Merge pull request #303 from iExecBlockchainComputing/feature/sms-auth

Clean old sms legacy

Author: zguesmi

src/main/java/com/iexec/worker/docker/ComputationService.java

@@ -159,16 +159,13 @@ public boolean runTeeComputation(TaskDescription taskDescription,
             return false;
         }
 
-        String secureSessionId = sconeTeeService.createSconeSecureSession(contributionAuth);
-
-        log.info("Secure session created [chainTaskId:{}, secureSessionId:{}]", chainTaskId, secureSessionId);
-
+        String secureSessionId = smsService.createTeeSession(contributionAuth);
         if (secureSessionId.isEmpty()) {
-            String msg = "Could not generate scone secure session for tee computation";
-            log.error(msg + " [chainTaskId:{}]", chainTaskId);
+            log.error("Cannot compute TEE task without secure session [chainTaskId:{}]", chainTaskId);
             return false;
         }
 
+        log.info("Secure session created [chainTaskId:{}, secureSessionId:{}]", chainTaskId, secureSessionId);
         ArrayList<String> sconeAppEnv = sconeTeeService.buildSconeDockerEnv(secureSessionId + "/app",
                 publicConfigService.getSconeCasURL(), "1G");
         ArrayList<String> sconeUploaderEnv = sconeTeeService.buildSconeDockerEnv(secureSessionId + "/post-compute",

src/main/java/com/iexec/worker/feign/CustomSmsFeignClient.java

@@ -1,26 +1,29 @@
 package com.iexec.worker.feign.client;
 
 
-import com.iexec.common.sms.SmsRequest;
+import com.iexec.common.chain.ContributionAuthorization;
 import com.iexec.common.sms.secrets.SmsSecretResponse;
 import com.iexec.worker.feign.config.FeignConfiguration;
 
-import feign.FeignException;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 
+import feign.FeignException;
 
 @FeignClient(name = "SmsClient",
         url = "#{publicConfigurationService.smsURL}",
         configuration = FeignConfiguration.class)
 public interface SmsClient {
 
     @PostMapping("/untee/secrets")
-    ResponseEntity<SmsSecretResponse> getUnTeeSecrets(@RequestBody SmsRequest smsRequest) throws FeignException;
+    ResponseEntity<SmsSecretResponse> getUnTeeSecrets(@RequestHeader("Authorization") String authorization,
+                                                      @RequestBody ContributionAuthorization contributionAuth) throws FeignException;
 
     @PostMapping("/tee/sessions")
-    ResponseEntity<String> generateTeeSession(@RequestBody SmsRequest smsRequest) throws FeignException;
+    ResponseEntity<String> createTeeSession(@RequestHeader("Authorization") String authorization,
+                                              @RequestBody ContributionAuthorization contributionAuth) throws FeignException;
 
 }

src/main/java/com/iexec/worker/feign/client/SmsClient.java

@@ -3,24 +3,17 @@
 import java.util.Optional;
 
 import com.iexec.common.chain.ContributionAuthorization;
-import com.iexec.common.security.Signature;
 import com.iexec.common.sms.secrets.SmsSecret;
-import com.iexec.common.sms.SmsRequest;
-import com.iexec.common.sms.SmsRequestData;
-import com.iexec.common.sms.scone.SconeSecureSessionResponse.SconeSecureSession;
 import com.iexec.common.sms.secrets.SmsSecretResponse;
 import com.iexec.common.sms.secrets.TaskSecrets;
-import com.iexec.common.utils.BytesUtils;
 import com.iexec.common.utils.FileHelper;
-import com.iexec.common.utils.HashUtils;
 import com.iexec.worker.chain.CredentialsService;
-import com.iexec.worker.feign.CustomSmsFeignClient;
+import com.iexec.worker.feign.client.SmsClient;
 
 import org.springframework.http.ResponseEntity;
 import org.springframework.retry.annotation.Recover;
 import org.springframework.retry.annotation.Retryable;
 import org.springframework.stereotype.Service;
-import org.web3j.crypto.Sign;
 
 import feign.FeignException;
 import lombok.extern.slf4j.Slf4j;
@@ -31,22 +24,23 @@
 public class SmsService {
 
     private CredentialsService credentialsService;
-    private CustomSmsFeignClient customSmsFeignClient;
+    private SmsClient smsClient;
 
-    public SmsService(CredentialsService credentialsService, CustomSmsFeignClient customSmsFeignClient) {
+    public SmsService(CredentialsService credentialsService, SmsClient smsClient) {
         this.credentialsService = credentialsService;
-        this.customSmsFeignClient = customSmsFeignClient;
+        this.smsClient = smsClient;
     }
 
     @Retryable(value = FeignException.class)
     public Optional<TaskSecrets> fetchTaskSecrets(ContributionAuthorization contributionAuth) {
         String chainTaskId = contributionAuth.getChainTaskId();
+        String authorization = getAuthorizationString(contributionAuth);
+        ResponseEntity<SmsSecretResponse> response = smsClient.getUnTeeSecrets(authorization, contributionAuth);
+        if (!response.getStatusCode().is2xxSuccessful()) {
+            return Optional.empty();
+        }
 
-        SmsRequest smsRequest = buildSmsRequest(contributionAuth);
-
-        SmsSecretResponse smsResponse = customSmsFeignClient.getUnTeeSecrets(smsRequest);
-
-
+        SmsSecretResponse smsResponse = response.getBody();
         if (smsResponse == null) {
             log.error("Received null response from SMS [chainTaskId:{}]", chainTaskId);
             return Optional.empty();
@@ -69,11 +63,10 @@ public Optional<TaskSecrets> fetchTaskSecrets(ContributionAuthorization contribu
     }
 
     @Recover
-    private boolean fetchTaskSecrets(FeignException e, ContributionAuthorization contributionAuth) {
-        log.error("Failed to get task secrets from SMS [chainTaskId:{}, attempts:3]",
-                contributionAuth.getChainTaskId());
-        e.printStackTrace();
-        return false;
+    private Optional<TaskSecrets> fetchTaskSecrets(FeignException e, ContributionAuthorization contributionAuth) {
+        log.error("Failed to get task secrets from SMS [chainTaskId:{}, httpStatus:{}, exception:{}, attempts:3]",
+                contributionAuth.getChainTaskId(), e.status(), e.getMessage());
+        return Optional.empty();
     }
 
     public void saveSecrets(String chainTaskId,
@@ -109,43 +102,21 @@ public void saveSecrets(String chainTaskId,
     }
 
     @Retryable(value = FeignException.class)
-    public String getSconeSecureSession(ContributionAuthorization contributionAuth) {
-        String chainTaskId = contributionAuth.getChainTaskId();
-        SmsRequest smsRequest = buildSmsRequest(contributionAuth);
-
-        String sessionId = customSmsFeignClient.generateTeeSession(smsRequest);
-
-        if (sessionId.isEmpty()) {
-            log.error("Received null session from SMS [chainTaskId:{}]", chainTaskId);
-            return "";
-        }
-
-        return sessionId;
+    public String createTeeSession(ContributionAuthorization contributionAuth) {
+        String authorization = getAuthorizationString(contributionAuth);
+        ResponseEntity<String> response = smsClient.createTeeSession(authorization, contributionAuth);
+        return response.getStatusCode().is2xxSuccessful() ? response.getBody() : "";
     }
 
     @Recover
-    private String getSconeSecureSession(FeignException e, ContributionAuthorization contributionAuth) {
-        log.error("Failed to generate secure session [chainTaskId:{}, attempts:3]",
-                contributionAuth.getChainTaskId());
-        e.printStackTrace();
+    private String createTeeSession(FeignException e, ContributionAuthorization contributionAuth) {
+        log.error("Failed to create secure session [chainTaskId:{}, httpStatus:{}, exception:{}, attempts:3]",
+                contributionAuth.getChainTaskId(), e.status(), e.getMessage());
         return "";
     }
 
-    public SmsRequest buildSmsRequest(ContributionAuthorization contributionAuth) {
-        String hash = HashUtils.concatenateAndHash(contributionAuth.getWorkerWallet(),
-                contributionAuth.getChainTaskId(), contributionAuth.getEnclaveChallenge());
-
-        Sign.SignatureData workerSignature = Sign.signPrefixedMessage(
-                BytesUtils.stringToBytes(hash), credentialsService.getCredentials().getEcKeyPair());
-
-        SmsRequestData smsRequestData = SmsRequestData.builder()
-            .chainTaskId(contributionAuth.getChainTaskId())
-            .workerAddress(contributionAuth.getWorkerWallet())
-            .enclaveChallenge(contributionAuth.getEnclaveChallenge())
-            .coreSignature(contributionAuth.getSignature().getValue())
-            .workerSignature(new Signature(workerSignature).getValue())
-            .build();
-
-        return new SmsRequest(smsRequestData);
+    private String getAuthorizationString(ContributionAuthorization contributionAuth) {
+        String challenge = contributionAuth.getHash();
+        return credentialsService.hashAndSignMessage(challenge).getValue();
     }
-}
+}

src/main/java/com/iexec/worker/sms/SmsService.java

@@ -4,16 +4,10 @@
 
 import javax.annotation.PreDestroy;
 
-import com.iexec.common.chain.ContributionAuthorization;
-import com.iexec.common.security.Signature;
-import com.iexec.common.utils.BytesUtils;
-import com.iexec.common.utils.HashUtils;
-import com.iexec.common.utils.SignatureUtils;
 import com.iexec.worker.docker.CustomDockerClient;
 import com.iexec.worker.docker.DockerExecutionConfig;
 import com.iexec.worker.docker.DockerExecutionResult;
 import com.iexec.worker.sgx.SgxService;
-import com.iexec.worker.sms.SmsService;
 
 import org.springframework.stereotype.Service;
 
@@ -24,27 +18,15 @@
 @Service
 public class SconeTeeService {
 
-    // metadata file used by scone enclave. It contains the hash and encryption key
-    // for each file in the protected filesystem regions.
-    private static final String FSPF_FILENAME = "volume.fspf";
-
-    // beneficiary public key used when encrypting result
-    private static final String BENEFICIARY_KEY_FILENAME = "public.key";
-
-    private boolean isLasStarted;
-
     private SconeLasConfiguration sconeLasConfig;
     private CustomDockerClient customDockerClient;
-    private SmsService smsService;
+    private boolean isLasStarted;
 
     public SconeTeeService(SconeLasConfiguration sconeLasConfig,
                            CustomDockerClient customDockerClient,
-                           SgxService sgxService,
-                           SmsService smsService) {
-
+                           SgxService sgxService) {
         this.sconeLasConfig = sconeLasConfig;
         this.customDockerClient = customDockerClient;
-        this.smsService = smsService;
         isLasStarted = sgxService.isSgxEnabled() ? startLasService() : false;
     }
 
@@ -78,17 +60,6 @@ private boolean startLasService() {
         return true;
     }
 
-    public String createSconeSecureSession(ContributionAuthorization contributionAuth) {
-
-        // generate secure session
-        String sessionId = smsService.getSconeSecureSession(contributionAuth);
-        if (sessionId.isEmpty()) {
-            return "";
-        }
-
-        return sessionId;
-    }
-
     public ArrayList<String> buildSconeDockerEnv(String sconeConfigId, String sconeCasUrl, String sconeHeap) {
         SconeConfig sconeConfig = SconeConfig.builder()
                 .sconeLasAddress(sconeLasConfig.getUrl())
@@ -100,12 +71,6 @@ public ArrayList<String> buildSconeDockerEnv(String sconeConfigId, String sconeC
         return sconeConfig.toDockerEnv();
     }
 
-    public boolean isEnclaveSignatureValid(String resultHash, String resultSeal,
-                                           Signature enclaveSignature, String enclaveAddress) {
-        byte[] message = BytesUtils.stringToBytes(HashUtils.concatenateAndHash(resultHash, resultSeal));
-        return SignatureUtils.isSignatureValid(message, enclaveSignature, enclaveAddress);
-    }
-
     @PreDestroy
     void stopLasService() {
         if (isLasStarted) {

src/main/java/com/iexec/worker/tee/scone/SconeTeeService.java

@@ -154,7 +154,7 @@ public void shouldComputeTeeTask() {
         ArrayList<String> stubSconeEnv = new ArrayList<>();
         stubSconeEnv.add("fooBar");
 
-        when(sconeTeeService.createSconeSecureSession(any()))
+        when(smsService.createTeeSession(any()))
                 .thenReturn(awesomeSessionId);
         when(sconeTeeService.buildSconeDockerEnv(any(), any(), any())).thenReturn(stubSconeEnv);
         when(customDockerClient.pullImage(anyString(), anyString())).thenReturn(true);
@@ -173,7 +173,7 @@ public void shouldNotComputeTeeTaskSinceFailedToCreateSconeSession() {
         TaskDescription task = getStubTaskDescription(false);
         ContributionAuthorization contributionAuth = getStubAuth(TEE_ENCLAVE_CHALLENGE);
 
-        when(sconeTeeService.createSconeSecureSession(any()))
+        when(smsService.createTeeSession(any()))
                 .thenReturn("");
 
         boolean isComputed = computationService.runTeeComputation(task, contributionAuth);
@@ -186,7 +186,7 @@ public void shouldNotComputeTeeTaskSinceFailedToBuildSconeDockerEnv() {
         ContributionAuthorization contributionAuth = getStubAuth(TEE_ENCLAVE_CHALLENGE);
         String awesomeSessionId = "awesomeSessionId";
 
-        when(sconeTeeService.createSconeSecureSession(any()))
+        when(smsService.createTeeSession(any()))
                 .thenReturn(awesomeSessionId);
         when(sconeTeeService.buildSconeDockerEnv(any(), any(), any())).thenReturn(new ArrayList<>());
 
@@ -202,7 +202,7 @@ public void shouldNotComputeTeeTaskSinceFirstRunFailed() {
         ArrayList<String> stubSconeEnv = new ArrayList<>();
         stubSconeEnv.add("fooBar");
 
-        when(sconeTeeService.createSconeSecureSession(any()))
+        when(smsService.createTeeSession(any()))
                 .thenReturn(awesomeSessionId);
         when(sconeTeeService.buildSconeDockerEnv(any(), any(), any())).thenReturn(stubSconeEnv);
         when(customDockerClient.execute(any())).thenReturn(DockerExecutionResult.failure());