feat: retrieve and cache TEE sessions metadata during task preflight checks (#664)

Author: jbern0rd

src/main/java/com/iexec/worker/compute/ComputeManagerService.java

@@ -19,10 +19,8 @@
 import com.iexec.common.replicate.ReplicateStatusCause;
 import com.iexec.common.result.ComputedFile;
 import com.iexec.common.utils.FileHelper;
-import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
 import com.iexec.commons.poco.dapp.DappType;
 import com.iexec.commons.poco.task.TaskDescription;
-import com.iexec.sms.api.TeeSessionGenerationResponse;
 import com.iexec.worker.compute.app.AppComputeResponse;
 import com.iexec.worker.compute.app.AppComputeService;
 import com.iexec.worker.compute.post.PostComputeResponse;
@@ -91,8 +89,7 @@ public boolean downloadApp(TaskDescription taskDescription) {
         if (taskDescription == null || taskDescription.getAppType() == null) {
             return false;
         }
-        boolean isDockerType =
-                taskDescription.getAppType().equals(DappType.DOCKER);
+        final boolean isDockerType = taskDescription.getAppType() == DappType.DOCKER;
         if (!isDockerType || taskDescription.getAppUri() == null) {
             return false;
         }
@@ -153,23 +150,21 @@ public boolean isAppDownloaded(String imageUri) {
      * Execute pre-compute stage for standard and TEE tasks.
      * <ul>
      * <li>Standard tasks: Nothing is executed, an empty result is returned
-     * <li>TEE tasks: Call {@link PreComputeService#runTeePreCompute(TaskDescription, WorkerpoolAuthorization)}
+     * <li>TEE tasks: Call {@link PreComputeService#runTeePreCompute(TaskDescription)}
      * </ul>
      * TEE tasks: download pre-compute and post-compute images,
      * create SCONE secure session, and run pre-compute container.
      *
      * @param taskDescription Description of the task
-     * @param workerpoolAuth  Authorization to contribute delivered by the scheduler for the given task
      * @return {@code PreComputeResponse} instance
-     * @see PreComputeService#runTeePreCompute(TaskDescription, WorkerpoolAuthorization)
+     * @see PreComputeService#runTeePreCompute(TaskDescription)
      */
-    public PreComputeResponse runPreCompute(final TaskDescription taskDescription,
-                                            final WorkerpoolAuthorization workerpoolAuth) {
+    public PreComputeResponse runPreCompute(final TaskDescription taskDescription) {
         log.info("Running pre-compute [chainTaskId:{}, isTee:{}]",
                 taskDescription.getChainTaskId(), taskDescription.isTeeTask());
 
         if (taskDescription.isTeeTask()) {
-            return preComputeService.runTeePreCompute(taskDescription, workerpoolAuth);
+            return preComputeService.runTeePreCompute(taskDescription);
         }
         return PreComputeResponse.builder().build();
     }
@@ -178,18 +173,15 @@ public PreComputeResponse runPreCompute(final TaskDescription taskDescription,
      * Execute application stage for standard and TEE tasks.
      *
      * @param taskDescription Description of the task
-     * @param secureSession   Session ID and session storage URL for TEE tasks
      * @return {@code AppComputeResponse} instance
-     * @see AppComputeService#runCompute(TaskDescription, TeeSessionGenerationResponse)
+     * @see AppComputeService#runCompute(TaskDescription)
      */
-    public AppComputeResponse runCompute(final TaskDescription taskDescription,
-                                         final TeeSessionGenerationResponse secureSession) {
+    public AppComputeResponse runCompute(final TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
         log.info("Running compute [chainTaskId:{}, isTee:{}]",
                 chainTaskId, taskDescription.isTeeTask());
 
-        final AppComputeResponse appComputeResponse =
-                appComputeService.runCompute(taskDescription, secureSession);
+        final AppComputeResponse appComputeResponse = appComputeService.runCompute(taskDescription);
 
         if (appComputeResponse.isSuccessful()) {
             writeLogs(chainTaskId, STDOUT_FILENAME, appComputeResponse.getStdout());
@@ -213,26 +205,20 @@ private void writeLogs(String chainTaskId, String filename, String logs) {
      * This method calls methods from {@code PostComputeService} depending on the Task type.
      *
      * @param taskDescription Description of the task
-     * @param secureSession   Session ID and session storage URL for TEE tasks
      * @return {@code PostComputeResponse} instance
      * @see PostComputeService#runStandardPostCompute(TaskDescription)
-     * @see PostComputeService#runTeePostCompute(TaskDescription, TeeSessionGenerationResponse)
+     * @see PostComputeService#runTeePostCompute(TaskDescription)
      */
-    public PostComputeResponse runPostCompute(final TaskDescription taskDescription,
-                                              final TeeSessionGenerationResponse secureSession) {
+    public PostComputeResponse runPostCompute(final TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
         log.info("Running post-compute [chainTaskId:{}, isTee:{}]",
                 chainTaskId, taskDescription.isTeeTask());
 
         final PostComputeResponse postComputeResponse;
         if (!taskDescription.isTeeTask()) {
             postComputeResponse = postComputeService.runStandardPostCompute(taskDescription);
-        } else if (secureSession != null) {
-            postComputeResponse = postComputeService.runTeePostCompute(taskDescription, secureSession);
         } else {
-            postComputeResponse = PostComputeResponse.builder()
-                    .exitCauses(List.of(new WorkflowError(ReplicateStatusCause.POST_COMPUTE_FAILED_UNKNOWN_ISSUE)))
-                    .build();
+            postComputeResponse = postComputeService.runTeePostCompute(taskDescription);
         }
         if (!postComputeResponse.isSuccessful()) {
             return postComputeResponse;

src/main/java/com/iexec/worker/compute/app/AppComputeResponse.java

@@ -26,7 +26,6 @@
 @Value
 @Builder
 public class AppComputeResponse implements ComputeResponse {
-
     @Builder.Default
     List<WorkflowError> exitCauses = List.of();
     String stdout;

src/main/java/com/iexec/worker/compute/app/AppComputeService.java

@@ -25,7 +25,6 @@
 import com.iexec.commons.containers.DockerRunResponse;
 import com.iexec.commons.containers.SgxDriverMode;
 import com.iexec.commons.poco.task.TaskDescription;
-import com.iexec.sms.api.TeeSessionGenerationResponse;
 import com.iexec.worker.config.WorkerConfigurationService;
 import com.iexec.worker.docker.DockerService;
 import com.iexec.worker.metric.ComputeDurationsService;
@@ -61,8 +60,7 @@ public AppComputeService(
         this.appComputeDurationsService = appComputeDurationsService;
     }
 
-    public AppComputeResponse runCompute(final TaskDescription taskDescription,
-                                         final TeeSessionGenerationResponse secureSession) {
+    public AppComputeResponse runCompute(final TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
 
         final List<Bind> binds = new ArrayList<>();
@@ -73,7 +71,7 @@ public AppComputeResponse runCompute(final TaskDescription taskDescription,
         final List<String> env;
         if (taskDescription.isTeeTask()) {
             final TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
-            env = teeService.buildComputeDockerEnv(taskDescription, secureSession);
+            env = teeService.buildComputeDockerEnv(taskDescription);
             binds.addAll(teeService.getAdditionalBindings().stream().map(Bind::parse).toList());
             sgxDriverMode = sgxService.getSgxDriverMode();
         } else {

src/main/java/com/iexec/worker/compute/post/PostComputeResponse.java

@@ -26,7 +26,6 @@
 @Value
 @Builder
 public class PostComputeResponse implements ComputeResponse {
-
     @Builder.Default
     List<WorkflowError> exitCauses = List.of();
     String stdout;

src/main/java/com/iexec/worker/compute/post/PostComputeService.java

@@ -161,8 +161,7 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
         return Optional.empty();
     }
 
-    public PostComputeResponse runTeePostCompute(TaskDescription taskDescription,
-                                                 TeeSessionGenerationResponse secureSession) {
+    public PostComputeResponse runTeePostCompute(final TaskDescription taskDescription) {
         String chainTaskId = taskDescription.getChainTaskId();
 
         TeeServicesProperties properties =
@@ -179,7 +178,7 @@ public PostComputeResponse runTeePostCompute(TaskDescription taskDescription,
         }
         TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
         List<String> env = teeService
-                .buildPostComputeDockerEnv(taskDescription, secureSession);
+                .buildPostComputeDockerEnv(taskDescription);
         List<Bind> binds = Stream.of(
                         Collections.singletonList(dockerService.getIexecOutBind(chainTaskId)),
                         teeService.getAdditionalBindings())

src/main/java/com/iexec/worker/compute/pre/PreComputeResponse.java

@@ -16,7 +16,6 @@
 
 package com.iexec.worker.compute.pre;
 
-import com.iexec.sms.api.TeeSessionGenerationResponse;
 import com.iexec.worker.compute.ComputeResponse;
 import com.iexec.worker.workflow.WorkflowError;
 import lombok.Builder;
@@ -27,19 +26,8 @@
 @Value
 @Builder
 public class PreComputeResponse implements ComputeResponse {
-
     @Builder.Default
     List<WorkflowError> exitCauses = List.of();
-    boolean isTeeTask;
-    TeeSessionGenerationResponse secureSession;
     String stdout;
     String stderr;
-
-    @Override
-    public boolean isSuccessful() {
-        if (isTeeTask) {
-            return ComputeResponse.super.isSuccessful() && secureSession != null;
-        }
-        return ComputeResponse.super.isSuccessful();
-    }
 }

src/main/java/com/iexec/worker/compute/pre/PreComputeService.java

@@ -22,11 +22,8 @@
 import com.iexec.commons.containers.DockerRunFinalStatus;
 import com.iexec.commons.containers.DockerRunRequest;
 import com.iexec.commons.containers.DockerRunResponse;
-import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
 import com.iexec.commons.poco.task.TaskDescription;
 import com.iexec.commons.poco.tee.TeeEnclaveConfiguration;
-import com.iexec.sms.api.TeeSessionGenerationError;
-import com.iexec.sms.api.TeeSessionGenerationResponse;
 import com.iexec.sms.api.config.TeeAppProperties;
 import com.iexec.sms.api.config.TeeServicesProperties;
 import com.iexec.worker.compute.ComputeExitCauseService;
@@ -35,8 +32,6 @@
 import com.iexec.worker.docker.DockerService;
 import com.iexec.worker.metric.ComputeDurationsService;
 import com.iexec.worker.sgx.SgxService;
-import com.iexec.worker.sms.SmsService;
-import com.iexec.worker.sms.TeeSessionGenerationException;
 import com.iexec.worker.tee.TeeServicesManager;
 import com.iexec.worker.tee.TeeServicesPropertiesService;
 import com.iexec.worker.workflow.WorkflowError;
@@ -49,13 +44,10 @@
 import java.util.List;
 import java.util.concurrent.TimeoutException;
 
-import static com.iexec.sms.api.TeeSessionGenerationError.UNKNOWN_ISSUE;
-
 @Slf4j
 @Service
 public class PreComputeService {
 
-    private final SmsService smsService;
     private final DockerService dockerService;
     private final TeeServicesManager teeServicesManager;
     private final WorkerConfigurationService workerConfigService;
@@ -65,15 +57,13 @@ public class PreComputeService {
     private final ComputeDurationsService preComputeDurationsService;
 
     public PreComputeService(
-            SmsService smsService,
             DockerService dockerService,
             TeeServicesManager teeServicesManager,
             WorkerConfigurationService workerConfigService,
             SgxService sgxService,
             ComputeExitCauseService computeExitCauseService,
             TeeServicesPropertiesService teeServicesPropertiesService,
             ComputeDurationsService preComputeDurationsService) {
-        this.smsService = smsService;
         this.dockerService = dockerService;
         this.teeServicesManager = teeServicesManager;
         this.workerConfigService = workerConfigService;
@@ -90,13 +80,11 @@ public PreComputeService(
      * is started to handle them.
      *
      * @param taskDescription Task description read on-chain
-     * @param workerpoolAuth  Workerpool authorization provided by scheduler
      * @return PreComputeResponse
      */
-    public PreComputeResponse runTeePreCompute(TaskDescription taskDescription, WorkerpoolAuthorization workerpoolAuth) {
+    public PreComputeResponse runTeePreCompute(final TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
-        final PreComputeResponse.PreComputeResponseBuilder preComputeResponseBuilder = PreComputeResponse.builder()
-                .isTeeTask(taskDescription.isTeeTask());
+        final PreComputeResponse.PreComputeResponseBuilder preComputeResponseBuilder = PreComputeResponse.builder();
 
         // verify enclave configuration for compute stage
         final TeeEnclaveConfiguration enclaveConfig = taskDescription.getAppEnclaveConfiguration();
@@ -122,37 +110,21 @@ public PreComputeResponse runTeePreCompute(TaskDescription taskDescription, Work
             preComputeResponseBuilder.exitCauses(List.of(new WorkflowError(ReplicateStatusCause.PRE_COMPUTE_INVALID_ENCLAVE_HEAP_CONFIGURATION)));
             return preComputeResponseBuilder.build();
         }
-        // create secure session
-        final TeeSessionGenerationResponse secureSession;
-        try {
-            secureSession = smsService.createTeeSession(workerpoolAuth);
-            if (secureSession == null) {
-                throw new TeeSessionGenerationException(UNKNOWN_ISSUE);
-            }
-            preComputeResponseBuilder.secureSession(secureSession);
-        } catch (TeeSessionGenerationException e) {
-            log.error("Failed to create TEE secure session [chainTaskId:{}]", chainTaskId, e);
-            return preComputeResponseBuilder
-                    .exitCauses(List.of(new WorkflowError(teeSessionGenerationErrorToReplicateStatusCause(e.getTeeSessionGenerationError()))))
-                    .build();
-        }
 
         // run TEE pre-compute container if needed
         if (taskDescription.requiresPreCompute()) {
             log.info("Task contains TEE input data [chainTaskId:{}, containsDataset:{}, containsInputFiles:{}, isBulkRequest:{}]",
                     chainTaskId, taskDescription.containsDataset(), taskDescription.containsInputFiles(), taskDescription.isBulkRequest());
-            final List<WorkflowError> exitCauses = downloadDatasetAndFiles(taskDescription, secureSession);
+            final List<WorkflowError> exitCauses = downloadDatasetAndFiles(taskDescription);
             preComputeResponseBuilder.exitCauses(exitCauses);
         }
 
         return preComputeResponseBuilder.build();
     }
 
-    private List<WorkflowError> downloadDatasetAndFiles(
-            final TaskDescription taskDescription,
-            final TeeSessionGenerationResponse secureSession) {
+    private List<WorkflowError> downloadDatasetAndFiles(final TaskDescription taskDescription) {
         try {
-            final Integer exitCode = prepareTeeInputData(taskDescription, secureSession);
+            final Integer exitCode = prepareTeeInputData(taskDescription);
             if (exitCode == null || exitCode != 0) {
                 final String chainTaskId = taskDescription.getChainTaskId();
                 final List<WorkflowError> exitCauses = getExitCauses(chainTaskId, exitCode);
@@ -179,33 +151,14 @@ private List<WorkflowError> getExitCauses(final String chainTaskId, final Intege
         };
     }
 
-
-    /**
-     * {@link TeeSessionGenerationError} and {@link ReplicateStatusCause} are dynamically bound
-     * such as {@code TeeSessionGenerationError.MEMBER_X == ReplicateStatusCause.TEE_SESSION_GENERATION_MEMBER_X}.
-     *
-     * @return {@literal null} if no member of {@link ReplicateStatusCause} matches,
-     * the matching member otherwise.
-     */
-    ReplicateStatusCause teeSessionGenerationErrorToReplicateStatusCause(TeeSessionGenerationError error) {
-        try {
-            return ReplicateStatusCause.valueOf("TEE_SESSION_GENERATION_" + error.name());
-        } catch (IllegalArgumentException e) {
-            return null;
-        }
-    }
-
     /**
      * Run tee-worker-pre-compute docker image. The pre-compute enclave downloads
      * the dataset and decrypts it for the compute stage. It also downloads input
      * files if requested.
      *
      * @return pre-compute exit code
      */
-    private Integer prepareTeeInputData(
-            TaskDescription taskDescription,
-            TeeSessionGenerationResponse secureSession)
-            throws TimeoutException {
+    private Integer prepareTeeInputData(final TaskDescription taskDescription) throws TimeoutException {
         String chainTaskId = taskDescription.getChainTaskId();
         log.info("Preparing tee input data [chainTaskId:{}]", chainTaskId);
 
@@ -221,7 +174,7 @@ private Integer prepareTeeInputData(
         }
         // run container
         List<String> env = teeServicesManager.getTeeService(taskDescription.getTeeFramework())
-                .buildPreComputeDockerEnv(taskDescription, secureSession);
+                .buildPreComputeDockerEnv(taskDescription);
         List<Bind> binds = Collections.singletonList(Bind.parse(dockerService.getInputBind(chainTaskId)));
         HostConfig hostConfig = HostConfig.newHostConfig()
                 .withBinds(binds)
@@ -244,15 +197,14 @@ private Integer prepareTeeInputData(
         }
         final DockerRunFinalStatus finalStatus = dockerResponse.getFinalStatus();
         if (finalStatus == DockerRunFinalStatus.TIMEOUT) {
-            log.error("Tee pre-compute container timed out" +
-                            " [chainTaskId:{}, maxExecutionTime:{}]",
+            log.error("Tee pre-compute container timed out [chainTaskId:{}, maxExecutionTime:{}]",
                     chainTaskId, taskDescription.getMaxExecutionTime());
             throw new TimeoutException("Tee pre-compute container timed out");
         }
         if (finalStatus == DockerRunFinalStatus.FAILED) {
             int exitCode = dockerResponse.getContainerExitCode();
-            log.error("Tee pre-compute container failed [chainTaskId:{}, " +
-                    "exitCode:{}]", chainTaskId, exitCode);
+            log.error("Tee pre-compute container failed [chainTaskId:{}, exitCode:{}]",
+                    chainTaskId, exitCode);
             return dockerResponse.getContainerExitCode();
         }
         log.info("Prepared tee input data successfully [chainTaskId:{}]", chainTaskId);