Renamed ContribAuth to WorkerpoolAuthorization

Author: Jérémy James Toussaint

src/main/java/com/iexec/worker/chain/ContributionAuthorizationService.java

@@ -5,12 +5,7 @@
 import com.iexec.common.contribution.Contribution;
 import com.iexec.common.replicate.ReplicateStatusCause;
 import com.iexec.common.result.ComputedFile;
-import com.iexec.common.security.Signature;
-import com.iexec.common.tee.TeeEnclaveChallengeSignature;
 import com.iexec.common.utils.BytesUtils;
-import com.iexec.common.utils.HashUtils;
-import com.iexec.common.utils.SignatureUtils;
-
 import com.iexec.common.worker.result.ResultUtils;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
@@ -19,20 +14,25 @@
 import java.util.Optional;
 
 import static com.iexec.common.replicate.ReplicateStatusCause.*;
-import static com.iexec.common.utils.SignatureUtils.isExpectedSignerOnSignedMessageHash;
 
 
 @Slf4j
 @Service
 public class ContributionService {
 
     private IexecHubService iexecHubService;
-    private ContributionAuthorizationService contributionAuthorizationService;
+    private WorkerpoolAuthorizationService workerpoolAuthorizationService;
+    private EnclaveAuthorizationService enclaveAuthorizationService;
+    private CredentialsService credentialsService;
 
     public ContributionService(IexecHubService iexecHubService,
-                               ContributionAuthorizationService contributionAuthorizationService) {
+                               WorkerpoolAuthorizationService workerpoolAuthorizationService,
+                               EnclaveAuthorizationService enclaveAuthorizationService,
+                               CredentialsService credentialsService) {
         this.iexecHubService = iexecHubService;
-        this.contributionAuthorizationService = contributionAuthorizationService;
+        this.workerpoolAuthorizationService = workerpoolAuthorizationService;
+        this.enclaveAuthorizationService = enclaveAuthorizationService;
+        this.credentialsService = credentialsService;
     }
 
     public boolean isChainTaskInitialized(String chainTaskId) {
@@ -63,20 +63,20 @@ public Optional<ReplicateStatusCause> getCannotContributeStatusCause(String chai
             return Optional.of(CONTRIBUTION_ALREADY_SET);
         }
 
-        if (!isContributionAuthorizationPresent(chainTaskId)) {
-            return Optional.of(CONTRIBUTION_AUTHORIZATION_NOT_FOUND);
+        if (!isWorkerpoolAuthorizationPresent(chainTaskId)) {
+            return Optional.of(CONTRIBUTION_AUTHORIZATION_NOT_FOUND);//TODO Rename status to WORKERPOOL_AUTHORIZATION_NOT_FOUND
         }
 
         return Optional.empty();
     }
 
-    private boolean isContributionAuthorizationPresent(String chainTaskId) {
-        ContributionAuthorization contributionAuthorization =
-                contributionAuthorizationService.getContributionAuthorization(chainTaskId);
-        if (contributionAuthorization != null){
+    private boolean isWorkerpoolAuthorizationPresent(String chainTaskId) {
+        WorkerpoolAuthorization workerpoolAuthorization =
+                workerpoolAuthorizationService.getWorkerpoolAuthorization(chainTaskId);
+        if (workerpoolAuthorization != null) {
             return true;
         }
-        log.error("ContributionAuthorization missing [chainTaskId:{}]", chainTaskId);
+        log.error("WorkerpoolAuthorization missing [chainTaskId:{}]", chainTaskId);
         return false;
     }
 
@@ -105,14 +105,6 @@ private boolean isContributionUnsetToContribute(ChainTask chainTask) {
         return chainContribution.getStatus().equals(ChainContributionStatus.UNSET);
     }
 
-    public boolean isContributionAuthorizationValid(ContributionAuthorization auth, String signerAddress) {
-        // create the hash that was used in the signature in the core
-        byte[] message = BytesUtils.stringToBytes(
-                HashUtils.concatenateAndHash(auth.getWorkerWallet(), auth.getChainTaskId(), auth.getEnclaveChallenge()));
-
-        return SignatureUtils.isSignatureValid(message, auth.getSignature(), signerAddress);
-    }
-
     public boolean isContributionDeadlineReached(String chainTaskId) {
         Optional<ChainTask> oTask = iexecHubService.getChainTask(chainTaskId);
         if (!oTask.isPresent()) return true;
@@ -136,43 +128,36 @@ public Optional<ChainReceipt> contribute(Contribution contribution) {
         return Optional.of(chainReceipt);
     }
 
-    public boolean putContributionAuthorization(ContributionAuthorization contributionAuthorization) {
-        return contributionAuthorizationService.putContributionAuthorization(contributionAuthorization);
+    public boolean putWorkerpoolAuthorization(WorkerpoolAuthorization workerpoolAuthorization) {
+        return workerpoolAuthorizationService.putWorkerpoolAuthorization(workerpoolAuthorization);
     }
 
-    public ContributionAuthorization getContributionAuthorization(String chainTaskId) {
-        return contributionAuthorizationService.getContributionAuthorization(chainTaskId);
+    public WorkerpoolAuthorization getWorkerpoolAuthorization(String chainTaskId) {
+        return workerpoolAuthorizationService.getWorkerpoolAuthorization(chainTaskId);
     }
 
-    /*
-    * TODO See if it possible to remove useless fields from ContributionAuthorization:
-    * remove/merge, define Contribution/ContributionAuthorization responsibilities
-     */
-    //TODO Add unit test
-    public Contribution getContribution(ComputedFile computedFile, ContributionAuthorization contributionAuthorization) {
+    public Contribution getContribution(ComputedFile computedFile) {
         String chainTaskId = computedFile.getTaskId();
+        WorkerpoolAuthorization workerpoolAuthorization = workerpoolAuthorizationService.getWorkerpoolAuthorization(chainTaskId);
+        if (workerpoolAuthorization == null) {
+            log.error("Cant getContribution (cant getWorkerpoolAuthorization) [chainTaskId:{}]", chainTaskId);
+            return null;
+        }
+
         String resultDigest = computedFile.getResultDigest();
         String resultHash = ResultUtils.computeResultHash(chainTaskId, resultDigest);
-        String resultSeal = ResultUtils.computeResultSeal(contributionAuthorization.getWorkerWallet(), chainTaskId, resultDigest);
+        String resultSeal = ResultUtils.computeResultSeal(credentialsService.getCredentials().getAddress(), chainTaskId, resultDigest);
+        String workerpoolSignature = workerpoolAuthorization.getSignature().getValue();
+        String enclaveChallenge = workerpoolAuthorization.getEnclaveChallenge();
         String enclaveSignature = computedFile.getEnclaveSignature();
 
         boolean isTeeTask = iexecHubService.isTeeTask(chainTaskId);
         if (isTeeTask) {
-            if (enclaveSignature.isEmpty()){
-                log.error("Cannot contribute enclave signature not found [chainTaskId:{}]", chainTaskId);
+            if (!enclaveAuthorizationService.isVerifiedEnclaveSignature(chainTaskId,
+                    resultHash, resultSeal, enclaveSignature, enclaveChallenge)){
+                log.error("Cant getContribution (isVerifiedEnclaveSignature false) [chainTaskId:{}]", chainTaskId);
                 return null;
             }
-
-            String messageHash = TeeEnclaveChallengeSignature.getMessageHash(resultHash, resultSeal);
-
-            boolean isExpectedSigner = isExpectedSignerOnSignedMessageHash(messageHash,
-                    new Signature(enclaveSignature), contributionAuthorization.getEnclaveChallenge());
-
-            if (!isExpectedSigner){
-                log.error("Cannot contribute enclave signature invalid [chainTaskId:{}]", chainTaskId);
-                return null;
-            }
-
         } else {
             enclaveSignature = BytesUtils.EMPTY_HEXASTRING_64;
         }
@@ -182,9 +167,9 @@ public Contribution getContribution(ComputedFile computedFile, ContributionAutho
                 .resultDigest(resultDigest)
                 .resultHash(resultHash)
                 .resultSeal(resultSeal)
-                .enclaveChallenge(contributionAuthorization.getEnclaveChallenge())
+                .enclaveChallenge(enclaveChallenge)
                 .enclaveSignature(enclaveSignature)
-                .workerPoolSignature(contributionAuthorization.getSignature().getValue())
+                .workerPoolSignature(workerpoolSignature)
                 .build();
     }
 

src/main/java/com/iexec/worker/chain/ContributionService.java

@@ -0,0 +1,32 @@
+package com.iexec.worker.chain;
+
+import com.iexec.common.security.Signature;
+import com.iexec.common.tee.TeeEnclaveChallengeSignature;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+
+import static com.iexec.common.utils.SignatureUtils.isExpectedSignerOnSignedMessageHash;
+
+
+@Slf4j
+@Service
+public class EnclaveAuthorizationService {
+
+    public boolean isVerifiedEnclaveSignature(String chainTaskId, String resultHash, String resultSeal,
+                                              String enclaveSignature, String enclaveChallenge) {
+        if (enclaveChallenge == null || enclaveChallenge.isEmpty()) {
+            log.error("Cant verify enclave signature (enclave challenge not found) [chainTaskId:{}]", chainTaskId);
+            return false;
+        }
+
+        if (enclaveSignature == null || enclaveSignature.isEmpty()) {
+            log.error("Cant verify enclave signature (enclave signature not found) [chainTaskId:{}]", chainTaskId);
+            return false;
+        }
+
+        String messageHash = TeeEnclaveChallengeSignature.getMessageHash(resultHash, resultSeal);
+
+        return isExpectedSignerOnSignedMessageHash(messageHash,
+                new Signature(enclaveSignature), enclaveChallenge);
+    }
+}

src/main/java/com/iexec/worker/chain/EnclaveAuthorizationService.java

@@ -0,0 +1,60 @@
+package com.iexec.worker.chain;
+
+import com.iexec.common.chain.WorkerpoolAuthorization;
+import com.iexec.common.utils.BytesUtils;
+import com.iexec.common.utils.HashUtils;
+import com.iexec.common.utils.SignatureUtils;
+import com.iexec.worker.config.PublicConfigurationService;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.PostConstruct;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+
+@Slf4j
+@Service
+public class WorkerpoolAuthorizationService {
+
+    private PublicConfigurationService publicConfigurationService;
+    private Map<String, WorkerpoolAuthorization> workerpoolAuthorizations;
+    private String corePublicAddress;
+
+    public WorkerpoolAuthorizationService(PublicConfigurationService publicConfigurationService) {
+        this.publicConfigurationService = publicConfigurationService;
+    }
+
+    @PostConstruct
+    public void initIt() {
+        corePublicAddress = publicConfigurationService.getSchedulerPublicAddress();
+        workerpoolAuthorizations = new ConcurrentHashMap<>();
+    }
+
+
+    public boolean isWorkerpoolAuthorizationValid(WorkerpoolAuthorization auth, String signerAddress) {
+        // create the hash that was used in the signature in the core
+        byte[] message = BytesUtils.stringToBytes(
+                HashUtils.concatenateAndHash(auth.getWorkerWallet(), auth.getChainTaskId(), auth.getEnclaveChallenge()));
+
+        return SignatureUtils.isSignatureValid(message, auth.getSignature(), signerAddress);
+    }
+
+    public boolean putWorkerpoolAuthorization(WorkerpoolAuthorization workerpoolAuthorization) {
+        if (workerpoolAuthorization == null || workerpoolAuthorization.getChainTaskId() == null) {
+            log.error("Cant putWorkerpoolAuthorization (null) [workerpoolAuthorization:{}]", workerpoolAuthorization);
+            return false;
+        }
+
+        if (!isWorkerpoolAuthorizationValid(workerpoolAuthorization, corePublicAddress)) {
+            log.error("Cant putWorkerpoolAuthorization (invalid) [workerpoolAuthorization:{}]", workerpoolAuthorization);
+            return false;
+        }
+        workerpoolAuthorizations.putIfAbsent(workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization);
+        return true;
+    }
+
+    WorkerpoolAuthorization getWorkerpoolAuthorization(String chainTaskId) {
+        return workerpoolAuthorizations.get(chainTaskId);
+    }
+}

src/main/java/com/iexec/worker/chain/WorkerpoolAuthorizationService.java

@@ -1,6 +1,6 @@
 package com.iexec.worker.docker;
 
-import com.iexec.common.chain.ContributionAuthorization;
+import com.iexec.common.chain.WorkerpoolAuthorization;
 import com.iexec.common.dapp.DappType;
 import com.iexec.common.sms.secret.TaskSecrets;
 import com.iexec.common.task.TaskDescription;
@@ -11,7 +11,6 @@
 import com.iexec.worker.result.ResultService;
 import com.iexec.worker.sms.SmsService;
 import com.iexec.worker.tee.scone.SconeTeeService;
-
 import com.iexec.worker.utils.LoggingUtils;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FilenameUtils;
@@ -83,14 +82,14 @@ public boolean isAppDownloaded(String imageUri) {
     }
 
     public boolean runNonTeeComputation(TaskDescription taskDescription,
-                                        ContributionAuthorization contributionAuth) {
+                                        WorkerpoolAuthorization workerpoolAuthorization) {
         String chainTaskId = taskDescription.getChainTaskId();
         String imageUri = taskDescription.getAppUri();
         String cmd = taskDescription.getCmd();
         long maxExecutionTime = taskDescription.getMaxExecutionTime();
 
         // fetch task secrets from SMS
-        Optional<TaskSecrets> oTaskSecrets = smsService.fetchTaskSecrets(contributionAuth);
+        Optional<TaskSecrets> oTaskSecrets = smsService.fetchTaskSecrets(workerpoolAuthorization);
         if (!oTaskSecrets.isPresent()) {
             log.warn("No secrets fetched for this task, will continue [chainTaskId:{}]:", chainTaskId);
         } else {
@@ -131,7 +130,7 @@ public boolean runNonTeeComputation(TaskDescription taskDescription,
                 .build();
 
         DockerExecutionResult appExecutionResult = customDockerClient.execute(dockerExecutionConfig);
-        if (shouldPrintDeveloperLogs(taskDescription)){
+        if (shouldPrintDeveloperLogs(taskDescription)) {
             log.info("Developer logs of computing stage [chainTaskId:{}, logs:{}]", chainTaskId,
                     getDockerExecutionDeveloperLogs(chainTaskId, appExecutionResult));
         }
@@ -145,8 +144,8 @@ public boolean runNonTeeComputation(TaskDescription taskDescription,
     }
 
     public boolean runTeeComputation(TaskDescription taskDescription,
-                                     ContributionAuthorization contributionAuth) {
-        String chainTaskId = contributionAuth.getChainTaskId();
+                                     WorkerpoolAuthorization workerpoolAuthorization) {
+        String chainTaskId = workerpoolAuthorization.getChainTaskId();
         String imageUri = taskDescription.getAppUri();
         String datasetUri = taskDescription.getDatasetUri();
         String cmd = taskDescription.getCmd();
@@ -159,7 +158,7 @@ public boolean runTeeComputation(TaskDescription taskDescription,
             return false;
         }
 
-        String secureSessionId = smsService.createTeeSession(contributionAuth);
+        String secureSessionId = smsService.createTeeSession(workerpoolAuthorization);
         if (secureSessionId.isEmpty()) {
             log.error("Cannot compute TEE task without secure session [chainTaskId:{}]", chainTaskId);
             return false;
@@ -195,7 +194,7 @@ public boolean runTeeComputation(TaskDescription taskDescription,
         // run computation
         DockerExecutionResult appExecutionResult = customDockerClient.execute(appExecutionConfig);
 
-        if (shouldPrintDeveloperLogs(taskDescription)){
+        if (shouldPrintDeveloperLogs(taskDescription)) {
             log.info("Developer logs of computing stage [chainTaskId:{}, logs:{}]", chainTaskId,
                     getDockerExecutionDeveloperLogs(chainTaskId, appExecutionResult));
         }