From 9fba6d1a380b63d6634e4a3bcb038706795ebc1a Mon Sep 17 00:00:00 2001 
From: Francisco Silva Date: Mon, 7 Oct 2024 16:43:28 +0000 Subject: [PATCH] injecting OnChainEncryptionKeyRepository and parentchain header to the stf executor --- tee-worker/Cargo.lock | 6 + .../core-primitives/ocall-api/Cargo.toml | 1 + .../core-primitives/ocall-api/src/lib.rs | 3 + .../core-primitives/ocall-api/src/mock.rs | 100 +++++++++ .../core-primitives/stf-interface/Cargo.toml | 14 +- .../core-primitives/stf-interface/src/lib.rs | 29 ++- .../stf-interface/src/mocks.rs | 33 ++- .../common/core-primitives/test/Cargo.toml | 2 +- .../core-primitives/test/src/mock/stf_mock.rs | 44 +++- tee-worker/identity/app-libs/stf/Cargo.toml | 4 + .../identity/app-libs/stf/src/stf_sgx.rs | 45 +++- .../identity/app-libs/stf/src/trusted_call.rs | 18 +- .../core-primitives/stf-executor/Cargo.toml | 1 + .../stf-executor/src/executor.rs | 199 ++++++++++++++---- .../stf-executor/src/executor_tests.rs | 15 +- .../core-primitives/stf-executor/src/mocks.rs | 6 +- .../stf-executor/src/traits.rs | 6 +- .../offchain-worker-executor/src/executor.rs | 14 +- .../identity/enclave-runtime/Cargo.lock | 6 + .../src/initialization/global_components.rs | 8 +- .../parentchain/integritee_parachain.rs | 14 +- .../parentchain/integritee_solochain.rs | 14 +- .../parentchain/target_a_parachain.rs | 18 +- .../parentchain/target_a_solochain.rs | 18 +- .../parentchain/target_b_parachain.rs | 18 +- .../parentchain/target_b_solochain.rs | 18 +- .../src/test/enclave_signer_tests.rs | 23 +- .../src/test/fixtures/test_setup.rs | 18 +- .../enclave-runtime/src/test/mocks/types.rs | 7 +- .../src/test/sidechain_aura_tests.rs | 1 + .../src/test/sidechain_event_tests.rs | 1 + .../enclave-runtime/src/test/tests_main.rs | 41 +++- .../enclave-runtime/src/top_pool_execution.rs | 2 +- .../consensus/aura/src/proposer_factory.rs | 25 ++- .../consensus/aura/src/slot_proposer.rs | 24 ++- 35 files changed, 659 insertions(+), 137 deletions(-) create mode 100644 tee-worker/common/core-primitives/ocall-api/src/mock.rs 
diff --git a/tee-worker/Cargo.lock b/tee-worker/Cargo.lock index 59fe636326..111a01a78a 100644 --- a/tee-worker/Cargo.lock +++ b/tee-worker/Cargo.lock @@ -3394,6 +3394,8 @@ dependencies = [ "itp-node-api", "itp-node-api-metadata", "itp-node-api-metadata-provider", + "itp-ocall-api", + "itp-sgx-crypto", "itp-sgx-externalities", "itp-stf-interface", "itp-stf-primitives", @@ -3604,6 +3606,7 @@ dependencies = [ "itp-ocall-api", "itp-sgx-crypto", "itp-sgx-externalities", + "itp-sgx-io", "itp-stf-interface", "itp-stf-primitives", "itp-stf-state-handler", @@ -4326,9 +4329,12 @@ version = "0.8.0" dependencies = [ "itp-node-api-metadata", "itp-node-api-metadata-provider", + "itp-ocall-api", + "itp-sgx-crypto", "itp-stf-primitives", "itp-types", "parity-scale-codec", + "sp-runtime", ] [[package]] diff --git a/tee-worker/common/core-primitives/ocall-api/Cargo.toml b/tee-worker/common/core-primitives/ocall-api/Cargo.toml index 655bedbc9a..e678a539bc 100644 --- a/tee-worker/common/core-primitives/ocall-api/Cargo.toml +++ b/tee-worker/common/core-primitives/ocall-api/Cargo.toml @@ -27,3 +27,4 @@ std = [ "itp-storage/std", "itp-types/std", ] +mocks = [] diff --git a/tee-worker/common/core-primitives/ocall-api/src/lib.rs b/tee-worker/common/core-primitives/ocall-api/src/lib.rs index d4a0a9b944..e3168a19cf 100644 --- a/tee-worker/common/core-primitives/ocall-api/src/lib.rs +++ b/tee-worker/common/core-primitives/ocall-api/src/lib.rs @@ -17,6 +17,9 @@ #![cfg_attr(not(feature = "std"), no_std)] +#[cfg(feature = "mocks")] +pub mod mock; + pub extern crate alloc; use alloc::{string::String, vec::Vec}; diff --git a/tee-worker/common/core-primitives/ocall-api/src/mock.rs b/tee-worker/common/core-primitives/ocall-api/src/mock.rs new file mode 100644 index 0000000000..c746865a93 --- /dev/null +++ b/tee-worker/common/core-primitives/ocall-api/src/mock.rs 
@@ -0,0 +1,100 @@ +/* + Copyright 2021 Integritee AG and Supercomputing Systems AG + Copyright (C) 2017-2019 Baidu, Inc. All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +*/ +use crate::{EnclaveOnChainOCallApi, Error as OCallApiError}; +use alloc::{collections::BTreeMap, string::String, vec::Vec}; +use codec::{Decode, Encode}; +use core::fmt::Debug; +use itp_storage::Error::StorageValueUnavailable; +use itp_types::{ + parentchain::ParentchainId, storage::StorageEntryVerified, AccountId, BlockHash, + ShardIdentifier, WorkerRequest, WorkerResponse, WorkerType, +}; +use sgx_types::*; +use sp_core::H256; +use sp_runtime::{traits::Header as HeaderTrait, OpaqueExtrinsic}; +use sp_std::prelude::*; + +#[derive(Default, Clone, Debug)] +pub struct OnchainMock { + inner: BTreeMap, Vec>, +} + +impl OnchainMock { + pub fn get_at_header>( + &self, + header: &Header, + key: &[u8], + ) -> Option<&Vec> { + let key_with_header = (header, key).encode(); + self.inner.get(&key_with_header) + } +} + +impl EnclaveOnChainOCallApi for OnchainMock { + fn send_to_parentchain( + &self, + _extrinsics: Vec, + _: &ParentchainId, + _: bool, + ) -> SgxResult<()> { + Ok(()) + } + + fn worker_request( + &self, + _req: Vec, + _: &ParentchainId, + ) -> SgxResult>> { + Ok(Vec::new()) + } + + fn get_storage_verified, V: Decode>( + &self, + storage_hash: Vec, + header: &Header, + parentchain_id: &ParentchainId, + ) -> Result, OCallApiError> { + 
self.get_multiple_storages_verified(vec![storage_hash], header, parentchain_id)? + .into_iter() + .next() + .ok_or_else(|| OCallApiError::Storage(StorageValueUnavailable)) + } + + fn get_multiple_storages_verified, V: Decode>( + &self, + storage_hashes: Vec>, + header: &Header, + _: &ParentchainId, + ) -> Result>, OCallApiError> { + let mut entries = Vec::with_capacity(storage_hashes.len()); + for hash in storage_hashes.into_iter() { + let value = self + .get_at_header(header, &hash) + .map(|val| Decode::decode(&mut val.as_slice())) + .transpose() + .map_err(OCallApiError::Codec)?; + + entries.push(StorageEntryVerified::new(hash, value)) + } + Ok(entries) + } + + fn get_storage_keys(&self, _key_prefix: Vec) -> Result>, OCallApiError> { + Ok(Default::default()) + } +} diff --git a/tee-worker/common/core-primitives/stf-interface/Cargo.toml b/tee-worker/common/core-primitives/stf-interface/Cargo.toml index a46749521d..bd3cddfbf5 100644 --- a/tee-worker/common/core-primitives/stf-interface/Cargo.toml +++ b/tee-worker/common/core-primitives/stf-interface/Cargo.toml @@ -11,6 +11,10 @@ itp-node-api-metadata = { workspace = true, features = ["mocks"] } itp-node-api-metadata-provider = { workspace = true } itp-stf-primitives = { workspace = true } itp-types = { workspace = true } +itp-ocall-api = { workspace = true } +itp-sgx-crypto = { workspace = true } + +sp-runtime = { workspace = true } [features] default = ["std"] @@ -19,6 +23,12 @@ std = [ "itp-node-api-metadata-provider/std", "itp-stf-primitives/std", "itp-types/std", + "itp-sgx-crypto/std", +] +sgx = [ + "itp-sgx-crypto/sgx", +] +mocks = [ + "itp-ocall-api/mocks", + "itp-sgx-crypto/mocks", ] -sgx = [] -mocks = [] diff --git a/tee-worker/common/core-primitives/stf-interface/src/lib.rs b/tee-worker/common/core-primitives/stf-interface/src/lib.rs index 179adf6504..40692790c7 100644 --- a/tee-worker/common/core-primitives/stf-interface/src/lib.rs +++ b/tee-worker/common/core-primitives/stf-interface/src/lib.rs 
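Review bot: `OnchainMock` in the new `mock.rs` has no doc comment, and its `get_storage_verified` / `get_multiple_storages_verified` return whatever `inner` holds without checking any storage proof against `header`, so the type should say it is test-only. A line such as `/// Test-only OCall stand-in: values are returned as stored, no storage proof is checked against the header.` above the struct would make that explicit. Within this file `inner` is private and nothing inserts into it, so every lookup yields `None`. If tests are meant to seed values, an insert helper keyed the same way as `get_at_header` (`(header, key).encode()`) is missing. The test crate already has its own `onchain_mock::OnchainMock` (imported by `stf_mock.rs` in this patch), so two unrelated types now share the name.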
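Review bot: The `std` feature in `stf-interface/Cargo.toml` gains `"itp-sgx-crypto/std"` but nothing for the two other dependencies added in this file, `itp-ocall-api` and `sp-runtime`. `itp-ocall-api` does define a `std` feature (visible in its own Cargo.toml earlier in this patch). If the workspace entries are declared with `default-features = false` (not visible here), a `std` build of this crate gets those two in std mode only through feature unification from some other crate. Adding `"itp-ocall-api/std",` and `"sp-runtime/std",` to `std` makes the crate build the same way on its own. The `app-libs/stf/Cargo.toml` hunks later in the patch have the same gap for `itp-ocall-api`.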
@@ -27,11 +27,15 @@ use codec::{Decode, Encode}; use core::fmt::Debug; use itp_node_api_metadata::NodeMetadataTrait; use itp_node_api_metadata_provider::AccessNodeMetadata; +use itp_ocall_api::EnclaveOnChainOCallApi; +// TODO: use Aes256 when available +use itp_sgx_crypto::{aes::Aes, key_repository::AccessKey}; use itp_stf_primitives::traits::TrustedCallVerification; use itp_types::{ parentchain::{BlockHash, BlockNumber, ParentchainCall, ParentchainId}, ShardIdentifier, H256, }; +use sp_runtime::traits::Header as HeaderTrait; #[cfg(feature = "mocks")] pub mod mocks; @@ -62,11 +66,20 @@ pub trait UpdateState { } /// Interface to execute state mutating calls on a state. -pub trait StateCallInterface -where +pub trait StateCallInterface< + TCS, + State, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, +> where NodeMetadataRepository: AccessNodeMetadata, NodeMetadataRepository::MetadataType: NodeMetadataTrait, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, + OCallApi: EnclaveOnChainOCallApi, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Error: Encode; type Result: StfExecutionResult; @@ -77,6 +90,7 @@ where /// 1. add a parameter to pass the top_hash around /// 2. returns the encoded rpc response value field that should be passed /// back to the requester when the call is triggered synchronously + // #[allow(clippy::too_many_arguments)] fn execute_call( state: &mut State, shard: &ShardIdentifier, @@ -84,6 +98,9 @@ where top_hash: H256, calls: &mut Vec, node_metadata_repo: Arc, + ocall_api: Arc, + parentchain_header: &PH, + on_chain_encryption_key_repo: Arc, ) -> Result; } 
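Review bot: The three parameters added to `StateCallInterface::execute_call` are undocumented, and the attribute above the function is left commented out as `// #[allow(clippy::too_many_arguments)]`. The signature is now well past clippy's default argument limit, so either enable the attribute with a one-line reason or delete the line. The doc comment should also state what the caller must guarantee: that `parentchain_header` is a header the light client has already validated, since a storage read through `ocall_api` is presumably only as trustworthy as the header it is checked against, and that `on_chain_encryption_key_repo` gives the call access to key material. `ExecuteCall::execute` in the later hunk of this file takes the same three parameters and needs the same documentation. The trait body continues outside these hunks.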
@@ -94,10 +111,13 @@ pub trait StateGetterInterface { } /// Trait used to abstract the call execution. -pub trait ExecuteCall +pub trait ExecuteCall where NodeMetadataRepository: AccessNodeMetadata, NodeMetadataRepository::MetadataType: NodeMetadataTrait, + OCallApi: EnclaveOnChainOCallApi, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Error: Encode; type Result: StfExecutionResult; @@ -112,6 +132,9 @@ where top_hash: H256, calls: &mut Vec, node_metadata_repo: Arc, + ocall_api: Arc, + parentchain_header: &PH, + on_chain_encryption_key_repo: Arc, ) -> Result; /// Get storages hashes that should be updated for a specific call. diff --git a/tee-worker/common/core-primitives/stf-interface/src/mocks.rs b/tee-worker/common/core-primitives/stf-interface/src/mocks.rs index 44bda77d36..1e2810b5a1 100644 --- a/tee-worker/common/core-primitives/stf-interface/src/mocks.rs +++ b/tee-worker/common/core-primitives/stf-interface/src/mocks.rs @@ -27,11 +27,18 @@ use codec::{Decode, Encode}; use core::{fmt::Debug, marker::PhantomData}; use itp_node_api_metadata::metadata_mocks::NodeMetadataMock; use itp_node_api_metadata_provider::NodeMetadataRepository; +use itp_ocall_api::mock::OnchainMock; +// TODO: use Aes256 when available +use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes}; use itp_stf_primitives::traits::TrustedCallVerification; use itp_types::{ parentchain::{ParentchainCall, ParentchainId}, AccountId, Index, ShardIdentifier, H256, }; +use sp_runtime::{generic::Header, traits::BlakeTwo256}; + +type BlockNumber = u32; +pub type ParentchainHeader = Header; #[derive(Default)] pub struct StateInterfaceMock { 
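Review bot: `ExecuteCall::execute` now hands every trusted call a shared handle to an `OCallApi` bounded by `EnclaveOnChainOCallApi`. Judging by the mock implementation in this patch, that trait includes `send_to_parentchain` and `worker_request`, not only the verified storage reads. That gives call handlers a second route to the parentchain beside the `calls` out-parameter that the executor controls. If handlers only need `get_storage_verified`, a narrower read-only trait bound would keep the executor as the single place that emits extrinsics; otherwise the trait docs should say that handlers must not send extrinsics directly. The same bound is added to `StateCallInterface` in the earlier hunk of this file.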
@@ -56,8 +63,15 @@ impl UpdateState for StateInterfaceMock StateCallInterface> - for StateInterfaceMock +impl + StateCallInterface< + TCS, + State, + NodeMetadataRepository, + OnchainMock, + ParentchainHeader, + KeyRepositoryMock, + > for StateInterfaceMock where TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, { @@ -71,6 +85,9 @@ where _top_hash: H256, _calls: &mut Vec, _node_metadata_repo: Arc>, + _ocall_api: Arc, + _parentchain_header: &ParentchainHeader, + _key_repository: Arc>, ) -> Result { unimplemented!() } @@ -100,7 +117,14 @@ impl SystemPalletAccountInterface pub struct CallExecutorMock; -impl ExecuteCall> for CallExecutorMock { +impl + ExecuteCall< + NodeMetadataRepository, + OnchainMock, + ParentchainHeader, + KeyRepositoryMock, + > for CallExecutorMock +{ type Error = String; type Result = (); @@ -110,6 +134,9 @@ impl ExecuteCall> for CallExecutorMock _top_hash: H256, _calls: &mut Vec, _node_metadata_repo: Arc>, + _ocall_api: Arc, + _parentchain_header: &ParentchainHeader, + _key_repository: Arc>, ) -> Result<(), Self::Error> { unimplemented!() } diff --git a/tee-worker/common/core-primitives/test/Cargo.toml b/tee-worker/common/core-primitives/test/Cargo.toml index a738a22b15..acfa543348 100644 --- a/tee-worker/common/core-primitives/test/Cargo.toml +++ b/tee-worker/common/core-primitives/test/Cargo.toml @@ -20,7 +20,7 @@ sp-std = { workspace = true } itp-node-api = { workspace = true } itp-node-api-metadata-provider = { workspace = true } itp-ocall-api = { workspace = true } -itp-sgx-crypto = { workspace = true } +itp-sgx-crypto = { workspace = true, features = ["mocks"] } itp-sgx-externalities = { workspace = true } itp-stf-interface = { workspace = true } itp-stf-primitives = { workspace = true } diff --git a/tee-worker/common/core-primitives/test/src/mock/stf_mock.rs b/tee-worker/common/core-primitives/test/src/mock/stf_mock.rs index 40b9225761..9d5c29022d 100644 
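Review bot: In `test/Cargo.toml`, `features = ["mocks"]` is now set unconditionally on `itp-sgx-crypto`, in what appears to be the regular dependency list. Any build graph that contains this crate therefore compiles `KeyRepositoryMock` into `itp-sgx-crypto` through Cargo feature unification. That is harmless if `itp-test` is only ever a dev-dependency or sits behind a test feature of the enclave crates, which this patch does not show; otherwise mock key handling ends up in a production artifact. Consider routing it through a feature of this crate, e.g. `mocks = ["itp-sgx-crypto/mocks"]`, or add a comment above the line stating that this crate must never be a normal dependency of enclave code.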
--- a/tee-worker/common/core-primitives/test/src/mock/stf_mock.rs +++ b/tee-worker/common/core-primitives/test/src/mock/stf_mock.rs @@ -14,11 +14,14 @@ limitations under the License. */ +use super::onchain_mock::OnchainMock; use alloc::{boxed::Box, sync::Arc}; use codec::{Decode, Encode}; use core::fmt::Debug; use itp_node_api::metadata::metadata_mocks::NodeMetadataMock; use itp_node_api_metadata_provider::NodeMetadataRepository; +// TODO: use Aes256 when available +use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes}; use itp_sgx_externalities::{SgxExternalities, SgxExternalitiesDiffType, SgxExternalitiesTrait}; use itp_stf_interface::{ runtime_upgrade::RuntimeUpgradeInterface, ExecuteCall, InitState, StateCallInterface, @@ -37,14 +40,18 @@ use itp_types::{ use litentry_primitives::{Identity, LitentryMultiSignature}; use log::*; use sp_core::{sr25519, Pair}; -use sp_runtime::transaction_validity::{ - TransactionValidityError, UnknownTransaction, ValidTransaction, +use sp_runtime::{ + generic::Header, + traits::BlakeTwo256, + transaction_validity::{TransactionValidityError, UnknownTransaction, ValidTransaction}, }; use sp_std::{vec, vec::Vec}; use std::{thread::sleep, time::Duration}; // a few dummy types type NodeMetadataRepositoryMock = NodeMetadataRepository; +type BlockNumber = u32; +pub type ParentchainHeader = Header; #[derive(Debug, PartialEq, Eq, Encode)] pub enum StfMockError { @@ -63,8 +70,15 @@ impl UpdateState for StfMock { } } -impl StateCallInterface - for StfMock +impl + StateCallInterface< + TrustedCallSignedMock, + SgxExternalities, + NodeMetadataRepositoryMock, + OnchainMock, + ParentchainHeader, + KeyRepositoryMock, + > for StfMock { type Error = StfMockError; type Result = (); 
@@ -76,8 +90,21 @@ impl StateCallInterface, node_metadata_repo: Arc, + ocall_api: Arc, + parentchain_header: &ParentchainHeader, + key_repository: Arc>, ) -> Result<(), Self::Error> { - state.execute_with(|| call.execute(shard, top_hash, calls, node_metadata_repo)) + state.execute_with(|| { + call.execute( + shard, + top_hash, + calls, + node_metadata_repo, + ocall_api, + parentchain_header, + key_repository, + ) + }) } } @@ -170,7 +197,9 @@ impl Default for TrustedCallSignedMock { } } -impl ExecuteCall for TrustedCallSignedMock { +impl ExecuteCall> + for TrustedCallSignedMock +{ type Error = StfMockError; type Result = (); @@ -180,6 +209,9 @@ impl ExecuteCall for TrustedCallSignedMock { _top_hash: H256, _calls: &mut Vec, _node_metadata_repo: Arc, + _ocall_api: Arc, + _parentchain_header: &ParentchainHeader, + _on_chain_encryption_key_repo: Arc>, ) -> Result<(), Self::Error> { match self.call { TrustedCallMock::noop(_) => Ok(()), diff --git a/tee-worker/identity/app-libs/stf/Cargo.toml b/tee-worker/identity/app-libs/stf/Cargo.toml index 02b7067a1b..5926804de1 100644 --- a/tee-worker/identity/app-libs/stf/Cargo.toml +++ b/tee-worker/identity/app-libs/stf/Cargo.toml @@ -23,6 +23,8 @@ itp-stf-primitives = { workspace = true } itp-storage = { workspace = true } itp-types = { workspace = true } itp-utils = { workspace = true } +itp-ocall-api = { workspace = true } +itp-sgx-crypto = { workspace = true } ita-sgx-runtime = { package = "id-ita-sgx-runtime", path = "../sgx-runtime", default-features = false } sp-io = { path = "../../../common/core-primitives/substrate-sgx/sp-io", default-features = false, features = ["disable_oom", "disable_panic_handler", "disable_allocator"] } @@ -57,6 +59,7 @@ sgx = [ "litentry-primitives/sgx", "lc-stf-task-sender/sgx", "itp-node-api-metadata-provider/sgx", + "itp-sgx-crypto/sgx", ] std = [ "codec/std", 
@@ -80,6 +83,7 @@ std = [ "litentry-primitives/std", "lc-stf-task-sender/std", "itp-node-api-metadata-provider/std", + "itp-sgx-crypto/std", ] test = [] development = [ diff --git a/tee-worker/identity/app-libs/stf/src/stf_sgx.rs b/tee-worker/identity/app-libs/stf/src/stf_sgx.rs index 7e99061839..c6436bffb9 100644 --- a/tee-worker/identity/app-libs/stf/src/stf_sgx.rs +++ b/tee-worker/identity/app-libs/stf/src/stf_sgx.rs @@ -28,6 +28,9 @@ use ita_sgx_runtime::{ Executive, ParentchainInstanceLitentry, ParentchainInstanceTargetA, ParentchainInstanceTargetB, }; use itp_node_api::metadata::{provider::AccessNodeMetadata, NodeMetadataTrait}; +use itp_ocall_api::EnclaveOnChainOCallApi; +// TODO: use Aes256 when available +use itp_sgx_crypto::{aes::Aes, key_repository::AccessKey}; use itp_sgx_externalities::SgxExternalitiesTrait; use itp_stf_interface::{ parentchain_pallet::ParentchainPalletInstancesInterface, @@ -47,7 +50,7 @@ use itp_types::{ }; use itp_utils::stringify::account_id_to_string; use log::*; -use sp_runtime::traits::StaticLookup; +use sp_runtime::traits::{Header as HeaderTrait, StaticLookup}; impl InitState for Stf where @@ -134,11 +137,27 @@ where } } -impl - StateCallInterface for Stf +impl< + TCS, + G, + State, + Runtime, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + > + StateCallInterface< + TCS, + State, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + > for Stf where TCS: PartialEq - + ExecuteCall + + ExecuteCall + Encode + Decode + Debug @@ -149,6 +168,9 @@ where State: SgxExternalitiesTrait + Debug, NodeMetadataRepository: AccessNodeMetadata, NodeMetadataRepository::MetadataType: NodeMetadataTrait, + OCallApi: EnclaveOnChainOCallApi, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Error = TCS::Error; type Result = TCS::Result; 
@@ -160,8 +182,21 @@ where top_hash: H256, calls: &mut Vec, node_metadata_repo: Arc, + ocall_api: Arc, + parentchain_header: &PH, + on_chain_encryption_key_repo: Arc, ) -> Result { - state.execute_with(|| call.execute(shard, top_hash, calls, node_metadata_repo)) + state.execute_with(|| { + call.execute( + shard, + top_hash, + calls, + node_metadata_repo, + ocall_api, + parentchain_header, + on_chain_encryption_key_repo, + ) + }) } } diff --git a/tee-worker/identity/app-libs/stf/src/trusted_call.rs b/tee-worker/identity/app-libs/stf/src/trusted_call.rs index 0fc8c6f11c..525b3ef521 100644 --- a/tee-worker/identity/app-libs/stf/src/trusted_call.rs +++ b/tee-worker/identity/app-libs/stf/src/trusted_call.rs @@ -39,6 +39,9 @@ pub use ita_sgx_runtime::{ }; use itp_node_api::metadata::{provider::AccessNodeMetadata, NodeMetadataTrait}; use itp_node_api_metadata::{pallet_imp::IMPCallIndexes, pallet_vcmp::VCMPCallIndexes}; +use itp_ocall_api::EnclaveOnChainOCallApi; +// TODO: use Aes256 when available +use itp_sgx_crypto::{key_repository::AccessKey, Aes}; use itp_stf_interface::ExecuteCall; use itp_stf_primitives::{ error::StfError, @@ -62,7 +65,10 @@ use sp_core::{ ed25519, }; use sp_io::hashing::blake2_256; -use sp_runtime::{traits::ConstU32, BoundedVec, MultiAddress}; +use sp_runtime::{ + traits::{ConstU32, Header as HeaderTrait}, + BoundedVec, MultiAddress, +}; pub type IMTCall = ita_sgx_runtime::IdentityManagementCall; pub type IMT = ita_sgx_runtime::pallet_identity_management_tee::Pallet; @@ -339,10 +345,15 @@ impl TrustedCallVerification for TrustedCallSigned { } } -impl ExecuteCall for TrustedCallSigned +impl + ExecuteCall + for TrustedCallSigned where NodeMetadataRepository: AccessNodeMetadata, NodeMetadataRepository::MetadataType: NodeMetadataTrait, + OCallApi: EnclaveOnChainOCallApi, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Error = StfError; type Result = TrustedCallResult; 
@@ -386,6 +397,9 @@ where top_hash: H256, calls: &mut Vec, node_metadata_repo: Arc, + _ocall_api: Arc, + _parentchain_header: &PH, + _on_chain_encryption_key_repo: Arc, ) -> Result { let sender = self.call.sender_identity().clone(); let account_id: AccountId = sender.to_account_id().ok_or(Self::Error::InvalidAccount)?; diff --git a/tee-worker/identity/core-primitives/stf-executor/Cargo.toml b/tee-worker/identity/core-primitives/stf-executor/Cargo.toml index e77096f69e..21d5576966 100644 --- a/tee-worker/identity/core-primitives/stf-executor/Cargo.toml +++ b/tee-worker/identity/core-primitives/stf-executor/Cargo.toml @@ -21,6 +21,7 @@ itp-stf-state-handler = { workspace = true } itp-stf-state-observer = { workspace = true } itp-time-utils = { workspace = true } itp-types = { workspace = true } +itp-sgx-io = { workspace = true } itp-top-pool-author = { package = "id-itp-top-pool-author", path = "../top-pool-author", default-features = false } diff --git a/tee-worker/identity/core-primitives/stf-executor/src/executor.rs b/tee-worker/identity/core-primitives/stf-executor/src/executor.rs index ffc6d92fce..3e98e06214 100644 --- a/tee-worker/identity/core-primitives/stf-executor/src/executor.rs +++ b/tee-worker/identity/core-primitives/stf-executor/src/executor.rs @@ -24,6 +24,8 @@ use codec::{Decode, Encode}; use itp_enclave_metrics::EnclaveMetric; use itp_node_api::metadata::{provider::AccessNodeMetadata, NodeMetadataTrait}; use itp_ocall_api::{EnclaveAttestationOCallApi, EnclaveMetricsOCallApi, EnclaveOnChainOCallApi}; +// TODO: use Aes256 when available +use itp_sgx_crypto::{aes::Aes, key_repository::AccessKey}; use itp_sgx_externalities::{SgxExternalitiesTrait, StateHash}; use itp_stf_interface::{ parentchain_pallet::ParentchainPalletInstancesInterface, 
@@ -36,7 +38,7 @@ use itp_stf_primitives::{ use itp_stf_state_handler::{handle_state::HandleState, query_shard_state::QueryShardState}; use itp_time_utils::duration_now; use itp_types::{ - parentchain::{Header as ParentchainHeader, ParentchainCall, ParentchainId}, + parentchain::{ParentchainCall, ParentchainId}, storage::StorageEntryVerified, H256, }; @@ -47,20 +49,46 @@ use std::{ time::Duration, vec, vec::Vec, }; -pub struct StfExecutor -where +pub struct StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, +> where TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, { ocall_api: Arc, state_handler: Arc, node_metadata_repo: Arc, - _phantom: PhantomData<(Stf, TCS, G)>, + on_chain_encryption_key_repository: Arc, + _phantom: PhantomData<(Stf, TCS, G, PH)>, } -impl - StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > + StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi + EnclaveMetricsOCallApi, StateHandler: HandleState, StateHandler::StateT: SgxExternalitiesTrait + Encode, 
@@ -69,19 +97,42 @@ where Stf: UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, - > + StateCallInterface, + > + StateCallInterface< + TCS, + StateHandler::StateT, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + >, ::SgxExternalitiesDiffType: IntoIterator, Option>)> + From, Option>>>, - >::Error: Debug, + >::Error: Debug, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { pub fn new( ocall_api: Arc, state_handler: Arc, node_metadata_repo: Arc, + on_chain_encryption_key_repository: Arc, ) -> Self { - StfExecutor { ocall_api, state_handler, node_metadata_repo, _phantom: PhantomData } + StfExecutor { + ocall_api, + state_handler, + node_metadata_repo, + on_chain_encryption_key_repository, + _phantom: PhantomData, + } } /// Execute a trusted call on the STF @@ -90,17 +141,14 @@ where /// an invalid trusted call, which results in `Ok(ExecutionStatus::Failure)`. The latter /// can be used to remove the trusted call from a queue. In the former case we might keep the /// trusted call and just re-try the operation. - fn execute_trusted_call_on_stf( + fn execute_trusted_call_on_stf( &self, state: &mut StateHandler::StateT, trusted_operation: &TrustedOperation, - _header: &PH, + parentchain_header: &PH, shard: &ShardIdentifier, post_processing: StatePostProcessing, - ) -> Result> - where - PH: HeaderTrait, - { + ) -> Result> { debug!("query mrenclave of self"); let mrenclave = self.ocall_api.get_mrenclave_of_self()?; @@ -132,6 +180,9 @@ where trusted_operation.hash(), &mut extrinsic_call_backs, self.node_metadata_repo.clone(), + self.ocall_api.clone(), + parentchain_header, + self.on_chain_encryption_key_repository.clone(), ) { Err(e) => { if let Err(e) = 
@@ -180,10 +231,26 @@ where } } -impl - StfUpdateState - for StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > StfUpdateState + for StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi, StateHandler: HandleState + QueryShardState, StateHandler::StateT: SgxExternalitiesTrait + Encode, @@ -191,21 +258,18 @@ where Stf: UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, - > + ParentchainPalletInstancesInterface, + > + ParentchainPalletInstancesInterface, ::SgxExternalitiesDiffType: IntoIterator, Option>)>, - >::Error: - Debug, + >::Error: Debug, ::SgxExternalitiesDiffType: From, Option>>>, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { - fn update_states( - &self, - header: &ParentchainHeader, - parentchain_id: &ParentchainId, - ) -> Result<()> { + fn update_states(&self, header: &PH, parentchain_id: &ParentchainId) -> Result<()> { debug!("Update STF storage upon block import!"); let storage_hashes = Stf::storage_hashes_to_update_on_block(parentchain_id); 
@@ -245,28 +309,46 @@ where } } -impl - StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > + StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where ::SgxExternalitiesDiffType: From, Option>>> + IntoIterator, Option>)>, - >::Error: - Debug, + >::Error: Debug, NodeMetadataRepository: AccessNodeMetadata, OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi, StateHandler: HandleState + QueryShardState, StateHandler::StateT: Encode + SgxExternalitiesTrait, - Stf: ParentchainPalletInstancesInterface + Stf: ParentchainPalletInstancesInterface + UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, >, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { fn initialize_new_shards( &self, - header: &ParentchainHeader, + header: &PH, state_diff_update: &BTreeMap, Option>>, shards: &Vec, ) -> Result<()> { @@ -295,9 +377,26 @@ where } } -impl StateUpdateProposer - for StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > StateUpdateProposer + for StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi + EnclaveMetricsOCallApi, StateHandler: HandleState, StateHandler::StateT: SgxExternalitiesTrait + Encode + StateHash, 
@@ -307,20 +406,35 @@ where Stf: UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, - > + StateCallInterface - + RuntimeUpgradeInterface, + > + StateCallInterface< + TCS, + StateHandler::StateT, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + > + RuntimeUpgradeInterface, ::SgxExternalitiesDiffType: IntoIterator, Option>)>, ::SgxExternalitiesDiffType: From, Option>>>, - >::Error: Debug, + >::Error: Debug, >::Error: Debug, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Externalities = StateHandler::StateT; - fn propose_state_update( + fn propose_state_update( &self, trusted_calls: &[TrustedOperation], header: &PH, @@ -329,7 +443,6 @@ where prepare_state_function: F, ) -> Result> where - PH: HeaderTrait, F: FnOnce(Self::Externalities) -> Self::Externalities, { let ends_at = duration_now() + max_exec_duration; diff --git a/tee-worker/identity/core-primitives/stf-executor/src/executor_tests.rs b/tee-worker/identity/core-primitives/stf-executor/src/executor_tests.rs index 2eb0185bcd..b4249d5e49 100644 --- a/tee-worker/identity/core-primitives/stf-executor/src/executor_tests.rs +++ b/tee-worker/identity/core-primitives/stf-executor/src/executor_tests.rs 
@@ -18,9 +18,12 @@ use crate::{executor::StfExecutor, traits::StateUpdateProposer}; use codec::Encode; use itc_parentchain_test::ParentchainHeaderBuilder; +// TODO: use Aes256 when available use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; use itp_ocall_api::EnclaveAttestationOCallApi; +use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes}; use itp_sgx_externalities::{SgxExternalities as State, SgxExternalitiesTrait}; +use itp_sgx_io::SealedIO; use itp_stf_primitives::{traits::TrustedCallSigning, types::ShardIdentifier}; use itp_stf_state_handler::handle_state::HandleState; use itp_test::mock::{ @@ -28,7 +31,7 @@ use itp_test::mock::{ onchain_mock::OnchainMock, stf_mock::{GetterMock, StfMock, TrustedCallMock, TrustedCallSignedMock}, }; -use itp_types::H256; +use itp_types::{parentchain::Header as ParentchainHeader, H256}; use sp_core::{ed25519, Pair}; use sp_runtime::app_crypto::sp_core::blake2_256; use std::{sync::Arc, time::Duration, vec}; @@ -244,6 +247,8 @@ fn stf_executor() -> ( StfMock, TrustedCallSignedMock, GetterMock, + ParentchainHeader, + KeyRepositoryMock, >, Arc, Arc, @@ -251,7 +256,13 @@ fn stf_executor() -> ( let ocall_api = Arc::new(OnchainMock::default()); let state_handler = Arc::new(HandleStateMock::default()); let node_metadata_repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); - let executor = StfExecutor::new(ocall_api.clone(), state_handler.clone(), node_metadata_repo); + let encryption_key_repository = Arc::new(KeyRepositoryMock::new(Aes::default())); + let executor = StfExecutor::new( + ocall_api.clone(), + state_handler.clone(), + node_metadata_repo, + encryption_key_repository, + ); (executor, ocall_api, state_handler) } diff --git a/tee-worker/identity/core-primitives/stf-executor/src/mocks.rs b/tee-worker/identity/core-primitives/stf-executor/src/mocks.rs index d328a2e24e..96a554501b 100644 --- a/tee-worker/identity/core-primitives/stf-executor/src/mocks.rs 
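Review bot: The added `// TODO: use Aes256 when available` ends up above `use itp_node_api::metadata::…`, while the `Aes` it refers to is imported a few lines further down in `use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes};`. Attach it to that import (for example as a trailing comment on `Aes`, as the other test files in this patch do) so it stays next to the type it is about. The new `use itp_sgx_io::SealedIO;` is not referenced in any hunk of this file that is visible here, so it may be an unused import; worth confirming before merge. In `stf_executor()`, a short comment such as `// test-only key: Aes::default() must never back a production repository` would record why a default-constructed key is acceptable there.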
+++ b/tee-worker/identity/core-primitives/stf-executor/src/mocks.rs @@ -59,15 +59,16 @@ impl StfExecutorMock { } } -impl StateUpdateProposer for StfExecutorMock +impl StateUpdateProposer for StfExecutorMock where State: SgxExternalitiesTrait + Encode + Clone, TCS: PartialEq + Encode + Decode + Clone + Debug + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Clone + Debug + Send + Sync, + PH: HeaderTrait, { type Externalities = State; - fn propose_state_update( + fn propose_state_update( &self, trusted_calls: &[TrustedOperation], _header: &PH, @@ -76,7 +77,6 @@ where prepare_state_function: F, ) -> Result> where - PH: HeaderTrait, F: FnOnce(Self::Externalities) -> Self::Externalities, { let mut lock = self.state.write().unwrap(); diff --git a/tee-worker/identity/core-primitives/stf-executor/src/traits.rs b/tee-worker/identity/core-primitives/stf-executor/src/traits.rs index 62e788141a..3b77b99588 100644 --- a/tee-worker/identity/core-primitives/stf-executor/src/traits.rs +++ b/tee-worker/identity/core-primitives/stf-executor/src/traits.rs @@ -55,10 +55,11 @@ where } /// Proposes a state update to `Externalities`. -pub trait StateUpdateProposer +pub trait StateUpdateProposer where TCS: PartialEq + Encode + Decode + Debug + Send + Sync, G: PartialEq + Encode + Decode + Debug + Send + Sync, + PH: HeaderTrait, { type Externalities: SgxExternalitiesTrait + Encode; @@ -66,7 +67,7 @@ where /// /// All executed call hashes and the mutated state are returned. /// If the time expires, any remaining trusted calls within the batch will be ignored. - fn propose_state_update( + fn propose_state_update( &self, trusted_calls: &[TrustedOperation], header: &PH, @@ -75,7 +76,6 @@ where prepare_state_function: F, ) -> Result> where - PH: HeaderTrait, F: FnOnce(Self::Externalities) -> Self::Externalities; } 
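Review bot: `StateUpdateProposer` in traits.rs gains a `PH` type parameter, but its doc comment (`/// Proposes a state update to `Externalities`.`) still does not mention it. Moving `PH` from `propose_state_update` to the trait fixes the header type per implementation instead of per call, which is a contract change for implementors. I would add a line such as `/// `PH` is the parentchain header type passed to every `propose_state_update` call of an implementation.` above the trait. The `StfExecutorMock` impl in mocks.rs still ignores `_header`, which is fine for a mock but is worth one comment saying so.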
diff --git a/tee-worker/identity/core/offchain-worker-executor/src/executor.rs b/tee-worker/identity/core/offchain-worker-executor/src/executor.rs index 5cf3e778b8..51f9590e12 100644 --- a/tee-worker/identity/core/offchain-worker-executor/src/executor.rs +++ b/tee-worker/identity/core/offchain-worker-executor/src/executor.rs @@ -30,7 +30,7 @@ use itp_stf_state_handler::{handle_state::HandleState, query_shard_state::QueryS use itp_top_pool_author::traits::AuthorApi; use itp_types::{parentchain::ParentchainCall, OpaqueCall, ShardIdentifier, H256}; use log::*; -use sp_runtime::traits::Block; +use sp_runtime::traits::{Block, Header as HeaderTrait}; use std::{marker::PhantomData, sync::Arc, time::Duration, vec::Vec}; /// Off-chain worker executor implementation. @@ -51,13 +51,14 @@ pub struct Executor< Stf, TCS, G, + PH, > { top_pool_author: Arc, stf_executor: Arc, state_handler: Arc, validator_accessor: Arc, extrinsics_factory: Arc, - _phantom: PhantomData<(ParentchainBlock, Stf, TCS, G)>, + _phantom: PhantomData<(ParentchainBlock, Stf, TCS, G, PH)>, } impl< @@ -70,6 +71,7 @@ impl< Stf, TCS, G, + PH, > Executor< ParentchainBlock, @@ -81,9 +83,10 @@ impl< Stf, TCS, G, + PH, > where - ParentchainBlock: Block, - StfExecutor: StateUpdateProposer, + ParentchainBlock: Block, + StfExecutor: StateUpdateProposer, TopPoolAuthor: AuthorApi, StateHandler: QueryShardState + HandleState, ValidatorAccessor: ValidatorAccess + Send + Sync + 'static, @@ -92,6 +95,7 @@ impl< Stf: SystemPalletEventInterface, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, { pub fn new( top_pool_author: Arc, @@ -186,7 +190,7 @@ impl< fn apply_state_update( &self, shard: &ShardIdentifier, - updated_state: >::Externalities, + updated_state: >::Externalities, ) -> Result<()> { self.state_handler.reset(updated_state, shard)?; Ok(()) 
diff --git a/tee-worker/identity/enclave-runtime/Cargo.lock b/tee-worker/identity/enclave-runtime/Cargo.lock index 2d26517e8f..4a6442c950 100644 --- a/tee-worker/identity/enclave-runtime/Cargo.lock +++ b/tee-worker/identity/enclave-runtime/Cargo.lock @@ -1924,6 +1924,8 @@ dependencies = [ "itp-node-api", "itp-node-api-metadata", "itp-node-api-metadata-provider", + "itp-ocall-api", + "itp-sgx-crypto", "itp-sgx-externalities", "itp-stf-interface", "itp-stf-primitives", @@ -2086,6 +2088,7 @@ dependencies = [ "itp-ocall-api", "itp-sgx-crypto", "itp-sgx-externalities", + "itp-sgx-io", "itp-stf-interface", "itp-stf-primitives", "itp-stf-state-handler", @@ -2607,9 +2610,12 @@ version = "0.8.0" dependencies = [ "itp-node-api-metadata", "itp-node-api-metadata-provider", + "itp-ocall-api", + "itp-sgx-crypto", "itp-stf-primitives", "itp-types", "parity-scale-codec", + "sp-runtime", ] [[package]] diff --git a/tee-worker/identity/enclave-runtime/src/initialization/global_components.rs b/tee-worker/identity/enclave-runtime/src/initialization/global_components.rs index 5255d5303e..188eb8c6c8 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/global_components.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/global_components.rs @@ -79,7 +79,10 @@ use itp_top_pool_author::{ api::SidechainApi, author::{Author, AuthorTopFilter, BroadcastedTopFilter}, }; -use itp_types::{Block as ParentchainBlock, SignedBlock as SignedParentchainBlock}; +use itp_types::{ + parentchain::Header as ParentchainHeader, Block as ParentchainBlock, + SignedBlock as SignedParentchainBlock, +}; use its_primitives::{ traits::{Block as SidechainBlockTrait, SignedBlock as SignedSidechainBlockTrait}, types::block::SignedBlock as SignedSidechainBlock, 
@@ -126,6 +129,8 @@ pub type EnclaveStfExecutor = StfExecutor< EnclaveStf, EnclaveTrustedCallSigned, EnclaveGetter, + ParentchainHeader, + EnclaveStateKeyRepository, // TODO: use new aes256 key repository when available >; pub type EnclaveStfEnclaveSigner = StfEnclaveSigner< EnclaveOCallApi, @@ -362,6 +367,7 @@ pub type EnclaveOffchainWorkerExecutor = itc_offchain_worker_executor::executor: EnclaveStf, EnclaveTrustedCallSigned, EnclaveGetter, + ParentchainHeader, >; // Base component instances diff --git a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs index 62e7bb6d67..ebaf69177e 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs @@ -19,12 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, IntegriteeParentchainBlockImportDispatcher, GLOBAL_INTEGRITEE_PARENTCHAIN_LIGHT_CLIENT_SEAL, - GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, GLOBAL_OCALL_API_COMPONENT, + GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, + GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository }, parentchain::common::{ create_extrinsics_factory, create_integritee_offchain_immediate_import_dispatcher, 
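Review bot: The state key repository is reused as the on-chain encryption key repository: `EnclaveStfExecutor` binds its new last type parameter to `EnclaveStateKeyRepository`, with only a TODO marking it as provisional. Using one key for two purposes removes key separation, so exposure or rotation of either use affects the other; whether any trusted call already encrypts with it is not visible in these hunks and should be confirmed. The same substitution is wired in through `GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?` in the six parentchain handler hunks that follow (integritee, target A and target B, parachain and solochain each). I would make the stand-in explicit with a named alias, e.g. `pub type EnclaveOnChainEncryptionKeyRepository = EnclaveStateKeyRepository; // TEMPORARY: state key stands in until the dedicated key repository exists`, use that alias here, and link the TODO to a tracking issue so it cannot ship unnoticed.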
@@ -80,10 +85,13 @@ impl IntegriteeParachainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_integritee_parentchain_block_importer( diff --git a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs index f8c8d512d7..f9a7c4df25 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs @@ -19,12 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, IntegriteeParentchainBlockImportDispatcher, GLOBAL_INTEGRITEE_PARENTCHAIN_LIGHT_CLIENT_SEAL, - GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, GLOBAL_OCALL_API_COMPONENT, + GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, + GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository }, parentchain::common::{ create_extrinsics_factory, create_integritee_offchain_immediate_import_dispatcher, 
@@ -79,10 +84,13 @@ impl IntegriteeSolochainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_integritee_parentchain_block_importer( diff --git a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs index 59921c14af..0d74df3e5f 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs @@ -25,10 +25,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetAParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetAParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_sidechain_triggered_import_dispatcher_for_target_a, 
@@ -84,10 +91,13 @@ impl TargetAParachainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_a_parentchain_block_importer( diff --git a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs index 41a12bbbf8..3836780052 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs @@ -19,10 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetAParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetAParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_sidechain_triggered_import_dispatcher_for_target_a, 
@@ -77,10 +84,13 @@ impl TargetASolochainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_a_parentchain_block_importer( diff --git a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs index 21b729a456..e4ec762651 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs @@ -25,10 +25,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetBParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetBParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_sidechain_triggered_import_dispatcher_for_target_b, 
@@ -84,10 +91,13 @@ impl TargetBParachainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_b_parentchain_block_importer( diff --git a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs index 954fe436c8..e457a24b44 100644 --- a/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs +++ b/tee-worker/identity/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs @@ -19,10 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetBParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetBParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_sidechain_triggered_import_dispatcher_for_target_b, 
@@ -77,10 +84,13 @@ impl TargetBSolochainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_b_parentchain_block_importer( diff --git a/tee-worker/identity/enclave-runtime/src/test/enclave_signer_tests.rs b/tee-worker/identity/enclave-runtime/src/test/enclave_signer_tests.rs index 8f20f23a86..e2fdd419ab 100644 --- a/tee-worker/identity/enclave-runtime/src/test/enclave_signer_tests.rs +++ b/tee-worker/identity/enclave-runtime/src/test/enclave_signer_tests.rs @@ -20,7 +20,10 @@ use ita_stf::{Getter, Stf, TrustedCall, TrustedCallSigned}; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; use itp_ocall_api::EnclaveAttestationOCallApi; use itp_sgx_crypto::{ - ed25519_derivation::DeriveEd25519, key_repository::AccessKey, mocks::KeyRepositoryMock, + ed25519_derivation::DeriveEd25519, + key_repository::AccessKey, + mocks::KeyRepositoryMock, + Aes, // TODO: use Aes256 when available }; use itp_sgx_externalities::SgxExternalities; use itp_stf_executor::{enclave_signer::StfEnclaveSigner, traits::StfEnclaveSigning}; 
@@ -35,15 +38,21 @@ use itp_stf_primitives::{ use itp_stf_state_observer::mock::ObserveStateMock; use itp_test::mock::onchain_mock::OnchainMock; use itp_top_pool_author::{mocks::AuthorApiMock, traits::AuthorApi}; -use itp_types::RsaRequest; +use itp_types::{Header, RsaRequest}; use litentry_primitives::Identity; use sgx_crypto_helper::{rsa3072::Rsa3072KeyPair, RsaKeyPair}; use sp_core::Pair; +use sp_runtime::traits::Header as HeaderTrait; use std::{sync::Arc, vec::Vec}; type ShieldingKeyRepositoryMock = KeyRepositoryMock; +type OnChainEncryptionKeyRepositoryMock = KeyRepositoryMock; type TestStf = Stf; +pub fn latest_parentchain_header() -> Header { + Header::new(1, Default::default(), Default::default(), [69; 32].into(), Default::default()) +} + pub fn derive_key_is_deterministic() { let rsa_key = Rsa3072KeyPair::new().unwrap(); @@ -98,7 +107,7 @@ pub fn nonce_is_computed_correctly() { let shard = ShardIdentifier::default(); let enclave_signer = StfEnclaveSigner::<_, _, _, TestStf, _, TrustedCallSigned, Getter>::new( state_observer, - ocall_api, + ocall_api.clone(), shielding_key_repo, top_pool_author.clone(), ); @@ -134,6 +143,8 @@ pub fn nonce_is_computed_correctly() { assert_eq!(0, TestStf::get_account_nonce(&mut state, &enclave_account)); let repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); + let on_chain_encryption_key_repository = + Arc::new(OnChainEncryptionKeyRepositoryMock::new(Aes::default())); assert!(TestStf::execute_call( &mut state, &shard, @@ -141,6 +152,9 @@ pub fn nonce_is_computed_correctly() { Default::default(), &mut Vec::new(), repo.clone(), + ocall_api.clone(), + &latest_parentchain_header(), + on_chain_encryption_key_repository.clone() ) .is_ok()); @@ -151,6 +165,9 @@ pub fn nonce_is_computed_correctly() { Default::default(), &mut Vec::new(), repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository ) .is_ok()); assert_eq!(2, TestStf::get_account_nonce(&mut state, &enclave_account)); 
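Review bot: `latest_parentchain_header()` is a shared test helper defined inside enclave_signer_tests.rs, yet the tests_main.rs hunks of this patch call it as well, which couples two test modules through one of them. It would read better in the fixtures module next to `test_setup`, with a doc comment such as `/// Fixed header (block 1, arbitrary parent hash) for tests that only need some valid header.`. The name says "latest" while the function returns a constant, and `[69; 32]` is an unexplained magic value; a named constant or a comment would help. How tests_main.rs imports the helper is outside the visible hunks.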
diff --git a/tee-worker/identity/enclave-runtime/src/test/fixtures/test_setup.rs b/tee-worker/identity/enclave-runtime/src/test/fixtures/test_setup.rs index 78c2bef328..570b3e589e 100644 --- a/tee-worker/identity/enclave-runtime/src/test/fixtures/test_setup.rs +++ b/tee-worker/identity/enclave-runtime/src/test/fixtures/test_setup.rs @@ -24,7 +24,12 @@ use ita_sgx_runtime::Runtime; use ita_stf::{Getter, State, Stf, TrustedCallSigned}; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; use itp_ocall_api::EnclaveAttestationOCallApi; -use itp_sgx_crypto::{ed25519_derivation::DeriveEd25519, mocks::KeyRepositoryMock}; +use itp_sgx_crypto::{ + ed25519_derivation::DeriveEd25519, + key_repository::KeyRepository, + mocks::KeyRepositoryMock, + Aes, // TODO: use Aes256 when available +}; use itp_sgx_externalities::SgxExternalities; use itp_stf_executor::executor::StfExecutor; use itp_stf_primitives::types::{ShardIdentifier, TrustedOperation}; @@ -38,7 +43,7 @@ use itp_top_pool_author::{ author::Author, top_filter::{AllowAllTopsFilter, DirectCallsOnlyFilter}, }; -use itp_types::{Block, MrEnclave}; +use itp_types::{parentchain::Header as ParentchainHeader, Block, MrEnclave}; use sp_core::{crypto::Pair, ed25519 as spEd25519}; use std::sync::Arc; pub type TestRpcResponder = RpcResponderMock>>; @@ -61,6 +66,8 @@ pub type TestTopPoolAuthor = Author< >; pub type TestStf = Stf; +type TestOnChainEncryptionKeyRepository = KeyRepositoryMock; + pub type TestStfExecutor = StfExecutor< OcallApi, HandleStateMock, @@ -68,6 +75,8 @@ pub type TestStfExecutor = StfExecutor< TestStf, TrustedCallSigned, Getter, + ParentchainHeader, + TestOnChainEncryptionKeyRepository, >; /// Returns all the things that are commonly used in tests and runs 
@@ -80,6 +89,7 @@ pub fn test_setup() -> ( ShieldingCryptoMock, Arc, Arc, + Arc, ) { let shielding_key = ShieldingCryptoMock::default(); let shielding_key_repo = Arc::new(KeyRepositoryMock::new(shielding_key.clone())); @@ -91,10 +101,13 @@ pub fn test_setup() -> ( let mrenclave = OcallApi.get_mrenclave_of_self().unwrap().m; let node_metadata_repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); + let on_chain_encryption_key_repository = KeyRepositoryMock::new(Aes::default()); + let stf_executor = Arc::new(TestStfExecutor::new( Arc::new(OcallApi), state_handler.clone(), node_metadata_repo, + Arc::new(on_chain_encryption_key_repository), )); let (sender, _receiver) = std::sync::mpsc::sync_channel(1000); @@ -115,6 +128,7 @@ pub fn test_setup() -> ( shielding_key, state_handler, stf_executor, + Arc::new(OcallApi), ) } diff --git a/tee-worker/identity/enclave-runtime/src/test/mocks/types.rs b/tee-worker/identity/enclave-runtime/src/test/mocks/types.rs index ae939c53e4..ac39650570 100644 --- a/tee-worker/identity/enclave-runtime/src/test/mocks/types.rs +++ b/tee-worker/identity/enclave-runtime/src/test/mocks/types.rs @@ -39,7 +39,10 @@ use itp_top_pool_author::{ author::Author, top_filter::{AllowAllTopsFilter, DirectCallsOnlyFilter}, }; -use itp_types::{Block as ParentchainBlock, SignedBlock as SignedParentchainBlock}; +use itp_types::{ + parentchain::Header as ParentchainHeader, Block as ParentchainBlock, + SignedBlock as SignedParentchainBlock, +}; use its_primitives::types::SignedBlock as SignedSidechainBlock; use its_sidechain::{aura::block_importer::BlockImporter, block_composer::BlockComposer}; use primitive_types::H256; @@ -74,6 +77,8 @@ pub type TestStfExecutor = StfExecutor< TestStf, TrustedCallSigned, Getter, + ParentchainHeader, + TestStateKeyRepo, >; pub type TestRpcResponder = RpcResponderMock; 
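Review bot: `test_setup()` now returns an eight-element tuple, and the tests_main.rs call sites pick up patterns like `(_, _, shard, _, _, state_handler, _, ..)`, where the `_` before `..` is redundant. Returning a small named struct, or at least dropping the redundant `_`, would keep the next added component from touching every test. The function also builds `Arc::new(OcallApi)` twice, once for the executor and once for the returned value; binding it once with `let ocall_api = Arc::new(OcallApi);` and passing `ocall_api.clone()` makes it explicit that the tests and the executor use the same instance. The body of `test_setup` continues outside these hunks.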
diff --git a/tee-worker/identity/enclave-runtime/src/test/sidechain_aura_tests.rs b/tee-worker/identity/enclave-runtime/src/test/sidechain_aura_tests.rs index 0e2c6639c9..ac867fffa3 100644 --- a/tee-worker/identity/enclave-runtime/src/test/sidechain_aura_tests.rs +++ b/tee-worker/identity/enclave-runtime/src/test/sidechain_aura_tests.rs @@ -103,6 +103,7 @@ pub fn produce_sidechain_block_and_import_it() { ocall_api.clone(), state_handler.clone(), node_metadata_repo, + state_key_repo.clone(), )); let top_pool = create_top_pool(); diff --git a/tee-worker/identity/enclave-runtime/src/test/sidechain_event_tests.rs b/tee-worker/identity/enclave-runtime/src/test/sidechain_event_tests.rs index 458ea2053b..a148d54b2e 100644 --- a/tee-worker/identity/enclave-runtime/src/test/sidechain_event_tests.rs +++ b/tee-worker/identity/enclave-runtime/src/test/sidechain_event_tests.rs @@ -87,6 +87,7 @@ pub fn ensure_events_get_reset_upon_block_proposal() { ocall_api.clone(), state_handler.clone(), node_metadata_repo, + state_key_repo.clone(), )); let top_pool = create_top_pool(); let (sender, _receiver) = std::sync::mpsc::sync_channel(1000); diff --git a/tee-worker/identity/enclave-runtime/src/test/tests_main.rs b/tee-worker/identity/enclave-runtime/src/test/tests_main.rs index 0a61660650..c94e12ee18 100644 --- a/tee-worker/identity/enclave-runtime/src/test/tests_main.rs +++ b/tee-worker/identity/enclave-runtime/src/test/tests_main.rs @@ -37,7 +37,7 @@ use ita_stf::{ AccountInfo, Getter, State, TrustedCall, TrustedCallSigned, TrustedGetter, }; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; -use itp_sgx_crypto::{Aes, StateCrypto}; +use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes, StateCrypto}; use itp_sgx_externalities::{SgxExternalitiesDiffType, SgxExternalitiesTrait, StateHash}; use itp_stf_executor::{ executor_tests as stf_executor_tests, traits::StateUpdateProposer, BatchExecutionResult, 
@@ -183,7 +183,7 @@ fn run_evm_tests() {} fn test_compose_block() { // given - let (_, _, shard, _, _, state_handler, _) = test_setup(); + let (_, _, shard, _, _, state_handler, _, ..) = test_setup(); let block_composer = BlockComposer::::new( test_account(), Arc::new(TestStateKeyRepo::new(state_key())), @@ -325,7 +325,7 @@ fn test_differentiate_getter_and_call_works() { fn test_create_block_and_confirmation_works() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); let block_composer = BlockComposer::::new( test_account(), @@ -375,7 +375,7 @@ fn test_create_block_and_confirmation_works() { fn test_create_state_diff() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); let block_composer = BlockComposer::::new( test_account(), @@ -441,7 +441,7 @@ fn test_create_state_diff() { fn test_executing_call_updates_account_nonce() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); let sender = funded_pair(); let receiver = unfunded_public(); @@ -475,7 +475,7 @@ fn test_executing_call_updates_account_nonce() { } fn test_call_set_update_parentchain_block() { - let (_, _, shard, _, _, state_handler, _) = test_setup(); + let (_, _, shard, _, _, state_handler, _, ..) = test_setup(); let (mut state, _) = state_handler.load_cloned(&shard).unwrap(); let block_number = 3; 
@@ -498,7 +498,7 @@ fn test_call_set_update_parentchain_block() { fn test_signature_must_match_public_sender_in_call() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); // create accounts let sender = funded_pair(); @@ -529,7 +529,7 @@ fn test_signature_must_match_public_sender_in_call() { fn test_invalid_nonce_call_is_not_executed() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); // create accounts let sender = funded_pair(); @@ -560,7 +560,8 @@ fn test_invalid_nonce_call_is_not_executed() { pub fn test_retrieve_events() { // given - let (_, mut state, shard, mrenclave, ..) = test_setup(); + let (_, mut state, shard, mrenclave, _shielding_key, _state_handler, _stf_executor, ocall_api) = + test_setup(); let mut opaque_vec = Vec::new(); let sender = funded_pair(); let receiver = unendowed_account(); @@ -577,6 +578,8 @@ pub fn test_retrieve_events() { .sign(&sender.into(), 0, &mrenclave, &shard); let repo = Arc::new(NodeMetadataRepository::::default()); let shard = ShardIdentifier::default(); + let on_chain_encryption_key_repository = + Arc::new(KeyRepositoryMock::::new(Aes::default())); TestStf::execute_call( &mut state, &shard, @@ -584,6 +587,9 @@ pub fn test_retrieve_events() { Default::default(), &mut opaque_vec, repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository, ) .unwrap(); 
@@ -591,7 +597,8 @@ pub fn test_retrieve_events() { } pub fn test_retrieve_event_count() { - let (_, mut state, shard, mrenclave, ..) = test_setup(); + let (_, mut state, shard, mrenclave, _shielding_key, _state_handler, _stf_executor, ocall_api) = + test_setup(); let mut opaque_vec = Vec::new(); let sender = funded_pair(); let receiver = unendowed_account(); @@ -610,6 +617,8 @@ pub fn test_retrieve_event_count() { // when let repo = Arc::new(NodeMetadataRepository::::default()); let shard = ShardIdentifier::default(); + let on_chain_encryption_key_repository = + Arc::new(KeyRepositoryMock::::new(Aes::default())); TestStf::execute_call( &mut state, &shard, @@ -617,6 +626,9 @@ pub fn test_retrieve_event_count() { Default::default(), &mut opaque_vec, repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository, ) .unwrap(); @@ -625,7 +637,8 @@ pub fn test_retrieve_event_count() { } pub fn test_reset_events() { - let (_, mut state, shard, mrenclave, ..) = test_setup(); + let (_, mut state, shard, mrenclave, _shielding_key, _state_handler, _stf_executor, ocall_api) = + test_setup(); let mut opaque_vec = Vec::new(); let sender = funded_pair(); let receiver = unendowed_account(); @@ -641,6 +654,9 @@ pub fn test_reset_events() { .sign(&sender.into(), 0, &mrenclave, &shard); let repo = Arc::new(NodeMetadataRepository::::default()); let shard = ShardIdentifier::default(); + let on_chain_encryption_key_repository = + Arc::new(KeyRepositoryMock::::new(Aes::default())); + TestStf::execute_call( &mut state, &shard, @@ -648,6 +664,9 @@ pub fn test_reset_events() { Default::default(), &mut opaque_vec, repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository, ) .unwrap(); let receiver_acc_info = TestStf::get_account_data(&mut state, &receiver.public().into()); 
diff --git a/tee-worker/identity/enclave-runtime/src/top_pool_execution.rs b/tee-worker/identity/enclave-runtime/src/top_pool_execution.rs index 439a3f2463..f264ed819d 100644 --- a/tee-worker/identity/enclave-runtime/src/top_pool_execution.rs +++ b/tee-worker/identity/enclave-runtime/src/top_pool_execution.rs @@ -203,7 +203,7 @@ fn execute_top_pool_trusted_calls_internal() -> Result<()> { } log_remaining_slot_duration(&slot, "Before AURA"); - let env = ProposerFactory::::new( + let env = ProposerFactory::::new( top_pool_author, stf_executor, block_composer, diff --git a/tee-worker/identity/sidechain/consensus/aura/src/proposer_factory.rs b/tee-worker/identity/sidechain/consensus/aura/src/proposer_factory.rs index 61fa21557f..8c0f626dd9 100644 --- a/tee-worker/identity/sidechain/consensus/aura/src/proposer_factory.rs +++ b/tee-worker/identity/sidechain/consensus/aura/src/proposer_factory.rs @@ -32,7 +32,7 @@ use its_primitives::traits::{ }; use its_state::{SidechainState, SidechainSystemExt}; use sp_runtime::{ - traits::{Block, NumberFor}, + traits::{Block, Header as ParentchainHeaderTrait, NumberFor}, MultiSignature, }; use std::{marker::PhantomData, sync::Arc}; @@ -45,16 +45,18 @@ pub struct ProposerFactory< StfExecutor, BlockComposer, MetricsApi, + PH, > { top_pool_author: Arc, stf_executor: Arc, block_composer: Arc, metrics_api: Arc, _phantom: PhantomData, + _phantom_header: PhantomData, } -impl - ProposerFactory +impl + ProposerFactory { pub fn new( top_pool_executor: Arc, @@ -68,19 +70,21 @@ impl, + ParentchainBlock: Block, SignedSidechainBlock, TopPoolAuthor, StfExecutor, BlockComposer, MetricsApi, + PH, > Environment - for ProposerFactory + for ProposerFactory where NumberFor: BlockNumberOps, SignedSidechainBlock: SignedSidechainBlockTrait 
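Review bot: `ProposerFactory` gains a type parameter `PH` that is held only by `_phantom_header`, and neither the struct nor `new` documents what it stands for or how it relates to `ParentchainBlock`. The generic arguments are not legible on this page. If the `Environment` impl ties `PH` to the block's header through the `Block` bound, the parameter is fully determined by `ParentchainBlock`; the bounds could then name the associated header type directly, which would drop the marker field and the extra type argument at the `ProposerFactory::new` call in top_pool_execution.rs. If the separate parameter stays, a doc line on the struct such as `/// PH: parentchain header type handed to the STF executor` (wording to confirm) would help. The name should also match `ParentchainHeader`, which slot_proposer.rs uses for the same role.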
@@ -90,18 +94,19 @@ where HeaderTrait, TopPoolAuthor: AuthorApi + Send + Sync + 'static, - StfExecutor: StateUpdateProposer + Send + Sync + 'static, - ExternalitiesFor: + StfExecutor: StateUpdateProposer + Send + Sync + 'static, + ExternalitiesFor: SgxExternalitiesTrait + SidechainState + SidechainSystemExt + StateHash, - as SgxExternalitiesTrait>::SgxExternalitiesType: Encode, + as SgxExternalitiesTrait>::SgxExternalitiesType: Encode, BlockComposer: ComposeBlock< - ExternalitiesFor, + ExternalitiesFor, ParentchainBlock, SignedSidechainBlock = SignedSidechainBlock, > + Send + Sync + 'static, MetricsApi: EnclaveMetricsOCallApi, + PH: ParentchainHeaderTrait, { type Proposer = SlotProposer< ParentchainBlock, @@ -110,6 +115,7 @@ where StfExecutor, BlockComposer, MetricsApi, + PH, >; type Error = ConsensusError; @@ -126,6 +132,7 @@ where shard, metrics_api: self.metrics_api.clone(), _phantom: PhantomData, + _phantom_header: PhantomData, }) } } diff --git a/tee-worker/identity/sidechain/consensus/aura/src/slot_proposer.rs b/tee-worker/identity/sidechain/consensus/aura/src/slot_proposer.rs index 2424df56f6..eaf005d3a2 100644 --- a/tee-worker/identity/sidechain/consensus/aura/src/slot_proposer.rs +++ b/tee-worker/identity/sidechain/consensus/aura/src/slot_proposer.rs @@ -35,28 +35,31 @@ use its_primitives::traits::{ use its_state::{SidechainState, SidechainSystemExt}; use log::*; use sp_runtime::{ - traits::{Block, NumberFor}, + traits::{Block, Header as ParentchainHeaderTrait, NumberFor}, MultiSignature, }; use std::{marker::PhantomData, string::ToString, sync::Arc, time::Duration, vec::Vec}; -pub type ExternalitiesFor = >::Externalities; +pub type ExternalitiesFor = + >::Externalities; ///! `SlotProposer` instance that has access to everything needed to propose a sidechain block. pub struct SlotProposer< - ParentchainBlock: Block, + ParentchainBlock: Block
, SignedSidechainBlock: SignedSidechainBlockTrait, TopPoolAuthor, StfExecutor, BlockComposer, MetricsApi, + ParentchainHeader, > { pub(crate) top_pool_author: Arc, pub(crate) stf_executor: Arc, pub(crate) block_composer: Arc, - pub(crate) parentchain_header: ParentchainBlock::Header, + pub(crate) parentchain_header: ParentchainHeader, pub(crate) shard: ShardIdentifierFor, pub(crate) metrics_api: Arc, pub(crate) _phantom: PhantomData, + pub(crate) _phantom_header: PhantomData, } impl< @@ -66,6 +69,7 @@ impl< BlockComposer, StfExecutor, MetricsApi, + PH, > Proposer for SlotProposer< ParentchainBlock, @@ -74,28 +78,30 @@ impl< StfExecutor, BlockComposer, MetricsApi, + PH, > where - ParentchainBlock: Block, + ParentchainBlock: Block, NumberFor: BlockNumberOps, SignedSidechainBlock: SignedSidechainBlockTrait + 'static, SignedSidechainBlock::Block: SidechainBlockTrait, <::Block as SidechainBlockTrait>::HeaderType: HeaderTrait, - StfExecutor: StateUpdateProposer, - ExternalitiesFor: + StfExecutor: StateUpdateProposer, + ExternalitiesFor: SgxExternalitiesTrait + SidechainState + SidechainSystemExt + StateHash, - as SgxExternalitiesTrait>::SgxExternalitiesType: Encode, + as SgxExternalitiesTrait>::SgxExternalitiesType: Encode, TopPoolAuthor: AuthorApi + Send + Sync + 'static, BlockComposer: ComposeBlock< - ExternalitiesFor, + ExternalitiesFor, ParentchainBlock, SignedSidechainBlock = SignedSidechainBlock, > + Send + Sync + 'static, MetricsApi: EnclaveMetricsOCallApi, + PH: ParentchainHeaderTrait, { /// Proposes a new sidechain block. ///
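Review bot: In the `SlotProposer` struct hunk (-35,28) the new `_phantom_header` field looks redundant: the struct already stores `parentchain_header: ParentchainHeader`, so the new type parameter is used by a real field and needs no marker. The `PhantomData` argument is not legible on this page, so confirm it is the header type before dropping the field and its initialiser in proposer_factory.rs. The same parameter is called `ParentchainHeader` on the struct and `PH` in the `Proposer` impl; one name for both would read better.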