From a4ed204eeb7f462eaa4a46d40ae15271aa9142d7 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Tue, 29 Nov 2022 21:14:09 +0100
Subject: [PATCH] go/worker/keymanager: Show current key manager policy in the node status
---
 .changelog/5079.feature.md | 1 +
 go/worker/keymanager/api/api.go | 6 ++++++
 go/worker/keymanager/status.go | 2 ++
 go/worker/keymanager/worker.go | 7 ++++++-
 4 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/5079.feature.md
diff --git a/.changelog/5079.feature.md b/.changelog/5079.feature.md
new file mode 100644
index 00000000000..9d36b4a67f2
--- /dev/null
+++ b/.changelog/5079.feature.md
@@ -0,0 +1 @@
+go/worker/keymanager: Show current key manager policy in the node status
diff --git a/go/worker/keymanager/api/api.go b/go/worker/keymanager/api/api.go
index 41db53673c3..a103e6da533 100644
--- a/go/worker/keymanager/api/api.go
+++ b/go/worker/keymanager/api/api.go
@@ -6,6 +6,7 @@ import (
 "github.com/libp2p/go-libp2p/core"
 "github.com/oasisprotocol/oasis-core/go/common"
+ "github.com/oasisprotocol/oasis-core/go/keymanager/api"
 )
 // StatusState is the concise status state of the key manager worker.
@@ -97,4 +98,9 @@ type Status struct {
 AccessList []RuntimeAccessList `json:"access_list"`
 // PrivatePeers is a list of peers that are always allowed to call protected methods.
 PrivatePeers []core.PeerID `json:"private_peers"`
+
+ // Policy is the key manager policy.
+ Policy *api.SignedPolicySGX `json:"signed_policy"`
+ // PolicyChecksum is the checksum of the key manager policy.
+ PolicyChecksum []byte `json:"policy_checksum"`
 }
diff --git a/go/worker/keymanager/status.go b/go/worker/keymanager/status.go
index f50dc6de7ad..1233d21829d 100644
--- a/go/worker/keymanager/status.go
+++ b/go/worker/keymanager/status.go
@@ -70,5 +70,7 @@ func (w *Worker) GetStatus(ctx context.Context) (*api.Status, error) {
 ClientRuntimes: rts,
 AccessList: al,
 PrivatePeers: ps,
+ Policy: w.policy,
+ PolicyChecksum: w.policyChecksum,
 }, nil
 }
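Review bot: In the `Status` struct hunk of api/api.go, the JSON key for `Policy` is `signed_policy`, while every other field visible in the hunk uses a key that mirrors its Go name (`access_list`, `private_peers`, `policy_checksum`), and the doc comments do not mention the difference. They also leave out that `Policy` is a pointer and will presumably serialize as `null` until a policy has been seen. I would write `// Policy is the signed key manager policy (JSON key "signed_policy"); nil when no policy is known.` and `// PolicyChecksum is the policy checksum as reported by the key manager enclave.`, the second wording being based on the assignment in worker.go's updateStatus. The `Status` struct begins outside this hunk.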
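Review bot: In the status.go hunk, `w.policy` and `w.policyChecksum` are read while building the returned status, and the worker.go change writes them under `w.Lock()` in updateStatus, so this read has to happen with the worker's lock held. GetStatus begins outside the hunk, so whether it does cannot be seen from here and should be confirmed. The status also hands out the worker's own `[]byte` and `*api.SignedPolicySGX` instead of copies, so an in-process caller that mutates the returned status would alter the cached state. If that matters, `PolicyChecksum: append([]byte(nil), w.policyChecksum...),` removes the aliasing for the slice.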
diff --git a/go/worker/keymanager/worker.go b/go/worker/keymanager/worker.go
index 38c98c0d930..02c14e2f12b 100644
--- a/go/worker/keymanager/worker.go
+++ b/go/worker/keymanager/worker.go
@@ -87,6 +87,9 @@ type Worker struct { // nolint: maligned
 enclaveStatus *api.SignedInitResponse
 backend api.Backend
+ policy *api.SignedPolicySGX
+ policyChecksum []byte
+ enabled bool
 mayGenerate bool
 }
@@ -338,11 +341,13 @@ func (w *Worker) updateStatus(status *api.Status, runtimeStatus *runtimeStatus)
 return nil
 })
- // Cache the key manager enclave status.
+ // Cache the key manager enclave status and the currently active policy.
 w.Lock()
 defer w.Unlock()
 w.enclaveStatus = &signedInitResp
+ w.policy = status.Policy
+ w.policyChecksum = signedInitResp.InitResponse.PolicyChecksum
 return nil
 }
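Review bot: In the updateStatus hunk the two cached values come from different sources, `w.policy` from the `status` argument and `w.policyChecksum` from the enclave's `signedInitResp`, and nothing in the hunk checks that the checksum belongs to that policy. That may be deliberate, since a mismatch in the node status would tell an operator that the enclave has not loaded the current policy, but then the comment should say so, e.g. `// policy comes from the key manager status, policyChecksum from the enclave's init response; the two can differ until the enclave has applied the current policy.` Whether `signedInitResp` has been verified before this point, and whether earlier error returns leave the previous policy and checksum cached, depends on the part of updateStatus that lies outside the hunk.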