diff --git a/tee-worker/Cargo.lock b/tee-worker/Cargo.lock index c7e160cbd1..d22045684d 100644 --- a/tee-worker/Cargo.lock +++ b/tee-worker/Cargo.lock @@ -445,6 +445,8 @@ dependencies = [ "hex-literal", "itp-hashing", "itp-node-api", + "itp-ocall-api", + "itp-sgx-crypto", "itp-sgx-externalities", "itp-stf-interface", "itp-stf-primitives", diff --git a/tee-worker/bitacross/app-libs/stf/Cargo.toml b/tee-worker/bitacross/app-libs/stf/Cargo.toml index d3016c539c..dabc854784 100644 --- a/tee-worker/bitacross/app-libs/stf/Cargo.toml +++ b/tee-worker/bitacross/app-libs/stf/Cargo.toml @@ -15,6 +15,8 @@ sgx_tstd = { workspace = true, features = ["untrusted_fs", "net", "backtrace"], itp-hashing = { workspace = true } itp-node-api = { workspace = true } itp-sgx-externalities = { workspace = true } +itp-ocall-api = { workspace = true } +itp-sgx-crypto = { workspace = true } itp-stf-interface = { workspace = true } itp-stf-primitives = { workspace = true } itp-storage = { workspace = true } @@ -47,6 +49,7 @@ sgx = [ "sp-io/sgx", "itp-node-api/sgx", "litentry-primitives/sgx", + "itp-sgx-crypto/sgx", ] std = [ # crates.io @@ -68,6 +71,7 @@ std = [ "pallet-parentchain/std", "sp-io/std", "litentry-primitives/std", + "itp-sgx-crypto/std", ] test = [] development = [ diff --git a/tee-worker/bitacross/app-libs/stf/src/stf_sgx.rs b/tee-worker/bitacross/app-libs/stf/src/stf_sgx.rs index 6412b5cf78..cbdc572c9c 100644 --- a/tee-worker/bitacross/app-libs/stf/src/stf_sgx.rs +++ b/tee-worker/bitacross/app-libs/stf/src/stf_sgx.rs @@ -27,6 +27,9 @@ use ita_sgx_runtime::{ Executive, ParentchainInstanceLitentry, ParentchainInstanceTargetA, ParentchainInstanceTargetB, }; use itp_node_api::metadata::{provider::AccessNodeMetadata, NodeMetadataTrait}; +use itp_ocall_api::EnclaveOnChainOCallApi; +// TODO: use use Aes256 when available +use itp_sgx_crypto::{key_repository::AccessKey, Aes}; use itp_sgx_externalities::SgxExternalitiesTrait; use itp_stf_interface::{ parentchain_pallet::ParentchainPalletInstancesInterface, @@ -46,7 +49,7 @@ use itp_types::{ }; use itp_utils::stringify::account_id_to_string; use log::*; -use sp_runtime::traits::StaticLookup; +use sp_runtime::traits::{Header as HeaderTrait, StaticLookup}; use std::{fmt::Debug, format, prelude::v1::*, sync::Arc, vec}; impl InitState for Stf @@ -135,11 +138,27 @@ where } } -impl - StateCallInterface for Stf +impl< + TCS, + G, + State, + Runtime, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + > + StateCallInterface< + TCS, + State, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + > for Stf where TCS: PartialEq - + ExecuteCall + + ExecuteCall + Encode + Decode + Debug @@ -150,6 +169,9 @@ where State: SgxExternalitiesTrait + Debug, NodeMetadataRepository: AccessNodeMetadata, NodeMetadataRepository::MetadataType: NodeMetadataTrait, + OCallApi: EnclaveOnChainOCallApi, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Error = TCS::Error; type Result = TCS::Result; @@ -161,8 +183,21 @@ where top_hash: H256, calls: &mut Vec, node_metadata_repo: Arc, + ocall_api: Arc, + parentchain_header: &PH, + on_chain_encryption_key_repo: Arc, ) -> Result { - state.execute_with(|| call.execute(shard, top_hash, calls, node_metadata_repo)) + state.execute_with(|| { + call.execute( + shard, + top_hash, + calls, + node_metadata_repo, + ocall_api, + parentchain_header, + on_chain_encryption_key_repo, + ) + }) } } diff --git a/tee-worker/bitacross/app-libs/stf/src/stf_sgx_tests.rs b/tee-worker/bitacross/app-libs/stf/src/stf_sgx_tests.rs index 479f3b9bb0..89feb2d132 100644 --- a/tee-worker/bitacross/app-libs/stf/src/stf_sgx_tests.rs +++ b/tee-worker/bitacross/app-libs/stf/src/stf_sgx_tests.rs @@ -18,21 +18,30 @@ use crate::{Getter, State, Stf, TrustedCall, TrustedCallSigned}; use ita_sgx_runtime::Runtime; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; +use itp_ocall_api::mock::OnchainMock; +use itp_sgx_crypto::{key_repository::AccessKey, mocks::KeyRepositoryMock, Aes}; use itp_stf_interface::{ sudo_pallet::SudoPalletInterface, system_pallet::SystemPalletAccountInterface, InitState, StateCallInterface, }; use itp_stf_primitives::types::{AccountId, ShardIdentifier}; -use itp_types::parentchain::ParentchainId; +use itp_types::{parentchain::ParentchainId, Header}; use litentry_primitives::LitentryMultiSignature; use sp_core::{ ed25519::{Pair as Ed25519Pair, Signature as Ed25519Signature}, Pair, }; +use sp_runtime::traits::Header as HeaderTrait; use std::{sync::Arc, vec::Vec}; +type EncryptionKeyRepositoryMock = KeyRepositoryMock; + pub type StfState = Stf; +pub fn latest_parentchain_header() -> Header { + Header::new(1, Default::default(), Default::default(), [69; 32].into(), Default::default()) +} + pub fn enclave_account_initialization_works() { let enclave_account = AccountId::new([2u8; 32]); let mut state = StfState::init_state(enclave_account.clone()); @@ -48,6 +57,7 @@ pub fn shield_funds_increments_signer_account_nonce() { let enclave_call_signer = Ed25519Pair::from_seed(b"14672678901234567890123456789012"); let enclave_signer_account_id: AccountId = enclave_call_signer.public().into(); let mut state = StfState::init_state(enclave_signer_account_id.clone()); + let ocall_api = Arc::new(OnchainMock::default()); let shield_funds_call = TrustedCallSigned::new( TrustedCall::balance_shield( @@ -62,6 +72,7 @@ pub fn shield_funds_increments_signer_account_nonce() { let repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); let shard = ShardIdentifier::default(); + let encryption_key_repository = Arc::new(EncryptionKeyRepositoryMock::new(Aes::default())); StfState::execute_call( &mut state, &shard, @@ -69,6 +80,9 @@ pub fn shield_funds_increments_signer_account_nonce() { Default::default(), &mut Vec::new(), repo, + ocall_api.clone(), + &latest_parentchain_header(), + encryption_key_repository.clone(), ) .unwrap(); assert_eq!(1, StfState::get_account_nonce(&mut state, &enclave_signer_account_id)); diff --git a/tee-worker/bitacross/app-libs/stf/src/trusted_call.rs b/tee-worker/bitacross/app-libs/stf/src/trusted_call.rs index 8d8167d46b..003f1e005e 100644 --- a/tee-worker/bitacross/app-libs/stf/src/trusted_call.rs +++ b/tee-worker/bitacross/app-libs/stf/src/trusted_call.rs @@ -24,6 +24,9 @@ use codec::{Decode, Encode}; use frame_support::{ensure, traits::UnfilteredDispatchable}; pub use ita_sgx_runtime::{Balance, Index, Runtime, System}; use itp_node_api::metadata::{provider::AccessNodeMetadata, NodeMetadataTrait}; +use itp_ocall_api::EnclaveOnChainOCallApi; +// TODO: use use Aes256 when available +use itp_sgx_crypto::{key_repository::AccessKey, Aes}; use itp_stf_interface::ExecuteCall; use itp_stf_primitives::{ @@ -46,7 +49,7 @@ use sp_core::{ ed25519, }; use sp_io::hashing::blake2_256; -use sp_runtime::MultiAddress; +use sp_runtime::{traits::Header as HeaderTrait, MultiAddress}; use std::{format, prelude::v1::*, sync::Arc}; #[derive(Encode, Decode, Clone, Debug, PartialEq, Eq)] @@ -156,10 +159,15 @@ impl TrustedCallVerification for TrustedCallSigned { } } -impl ExecuteCall for TrustedCallSigned +impl + ExecuteCall + for TrustedCallSigned where NodeMetadataRepository: AccessNodeMetadata, NodeMetadataRepository::MetadataType: NodeMetadataTrait, + OCallApi: EnclaveOnChainOCallApi, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Error = StfError; type Result = TrustedCallResult; @@ -203,6 +211,9 @@ where _top_hash: H256, _calls: &mut Vec, _node_metadata_repo: Arc, + _ocall_api: Arc, + _parentchain_header: &PH, + _on_chain_encryption_key_repo: Arc, ) -> Result { let sender = self.call.sender_identity().clone(); let account_id: AccountId = sender.to_account_id().ok_or(Self::Error::InvalidAccount)?; diff --git a/tee-worker/bitacross/core-primitives/stf-executor/src/executor.rs b/tee-worker/bitacross/core-primitives/stf-executor/src/executor.rs index ffc6d92fce..80e15e4742 100644 --- a/tee-worker/bitacross/core-primitives/stf-executor/src/executor.rs +++ b/tee-worker/bitacross/core-primitives/stf-executor/src/executor.rs @@ -24,6 +24,8 @@ use codec::{Decode, Encode}; use itp_enclave_metrics::EnclaveMetric; use itp_node_api::metadata::{provider::AccessNodeMetadata, NodeMetadataTrait}; use itp_ocall_api::{EnclaveAttestationOCallApi, EnclaveMetricsOCallApi, EnclaveOnChainOCallApi}; +// TODO: use Aes256 when available +use itp_sgx_crypto::{key_repository::AccessKey, Aes}; use itp_sgx_externalities::{SgxExternalitiesTrait, StateHash}; use itp_stf_interface::{ parentchain_pallet::ParentchainPalletInstancesInterface, @@ -36,7 +38,7 @@ use itp_stf_primitives::{ use itp_stf_state_handler::{handle_state::HandleState, query_shard_state::QueryShardState}; use itp_time_utils::duration_now; use itp_types::{ - parentchain::{Header as ParentchainHeader, ParentchainCall, ParentchainId}, + parentchain::{ParentchainCall, ParentchainId}, storage::StorageEntryVerified, H256, }; @@ -47,20 +49,46 @@ use std::{ time::Duration, vec, vec::Vec, }; -pub struct StfExecutor -where +pub struct StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, +> where TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, { ocall_api: Arc, state_handler: Arc, node_metadata_repo: Arc, - _phantom: PhantomData<(Stf, TCS, G)>, + on_chain_encryption_key_repository: Arc, + _phantom: PhantomData<(Stf, TCS, G, PH)>, } -impl - StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > + StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi + EnclaveMetricsOCallApi, StateHandler: HandleState, StateHandler::StateT: SgxExternalitiesTrait + Encode, @@ -69,19 +97,42 @@ where Stf: UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, - > + StateCallInterface, + > + StateCallInterface< + TCS, + StateHandler::StateT, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + >, ::SgxExternalitiesDiffType: IntoIterator, Option>)> + From, Option>>>, - >::Error: Debug, + >::Error: Debug, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { pub fn new( ocall_api: Arc, state_handler: Arc, node_metadata_repo: Arc, + on_chain_encryption_key_repository: Arc, ) -> Self { - StfExecutor { ocall_api, state_handler, node_metadata_repo, _phantom: PhantomData } + StfExecutor { + ocall_api, + state_handler, + node_metadata_repo, + on_chain_encryption_key_repository, + _phantom: PhantomData, + } } /// Execute a trusted call on the STF @@ -90,17 +141,14 @@ where /// an invalid trusted call, which results in `Ok(ExecutionStatus::Failure)`. The latter /// can be used to remove the trusted call from a queue. In the former case we might keep the /// trusted call and just re-try the operation. - fn execute_trusted_call_on_stf( + fn execute_trusted_call_on_stf( &self, state: &mut StateHandler::StateT, trusted_operation: &TrustedOperation, - _header: &PH, + parentchain_header: &PH, shard: &ShardIdentifier, post_processing: StatePostProcessing, - ) -> Result> - where - PH: HeaderTrait, - { + ) -> Result> { debug!("query mrenclave of self"); let mrenclave = self.ocall_api.get_mrenclave_of_self()?; @@ -132,6 +180,9 @@ where trusted_operation.hash(), &mut extrinsic_call_backs, self.node_metadata_repo.clone(), + self.ocall_api.clone(), + parentchain_header, + self.on_chain_encryption_key_repository.clone(), ) { Err(e) => { if let Err(e) = @@ -180,10 +231,26 @@ where } } -impl - StfUpdateState - for StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > StfUpdateState + for StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi, StateHandler: HandleState + QueryShardState, StateHandler::StateT: SgxExternalitiesTrait + Encode, @@ -191,21 +258,18 @@ where Stf: UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, - > + ParentchainPalletInstancesInterface, + > + ParentchainPalletInstancesInterface, ::SgxExternalitiesDiffType: IntoIterator, Option>)>, - >::Error: - Debug, + >::Error: Debug, ::SgxExternalitiesDiffType: From, Option>>>, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { - fn update_states( - &self, - header: &ParentchainHeader, - parentchain_id: &ParentchainId, - ) -> Result<()> { + fn update_states(&self, header: &PH, parentchain_id: &ParentchainId) -> Result<()> { debug!("Update STF storage upon block import!"); let storage_hashes = Stf::storage_hashes_to_update_on_block(parentchain_id); @@ -245,28 +309,46 @@ where } } -impl - StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > + StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where ::SgxExternalitiesDiffType: From, Option>>> + IntoIterator, Option>)>, - >::Error: - Debug, + >::Error: Debug, NodeMetadataRepository: AccessNodeMetadata, OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi, StateHandler: HandleState + QueryShardState, StateHandler::StateT: Encode + SgxExternalitiesTrait, - Stf: ParentchainPalletInstancesInterface + Stf: ParentchainPalletInstancesInterface + UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, >, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { fn initialize_new_shards( &self, - header: &ParentchainHeader, + header: &PH, state_diff_update: &BTreeMap, Option>>, shards: &Vec, ) -> Result<()> { @@ -295,9 +377,26 @@ where } } -impl StateUpdateProposer - for StfExecutor -where +impl< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > StateUpdateProposer + for StfExecutor< + OCallApi, + StateHandler, + NodeMetadataRepository, + Stf, + TCS, + G, + PH, + OnChainEncryptionKeyRepository, + > where OCallApi: EnclaveAttestationOCallApi + EnclaveOnChainOCallApi + EnclaveMetricsOCallApi, StateHandler: HandleState, StateHandler::StateT: SgxExternalitiesTrait + Encode + StateHash, @@ -307,20 +406,35 @@ where Stf: UpdateState< StateHandler::StateT, ::SgxExternalitiesDiffType, - > + StateCallInterface - + RuntimeUpgradeInterface, + > + StateCallInterface< + TCS, + StateHandler::StateT, + NodeMetadataRepository, + OCallApi, + PH, + OnChainEncryptionKeyRepository, + > + RuntimeUpgradeInterface, ::SgxExternalitiesDiffType: IntoIterator, Option>)>, ::SgxExternalitiesDiffType: From, Option>>>, - >::Error: Debug, + >::Error: Debug, >::Error: Debug, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, + OnChainEncryptionKeyRepository: AccessKey, { type Externalities = StateHandler::StateT; - fn propose_state_update( + fn propose_state_update( &self, trusted_calls: &[TrustedOperation], header: &PH, @@ -329,7 +443,6 @@ where prepare_state_function: F, ) -> Result> where - PH: HeaderTrait, F: FnOnce(Self::Externalities) -> Self::Externalities, { let ends_at = duration_now() + max_exec_duration; diff --git a/tee-worker/bitacross/core-primitives/stf-executor/src/executor_tests.rs b/tee-worker/bitacross/core-primitives/stf-executor/src/executor_tests.rs index 2eb0185bcd..40e8e499f4 100644 --- a/tee-worker/bitacross/core-primitives/stf-executor/src/executor_tests.rs +++ b/tee-worker/bitacross/core-primitives/stf-executor/src/executor_tests.rs @@ -20,6 +20,8 @@ use codec::Encode; use itc_parentchain_test::ParentchainHeaderBuilder; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; use itp_ocall_api::EnclaveAttestationOCallApi; +// TODO: use Aes256 when available +use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes}; use itp_sgx_externalities::{SgxExternalities as State, SgxExternalitiesTrait}; use itp_stf_primitives::{traits::TrustedCallSigning, types::ShardIdentifier}; use itp_stf_state_handler::handle_state::HandleState; @@ -28,7 +30,7 @@ use itp_test::mock::{ onchain_mock::OnchainMock, stf_mock::{GetterMock, StfMock, TrustedCallMock, TrustedCallSignedMock}, }; -use itp_types::H256; +use itp_types::{parentchain::Header as ParentchainHeader, H256}; use sp_core::{ed25519, Pair}; use sp_runtime::app_crypto::sp_core::blake2_256; use std::{sync::Arc, time::Duration, vec}; @@ -244,6 +246,8 @@ fn stf_executor() -> ( StfMock, TrustedCallSignedMock, GetterMock, + ParentchainHeader, + KeyRepositoryMock, >, Arc, Arc, @@ -251,7 +255,13 @@ fn stf_executor() -> ( let ocall_api = Arc::new(OnchainMock::default()); let state_handler = Arc::new(HandleStateMock::default()); let node_metadata_repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); - let executor = StfExecutor::new(ocall_api.clone(), state_handler.clone(), node_metadata_repo); + let encryption_key_repository = Arc::new(KeyRepositoryMock::new(Aes::default())); + let executor = StfExecutor::new( + ocall_api.clone(), + state_handler.clone(), + node_metadata_repo, + encryption_key_repository, + ); (executor, ocall_api, state_handler) } diff --git a/tee-worker/bitacross/core-primitives/stf-executor/src/mocks.rs b/tee-worker/bitacross/core-primitives/stf-executor/src/mocks.rs index d328a2e24e..96a554501b 100644 --- a/tee-worker/bitacross/core-primitives/stf-executor/src/mocks.rs +++ b/tee-worker/bitacross/core-primitives/stf-executor/src/mocks.rs @@ -59,15 +59,16 @@ impl StfExecutorMock { } } -impl StateUpdateProposer for StfExecutorMock +impl StateUpdateProposer for StfExecutorMock where State: SgxExternalitiesTrait + Encode + Clone, TCS: PartialEq + Encode + Decode + Clone + Debug + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Clone + Debug + Send + Sync, + PH: HeaderTrait, { type Externalities = State; - fn propose_state_update( + fn propose_state_update( &self, trusted_calls: &[TrustedOperation], _header: &PH, @@ -76,7 +77,6 @@ where prepare_state_function: F, ) -> Result> where - PH: HeaderTrait, F: FnOnce(Self::Externalities) -> Self::Externalities, { let mut lock = self.state.write().unwrap(); diff --git a/tee-worker/bitacross/core-primitives/stf-executor/src/traits.rs b/tee-worker/bitacross/core-primitives/stf-executor/src/traits.rs index 62e788141a..3b77b99588 100644 --- a/tee-worker/bitacross/core-primitives/stf-executor/src/traits.rs +++ b/tee-worker/bitacross/core-primitives/stf-executor/src/traits.rs @@ -55,10 +55,11 @@ where } /// Proposes a state update to `Externalities`. -pub trait StateUpdateProposer +pub trait StateUpdateProposer where TCS: PartialEq + Encode + Decode + Debug + Send + Sync, G: PartialEq + Encode + Decode + Debug + Send + Sync, + PH: HeaderTrait, { type Externalities: SgxExternalitiesTrait + Encode; @@ -66,7 +67,7 @@ where /// /// All executed call hashes and the mutated state are returned. /// If the time expires, any remaining trusted calls within the batch will be ignored. - fn propose_state_update( + fn propose_state_update( &self, trusted_calls: &[TrustedOperation], header: &PH, @@ -75,7 +76,6 @@ where prepare_state_function: F, ) -> Result> where - PH: HeaderTrait, F: FnOnce(Self::Externalities) -> Self::Externalities; } diff --git a/tee-worker/bitacross/core/offchain-worker-executor/src/executor.rs b/tee-worker/bitacross/core/offchain-worker-executor/src/executor.rs index 5cf3e778b8..51f9590e12 100644 --- a/tee-worker/bitacross/core/offchain-worker-executor/src/executor.rs +++ b/tee-worker/bitacross/core/offchain-worker-executor/src/executor.rs @@ -30,7 +30,7 @@ use itp_stf_state_handler::{handle_state::HandleState, query_shard_state::QueryS use itp_top_pool_author::traits::AuthorApi; use itp_types::{parentchain::ParentchainCall, OpaqueCall, ShardIdentifier, H256}; use log::*; -use sp_runtime::traits::Block; +use sp_runtime::traits::{Block, Header as HeaderTrait}; use std::{marker::PhantomData, sync::Arc, time::Duration, vec::Vec}; /// Off-chain worker executor implementation. @@ -51,13 +51,14 @@ pub struct Executor< Stf, TCS, G, + PH, > { top_pool_author: Arc, stf_executor: Arc, state_handler: Arc, validator_accessor: Arc, extrinsics_factory: Arc, - _phantom: PhantomData<(ParentchainBlock, Stf, TCS, G)>, + _phantom: PhantomData<(ParentchainBlock, Stf, TCS, G, PH)>, } impl< @@ -70,6 +71,7 @@ impl< Stf, TCS, G, + PH, > Executor< ParentchainBlock, @@ -81,9 +83,10 @@ impl< Stf, TCS, G, + PH, > where - ParentchainBlock: Block, - StfExecutor: StateUpdateProposer, + ParentchainBlock: Block, + StfExecutor: StateUpdateProposer, TopPoolAuthor: AuthorApi, StateHandler: QueryShardState + HandleState, ValidatorAccessor: ValidatorAccess + Send + Sync + 'static, @@ -92,6 +95,7 @@ impl< Stf: SystemPalletEventInterface, TCS: PartialEq + Encode + Decode + Debug + Clone + Send + Sync + TrustedCallVerification, G: PartialEq + Encode + Decode + Debug + Clone + Send + Sync, + PH: HeaderTrait, { pub fn new( top_pool_author: Arc, @@ -186,7 +190,7 @@ impl< fn apply_state_update( &self, shard: &ShardIdentifier, - updated_state: >::Externalities, + updated_state: >::Externalities, ) -> Result<()> { self.state_handler.reset(updated_state, shard)?; Ok(()) diff --git a/tee-worker/bitacross/enclave-runtime/Cargo.lock b/tee-worker/bitacross/enclave-runtime/Cargo.lock index 0062a3972d..35e5242fa7 100644 --- a/tee-worker/bitacross/enclave-runtime/Cargo.lock +++ b/tee-worker/bitacross/enclave-runtime/Cargo.lock @@ -324,6 +324,8 @@ dependencies = [ "hex-literal", "itp-hashing", "itp-node-api", + "itp-ocall-api", + "itp-sgx-crypto", "itp-sgx-externalities", "itp-stf-interface", "itp-stf-primitives", @@ -969,7 +971,7 @@ checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e" [[package]] name = "core-primitives" version = "0.1.0" -source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#ea133d42f915d6e3cbbc51304f534d0b9f42e5d3" +source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#84afa8035ad15a50b57ec9f7d3845d03bc9a426b" dependencies = [ "base58", "frame-support", @@ -980,6 +982,7 @@ dependencies = [ "parity-scale-codec", "scale-info", "sp-core", + "sp-core-hashing", "sp-io", "sp-runtime", "sp-std", @@ -2484,9 +2487,12 @@ version = "0.8.0" dependencies = [ "itp-node-api-metadata", "itp-node-api-metadata-provider", + "itp-ocall-api", + "itp-sgx-crypto", "itp-stf-primitives", "itp-types", "parity-scale-codec", + "sp-runtime", ] [[package]] @@ -2544,6 +2550,7 @@ dependencies = [ "frame-support", "hash-db 0.15.2", "itp-types", + "litentry-hex-utils 0.1.0", "parity-scale-codec", "sgx_tstd", "sp-core", @@ -2764,7 +2771,7 @@ dependencies = [ [[package]] name = "litentry-hex-utils" version = "0.1.0" -source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#ea133d42f915d6e3cbbc51304f534d0b9f42e5d3" +source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#84afa8035ad15a50b57ec9f7d3845d03bc9a426b" dependencies = [ "hex", ] @@ -2776,7 +2783,7 @@ version = "0.1.0" [[package]] name = "litentry-macros" version = "0.1.0" -source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#ea133d42f915d6e3cbbc51304f534d0b9f42e5d3" +source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#84afa8035ad15a50b57ec9f7d3845d03bc9a426b" [[package]] name = "litentry-primitives" @@ -2815,7 +2822,7 @@ dependencies = [ [[package]] name = "litentry-proc-macros" version = "0.1.0" -source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#ea133d42f915d6e3cbbc51304f534d0b9f42e5d3" +source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#84afa8035ad15a50b57ec9f7d3845d03bc9a426b" dependencies = [ "cargo_toml", "proc-macro2", @@ -3190,7 +3197,7 @@ dependencies = [ [[package]] name = "pallet-teebag" version = "0.1.0" -source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#ea133d42f915d6e3cbbc51304f534d0b9f42e5d3" +source = "git+https://github.com/litentry/litentry-parachain?branch=release-v0.9.19#84afa8035ad15a50b57ec9f7d3845d03bc9a426b" dependencies = [ "base64 0.13.1", "chrono 0.4.31", diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/global_components.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/global_components.rs index 6e60d93af5..cb81f274bc 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/global_components.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/global_components.rs @@ -85,7 +85,10 @@ use itp_top_pool_author::{ api::SidechainApi, author::{Author, AuthorTopFilter}, }; -use itp_types::{Block as ParentchainBlock, SignedBlock as SignedParentchainBlock}; +use itp_types::{ + parentchain::Header as ParentchainHeader, Block as ParentchainBlock, + SignedBlock as SignedParentchainBlock, +}; use lazy_static::lazy_static; use sgx_crypto_helper::rsa3072::Rsa3072KeyPair; use sgx_tstd::vec::Vec; @@ -122,6 +125,8 @@ pub type EnclaveStfExecutor = StfExecutor< EnclaveStf, EnclaveTrustedCallSigned, EnclaveGetter, + ParentchainHeader, + EnclaveStateKeyRepository, // TODO: use new aes256 key repository when available >; pub type EnclaveStfEnclaveSigner = StfEnclaveSigner< EnclaveOCallApi, @@ -328,6 +333,7 @@ pub type EnclaveOffchainWorkerExecutor = itc_offchain_worker_executor::executor: EnclaveStf, EnclaveTrustedCallSigned, EnclaveGetter, + ParentchainHeader, >; // Base component instances diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs index f0cc06a94b..608a48088e 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_parachain.rs @@ -19,12 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, IntegriteeParentchainBlockImportDispatcher, GLOBAL_INTEGRITEE_PARENTCHAIN_LIGHT_CLIENT_SEAL, - GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, GLOBAL_OCALL_API_COMPONENT, + GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, + GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository }, parentchain::common::{ create_extrinsics_factory, create_integritee_offchain_immediate_import_dispatcher, @@ -78,10 +83,13 @@ impl IntegriteeParachainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_integritee_parentchain_block_importer( diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs index ee5697967f..88c9d7d4d0 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/integritee_solochain.rs @@ -19,12 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, IntegriteeParentchainBlockImportDispatcher, GLOBAL_INTEGRITEE_PARENTCHAIN_LIGHT_CLIENT_SEAL, - GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, GLOBAL_OCALL_API_COMPONENT, + GLOBAL_INTEGRITEE_PARENTCHAIN_NONCE_CACHE, + GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository }, parentchain::common::{ create_extrinsics_factory, create_integritee_offchain_immediate_import_dispatcher, @@ -77,10 +82,13 @@ impl IntegriteeSolochainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_integritee_parentchain_block_importer( diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs index 32de87cfba..99e25d1b26 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_parachain.rs @@ -25,10 +25,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetAParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetAParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_target_a_offchain_immediate_import_dispatcher, @@ -82,10 +89,13 @@ impl TargetAParachainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_a_parentchain_block_importer( diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs index bd76a450f6..3ad0f870a0 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_a_solochain.rs @@ -19,10 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetAParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetAParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_A_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_A_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_target_a_offchain_immediate_import_dispatcher, @@ -75,10 +82,13 @@ impl TargetASolochainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_a_parentchain_block_importer( diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs index 221a37b0c0..8e1962ca55 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_parachain.rs @@ -25,10 +25,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetBParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetBParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_target_b_offchain_immediate_import_dispatcher, @@ -82,10 +89,13 @@ impl TargetBParachainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_b_parentchain_block_importer( diff --git a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs index 0953d15779..2b13e07d9b 100644 --- a/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs +++ b/tee-worker/bitacross/enclave-runtime/src/initialization/parentchain/target_b_solochain.rs @@ -19,10 +19,17 @@ use crate::{ error::Result, initialization::{ global_components::{ - EnclaveExtrinsicsFactory, EnclaveNodeMetadataRepository, EnclaveOCallApi, - EnclaveStfExecutor, EnclaveValidatorAccessor, TargetBParentchainBlockImportDispatcher, - GLOBAL_OCALL_API_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, + EnclaveExtrinsicsFactory, + EnclaveNodeMetadataRepository, + EnclaveOCallApi, + EnclaveStfExecutor, + EnclaveValidatorAccessor, + TargetBParentchainBlockImportDispatcher, + GLOBAL_OCALL_API_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, // TODO: use global for aes256 key repository + GLOBAL_TARGET_B_PARENTCHAIN_LIGHT_CLIENT_SEAL, + GLOBAL_TARGET_B_PARENTCHAIN_NONCE_CACHE, }, parentchain::common::{ create_extrinsics_factory, create_target_b_offchain_immediate_import_dispatcher, @@ -75,10 +82,13 @@ impl TargetBSolochainHandler { node_metadata_repository.clone(), )?; + let on_chain_encryption_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; + let stf_executor = Arc::new(EnclaveStfExecutor::new( ocall_api, state_handler, node_metadata_repository.clone(), + on_chain_encryption_key_repository, )); let block_importer = create_target_b_parentchain_block_importer( diff --git a/tee-worker/bitacross/enclave-runtime/src/test/enclave_signer_tests.rs b/tee-worker/bitacross/enclave-runtime/src/test/enclave_signer_tests.rs index b76af97d4a..6198befd7a 100644 --- a/tee-worker/bitacross/enclave-runtime/src/test/enclave_signer_tests.rs +++ b/tee-worker/bitacross/enclave-runtime/src/test/enclave_signer_tests.rs @@ -20,7 +20,10 @@ use ita_stf::{Getter, Stf, TrustedCall, TrustedCallSigned}; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; use itp_ocall_api::EnclaveAttestationOCallApi; use itp_sgx_crypto::{ - ed25519_derivation::DeriveEd25519, key_repository::AccessKey, mocks::KeyRepositoryMock, + ed25519_derivation::DeriveEd25519, + key_repository::AccessKey, + mocks::KeyRepositoryMock, + Aes, // TODO: use Aes256 when available }; use itp_sgx_externalities::SgxExternalities; use itp_stf_executor::{enclave_signer::StfEnclaveSigner, traits::StfEnclaveSigning}; @@ -35,14 +38,20 @@ use itp_stf_primitives::{ use itp_stf_state_observer::mock::ObserveStateMock; use itp_test::mock::onchain_mock::OnchainMock; use itp_top_pool_author::{mocks::AuthorApiMock, traits::AuthorApi}; -use itp_types::{parentchain::ParentchainId, RsaRequest}; +use itp_types::{parentchain::ParentchainId, Header, RsaRequest}; use litentry_primitives::Identity; use sgx_crypto_helper::{rsa3072::Rsa3072KeyPair, RsaKeyPair}; use sp_core::Pair; +use sp_runtime::traits::Header as HeaderTrait; use std::{sync::Arc, vec::Vec}; type ShieldingKeyRepositoryMock = KeyRepositoryMock; type TestStf = Stf; +type OnChainEncryptionKeyRepositoryMock = KeyRepositoryMock; + +pub fn latest_parentchain_header() -> Header { + Header::new(1, Default::default(), Default::default(), [69; 32].into(), Default::default()) +} pub fn derive_key_is_deterministic() { let rsa_key = Rsa3072KeyPair::new().unwrap(); @@ -103,7 +112,7 @@ pub fn nonce_is_computed_correctly() { let shard = ShardIdentifier::default(); let enclave_signer = StfEnclaveSigner::<_, _, _, TestStf, _, TrustedCallSigned, Getter>::new( state_observer, - ocall_api, + ocall_api.clone(), shielding_key_repo, top_pool_author.clone(), ); @@ -149,6 +158,8 @@ pub fn nonce_is_computed_correctly() { assert_eq!(0, TestStf::get_account_nonce(&mut state, &enclave_account)); let repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); + let on_chain_encryption_key_repository = + Arc::new(OnChainEncryptionKeyRepositoryMock::new(Aes::default())); assert!(TestStf::execute_call( &mut state, &shard, @@ -156,6 +167,9 @@ pub fn nonce_is_computed_correctly() { Default::default(), &mut Vec::new(), repo.clone(), + ocall_api.clone(), + &latest_parentchain_header(), + on_chain_encryption_key_repository.clone() ) .is_ok()); @@ -166,6 +180,9 @@ pub fn nonce_is_computed_correctly() { Default::default(), &mut Vec::new(), repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository ) .is_ok()); assert_eq!(2, TestStf::get_account_nonce(&mut state, &enclave_account)); diff --git a/tee-worker/bitacross/enclave-runtime/src/test/fixtures/test_setup.rs b/tee-worker/bitacross/enclave-runtime/src/test/fixtures/test_setup.rs index b9a357eab5..fb594dd696 100644 --- a/tee-worker/bitacross/enclave-runtime/src/test/fixtures/test_setup.rs +++ b/tee-worker/bitacross/enclave-runtime/src/test/fixtures/test_setup.rs @@ -24,7 +24,11 @@ use ita_sgx_runtime::Runtime; use ita_stf::{Getter, State, Stf, TrustedCallSigned}; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; use itp_ocall_api::EnclaveAttestationOCallApi; -use itp_sgx_crypto::{ed25519_derivation::DeriveEd25519, mocks::KeyRepositoryMock}; +use itp_sgx_crypto::{ + ed25519_derivation::DeriveEd25519, + mocks::KeyRepositoryMock, + Aes, // TODO: use Aes256 when available +}; use itp_sgx_externalities::SgxExternalities; use itp_stf_executor::executor::StfExecutor; use itp_stf_primitives::types::{ShardIdentifier, TrustedOperation}; @@ -33,9 +37,10 @@ use itp_test::mock::{ }; use itp_top_pool::{basic_pool::BasicPool, pool::ExtrinsicHash}; use itp_top_pool_author::{api::SidechainApi, author::Author, top_filter::AllowAllTopsFilter}; -use itp_types::{Block, MrEnclave}; +use itp_types::{parentchain::Header as ParentchainHeader, Block, MrEnclave}; use sp_core::{crypto::Pair, ed25519 as spEd25519}; use std::sync::Arc; + pub type TestRpcResponder = RpcResponderMock>>; pub type TestTopPool = BasicPool< SidechainApi, @@ -54,6 +59,8 @@ pub type TestTopPoolAuthor = Author< >; pub type TestStf = Stf; +type TestOnChainEncryptionKeyRepository = KeyRepositoryMock; + pub type TestStfExecutor = StfExecutor< OcallApi, HandleStateMock, @@ -61,6 +68,8 @@ pub type TestStfExecutor = StfExecutor< TestStf, TrustedCallSigned, Getter, + ParentchainHeader, + TestOnChainEncryptionKeyRepository, >; /// Returns all the things that are commonly used in tests and runs @@ -73,6 +82,7 @@ pub fn test_setup() -> ( ShieldingCryptoMock, Arc, Arc, + Arc, ) { let shielding_key = ShieldingCryptoMock::default(); let shielding_key_repo = Arc::new(KeyRepositoryMock::new(shielding_key.clone())); @@ -84,10 +94,13 @@ pub fn test_setup() -> ( let mrenclave = OcallApi.get_mrenclave_of_self().unwrap().m; let node_metadata_repo = Arc::new(NodeMetadataRepository::new(NodeMetadataMock::new())); + let on_chain_encryption_key_repository = KeyRepositoryMock::new(Aes::default()); + let stf_executor = Arc::new(TestStfExecutor::new( Arc::new(OcallApi), state_handler.clone(), node_metadata_repo, + Arc::new(on_chain_encryption_key_repository), )); ( @@ -103,6 +116,7 @@ pub fn test_setup() -> ( shielding_key, state_handler, stf_executor, + Arc::new(OcallApi), ) } diff --git a/tee-worker/bitacross/enclave-runtime/src/test/mocks/types.rs b/tee-worker/bitacross/enclave-runtime/src/test/mocks/types.rs index 1ffe90a2fd..c92a39d3f6 100644 --- a/tee-worker/bitacross/enclave-runtime/src/test/mocks/types.rs +++ b/tee-worker/bitacross/enclave-runtime/src/test/mocks/types.rs @@ -30,7 +30,10 @@ use itp_stf_primitives::types::TrustedOperation; use itp_test::mock::{handle_state_mock::HandleStateMock, onchain_mock::OnchainMock}; use itp_top_pool::basic_pool::BasicPool; use itp_top_pool_author::{api::SidechainApi, author::Author, top_filter::AllowAllTopsFilter}; -use itp_types::{Block as ParentchainBlock, SignedBlock as SignedParentchainBlock}; +use itp_types::{ + parentchain::Header as ParentchainHeader, Block as ParentchainBlock, + SignedBlock as SignedParentchainBlock, +}; use primitive_types::H256; use sgx_crypto_helper::rsa3072::Rsa3072KeyPair; use sp_core::ed25519 as spEd25519; @@ -63,6 +66,8 @@ pub type TestStfExecutor = StfExecutor< TestStf, TrustedCallSigned, Getter, + ParentchainHeader, + TestStateKeyRepo, >; pub type TestRpcResponder = RpcResponderMock; diff --git a/tee-worker/bitacross/enclave-runtime/src/test/tests_main.rs b/tee-worker/bitacross/enclave-runtime/src/test/tests_main.rs index 0e44a1937b..de9ebd3e2c 100644 --- a/tee-worker/bitacross/enclave-runtime/src/test/tests_main.rs +++ b/tee-worker/bitacross/enclave-runtime/src/test/tests_main.rs @@ -36,7 +36,7 @@ use ita_stf::{ Getter, State, TrustedCall, TrustedCallSigned, TrustedGetter, }; use itp_node_api::metadata::{metadata_mocks::NodeMetadataMock, provider::NodeMetadataRepository}; -use itp_sgx_crypto::{Aes, StateCrypto}; +use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes, StateCrypto}; use itp_sgx_externalities::{SgxExternalitiesDiffType, SgxExternalitiesTrait}; use itp_stf_executor::{ executor_tests as stf_executor_tests, traits::StateUpdateProposer, BatchExecutionResult, @@ -279,7 +279,7 @@ fn test_differentiate_getter_and_call_works() { fn test_executing_call_updates_account_nonce() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); let sender = funded_pair(); let receiver = unfunded_public(); @@ -312,7 +312,7 @@ fn test_executing_call_updates_account_nonce() { } fn test_call_set_update_parentchain_block() { - let (_, _, shard, _, _, state_handler, _) = test_setup(); + let (_, _, shard, _, _, state_handler, _, ..) = test_setup(); let (mut state, _) = state_handler.load_cloned(&shard).unwrap(); let block_number = 3; @@ -335,7 +335,7 @@ fn test_call_set_update_parentchain_block() { fn test_signature_must_match_public_sender_in_call() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); // create accounts let sender = funded_pair(); @@ -365,7 +365,7 @@ fn test_signature_must_match_public_sender_in_call() { fn test_invalid_nonce_call_is_not_executed() { // given - let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _, shard, mrenclave, shielding_key, _, stf_executor, ..) = test_setup(); // create accounts let sender = funded_pair(); @@ -395,7 +395,8 @@ fn test_invalid_nonce_call_is_not_executed() { fn test_non_root_shielding_call_is_not_executed() { // given - let (top_pool_author, _state, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _state, shard, mrenclave, shielding_key, _, stf_executor, ..) = + test_setup(); let sender = funded_pair(); let sender_acc: AccountId = sender.public().into(); @@ -424,7 +425,8 @@ fn test_non_root_shielding_call_is_not_executed() { } fn test_shielding_call_with_enclave_self_is_executed() { - let (top_pool_author, _state, shard, mrenclave, shielding_key, _, stf_executor) = test_setup(); + let (top_pool_author, _state, shard, mrenclave, shielding_key, _, stf_executor, ..) = + test_setup(); let sender = funded_pair(); let sender_account: AccountId = sender.public().into(); @@ -459,7 +461,8 @@ fn test_shielding_call_with_enclave_self_is_executed() { pub fn test_retrieve_events() { // given - let (_, mut state, shard, mrenclave, ..) = test_setup(); + let (_, mut state, shard, mrenclave, _shielding_key, _state_handler, _stf_executor, ocall_api) = + test_setup(); let mut opaque_vec = Vec::new(); let sender = funded_pair(); let receiver = unendowed_account(); @@ -476,6 +479,8 @@ pub fn test_retrieve_events() { .sign(&sender.into(), 0, &mrenclave, &shard); let repo = Arc::new(NodeMetadataRepository::::default()); let shard = ShardIdentifier::default(); + let on_chain_encryption_key_repository = + Arc::new(KeyRepositoryMock::::new(Aes::default())); TestStf::execute_call( &mut state, &shard, @@ -483,6 +488,9 @@ pub fn test_retrieve_events() { Default::default(), &mut opaque_vec, repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository, ) .unwrap(); @@ -490,7 +498,8 @@ pub fn test_retrieve_events() { } pub fn test_retrieve_event_count() { - let (_, mut state, shard, mrenclave, ..) = test_setup(); + let (_, mut state, shard, mrenclave, _shielding_key, _state_handler, _stf_executor, ocall_api) = + test_setup(); let mut opaque_vec = Vec::new(); let sender = funded_pair(); let receiver = unendowed_account(); @@ -509,6 +518,8 @@ pub fn test_retrieve_event_count() { // when let repo = Arc::new(NodeMetadataRepository::::default()); let shard = ShardIdentifier::default(); + let on_chain_encryption_key_repository = + Arc::new(KeyRepositoryMock::::new(Aes::default())); TestStf::execute_call( &mut state, &shard, @@ -516,6 +527,9 @@ pub fn test_retrieve_event_count() { Default::default(), &mut opaque_vec, repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository, ) .unwrap(); @@ -524,7 +538,8 @@ pub fn test_retrieve_event_count() { } pub fn test_reset_events() { - let (_, mut state, shard, mrenclave, ..) = test_setup(); + let (_, mut state, shard, mrenclave, _shielding_key, _state_handler, _stf_executor, ocall_api) = + test_setup(); let mut opaque_vec = Vec::new(); let sender = funded_pair(); let receiver = unendowed_account(); @@ -540,6 +555,8 @@ pub fn test_reset_events() { .sign(&sender.into(), 0, &mrenclave, &shard); let repo = Arc::new(NodeMetadataRepository::::default()); let shard = ShardIdentifier::default(); + let on_chain_encryption_key_repository = + Arc::new(KeyRepositoryMock::::new(Aes::default())); TestStf::execute_call( &mut state, &shard, @@ -547,6 +564,9 @@ pub fn test_reset_events() { Default::default(), &mut opaque_vec, repo, + ocall_api, + &latest_parentchain_header(), + on_chain_encryption_key_repository, ) .unwrap(); let receiver_acc_info = TestStf::get_account_data(&mut state, &receiver.public().into());