From e40d7026c54aa8f10f8feca4cf443dfaa6686349 Mon Sep 17 00:00:00 2001 From: Alain Brenzikofer Date: Mon, 7 Aug 2023 20:17:23 +0100 Subject: [PATCH] add proxied field to ias attestation_method too for attesteer rpc --- primitives/teerex/src/lib.rs | 7 +++-- sidechain/src/tests.rs | 2 +- teeracle/src/benchmarking.rs | 4 +-- teeracle/src/tests.rs | 6 ++-- teerex/src/lib.rs | 17 ++++++------ teerex/src/tests/test_cases.rs | 51 ++++++++++++++++++++++------------ 6 files changed, 52 insertions(+), 35 deletions(-) diff --git a/primitives/teerex/src/lib.rs b/primitives/teerex/src/lib.rs index 018ea5a1..d516328a 100644 --- a/primitives/teerex/src/lib.rs +++ b/primitives/teerex/src/lib.rs @@ -42,7 +42,7 @@ impl Default for SgxBuildMode { #[derive(Encode, Decode, Copy, Clone, PartialEq, Eq, sp_core::RuntimeDebug, TypeInfo)] pub enum SgxAttestationMethod { Skip { proxied: bool }, - Ias, + Ias { proxied: bool }, Dcap { proxied: bool }, } @@ -147,7 +147,8 @@ where MultiEnclave::Sgx(enclave) => matches!( enclave.attestation_method, SgxAttestationMethod::Skip { proxied: true } | - SgxAttestationMethod::Dcap { proxied: true } + SgxAttestationMethod::Dcap { proxied: true } | + SgxAttestationMethod::Ias { proxied: true } ), } } @@ -194,7 +195,7 @@ impl SgxEnclave { Ok(p) => match self.attestation_method { SgxAttestationMethod::Dcap { proxied: false } | SgxAttestationMethod::Skip { proxied: false } | - SgxAttestationMethod::Ias => Some(p), + SgxAttestationMethod::Ias { proxied: false } => Some(p), _ => None, }, Err(_) => None, diff --git a/sidechain/src/tests.rs b/sidechain/src/tests.rs index b9d0c9bc..8637a4f0 100644 --- a/sidechain/src/tests.rs +++ b/sidechain/src/tests.rs @@ -379,7 +379,7 @@ fn register_ias_enclave(signer_pub_key: &MrSigner, cert: &[u8]) { RuntimeOrigin::signed(signer.clone()), cert.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, )); assert!(Teerex::::sovereign_enclaves(signer).is_some()); } 
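Review bot: Changing `Ias` from a unit variant to `Ias { proxied: bool }` changes the SCALE encoding that the `Encode`/`Decode` derive on `SgxAttestationMethod` produces, because the variant now carries one extra byte. The diffstat lists no migration or storage-version change. If a deployed chain already stores enclaves registered with `Ias`, or clients still submit the old encoding, those values will presumably fail to decode or decode misaligned. Confirm this against the deployed runtimes and at least record it on the variant, e.g. `/// Encoding changed from a unit variant; values stored before this change need a migration.`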
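Review bot: In the match that ends with `SgxAttestationMethod::Ias { proxied: false } => Some(p)`, all three `proxied: true` cases are now handled only by the wildcard `_ => None`. Returning `None` looks like the conservative result, but a variant added later would fall into the same arm without a compiler error. Listing the cases keeps the decision explicit: `SgxAttestationMethod::Dcap { proxied: true } | SgxAttestationMethod::Skip { proxied: true } | SgxAttestationMethod::Ias { proxied: true } => None,`. The enclosing function starts and ends outside the hunk.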
diff --git a/teeracle/src/benchmarking.rs b/teeracle/src/benchmarking.rs index eb0516ed..1288589a 100644 --- a/teeracle/src/benchmarking.rs +++ b/teeracle/src/benchmarking.rs @@ -49,7 +49,7 @@ benchmarks! { RawOrigin::Signed(signer.clone()).into(), TEST4_SETUP.cert.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, ).unwrap(); let fingerprint = Teerex::::sovereign_enclaves(&signer).unwrap().fingerprint(); Teeracle::::add_to_whitelist(RawOrigin::Root.into(), data_source.clone(), fingerprint).unwrap(); @@ -72,7 +72,7 @@ benchmarks! { RawOrigin::Signed(signer.clone()).into(), TEST4_SETUP.cert.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, ).unwrap(); let fingerprint = Teerex::::sovereign_enclaves(&signer).unwrap().fingerprint(); Teeracle::::add_to_whitelist(RawOrigin::Root.into(), data_source.clone(), fingerprint).unwrap(); diff --git a/teeracle/src/tests.rs b/teeracle/src/tests.rs index f3ca5354..100cae14 100644 --- a/teeracle/src/tests.rs +++ b/teeracle/src/tests.rs @@ -44,7 +44,7 @@ fn register_ias_enclave_and_add_oracle_to_whitelist_ok(src: &str) { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, )); let fingerprint = Teerex::sovereign_enclaves(&signer).unwrap().fingerprint(); assert_ok!(Teeracle::add_to_whitelist(RuntimeOrigin::root(), src.to_owned(), fingerprint)); @@ -228,7 +228,7 @@ fn update_exchange_rate_from_not_whitelisted_oracle_fails() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, )); let rate = U32F32::from_num(43.65); 
@@ -253,7 +253,7 @@ fn update_oracle_from_not_whitelisted_oracle_fails() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, )); assert_noop!( diff --git a/teerex/src/lib.rs b/teerex/src/lib.rs index f66bdac1..20308a0d 100644 --- a/teerex/src/lib.rs +++ b/teerex/src/lib.rs @@ -204,7 +204,7 @@ pub mod pallet { log::debug!(target: TEEREX, "parameter length ok"); let enclave = match attestation_method { - SgxAttestationMethod::Ias => { + SgxAttestationMethod::Ias { proxied } => { let report = sgx_verify::verify_ias_report(&proof) .map_err(|_| >::RemoteAttestationVerificationFailed)?; log::debug!(target: TEEREX, "IAS report successfully verified"); @@ -219,14 +219,15 @@ pub mod pallet { report.build_mode, report.status, ) - .with_attestation_method(SgxAttestationMethod::Ias); - - ensure!( - Ok(sender.clone()) == - T::AccountId::decode(&mut report.report_data.lower32().as_ref()), - >::SenderIsNotAttestedEnclave - ); + .with_attestation_method(SgxAttestationMethod::Ias { proxied }); + if !proxied { + ensure!( + Ok(sender.clone()) == + T::AccountId::decode(&mut report.report_data.lower32().as_ref()), + >::SenderIsNotAttestedEnclave + ); + }; // TODO: activate state checks as soon as we've fixed our setup #83 // ensure!((report.status == SgxStatus::Ok) | (report.status == SgxStatus::ConfigurationNeeded), // "RA status is insufficient"); diff --git a/teerex/src/tests/test_cases.rs b/teerex/src/tests/test_cases.rs index e8b0971e..3456d2a4 100644 --- a/teerex/src/tests/test_cases.rs +++ b/teerex/src/tests/test_cases.rs @@ -333,7 +333,7 @@ fn add_enclave_works() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert!(>::contains_key(&signer)); }) 
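Review bot: In `teerex/src/lib.rs`, with `proxied: true` the `ensure!` that ties `sender` to `report.report_data` is skipped, and `proxied` is bound directly from the caller-supplied `attestation_method` in the `SgxAttestationMethod::Ias { proxied }` arm of the preceding hunk. The submitter alone therefore decides whether the binding is enforced. As far as these lines show, a signed account that did not produce a still-fresh IAS report can register it as a proxied enclave, so whatever consumes proxied entries must authenticate against the key in the report data and never against the registrar. I would state that at the branch, e.g. `// proxied: sender is only the registrar and is NOT bound to the report; verify against report_data`, and drop the stray `;` after the closing brace of the `if`. The match arm continues past the end of the hunk, so later checks are not visible here.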
@@ -349,7 +349,7 @@ fn add_and_remove_enclave_works() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert!(>::contains_key(&signer)); Timestamp::set_timestamp(TEST4_TIMESTAMP + ::get() + 1); @@ -371,7 +371,7 @@ fn add_enclave_without_timestamp_fails() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } ) .is_err()); assert!(!>::contains_key(&signer)); @@ -390,14 +390,14 @@ fn list_enclaves_works() { url: Some(URL.to_vec()), build_mode: SgxBuildMode::Debug, mr_signer: TEST4_MRSIGNER, - attestation_method: SgxAttestationMethod::Ias, + attestation_method: SgxAttestationMethod::Ias { proxied: false }, status: SgxStatus::ConfigurationNeeded, }; assert_ok!(Teerex::register_sgx_enclave( RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias, + SgxAttestationMethod::Ias { proxied: false }, )); assert!(>::contains_key(&signer)); let enclaves = list_sovereign_enclaves(); @@ -415,7 +415,7 @@ fn register_ias_enclave_with_different_signer_fails() { RuntimeOrigin::signed(signer), TEST5_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } ), Error::::SenderIsNotAttestedEnclave ); @@ -432,7 +432,7 @@ fn register_ias_enclave_with_to_old_attestation_report_fails() { RuntimeOrigin::signed(signer), TEST7_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } ), Error::::RemoteAttestationTooOld ); 
@@ -448,11 +448,26 @@ fn register_ias_enclave_with_almost_too_old_report_works() { RuntimeOrigin::signed(signer), TEST7_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); }) } +#[test] +fn register_ias_enclave_proxied_works() { + new_test_ext().execute_with(|| { + Timestamp::set_timestamp(TEST7_TIMESTAMP + TWENTY_FOUR_HOURS - 1); + let signer = get_signer(TEST7_SIGNER_PUB); + assert_ok!(Teerex::register_sgx_enclave( + RuntimeOrigin::signed(signer), + TEST7_CERT.to_vec(), + Some(URL.to_vec()), + SgxAttestationMethod::Ias { proxied: true } + )); + assert_eq!(list_proxied_enclaves().len(), 1); + }) +} + #[test] fn update_enclave_url_works() { new_test_ext().execute_with(|| { @@ -467,7 +482,7 @@ fn update_enclave_url_works() { url: None, build_mode: SgxBuildMode::Debug, mr_signer: TEST4_MRSIGNER, - attestation_method: SgxAttestationMethod::Ias, + attestation_method: SgxAttestationMethod::Ias { proxied: false }, status: SgxStatus::ConfigurationNeeded, }; @@ -475,7 +490,7 @@ fn update_enclave_url_works() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert_eq!(Teerex::sovereign_enclaves(&signer).unwrap().instance_url(), Some(URL.to_vec())); @@ -483,7 +498,7 @@ fn update_enclave_url_works() { RuntimeOrigin::signed(signer.clone()), TEST4_CERT.to_vec(), Some(url2.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert_eq!( Teerex::sovereign_enclaves(&signer).unwrap().instance_url(), @@ -504,7 +519,7 @@ fn debug_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() { url: Some(URL.to_vec()), build_mode: SgxBuildMode::Debug, mr_signer: TEST4_MRSIGNER, - attestation_method: SgxAttestationMethod::Ias, + attestation_method: SgxAttestationMethod::Ias { proxied: false }, status: SgxStatus::ConfigurationNeeded, }; 
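Review bot: `register_ias_enclave_proxied_works` signs with `get_signer(TEST7_SIGNER_PUB)` and submits `TEST7_CERT`, the same pair that `register_ias_enclave_with_almost_too_old_report_works` registers successfully with `proxied: false`. The new test would therefore also pass if the `if !proxied` guard were missing, and it never exercises the case the flag exists for. Register with a signer other than the one embedded in the certificate, and also assert that the entry did not land among the sovereign enclaves: `assert_eq!(list_sovereign_enclaves().len(), 0);`. A companion case that sends the same mismatched signer with `proxied: false` and expects `SenderIsNotAttestedEnclave` would pin both sides of the branch.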
@@ -513,7 +528,7 @@ fn debug_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() { RuntimeOrigin::signed(signer4.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert!(>::contains_key(&signer4)); let enclaves = list_sovereign_enclaves(); @@ -534,7 +549,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() { url: Some(URL.to_vec()), build_mode: SgxBuildMode::Production, mr_signer: TEST8_MRSIGNER, - attestation_method: SgxAttestationMethod::Ias, + attestation_method: SgxAttestationMethod::Ias { proxied: false }, status: SgxStatus::Invalid, }; @@ -543,7 +558,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() { RuntimeOrigin::signed(signer8.clone()), TEST8_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert!(>::contains_key(&signer8)); let enclaves = list_sovereign_enclaves(); @@ -563,7 +578,7 @@ fn debug_mode_enclave_attest_fails_when_sgx_debug_mode_not_allowed() { RuntimeOrigin::signed(signer4.clone()), TEST4_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } ), Error::::SgxModeNotAllowed ); @@ -582,7 +597,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_not_allowed() { url: Some(URL.to_vec()), build_mode: SgxBuildMode::Production, mr_signer: TEST8_MRSIGNER, - attestation_method: SgxAttestationMethod::Ias, + attestation_method: SgxAttestationMethod::Ias { proxied: false }, status: SgxStatus::Invalid, }; @@ -591,7 +606,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_not_allowed() { RuntimeOrigin::signed(signer8.clone()), TEST8_CERT.to_vec(), Some(URL.to_vec()), - SgxAttestationMethod::Ias + SgxAttestationMethod::Ias { proxied: false } )); assert!(>::contains_key(&signer8)); let enclaves = list_sovereign_enclaves();