Avoid NullPointerException on empty enclave configuration during TEE pre-compute (#601)

Author: jbern0rd

CHANGELOG.md

@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file.
 - Fix `LoginServiceTests#shouldLoginOnceOnSimultaneousCalls` test. (#587)
 - Always use `WorkerpoolAuhorization` to retrieve JWT on Result Proxy. (#588)
 - Improve checks when receiving a `computed.json` file from a REST call. (#598)
+- Avoid `NullPointerException` on empty enclave configuration during TEE pre-compute. (#601)
 
 ### Quality
 

gradle.properties

@@ -3,7 +3,7 @@ iexecCommonVersion=8.4.0-NEXT-SNAPSHOT
 iexecCommonsContainersVersion=1.2.1
 iexecCommonsPocoVersion=3.2.0
 iexecResultVersion=8.4.0
-iexecSmsVersion=8.5.0
+iexecSmsVersion=8.5.1-NEXT-SNAPSHOT
 iexecCoreVersion=8.4.1-NEXT-SNAPSHOT
 nexusUser
 nexusPassword

src/main/java/com/iexec/worker/compute/pre/PreComputeService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,7 +50,6 @@
 import static com.iexec.common.replicate.ReplicateStatusCause.*;
 import static com.iexec.sms.api.TeeSessionGenerationError.UNKNOWN_ISSUE;
 
-
 @Slf4j
 @Service
 public class PreComputeService {
@@ -89,22 +88,29 @@ public PreComputeService(
      * If the task contains a dataset or some input files, the pre-compute enclave
      * is started to handle them.
      *
-     * @param taskDescription
-     * @param workerpoolAuth
+     * @param taskDescription Task description read on-chain
+     * @param workerpoolAuth  Workerpool authorization provided by scheduler
      * @return PreComputeResponse
      */
     public PreComputeResponse runTeePreCompute(TaskDescription taskDescription, WorkerpoolAuthorization workerpoolAuth) {
-        String chainTaskId = taskDescription.getChainTaskId();
+        final String chainTaskId = taskDescription.getChainTaskId();
         final PreComputeResponse.PreComputeResponseBuilder preComputeResponseBuilder = PreComputeResponse.builder()
                 .isTeeTask(taskDescription.isTeeTask());
 
         // verify enclave configuration for compute stage
-        TeeEnclaveConfiguration enclaveConfig = taskDescription.getAppEnclaveConfiguration();
+        final TeeEnclaveConfiguration enclaveConfig = taskDescription.getAppEnclaveConfiguration();
+        if (enclaveConfig == null) {
+            log.error("No enclave configuration found for task [chainTaskId:{}]", chainTaskId);
+            return preComputeResponseBuilder
+                    .exitCause(PRE_COMPUTE_MISSING_ENCLAVE_CONFIGURATION)
+                    .build();
+        }
         if (!enclaveConfig.getValidator().isValid()) {
             log.error("Invalid enclave configuration [chainTaskId:{}, violations:{}]",
                     chainTaskId, enclaveConfig.getValidator().validate().toString());
-            preComputeResponseBuilder.exitCause(PRE_COMPUTE_INVALID_ENCLAVE_CONFIGURATION);
-            return preComputeResponseBuilder.build();
+            return preComputeResponseBuilder
+                    .exitCause(PRE_COMPUTE_INVALID_ENCLAVE_CONFIGURATION)
+                    .build();
         }
         long teeComputeMaxHeapSize = DataSize
                 .ofGigabytes(workerConfigService.getTeeComputeMaxHeapSizeGb())
@@ -117,8 +123,7 @@ public PreComputeResponse runTeePreCompute(TaskDescription taskDescription, Work
             return preComputeResponseBuilder.build();
         }
         // create secure session
-        TeeSessionGenerationResponse secureSession = null;
-        TeeSessionGenerationError teeSessionGenerationError = null;
+        final TeeSessionGenerationResponse secureSession;
         try {
             secureSession = smsService.createTeeSession(workerpoolAuth);
             if (secureSession == null) {
@@ -127,16 +132,15 @@ public PreComputeResponse runTeePreCompute(TaskDescription taskDescription, Work
             preComputeResponseBuilder.secureSession(secureSession);
         } catch (TeeSessionGenerationException e) {
             log.error("Failed to create TEE secure session [chainTaskId:{}]", chainTaskId, e);
-            teeSessionGenerationError = e.getTeeSessionGenerationError();
-            preComputeResponseBuilder.exitCause(teeSessionGenerationErrorToReplicateStatusCause(e.getTeeSessionGenerationError()));
+            return preComputeResponseBuilder
+                    .exitCause(teeSessionGenerationErrorToReplicateStatusCause(e.getTeeSessionGenerationError()))
+                    .build();
         }
 
         // run TEE pre-compute container if needed
-        if (teeSessionGenerationError == null &&
-                (taskDescription.containsDataset() || taskDescription.containsInputFiles())) {
-            log.info("Task contains TEE input data [chainTaskId:{}, containsDataset:{}, " +
-                            "containsInputFiles:{}]", chainTaskId, taskDescription.containsDataset(),
-                    taskDescription.containsInputFiles());
+        if (taskDescription.containsDataset() || taskDescription.containsInputFiles()) {
+            log.info("Task contains TEE input data [chainTaskId:{}, containsDataset:{}, containsInputFiles:{}]",
+                    chainTaskId, taskDescription.containsDataset(), taskDescription.containsInputFiles());
             final ReplicateStatusCause exitCause = downloadDatasetAndFiles(taskDescription, secureSession);
             preComputeResponseBuilder.exitCause(exitCause);
         }
@@ -152,8 +156,8 @@ private ReplicateStatusCause downloadDatasetAndFiles(
             if (exitCode == null || exitCode != 0) {
                 String chainTaskId = taskDescription.getChainTaskId();
                 ReplicateStatusCause exitCause = getExitCause(chainTaskId, exitCode);
-                log.error("Failed to prepare TEE input data [chainTaskId:{}, " +
-                        "exitCode:{}, exitCause:{}]", chainTaskId, exitCode, exitCause);
+                log.error("Failed to prepare TEE input data [chainTaskId:{}, exitCode:{}, exitCause:{}]",
+                        chainTaskId, exitCode, exitCause);
                 return exitCause;
             }
         } catch (TimeoutException e) {

src/main/java/com/iexec/worker/executor/TaskManagerService.java

@@ -228,11 +228,11 @@ private ReplicateActionResponse triggerPostComputeHookOnError(String chainTaskId
 
     ReplicateActionResponse compute(TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
-        Optional<ReplicateStatusCause> oErrorStatus =
-                contributionService.getCannotContributeStatusCause(chainTaskId);
-        String context = "compute";
-        if (oErrorStatus.isPresent()) {
-            return getFailureResponseAndPrintError(oErrorStatus.get(), context, chainTaskId);
+        final ReplicateStatusCause errorStatus = contributionService.getCannotContributeStatusCause(chainTaskId)
+                .orElse(null);
+        final String context = "compute";
+        if (errorStatus != null) {
+            return getFailureResponseAndPrintError(errorStatus, context, chainTaskId);
         }
 
         if (!computeManagerService.isAppDownloaded(taskDescription.getAppUri())) {
@@ -255,13 +255,11 @@ ReplicateActionResponse compute(TaskDescription taskDescription) {
                 computeManagerService.runPreCompute(taskDescription,
                         workerpoolAuthorization);
         if (!preResponse.isSuccessful()) {
-            final ReplicateActionResponse failureResponseAndPrintError;
-            failureResponseAndPrintError = getFailureResponseAndPrintError(
+            return getFailureResponseAndPrintError(
                     preResponse.getExitCause(),
                     context,
                     chainTaskId
             );
-            return failureResponseAndPrintError;
         }
 
         AppComputeResponse appResponse =

src/test/java/com/iexec/worker/compute/pre/PreComputeServiceTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -56,6 +56,7 @@
 
 import static com.iexec.common.replicate.ReplicateStatusCause.*;
 import static com.iexec.sms.api.TeeSessionGenerationError.*;
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
 
@@ -241,38 +242,47 @@ void shouldRunTeePreComputeAndPrepareInputDataWhenOnlyInputFilesArePresent() thr
     }
 
     @Test
-    void shouldFailToRunTeePreComputeSinceInvalidEnclaveConfiguration() throws TeeSessionGenerationException {
+    void shouldFailToRunTeePreComputeSinceMissingEnclaveConfiguration() {
+        final TaskDescription taskDescription = taskDescriptionBuilder.appEnclaveConfiguration(null).build();
+
+        final PreComputeResponse response = preComputeService.runTeePreCompute(taskDescription, workerpoolAuthorization);
+        assertThat(response.isSuccessful()).isFalse();
+        assertThat(response.getExitCause()).isEqualTo(PRE_COMPUTE_MISSING_ENCLAVE_CONFIGURATION);
+        verifyNoInteractions(smsService);
+    }
+
+    @Test
+    void shouldFailToRunTeePreComputeSinceInvalidEnclaveConfiguration() {
         final TeeEnclaveConfiguration enclaveConfig = TeeEnclaveConfiguration.builder().build();
         final TaskDescription taskDescription = taskDescriptionBuilder.appEnclaveConfiguration(enclaveConfig).build();
-        Assertions.assertThat(enclaveConfig.getValidator().isValid()).isFalse();
+        assertThat(enclaveConfig.getValidator().isValid()).isFalse();
 
         final PreComputeResponse response = preComputeService.runTeePreCompute(taskDescription, workerpoolAuthorization);
-        Assertions.assertThat(response.isSuccessful()).isFalse();
-        Assertions.assertThat(response.getExitCause()).isEqualTo(PRE_COMPUTE_INVALID_ENCLAVE_CONFIGURATION);
-        verify(smsService, never()).createTeeSession(workerpoolAuthorization);
+        assertThat(response.isSuccessful()).isFalse();
+        assertThat(response.getExitCause()).isEqualTo(PRE_COMPUTE_INVALID_ENCLAVE_CONFIGURATION);
+        verifyNoInteractions(smsService);
     }
 
     @Test
-    void shouldFailToRunTeePreComputeSinceTooHighComputeHeapSize() throws TeeSessionGenerationException {
+    void shouldFailToRunTeePreComputeSinceTooHighComputeHeapSize() {
         final TeeEnclaveConfiguration enclaveConfiguration = TeeEnclaveConfiguration.builder()
                 .fingerprint("01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b")
                 .heapSize(DataSize.ofGigabytes(8).toBytes() + 1)
                 .entrypoint("python /app/app.py")
                 .build();
         final TaskDescription taskDescription = taskDescriptionBuilder.appEnclaveConfiguration(enclaveConfiguration).build();
 
-        Assertions.assertThat(preComputeService.runTeePreCompute(taskDescription, workerpoolAuthorization).isSuccessful())
+        assertThat(preComputeService.runTeePreCompute(taskDescription, workerpoolAuthorization).isSuccessful())
                 .isFalse();
-        verify(smsService, never()).createTeeSession(workerpoolAuthorization);
+        verifyNoInteractions(smsService);
     }
 
     @Test
     void shouldFailToRunTeePreComputeSinceCantCreateTeeSession() throws TeeSessionGenerationException {
         final TaskDescription taskDescription = taskDescriptionBuilder.build();
+        when(smsService.createTeeSession(workerpoolAuthorization)).thenReturn(null);
 
-        when(smsService.createTeeSession(workerpoolAuthorization)).thenReturn(secureSession);
-
-        Assertions.assertThat(preComputeService.runTeePreCompute(taskDescription, workerpoolAuthorization).isSuccessful())
+        assertThat(preComputeService.runTeePreCompute(taskDescription, workerpoolAuthorization).isSuccessful())
                 .isFalse();
         verify(smsService).createTeeSession(workerpoolAuthorization);
         verify(teeMockedService, never()).buildPreComputeDockerEnv(any(), any());
@@ -394,14 +404,12 @@ static Stream<Arguments> teeSessionGenerationErrorMap() {
                 // Secure session generation
                 Arguments.of(SECURE_SESSION_STORAGE_CALL_FAILED, TEE_SESSION_GENERATION_SECURE_SESSION_STORAGE_CALL_FAILED),
                 Arguments.of(SECURE_SESSION_GENERATION_FAILED, TEE_SESSION_GENERATION_SECURE_SESSION_GENERATION_FAILED),
-                Arguments.of(SECURE_SESSION_NO_TEE_PROVIDER, TEE_SESSION_GENERATION_SECURE_SESSION_NO_TEE_PROVIDER),
-                Arguments.of(SECURE_SESSION_UNKNOWN_TEE_PROVIDER, TEE_SESSION_GENERATION_SECURE_SESSION_UNKNOWN_TEE_PROVIDER),
+                Arguments.of(SECURE_SESSION_NO_TEE_FRAMEWORK, TEE_SESSION_GENERATION_SECURE_SESSION_NO_TEE_FRAMEWORK),
 
                 // Miscellaneous
                 Arguments.of(GET_TASK_DESCRIPTION_FAILED, TEE_SESSION_GENERATION_GET_TASK_DESCRIPTION_FAILED),
                 Arguments.of(NO_SESSION_REQUEST, TEE_SESSION_GENERATION_NO_SESSION_REQUEST),
                 Arguments.of(NO_TASK_DESCRIPTION, TEE_SESSION_GENERATION_NO_TASK_DESCRIPTION),
-                Arguments.of(GET_SESSION_FAILED, TEE_SESSION_GENERATION_GET_SESSION_FAILED),
 
                 Arguments.of(UNKNOWN_ISSUE, TEE_SESSION_GENERATION_UNKNOWN_ISSUE)
         );