Use only two SQL statements to read TeeTaskComputeSecret and Web2Secret during TEE session creation (#254)

jbern0rd · web-flow · commit fb980940858b · 2024-03-14T17:46:25.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 ## [[NEXT]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/vNEXT) 2024
 
+### Quality
+
+- Use only two SQL statements to read `TeeTaskComputeSecret` and `Web2Secret` during TEE session creation. (#254)
+
 ## [[8.5.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.5.0) 2024-02-29
 
 ### New Features
diff --git a/src/main/java/com/iexec/sms/secret/compute/TeeTaskComputeSecretService.java b/src/main/java/com/iexec/sms/secret/compute/TeeTaskComputeSecretService.java
@@ -26,7 +26,9 @@
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.stereotype.Service;
 
+import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 @Slf4j
 @Service
@@ -77,6 +79,12 @@ public Optional<TeeTaskComputeSecret> getSecret(
         return Optional.of(decryptedSecret);
     }
 
+    public List<TeeTaskComputeSecret> getSecretsForTeeSession(Iterable<TeeTaskComputeSecretHeader> ids) {
+        return teeTaskComputeSecretRepository.findAllById(ids).stream()
+                .map(secret -> secret.withValue(encryptionService.decrypt(secret.getValue())))
+                .collect(Collectors.toList());
+    }
+
     /**
      * Check whether a secret exists.
      *
diff --git a/src/main/java/com/iexec/sms/secret/web2/Web2SecretHeader.java b/src/main/java/com/iexec/sms/secret/web2/Web2SecretHeader.java
@@ -34,7 +34,7 @@ public class Web2SecretHeader implements Serializable {
     private String ownerAddress;
     private String address; //0xdataset1, aws.amazon.com, beneficiary.key.iex.ec (Kb)
 
-    Web2SecretHeader(String ownerAddress, String address) {
+    public Web2SecretHeader(String ownerAddress, String address) {
         Objects.requireNonNull(ownerAddress, "Web2 secret owner address can't be null.");
         Objects.requireNonNull(address, "Web2 secret address can't be null.");
 
diff --git a/src/main/java/com/iexec/sms/secret/web2/Web2SecretService.java b/src/main/java/com/iexec/sms/secret/web2/Web2SecretService.java
@@ -26,8 +26,10 @@
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.stereotype.Service;
 
+import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 @Slf4j
 @Service
@@ -68,6 +70,12 @@ public Optional<String> getDecryptedValue(String ownerAddress, String secretAddr
                 .map(secret -> encryptionService.decrypt(secret.getValue()));
     }
 
+    public List<Web2Secret> getSecretsForTeeSession(Iterable<Web2SecretHeader> ids) {
+        return web2SecretRepository.findAllById(ids).stream()
+                .map(secret -> secret.withValue(encryptionService.decrypt(secret.getValue())))
+                .collect(Collectors.toList());
+    }
+
     public boolean isSecretPresent(String ownerAddress, String secretAddress) {
         final Web2SecretHeader key = new Web2SecretHeader(ownerAddress, secretAddress);
         final Boolean found = cacheSecretService.lookSecretExistenceInCache(key);
diff --git a/src/main/java/com/iexec/sms/tee/session/base/SecretSessionBaseService.java b/src/main/java/com/iexec/sms/tee/session/base/SecretSessionBaseService.java
@@ -21,10 +21,9 @@
 import com.iexec.commons.poco.task.TaskDescription;
 import com.iexec.commons.poco.tee.TeeEnclaveConfiguration;
 import com.iexec.sms.api.config.TeeServicesProperties;
-import com.iexec.sms.secret.compute.OnChainObjectType;
-import com.iexec.sms.secret.compute.SecretOwnerRole;
-import com.iexec.sms.secret.compute.TeeTaskComputeSecret;
-import com.iexec.sms.secret.compute.TeeTaskComputeSecretService;
+import com.iexec.sms.secret.compute.*;
+import com.iexec.sms.secret.web2.Web2Secret;
+import com.iexec.sms.secret.web2.Web2SecretHeader;
 import com.iexec.sms.secret.web2.Web2SecretService;
 import com.iexec.sms.secret.web3.Web3SecretService;
 import com.iexec.sms.tee.challenge.EthereumCredentials;
@@ -220,54 +219,64 @@ public SecretEnclaveBase getAppTokens(TeeSessionRequest request)
 
     private Map<String, Object> getApplicationComputeSecrets(TaskDescription taskDescription) {
         final Map<String, Object> tokens = new HashMap<>();
-        final String applicationAddress = taskDescription.getAppAddress();
-
-        if (applicationAddress != null) {
-            final String secretIndex = "1";
-            String appDeveloperSecret = teeTaskComputeSecretService.getSecret(
-                            OnChainObjectType.APPLICATION,
-                            applicationAddress.toLowerCase(),
-                            SecretOwnerRole.APPLICATION_DEVELOPER,
-                            "",
-                            secretIndex)
-                    .map(TeeTaskComputeSecret::getValue)
-                    .orElse(EMPTY_YML_VALUE);
-            if (!StringUtils.isEmpty(appDeveloperSecret)) {
-                tokens.put("IEXEC_APP_DEVELOPER_SECRET", appDeveloperSecret);
-                tokens.put(IexecEnvUtils.IEXEC_APP_DEVELOPER_SECRET_PREFIX + secretIndex, appDeveloperSecret);
+        final List<TeeTaskComputeSecretHeader> ids = getAppComputeSecretsHeaders(taskDescription);
+        log.debug("TeeTaskComputeSecret looking for secrets [chainTaskId:{}, count:{}]",
+                taskDescription.getChainTaskId(), ids.size());
+        final List<TeeTaskComputeSecret> secrets = teeTaskComputeSecretService.getSecretsForTeeSession(ids);
+        log.debug("TeeTaskComputeSecret objects fetched from database [chainTaskId:{}, count:{}]",
+                taskDescription.getChainTaskId(), secrets.size());
+        for (TeeTaskComputeSecret secret : secrets) {
+            if (!StringUtils.isEmpty(secret.getHeader().getOnChainObjectAddress())) {
+                tokens.put("IEXEC_APP_DEVELOPER_SECRET", secret.getValue());
+                tokens.put(IexecEnvUtils.IEXEC_APP_DEVELOPER_SECRET_PREFIX + "1", secret.getValue());
+            } else {
+                final String secretKey = secret.getHeader().getKey();
+                taskDescription.getSecrets().forEach((key, value) -> {
+                    if (value.equals(secretKey)) {
+                        tokens.put(IexecEnvUtils.IEXEC_REQUESTER_SECRET_PREFIX + key, secret.getValue());
+                    }
+                });
             }
         }
+        return tokens;
+    }
 
-        if (taskDescription.getSecrets() == null || taskDescription.getRequester() == null) {
-            return tokens;
+    private List<TeeTaskComputeSecretHeader> getAppComputeSecretsHeaders(TaskDescription taskDescription) {
+        final List<TeeTaskComputeSecretHeader> ids = new ArrayList<>();
+        final String applicationAddress = taskDescription.getAppAddress();
+        if (applicationAddress != null) {
+            final String secretIndex = "1";
+            ids.add(new TeeTaskComputeSecretHeader(
+                    OnChainObjectType.APPLICATION,
+                    applicationAddress.toLowerCase(),
+                    SecretOwnerRole.APPLICATION_DEVELOPER,
+                    "",
+                    secretIndex));
         }
 
-        final HashMap<String, String> requesterSecrets = new HashMap<>();
-        for (Map.Entry<String, String> secretEntry : taskDescription.getSecrets().entrySet()) {
-            try {
-                int requesterSecretIndex = Integer.parseInt(secretEntry.getKey());
-                if (requesterSecretIndex <= 0) {
-                    String message = "Application secret indices provided in the deal parameters must be positive numbers"
-                            + " [providedApplicationSecretIndex:" + requesterSecretIndex + "]";
-                    log.warn(message);
-                    throw new NumberFormatException(message);
+        if (taskDescription.getSecrets() != null && taskDescription.getRequester() != null) {
+            for (Map.Entry<String, String> secretEntry : taskDescription.getSecrets().entrySet()) {
+                try {
+                    int requesterSecretIndex = Integer.parseInt(secretEntry.getKey());
+                    if (requesterSecretIndex <= 0) {
+                        String message = "Application secret indices provided in the deal parameters must be positive numbers"
+                                + " [providedApplicationSecretIndex:" + requesterSecretIndex + "]";
+                        log.warn(message);
+                        throw new NumberFormatException(message);
+                    }
+                } catch (NumberFormatException e) {
+                    log.warn("Invalid entry found in deal parameters secrets map", e);
+                    continue;
                 }
-            } catch (NumberFormatException e) {
-                log.warn("Invalid entry found in deal parameters secrets map", e);
-                continue;
+                ids.add(new TeeTaskComputeSecretHeader(
+                        OnChainObjectType.APPLICATION,
+                        "",
+                        SecretOwnerRole.REQUESTER,
+                        taskDescription.getRequester().toLowerCase(),
+                        secretEntry.getValue()));
             }
-            String requesterSecret = teeTaskComputeSecretService.getSecret(
-                            OnChainObjectType.APPLICATION,
-                            "",
-                            SecretOwnerRole.REQUESTER,
-                            taskDescription.getRequester().toLowerCase(),
-                            secretEntry.getValue())
-                    .map(TeeTaskComputeSecret::getValue)
-                    .orElse(EMPTY_YML_VALUE);
-            requesterSecrets.put(IexecEnvUtils.IEXEC_REQUESTER_SECRET_PREFIX + secretEntry.getKey(), requesterSecret);
         }
-        tokens.putAll(requesterSecrets);
-        return tokens;
+        return ids;
     }
 
     /**
@@ -287,12 +296,46 @@ public SecretEnclaveBase getPostComputeTokens(TeeSessionRequest request)
         if (taskDescription == null) {
             throw new TeeSessionGenerationException(NO_TASK_DESCRIPTION, "Task description must not be null");
         }
+
+        final List<Web2SecretHeader> ids = getPostComputeSecretHeaders(taskDescription, request.getWorkerAddress());
+        log.debug("Web2Secret looking for secrets [chainTaskId:{}, count:{}]",
+                taskDescription.getChainTaskId(), ids.size());
+        final List<Web2Secret> secrets = web2SecretService.getSecretsForTeeSession(ids);
+        log.debug("Web2Secret objects fetched from database [chainTaskId:{}, count:{}]",
+                taskDescription.getChainTaskId(), secrets.size());
         // encryption
-        Map<String, String> encryptionTokens = getPostComputeEncryptionTokens(request);
-        tokens.putAll(encryptionTokens);
+        final String resultEncryptionSecret = secrets.stream()
+                .filter(secret -> IEXEC_RESULT_ENCRYPTION_PUBLIC_KEY.equals(secret.getHeader().getAddress()))
+                .findFirst()
+                .map(Web2Secret::getValue)
+                .orElse("");
+        tokens.putAll(getPostComputeEncryptionTokens(request, resultEncryptionSecret));
         // storage
-        Map<String, String> storageTokens = getPostComputeStorageTokens(request);
-        tokens.putAll(storageTokens);
+        if (taskDescription.containsCallback()) {
+            tokens.putAll(getPostComputeStorageTokens(request, ""));
+        } else if (DROPBOX_RESULT_STORAGE_PROVIDER.equals(taskDescription.getResultStorageProvider())) {
+            final String storageToken = secrets.stream()
+                    .filter(secret -> IEXEC_RESULT_DROPBOX_TOKEN.equals(secret.getHeader().getAddress()))
+                    .findFirst()
+                    .map(Web2Secret::getValue)
+                    .orElse("");
+            tokens.putAll(getPostComputeStorageTokens(request, storageToken));
+        } else {
+            // TODO remove fallback on requester token when legacy Result Proxy endpoints have been removed
+            final boolean isWorkerTokenPresent = secrets.stream()
+                    .anyMatch(secret -> IEXEC_RESULT_IEXEC_IPFS_TOKEN.equals(secret.getHeader().getAddress())
+                            && request.getWorkerAddress().equalsIgnoreCase(secret.getHeader().getOwnerAddress()));
+            final String tokenOwner = isWorkerTokenPresent ? request.getWorkerAddress() : taskDescription.getRequester();
+            final String storageToken = secrets.stream()
+                    .filter(secret -> IEXEC_RESULT_IEXEC_IPFS_TOKEN.equals(secret.getHeader().getAddress()) &&
+                            tokenOwner.equalsIgnoreCase(secret.getHeader().getOwnerAddress()))
+                    .findFirst()
+                    .map(Web2Secret::getValue)
+                    .orElse("");
+            log.debug("storage token [isWorkerTokenPresent:{}, tokenOwner:{}]",
+                    isWorkerTokenPresent, tokenOwner);
+            tokens.putAll(getPostComputeStorageTokens(request, storageToken));
+        }
         // enclave signature
         Map<String, String> signTokens = getPostComputeSignTokens(request);
         tokens.putAll(signTokens);
@@ -301,7 +344,21 @@ public SecretEnclaveBase getPostComputeTokens(TeeSessionRequest request)
                 .build();
     }
 
-    public Map<String, String> getPostComputeEncryptionTokens(TeeSessionRequest request)
+    List<Web2SecretHeader> getPostComputeSecretHeaders(TaskDescription taskDescription, String workerAddress) {
+        final List<Web2SecretHeader> ids = new ArrayList<>();
+        if (taskDescription.isResultEncryption()) {
+            ids.add(new Web2SecretHeader(taskDescription.getBeneficiary(), IEXEC_RESULT_ENCRYPTION_PUBLIC_KEY));
+        }
+        if (DROPBOX_RESULT_STORAGE_PROVIDER.equals(taskDescription.getResultStorageProvider())) {
+            ids.add(new Web2SecretHeader(taskDescription.getRequester(), IEXEC_RESULT_DROPBOX_TOKEN));
+        } else {
+            ids.add(new Web2SecretHeader(taskDescription.getRequester(), IEXEC_RESULT_IEXEC_IPFS_TOKEN));
+            ids.add(new Web2SecretHeader(workerAddress, IEXEC_RESULT_IEXEC_IPFS_TOKEN));
+        }
+        return ids;
+    }
+
+    public Map<String, String> getPostComputeEncryptionTokens(TeeSessionRequest request, String resultEncryptionKey)
             throws TeeSessionGenerationException {
         TaskDescription taskDescription = request.getTaskDescription();
         String taskId = taskDescription.getChainTaskId();
@@ -313,24 +370,20 @@ public Map<String, String> getPostComputeEncryptionTokens(TeeSessionRequest requ
         if (!shouldEncrypt) {
             return tokens;
         }
-        Optional<String> beneficiaryResultEncryptionKeySecret = web2SecretService.getDecryptedValue(
-                taskDescription.getBeneficiary(),
-                IEXEC_RESULT_ENCRYPTION_PUBLIC_KEY);
-        if (beneficiaryResultEncryptionKeySecret.isEmpty()) {
+        if (StringUtils.isEmpty(resultEncryptionKey)) {
             throw new TeeSessionGenerationException(
                     POST_COMPUTE_GET_ENCRYPTION_TOKENS_FAILED_EMPTY_BENEFICIARY_KEY,
                     "Empty beneficiary encryption key - taskId: " + taskId);
         }
-        String publicKeyValue = beneficiaryResultEncryptionKeySecret.get();
-        tokens.put(RESULT_ENCRYPTION_PUBLIC_KEY, publicKeyValue); // base64 encoded by client
+        tokens.put(RESULT_ENCRYPTION_PUBLIC_KEY, resultEncryptionKey); // base64 encoded by client
         return tokens;
     }
 
     // TODO: We need a signature of the beneficiary to push
     // to the beneficiary private storage space waiting for
     // that feature we only allow to push to the requester
     // private storage space
-    public Map<String, String> getPostComputeStorageTokens(TeeSessionRequest request)
+    public Map<String, String> getPostComputeStorageTokens(TeeSessionRequest request, String storageToken)
             throws TeeSessionGenerationException {
         TaskDescription taskDescription = request.getTaskDescription();
         String taskId = taskDescription.getChainTaskId();
@@ -345,23 +398,13 @@ public Map<String, String> getPostComputeStorageTokens(TeeSessionRequest request
         }
         String storageProvider = taskDescription.getResultStorageProvider();
         String storageProxy = taskDescription.getResultStorageProxy();
-        final Optional<String> storageTokenSecret;
-        if (DROPBOX_RESULT_STORAGE_PROVIDER.equals(storageProvider)) {
-            storageTokenSecret = web2SecretService.getDecryptedValue(taskDescription.getRequester(), IEXEC_RESULT_DROPBOX_TOKEN);
-        } else {
-            // TODO remove fallback on requester token when legacy Result Proxy endpoints have been removed
-            final boolean isWorkerTokenPresent = web2SecretService.isSecretPresent(request.getWorkerAddress(), IEXEC_RESULT_IEXEC_IPFS_TOKEN);
-            final String tokenOwner = isWorkerTokenPresent ? request.getWorkerAddress() : taskDescription.getRequester();
-            storageTokenSecret = web2SecretService.getDecryptedValue(tokenOwner, IEXEC_RESULT_IEXEC_IPFS_TOKEN);
-        }
-        if (storageTokenSecret.isEmpty()) {
+        if (StringUtils.isEmpty(storageToken)) {
             log.error("Failed to get storage token [taskId:{}, storageProvider:{}, requester:{}]",
                     taskId, storageProvider, taskDescription.getRequester());
             throw new TeeSessionGenerationException(
                     POST_COMPUTE_GET_STORAGE_TOKENS_FAILED,
                     "Empty requester storage token - taskId: " + taskId);
         }
-        final String storageToken = storageTokenSecret.get();
         tokens.put(RESULT_STORAGE_PROVIDER, storageProvider);
         tokens.put(RESULT_STORAGE_PROXY, storageProxy);
         tokens.put(RESULT_STORAGE_TOKEN, storageToken);
diff --git a/src/test/java/com/iexec/sms/tee/session/TeeSessionTestUtils.java b/src/test/java/com/iexec/sms/tee/session/TeeSessionTestUtils.java
@@ -16,25 +16,19 @@
 
 package com.iexec.sms.tee.session;
 
-import com.iexec.common.precompute.PreComputeUtils;
-import com.iexec.common.utils.IexecEnvUtils;
 import com.iexec.commons.poco.task.TaskDescription;
 import com.iexec.commons.poco.tee.TeeEnclaveConfiguration;
 import com.iexec.sms.secret.compute.OnChainObjectType;
 import com.iexec.sms.secret.compute.SecretOwnerRole;
 import com.iexec.sms.secret.compute.TeeTaskComputeSecret;
-import com.iexec.sms.tee.session.base.SecretSessionBaseService;
 import com.iexec.sms.tee.session.generic.TeeSessionRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ClassUtils;
 
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import static com.iexec.common.worker.result.ResultUtils.*;
 import static com.iexec.sms.Web3jUtils.createEthereumAddress;
-import static com.iexec.sms.tee.session.base.SecretSessionBaseService.*;
 import static org.assertj.core.api.Assertions.assertThat;
 
 @Slf4j
@@ -139,39 +133,6 @@ public static TaskDescription.TaskDescriptionBuilder createTaskDescription(TeeEn
                 .botIndex(0);
     }
 
-    public static Map<String, Object> getPreComputeTokens() {
-        return Map.of(
-                PRE_COMPUTE_MRENCLAVE, PRE_COMPUTE_FINGERPRINT,
-                PreComputeUtils.IS_DATASET_REQUIRED, true,
-                PreComputeUtils.IEXEC_DATASET_KEY, DATASET_KEY.trim(),
-                INPUT_FILE_URLS, Map.of(
-                        IexecEnvUtils.IEXEC_INPUT_FILE_URL_PREFIX + "1", INPUT_FILE_URL_1,
-                        IexecEnvUtils.IEXEC_INPUT_FILE_URL_PREFIX + "2", INPUT_FILE_URL_2));
-    }
-
-    public static Map<String, Object> getAppTokens() {
-        return Map.of(
-            APP_MRENCLAVE, APP_FINGERPRINT,
-            SecretSessionBaseService.INPUT_FILE_NAMES, Map.of(
-                        IexecEnvUtils.IEXEC_INPUT_FILE_NAME_PREFIX + "1", INPUT_FILE_NAME_1,
-                        IexecEnvUtils.IEXEC_INPUT_FILE_NAME_PREFIX + "2", INPUT_FILE_NAME_2));
-    }
-
-    public static Map<String, Object> getPostComputeTokens() {
-        Map<String, Object> map = new HashMap<>();
-        map.put(POST_COMPUTE_MRENCLAVE, POST_COMPUTE_FINGERPRINT);
-        map.put(RESULT_TASK_ID, TASK_ID);
-        map.put(RESULT_ENCRYPTION, "yes");
-        map.put(RESULT_ENCRYPTION_PUBLIC_KEY, ENCRYPTION_PUBLIC_KEY);
-        map.put(RESULT_STORAGE_PROVIDER, STORAGE_PROVIDER);
-        map.put(RESULT_STORAGE_PROXY, STORAGE_PROXY);
-        map.put(RESULT_STORAGE_TOKEN, STORAGE_TOKEN);
-        map.put(RESULT_STORAGE_CALLBACK, "no");
-        map.put(RESULT_SIGN_WORKER_ADDRESS, WORKER_ADDRESS);
-        map.put(RESULT_SIGN_TEE_CHALLENGE_PRIVATE_KEY, TEE_CHALLENGE_PRIVATE_KEY);
-        return map;
-    }
-
     public static void assertRecursively(Object expected, Object actual) {
         if (expected == null ||
                 expected instanceof String ||
diff --git a/src/test/java/com/iexec/sms/tee/session/base/SecretSessionBaseServiceTests.java b/src/test/java/com/iexec/sms/tee/session/base/SecretSessionBaseServiceTests.java
