TeeSessionGenerationException {
         final SecretEnclaveBaseBuilder enclaveBase = SecretEnclaveBase.builder();
         enclaveBase.name("pre-compute");
-        final Map<String, Object> tokens = new HashMap<>();
+        final Map<String, String> tokens = new HashMap<>();
         final TaskDescription taskDescription = request.getTaskDescription();
         final String taskId = taskDescription.getChainTaskId();
         enclaveBase.mrenclave(request.getTeeServicesProperties().getPreComputeProperties().getFingerprint());
         tokens.put(IEXEC_PRE_COMPUTE_OUT.name(), IexecFileHelper.SLASH_IEXEC_IN);
         // `IS_DATASET_REQUIRED` still meaningful?
-        tokens.put(IS_DATASET_REQUIRED.name(), taskDescription.containsDataset());
+        tokens.put(IS_DATASET_REQUIRED.name(), String.valueOf(taskDescription.containsDataset()));
 
         if (taskDescription.isBulkRequest()) {
             final List<DatasetOrder> orders = fetchDatasetOrders(taskDescription);
-            tokens.put(IEXEC_BULK_SLICE_SIZE.name(), orders.size());
+            tokens.put(IEXEC_BULK_SLICE_SIZE.name(), String.valueOf(orders.size()));
             for (int i = 0; i < orders.size(); i++) {
                 final DatasetOrder order = orders.get(i);
                 tokens.putAll(getBulkDatasetTokens(i, taskDescription, order));
@@ -307,7 +307,7 @@ SecretEnclaveBase getAppTokens(final TeeSessionRequest request) throws TeeSessio
         enclaveBase.name("app");
         final TaskDescription taskDescription = request.getTaskDescription();
 
-        final Map<String, Object> tokens = new HashMap<>();
+        final Map<String, String> tokens = new HashMap<>();
         final TeeEnclaveConfiguration enclaveConfig = taskDescription.getAppEnclaveConfiguration();
         if (enclaveConfig == null) {
             throw new TeeSessionGenerationException(
@@ -323,7 +323,7 @@ SecretEnclaveBase getAppTokens(final TeeSessionRequest request) throws TeeSessio
 
         enclaveBase.mrenclave(enclaveConfig.getFingerprint());
 
-        final Map<String, Object> computeSecrets = getApplicationComputeSecrets(taskDescription);
+        final Map<String, String> computeSecrets = getApplicationComputeSecrets(taskDescription);
         tokens.putAll(computeSecrets);
         // trusted env variables (not confidential)
         tokens.putAll(IexecEnvUtils.getComputeStageEnvMap(taskDescription));
@@ -332,7 +332,7 @@ SecretEnclaveBase getAppTokens(final TeeSessionRequest request) throws TeeSessio
             final List<String> addresses = fetchDatasetOrders(taskDescription).stream()
                     .map(DatasetOrder::getDataset)
                     .toList();
-            tokens.put(IEXEC_BULK_SLICE_SIZE.name(), addresses.size());
+            tokens.put(IEXEC_BULK_SLICE_SIZE.name(), String.valueOf(addresses.size()));
             for (int i = 0; i < addresses.size(); i++) {
                 tokens.put(IEXEC_DATASET_PREFIX + (i + 1) + IEXEC_DATASET_FILENAME_SUFFIX, addresses.get(i));
             }
@@ -356,8 +356,8 @@ SecretEnclaveBase getAppTokens(final TeeSessionRequest request) throws TeeSessio
      * @param taskDescription A task description
      * @return A {@code Map} containing secrets retrieved from the database.
      */
-    private Map<String, Object> getApplicationComputeSecrets(final TaskDescription taskDescription) {
-        final Map<String, Object> tokens = new HashMap<>();
+    private Map<String, String> getApplicationComputeSecrets(final TaskDescription taskDescription) {
+        final Map<String, String> tokens = new HashMap<>();
         final List<TeeTaskComputeSecretHeader> ids = getAppComputeSecretsHeaders(taskDescription);
         log.debug("TeeTaskComputeSecret looking for secrets [chainTaskId:{}, count:{}]",
                 taskDescription.getChainTaskId(), ids.size());
@@ -434,7 +434,7 @@ SecretEnclaveBase getPostComputeTokens(final TeeSessionRequest request, final Ma
         final SecretEnclaveBaseBuilder enclaveBase = SecretEnclaveBase.builder()
                 .name("post-compute")
                 .mrenclave(request.getTeeServicesProperties().getPostComputeProperties().getFingerprint());
-        final Map<String, Object> tokens = new HashMap<>();
+        final Map<String, String> tokens = new HashMap<>();
         final TaskDescription taskDescription = request.getTaskDescription();
         final List<Web2SecretHeader> ids = getPostComputeSecretHeaders(taskDescription, request.getWorkerAddress());
         log.debug("Web2Secret looking for secrets [chainTaskId:{}, count:{}]",

src/main/java/com/iexec/sms/tee/session/gramine/GramineSessionMakerService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,7 +37,7 @@ public class GramineSessionMakerService {
 
     private final SecretSessionBaseService secretSessionBaseService;
 
-    public GramineSessionMakerService(SecretSessionBaseService secretSessionBaseService) {
+    public GramineSessionMakerService(final SecretSessionBaseService secretSessionBaseService) {
         this.secretSessionBaseService = secretSessionBaseService;
     }
 
@@ -49,29 +49,25 @@ public GramineSessionMakerService(SecretSessionBaseService secretSessionBaseServ
      * @return session config
      */
     @NonNull
-    public GramineSession generateSession(TeeSessionRequest request) throws TeeSessionGenerationException {
-        SecretSessionBase baseSession = secretSessionBaseService.getSecretsTokens(request);
-        GramineSessionBuilder gramineSession = GramineSession.builder()
+    public GramineSession generateSession(final TeeSessionRequest request) throws TeeSessionGenerationException {
+        final SecretSessionBase baseSession = secretSessionBaseService.getSecretsTokens(request);
+        final GramineSessionBuilder gramineSession = GramineSession.builder()
                 .session(request.getSessionId());
-        GramineEnclave gramineAppEnclave = toGramineEnclave(baseSession.getAppCompute());
-        GramineEnclave graminePostEnclave = toGramineEnclave(baseSession.getPostCompute());
+        final GramineEnclave gramineAppEnclave = toGramineEnclave(baseSession.getAppCompute());
+        final GramineEnclave graminePostEnclave = toGramineEnclave(baseSession.getPostCompute());
 
-        return gramineSession.enclaves(List.of(
-                // No pre-compute for now
-                gramineAppEnclave,
-                graminePostEnclave))
+        // No pre-compute for now
+        return gramineSession
+                .enclaves(List.of(gramineAppEnclave, graminePostEnclave))
                 .build();
     }
 
-    private GramineEnclave toGramineEnclave(SecretEnclaveBase enclaveBase) {
+    private GramineEnclave toGramineEnclave(final SecretEnclaveBase enclaveBase) {
         return GramineEnclave.builder()
                 .name(enclaveBase.getName())
                 .mrenclave(enclaveBase.getMrenclave())
-                // TODO: Validate command-line arguments from the host
-                // (https://github.com/gramineproject/gsc/issues/13)
                 .command("")
                 .environment(enclaveBase.getEnvironment())
-                // TODO: Remove useless volumes when SPS is ready
                 .volumes(List.of())
                 .build();
     }

src/main/java/com/iexec/sms/tee/session/gramine/sps/GramineEnclave.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,8 @@
 package com.iexec.sms.tee.session.gramine.sps;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import lombok.*;
+import lombok.Builder;
+import lombok.Value;
 
 import java.util.List;
 import java.util.Map;
@@ -33,7 +34,7 @@ public class GramineEnclave {
     @JsonProperty("command")
     String command;
     @JsonProperty("environment")
-    Map<String, Object> environment;
+    Map<String, String> environment;
     @JsonProperty("volumes")
     List<String> volumes;
 

src/main/java/com/iexec/sms/tee/session/scone/SconeSessionMakerService.java

@@ -154,7 +154,7 @@ private URL resolveValidAttestationServer() {
     private SconeEnclave toSconeEnclave(final SecretEnclaveBase enclaveBase,
                                         final String command,
                                         final boolean addJavaEnvVars) {
-        final HashMap<String, Object> enclaveEnvironment = new HashMap<>(enclaveBase.getEnvironment());
+        final HashMap<String, String> enclaveEnvironment = new HashMap<>(enclaveBase.getEnvironment());
         if (addJavaEnvVars) {
             enclaveEnvironment.putAll(
                     Map.of(

src/main/java/com/iexec/sms/tee/session/scone/cas/SconeEnclave.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,7 +19,8 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import lombok.*;
+import lombok.Builder;
+import lombok.Value;
 import lombok.extern.slf4j.Slf4j;
 
 import java.util.List;
@@ -41,16 +42,16 @@ public class SconeEnclave {
     @JsonProperty("command")
     String command;
     @JsonProperty("environment")
-    Map<String, Object> environment;
+    Map<String, String> environment;
 
-  @Override
-  public String toString() {
-    try {
-      return new ObjectMapper().writeValueAsString(this);
-    } catch (JsonProcessingException e) {
-      log.error("Failed to write CAS session as string [session:{}]", name, e);
-      return "";
+    @Override
+    public String toString() {
+        try {
+            return new ObjectMapper().writeValueAsString(this);
+        } catch (JsonProcessingException e) {
+            log.error("Failed to write CAS session as string [session:{}]", name, e);
+            return "";
+        }
     }
-  }
 
 }

src/test/java/com/iexec/sms/tee/session/base/SecretSessionBaseServiceTests.java

@@ -291,7 +291,7 @@ void shouldGetPreComputeBulkProcessingTokensForInvalidOrder() throws Exception {
         assertThat(enclaveBase.getName()).isEqualTo("pre-compute");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(PRE_COMPUTE_FINGERPRINT);
         assertThat(enclaveBase.getEnvironment()).containsAllEntriesOf(Map.ofEntries(
-                Map.entry("IEXEC_BULK_SLICE_SIZE", 1),
+                Map.entry("IEXEC_BULK_SLICE_SIZE", "1"),
                 Map.entry("IEXEC_DATASET_1_URL", ""),
                 Map.entry("IEXEC_DATASET_1_CHECKSUM", ""),
                 Map.entry("IEXEC_DATASET_1_KEY", ""),
@@ -332,7 +332,7 @@ void shouldGetPreComputeBulkProcessingTokensForValidOrder() throws Exception {
         assertThat(enclaveBase.getName()).isEqualTo("pre-compute");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(PRE_COMPUTE_FINGERPRINT);
         assertThat(enclaveBase.getEnvironment()).containsAllEntriesOf(Map.ofEntries(
-                Map.entry("IEXEC_BULK_SLICE_SIZE", 1),
+                Map.entry("IEXEC_BULK_SLICE_SIZE", "1"),
                 Map.entry("IEXEC_DATASET_1_URL", DATASET_URL),
                 Map.entry("IEXEC_DATASET_1_CHECKSUM", DATASET_CHECKSUM),
                 Map.entry("IEXEC_DATASET_1_KEY", DATASET_KEY),
@@ -355,7 +355,7 @@ void shouldNotGetBulkProcessingPreComputeTokens() throws Exception {
         );
         assertThat(enclaveBase.getName()).isEqualTo("pre-compute");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(PRE_COMPUTE_FINGERPRINT);
-        assertThat(enclaveBase.getEnvironment()).contains(Map.entry("IEXEC_BULK_SLICE_SIZE", 0));
+        assertThat(enclaveBase.getEnvironment()).contains(Map.entry("IEXEC_BULK_SLICE_SIZE", "0"));
     }
 
     @Test
@@ -375,12 +375,12 @@ void shouldGetPreComputeTokensWithDataset() throws Exception {
         );
         assertThat(enclaveBase.getName()).isEqualTo("pre-compute");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(PRE_COMPUTE_FINGERPRINT);
-        final Map<String, Object> expectedTokens = Map.ofEntries(
+        final Map<String, String> expectedTokens = Map.ofEntries(
                 Map.entry("IEXEC_DEAL_ID", DEAL_ID),
                 Map.entry("IEXEC_TASK_INDEX", "0"),
                 Map.entry("IEXEC_TASK_ID", TASK_ID),
                 Map.entry("IEXEC_PRE_COMPUTE_OUT", "/iexec_in"),
-                Map.entry("IS_DATASET_REQUIRED", true),
+                Map.entry("IS_DATASET_REQUIRED", "true"),
                 Map.entry("IEXEC_DATASET_KEY", DATASET_KEY),
                 Map.entry("IEXEC_DATASET_URL", DATASET_URL),
                 Map.entry("IEXEC_DATASET_FILENAME", DATASET_ADDRESS),
@@ -426,12 +426,12 @@ void shouldGetPreComputeTokensWithoutDataset() throws Exception {
         );
         assertThat(enclaveBase.getName()).isEqualTo("pre-compute");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(PRE_COMPUTE_FINGERPRINT);
-        final Map<String, Object> expectedTokens = Map.ofEntries(
+        final Map<String, String> expectedTokens = Map.ofEntries(
                 Map.entry("IEXEC_DEAL_ID", DEAL_ID),
                 Map.entry("IEXEC_TASK_INDEX", "0"),
                 Map.entry("IEXEC_TASK_ID", TASK_ID),
                 Map.entry("IEXEC_PRE_COMPUTE_OUT", "/iexec_in"),
-                Map.entry("IS_DATASET_REQUIRED", false),
+                Map.entry("IS_DATASET_REQUIRED", "false"),
                 Map.entry("IEXEC_INPUT_FILES_FOLDER", "/iexec_in"),
                 Map.entry("IEXEC_INPUT_FILES_NUMBER", "2"),
                 Map.entry("IEXEC_INPUT_FILE_URL_1", INPUT_FILE_URL_1),
@@ -462,7 +462,7 @@ void shouldGetAppComputeBulkProcessingTokens() throws TeeSessionGenerationExcept
         assertThat(enclaveBase.getName()).isEqualTo("app");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(APP_FINGERPRINT);
         assertThat(enclaveBase.getEnvironment()).containsAllEntriesOf(Map.ofEntries(
-                Map.entry("IEXEC_BULK_SLICE_SIZE", 1),
+                Map.entry("IEXEC_BULK_SLICE_SIZE", "1"),
                 Map.entry("IEXEC_DATASET_1_FILENAME", datasetAddress)
         ));
     }
@@ -483,7 +483,7 @@ void shouldGetAppTokensForAdvancedTaskDescription() throws TeeSessionGenerationE
         final SecretEnclaveBase enclaveBase = teeSecretsService.getAppTokens(request);
         assertThat(enclaveBase.getName()).isEqualTo("app");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(APP_FINGERPRINT);
-        final Map<String, Object> expectedTokens = Map.ofEntries(
+        final Map<String, String> expectedTokens = Map.ofEntries(
                 Map.entry("IEXEC_DEAL_ID", DEAL_ID),
                 Map.entry("IEXEC_TASK_INDEX", "0"),
                 Map.entry("IEXEC_TASK_ID", TASK_ID),
@@ -541,7 +541,7 @@ void shouldGetTokensWithEmptyAppComputeSecretWhenSecretsDoNotExist() throws TeeS
         final SecretEnclaveBase enclaveBase = teeSecretsService.getAppTokens(request);
         assertThat(enclaveBase.getName()).isEqualTo("app");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(APP_FINGERPRINT);
-        final Map<String, Object> expectedTokens = Map.ofEntries(
+        final Map<String, String> expectedTokens = Map.ofEntries(
                 Map.entry("IEXEC_DEAL_ID", DEAL_ID),
                 Map.entry("IEXEC_TASK_INDEX", "0"),
                 Map.entry("IEXEC_TASK_ID", TASK_ID),
@@ -652,7 +652,7 @@ void shouldGetPostComputeTokens() throws Exception {
         );
         assertThat(enclaveBase.getName()).isEqualTo("post-compute");
         assertThat(enclaveBase.getMrenclave()).isEqualTo(POST_COMPUTE_FINGERPRINT);
-        final Map<String, Object> expectedTokens = Map.of(
+        final Map<String, String> expectedTokens = Map.of(
                 // encryption tokens
                 "RESULT_ENCRYPTION", "true",
                 "RESULT_ENCRYPTION_PUBLIC_KEY", ENCRYPTION_PUBLIC_KEY,