Validate authorization proof for pre/post-compute requests (#635)

Author: nabil-Tounarti

CHANGELOG.md

@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file.
 ### New Features
 
 - Use TEE framework version of dApp to retrieve pre/post-compute properties via SMS endpoint. (#630)
+- Validate authorization proof for pre/post-compute requests. (#635)
 
 ### Quality
 

src/main/java/com/iexec/worker/chain/ContributionService.java

@@ -19,11 +19,11 @@
 import com.iexec.common.contribution.Contribution;
 import com.iexec.common.replicate.ReplicateStatusCause;
 import com.iexec.common.result.ComputedFile;
-import com.iexec.common.worker.result.ResultUtils;
 import com.iexec.commons.poco.chain.*;
 import com.iexec.commons.poco.contract.generated.IexecHubContract;
 import com.iexec.commons.poco.task.TaskDescription;
 import com.iexec.commons.poco.utils.BytesUtils;
+import com.iexec.commons.poco.utils.HashUtils;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
@@ -153,8 +153,8 @@ public Contribution getContribution(ComputedFile computedFile) {
         }
 
         String resultDigest = computedFile.getResultDigest();
-        String resultHash = ResultUtils.computeResultHash(chainTaskId, resultDigest);
-        String resultSeal = ResultUtils.computeResultSeal(workerWalletAddress, chainTaskId, resultDigest);
+        String resultHash = HashUtils.concatenateAndHash(chainTaskId, resultDigest);
+        String resultSeal = HashUtils.concatenateAndHash(workerWalletAddress, chainTaskId, resultDigest);
         String workerpoolSignature = workerpoolAuthorization.getSignature().getValue();
         String enclaveChallenge = workerpoolAuthorization.getEnclaveChallenge();
         String enclaveSignature = computedFile.getEnclaveSignature();

src/main/java/com/iexec/worker/chain/WorkerpoolAuthorizationService.java

@@ -19,6 +19,7 @@
 import com.iexec.common.lifecycle.purge.ExpiringTaskMapFactory;
 import com.iexec.common.lifecycle.purge.Purgeable;
 import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
+import com.iexec.commons.poco.security.Signature;
 import com.iexec.commons.poco.utils.BytesUtils;
 import com.iexec.commons.poco.utils.HashUtils;
 import com.iexec.commons.poco.utils.SignatureUtils;
@@ -29,6 +30,7 @@
 import org.springframework.stereotype.Service;
 
 import java.util.Map;
+import java.util.NoSuchElementException;
 
 
 @Slf4j
@@ -77,6 +79,28 @@ WorkerpoolAuthorization getWorkerpoolAuthorization(final String chainTaskId) {
         return workerpoolAuthorizations.get(chainTaskId);
     }
 
+    public boolean isSignedWithEnclaveChallenge(final String chainTaskId, final String authorization) {
+        final WorkerpoolAuthorization workerpoolAuthorization = workerpoolAuthorizations.get(chainTaskId);
+        if (workerpoolAuthorization == null) {
+            throw new NoSuchElementException("Cant get workerpool authorization for chainTaskId: " + chainTaskId);
+        }
+        final String challenge = getChallenge(workerpoolAuthorization);
+        final Signature signature = new Signature(authorization);
+
+        return SignatureUtils.isSignatureValid(
+                BytesUtils.stringToBytes(challenge),
+                signature,
+                workerpoolAuthorization.getEnclaveChallenge()
+        );
+    }
+
+    private String getChallenge(final WorkerpoolAuthorization workerpoolAuthorization) {
+        return HashUtils.concatenateAndHash(
+                workerpoolAuthorization.getChainTaskId(),
+                workerpoolAuthorization.getWorkerWallet()
+        );
+    }
+
     /**
      * Try and remove workerpool authorization related to given task ID.
      *

src/main/java/com/iexec/worker/compute/ComputeController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,13 +19,13 @@
 
 import com.iexec.common.result.ComputedFile;
 import com.iexec.common.worker.api.ExitMessage;
+import com.iexec.worker.chain.WorkerpoolAuthorizationService;
 import com.iexec.worker.result.ResultService;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.NoSuchElementException;
 
 import static org.springframework.http.ResponseEntity.ok;
 
@@ -34,26 +34,42 @@ public class ComputeController {
 
     private final ComputeExitCauseService computeStageExitService;
     private final ResultService resultService;
+    private final WorkerpoolAuthorizationService workerpoolAuthorizationService;
 
-    public ComputeController(ComputeExitCauseService computeStageExitService,
-                             ResultService resultService) {
+    public ComputeController(final ComputeExitCauseService computeStageExitService,
+                             final ResultService resultService,
+                             final WorkerpoolAuthorizationService workerpoolAuthorizationService) {
         this.computeStageExitService = computeStageExitService;
         this.resultService = resultService;
+        this.workerpoolAuthorizationService = workerpoolAuthorizationService;
     }
 
     @PostMapping("/compute/{stage}/{chainTaskId}/exit")
     public ResponseEntity<Void> sendExitCauseForGivenComputeStage(
+            @RequestHeader("Authorization") String authorization,
             @PathVariable ComputeStage stage,
             @PathVariable String chainTaskId,
             @RequestBody ExitMessage exitMessage) {
-        if (exitMessage.getCause() == null) {
+        try {
+            if (!workerpoolAuthorizationService.isSignedWithEnclaveChallenge(chainTaskId, authorization)) {
+                return ResponseEntity
+                        .status(HttpStatus.UNAUTHORIZED.value())
+                        .build();
+            }
+        } catch (NoSuchElementException e) {
+            return ResponseEntity
+                    .status(HttpStatus.NOT_FOUND.value())
+                    .build();
+        }
+
+        if (exitMessage.cause() == null) {
             return ResponseEntity
                     .status(HttpStatus.BAD_REQUEST.value())
                     .build();
         }
         if (!computeStageExitService.setExitCause(stage,
                 chainTaskId,
-                exitMessage.getCause())) {
+                exitMessage.cause())) {
             return ResponseEntity
                     .status(HttpStatus.ALREADY_REPORTED.value())
                     .build();
@@ -65,8 +81,20 @@ public ResponseEntity<Void> sendExitCauseForGivenComputeStage(
             "/iexec_out/{chainTaskId}/computed", //@Deprecated
             "/compute/" + ComputeStage.POST_VALUE + "/{chainTaskId}/computed"
     })
-    public ResponseEntity<String> sendComputedFileForTee(@PathVariable String chainTaskId,
+    public ResponseEntity<String> sendComputedFileForTee(@RequestHeader("Authorization") String authorization,
+                                                         @PathVariable String chainTaskId,
                                                          @RequestBody ComputedFile computedFile) {
+        try {
+            if (!workerpoolAuthorizationService.isSignedWithEnclaveChallenge(chainTaskId, authorization)) {
+                return ResponseEntity
+                        .status(HttpStatus.UNAUTHORIZED.value())
+                        .build();
+            }
+        } catch (NoSuchElementException e) {
+            return ResponseEntity
+                    .status(HttpStatus.NOT_FOUND.value())
+                    .build();
+        }
         if (!chainTaskId.equals(computedFile.getTaskId())) {
             return ResponseEntity.status(HttpStatus.BAD_REQUEST.value()).build();
         }

src/test/java/com/iexec/worker/chain/ContributionServiceTests.java

@@ -18,10 +18,10 @@
 
 import com.iexec.common.contribution.Contribution;
 import com.iexec.common.result.ComputedFile;
-import com.iexec.common.worker.result.ResultUtils;
 import com.iexec.commons.poco.chain.*;
 import com.iexec.commons.poco.task.TaskDescription;
 import com.iexec.commons.poco.utils.BytesUtils;
+import com.iexec.commons.poco.utils.HashUtils;
 import com.iexec.commons.poco.utils.TestUtils;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -298,8 +298,8 @@ void getContribution() {
         String chainTaskId = "0x0000000000000000000000000000000000000000000000000000000000000001";
         String resultDigest = "0x0000000000000000000000000000000000000000000000000000000000000002";
 
-        String resultHash = ResultUtils.computeResultHash(chainTaskId, resultDigest);
-        String resultSeal = ResultUtils.computeResultSeal(Credentials.create(TestUtils.WORKER_PRIVATE).getAddress(), chainTaskId, resultDigest);
+        String resultHash = HashUtils.concatenateAndHash(chainTaskId, resultDigest);
+        String resultSeal = HashUtils.concatenateAndHash(Credentials.create(TestUtils.WORKER_PRIVATE).getAddress(), chainTaskId, resultDigest);
 
         WorkerpoolAuthorization teeWorkerpoolAuth = TestUtils.getTeeWorkerpoolAuth();
         when(workerpoolAuthorizationService.getWorkerpoolAuthorization(chainTaskId)).thenReturn(teeWorkerpoolAuth);
@@ -331,8 +331,8 @@ void getContributionWithTee() {
         String chainTaskId = "0x0000000000000000000000000000000000000000000000000000000000000002";
         String resultDigest = "0x0000000000000000000000000000000000000000000000000000000000000001";
 
-        String resultHash = ResultUtils.computeResultHash(chainTaskId, resultDigest);
-        String resultSeal = ResultUtils.computeResultSeal(Credentials.create(TestUtils.WORKER_PRIVATE).getAddress(), chainTaskId, resultDigest);
+        String resultHash = HashUtils.concatenateAndHash(chainTaskId, resultDigest);
+        String resultSeal = HashUtils.concatenateAndHash(Credentials.create(TestUtils.WORKER_PRIVATE).getAddress(), chainTaskId, resultDigest);
 
         WorkerpoolAuthorization teeWorkerpoolAuth = TestUtils.getTeeWorkerpoolAuth();
         teeWorkerpoolAuth.setEnclaveChallenge(TestUtils.ENCLAVE_ADDRESS);

src/test/java/com/iexec/worker/chain/WorkerpoolAuthorizationServiceTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2025 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,16 +19,23 @@
 import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
 import com.iexec.commons.poco.security.Signature;
 import com.iexec.commons.poco.utils.BytesUtils;
+import com.iexec.commons.poco.utils.HashUtils;
+import com.iexec.commons.poco.utils.SignatureUtils;
 import com.iexec.worker.config.SchedulerConfiguration;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.test.util.ReflectionTestUtils;
+import org.web3j.crypto.Credentials;
+import org.web3j.crypto.ECKeyPair;
+import org.web3j.crypto.Keys;
 
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.NoSuchElementException;
 
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
@@ -37,7 +44,7 @@
 
 @ExtendWith(MockitoExtension.class)
 class WorkerpoolAuthorizationServiceTests {
-    private static final String CHAIN_TASK_ID = "chainTaskId";
+    private static final String CHAIN_TASK_ID = "0xd94b63fc2d3ec4b96daf84b403bbafdc8c8517e8e2addd51fec0fa4e67801be8";
 
     @Mock
     private SchedulerConfiguration schedulerConfiguration;
@@ -125,6 +132,80 @@ void shouldPurgeAllTasksData() {
     }
     // endregion
 
+    // region getChallenge
+    @Test
+    void shouldGetChallenge() {
+        final WorkerpoolAuthorization workerpoolAuthorization = getWorkerpoolAuthorization();
+
+        final String expectedChallenge = HashUtils.concatenateAndHash(
+                workerpoolAuthorization.getChainTaskId(),
+                workerpoolAuthorization.getWorkerWallet()
+        );
+
+        final String challenge = ReflectionTestUtils.invokeMethod(
+                workerpoolAuthorizationService,
+                "getChallenge",
+                workerpoolAuthorization);
+
+        assertEquals(expectedChallenge, challenge);
+    }
+    // endregion
+
+    // region isSignedWithEnclaveChallenge
+    @Test
+    void shouldConfirmSignatureIsSignedWithEnclaveChallenge() throws Exception {
+        final ECKeyPair workerKeyPair = Keys.createEcKeyPair();
+        final Credentials workerCredentials = Credentials.create(workerKeyPair);
+        final String workerWallet = workerCredentials.getAddress();
+
+        final ECKeyPair enclaveKeyPair = Keys.createEcKeyPair();
+        final Credentials enclaveCredentials = Credentials.create(enclaveKeyPair);
+        final String enclaveWallet = enclaveCredentials.getAddress();
+
+        final WorkerpoolAuthorization workerpoolAuthorization = WorkerpoolAuthorization.builder()
+                .workerWallet(workerWallet)
+                .chainTaskId(CHAIN_TASK_ID)
+                .enclaveChallenge(enclaveWallet)
+                .build();
+
+        final Map<String, WorkerpoolAuthorization> workerpoolAuthorizations = new HashMap<>();
+        workerpoolAuthorizations.put(CHAIN_TASK_ID, workerpoolAuthorization);
+        ReflectionTestUtils.setField(workerpoolAuthorizationService, "workerpoolAuthorizations", workerpoolAuthorizations);
+
+        final String challenge = HashUtils.concatenateAndHash(CHAIN_TASK_ID, workerWallet);
+        final Signature signature = SignatureUtils.signMessageHashAndGetSignature(challenge, enclaveKeyPair);
+        final boolean isValid = workerpoolAuthorizationService.isSignedWithEnclaveChallenge(
+                CHAIN_TASK_ID,
+                signature.getValue());
+
+        assertTrue(isValid);
+    }
+
+    @Test
+    void shouldRejectSignatureNotSignedWithEnclaveChallenge() {
+        final WorkerpoolAuthorization workerpoolAuthorization = getWorkerpoolAuthorization();
+        final Map<String, WorkerpoolAuthorization> workerpoolAuthorizations = new HashMap<>();
+        workerpoolAuthorizations.put(workerpoolAuthorization.getChainTaskId(), workerpoolAuthorization);
+        ReflectionTestUtils.setField(workerpoolAuthorizationService, "workerpoolAuthorizations", workerpoolAuthorizations);
+
+        final Signature invalidSignature = SignatureUtils.signMessageHashAndGetSignature(
+                Arrays.toString(BytesUtils.stringToBytes("wrong-challenge")),
+                workerpoolAuthorization.getWorkerWallet()
+        );
+
+        assertFalse(workerpoolAuthorizationService.isSignedWithEnclaveChallenge(
+                workerpoolAuthorization.getChainTaskId(),
+                invalidSignature.toString()));
+    }
+
+    @Test
+    void shouldThrowExceptionWhenWorkerpoolAuthorizationNotFound() {
+        assertThrows(NoSuchElementException.class, () ->
+                workerpoolAuthorizationService.isSignedWithEnclaveChallenge(CHAIN_TASK_ID, "anySignature")
+        );
+    }
+    // endregion
+
     private WorkerpoolAuthorization getWorkerpoolAuthorization() {
         final String workerWallet = "0x748e091bf16048cb5103E0E10F9D5a8b7fBDd860";
         final String chainTaskId = "0xd94b63fc2d3ec4b96daf84b403bbafdc8c8517e8e2addd51fec0fa4e67801be8";