Merge pull request #448 from oasisprotocol/kostko/feature/rofl-manifest-historic-eid

feat(cmd/rofl): Add historic enclave identity support

Author: kostko

build/rofl/manifest.go

@@ -10,11 +10,13 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/github/go-spdx/v2/spdxexp"
 	"gopkg.in/yaml.v3"
 
-	"github.com/github/go-spdx/v2/spdxexp"
+	beacon "github.com/oasisprotocol/oasis-core/go/beacon/api"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
 	"github.com/oasisprotocol/oasis-core/go/common/version"
-
 	"github.com/oasisprotocol/oasis-sdk/client-sdk/go/modules/rofl"
 )
 
@@ -264,7 +266,7 @@ type Deployment struct {
 	// TrustRoot is the optional trust root configuration.
 	TrustRoot *TrustRootConfig `yaml:"trust_root,omitempty" json:"trust_root,omitempty"`
 	// Policy is the ROFL app policy.
-	Policy *rofl.AppAuthPolicy `yaml:"policy,omitempty" json:"policy,omitempty"`
+	Policy *AppAuthPolicy `yaml:"policy,omitempty" json:"policy,omitempty"`
 	// Metadata contains custom metadata.
 	Metadata map[string]string `yaml:"metadata,omitempty" json:"metadata,omitempty"`
 	// Secrets contains encrypted secrets.
@@ -288,6 +290,12 @@ func (d *Deployment) Validate() error {
 	if d.ParaTime == "" {
 		return fmt.Errorf("paratime cannot be empty")
 	}
+	if d.Policy != nil {
+		err := d.Policy.Validate()
+		if err != nil {
+			return fmt.Errorf("bad app policy: %w", err)
+		}
+	}
 	for _, s := range d.Secrets {
 		if err := s.Validate(); err != nil {
 			return fmt.Errorf("bad secret: %w", err)
@@ -307,6 +315,91 @@ func (d *Deployment) HasAppID() bool {
 	return len(d.AppID) > 0
 }
 
+// AppAuthPolicy is the per-application ROFL policy.
+//
+// This is a different type from `rofl.AppAuthPolicy` in order to add extra structure that makes it
+// easier to configure without changing the on-chain representation.
+type AppAuthPolicy struct {
+	// Quotes is a quote policy.
+	Quotes quote.Policy `json:"quotes" yaml:"quotes"`
+	// Enclaves is the set of allowed enclave identities.
+	Enclaves []*EnclaveIdentity `json:"enclaves" yaml:"enclaves"`
+	// Endorsements is the set of allowed endorsements.
+	Endorsements []rofl.AllowedEndorsement `json:"endorsements" yaml:"endorsements"`
+	// Fees is the gas fee payment policy.
+	Fees rofl.FeePolicy `json:"fees" yaml:"fees"`
+	// MaxExpiration is the maximum number of future epochs for which one can register.
+	MaxExpiration beacon.EpochTime `json:"max_expiration" yaml:"max_expiration"`
+}
+
+// Validate validates the policy for correctness.
+func (p *AppAuthPolicy) Validate() error {
+	for idx, ei := range p.Enclaves {
+		if err := ei.Validate(); err != nil {
+			return fmt.Errorf("bad enclave identity %d: %w", idx, err)
+		}
+	}
+	return nil
+}
+
+// AsDescriptor converts the structure into an on-chain policy descriptor.
+func (p *AppAuthPolicy) AsDescriptor() *rofl.AppAuthPolicy {
+	enclaves := make([]sgx.EnclaveIdentity, 0, len(p.Enclaves))
+	for _, ei := range p.Enclaves {
+		enclaves = append(enclaves, ei.ID)
+	}
+
+	return &rofl.AppAuthPolicy{
+		Quotes:        p.Quotes,
+		Enclaves:      enclaves,
+		Endorsements:  p.Endorsements,
+		Fees:          p.Fees,
+		MaxExpiration: p.MaxExpiration,
+	}
+}
+
+// EnclaveIdentity is the cryptographic enclave identity.
+type EnclaveIdentity struct {
+	// ID is the enclave identity.
+	ID sgx.EnclaveIdentity `json:"id" yaml:"id"`
+	// Version is an optional version this enclave identity is for, with an empty value indicating
+	// the latest version.
+	//
+	// This can be used to keep historic versions in the current policy.
+	Version string `json:"version,omitempty" yaml:"version,omitempty"`
+	// Description is an optional description of an enclave identity.
+	Description string `json:"description,omitempty" yaml:"description,omitempty"`
+}
+
+// UnmarshalYAML implements yaml.Unmarshaler.
+func (ei *EnclaveIdentity) UnmarshalYAML(value *yaml.Node) error {
+	switch value.ShortTag() {
+	case "!!str":
+		// Simple mode with just the enclave identity and no other information.
+		ei.Description = ""
+		ei.Version = ""
+		return value.Decode(&ei.ID)
+	default:
+		type enclaveIdentity EnclaveIdentity
+		return value.Decode((*enclaveIdentity)(ei))
+	}
+}
+
+// Validate validates the enclave identity for correctness.
+func (ei *EnclaveIdentity) Validate() error {
+	if len(ei.Version) > 0 {
+		if _, err := version.FromString(ei.Version); err != nil {
+			return fmt.Errorf("malformed version: %w", err)
+		}
+	}
+	return nil
+}
+
+// IsLatest returns true iff the enclave identity is for the latest app version.
+func (ei *EnclaveIdentity) IsLatest() bool {
+	return ei.Version == ""
+}
+
 // Machine is a hosted machine where a ROFL app is deployed.
 type Machine struct {
 	// Provider is the address of the ROFL market provider to deploy to.

cmd/rofl/build/build.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"maps"
 	"os"
+	"slices"
 
 	"github.com/spf13/cobra"
 	flag "github.com/spf13/pflag"
@@ -177,16 +178,20 @@ var (
 				buildEnclaves[id.Enclave] = struct{}{}
 			}
 
-			manifestEnclaves := make(map[sgx.EnclaveIdentity]struct{})
+			allManifestEnclaves := make(map[sgx.EnclaveIdentity]struct{})
+			latestManifestEnclaves := make(map[sgx.EnclaveIdentity]struct{})
 			for _, eid := range deployment.Policy.Enclaves {
-				manifestEnclaves[eid] = struct{}{}
+				if eid.IsLatest() {
+					latestManifestEnclaves[eid.ID] = struct{}{}
+				}
+				allManifestEnclaves[eid.ID] = struct{}{}
 			}
 
 			// Perform verification when requested.
 			if doVerify {
-				showIdentityDiff := func(build, other map[sgx.EnclaveIdentity]struct{}, otherName string) {
-					fmt.Println("Built enclave identities:")
-					for enclaveID := range build {
+				showIdentityDiff := func(this, other map[sgx.EnclaveIdentity]struct{}, thisName, otherName string) {
+					fmt.Printf("%s enclave identities:\n", thisName)
+					for enclaveID := range this {
 						data, _ := enclaveID.MarshalText()
 						fmt.Printf("  - %s\n", string(data))
 					}
@@ -198,13 +203,16 @@ var (
 					}
 				}
 
-				if !maps.Equal(buildEnclaves, manifestEnclaves) {
-					fmt.Println("Built enclave identities DIFFER from manifest enclave identities!")
-					showIdentityDiff(buildEnclaves, manifestEnclaves, "Manifest")
+				if !maps.Equal(buildEnclaves, latestManifestEnclaves) {
+					fmt.Println("Built enclave identities DIFFER from latest manifest enclave identities!")
+					showIdentityDiff(buildEnclaves, latestManifestEnclaves, "Built", "Manifest")
 					cobra.CheckErr(fmt.Errorf("enclave identity verification failed"))
 				}
 
-				fmt.Println("Built enclave identities MATCH manifest enclave identities.")
+				fmt.Println("Built enclave identities MATCH latest manifest enclave identities.")
+				if len(latestManifestEnclaves) != len(allManifestEnclaves) {
+					fmt.Println("NOTE: Non-latest enclave identities present in manifest!")
+				}
 
 				// When not in offline mode, also verify on-chain enclave identities.
 				if !offline {
@@ -213,13 +221,13 @@ var (
 					cfgEnclaves, err = roflCommon.GetRegisteredEnclaves(ctx, deployment.AppID, npa)
 					cobra.CheckErr(err)
 
-					if !maps.Equal(buildEnclaves, cfgEnclaves) {
-						fmt.Println("Built enclave identities DIFFER from on-chain enclave identities!")
-						showIdentityDiff(buildEnclaves, cfgEnclaves, "On-chain")
+					if !maps.Equal(allManifestEnclaves, cfgEnclaves) {
+						fmt.Println("Manifest enclave identities DIFFER from on-chain enclave identities!")
+						showIdentityDiff(allManifestEnclaves, cfgEnclaves, "Manifest", "On-chain")
 						cobra.CheckErr(fmt.Errorf("enclave identity verification failed"))
 					}
 
-					fmt.Println("Built enclave identities MATCH on-chain enclave identities.")
+					fmt.Println("Manifest enclave identities MATCH on-chain enclave identities.")
 				}
 				return
 			}
@@ -232,7 +240,7 @@ var (
 			switch noUpdate {
 			case true:
 				// Ask the user to update the manifest manually (if the manifest has changed).
-				if maps.Equal(buildEnclaves, manifestEnclaves) {
+				if maps.Equal(buildEnclaves, latestManifestEnclaves) {
 					fmt.Println("Built enclave identities already match manifest enclave identities.")
 					break
 				}
@@ -249,9 +257,13 @@ var (
 				}
 			case false:
 				// Update the manifest with the given enclave identities, overwriting existing ones.
-				deployment.Policy.Enclaves = make([]sgx.EnclaveIdentity, 0, len(ids))
+				deployment.Policy.Enclaves = slices.DeleteFunc(deployment.Policy.Enclaves, func(ei *buildRofl.EnclaveIdentity) bool {
+					return ei.IsLatest()
+				})
 				for _, id := range ids {
-					deployment.Policy.Enclaves = append(deployment.Policy.Enclaves, id.Enclave)
+					deployment.Policy.Enclaves = append(deployment.Policy.Enclaves, &buildRofl.EnclaveIdentity{
+						ID: id.Enclave,
+					})
 				}
 
 				if err = manifest.Save(); err != nil {

cmd/rofl/deploy.go

@@ -66,7 +66,7 @@ var (
 
 			manifestEnclaves := make(map[sgx.EnclaveIdentity]struct{})
 			for _, eid := range deployment.Policy.Enclaves {
-				manifestEnclaves[eid] = struct{}{}
+				manifestEnclaves[eid.ID] = struct{}{}
 			}
 
 			cfgEnclaves, err := roflCommon.GetRegisteredEnclaves(ctx, deployment.AppID, npa)

cmd/rofl/mgmt.go

@@ -185,7 +185,7 @@ var (
 					ParaTime: npa.ParaTimeName,
 					Admin:    npa.AccountName,
 					Debug:    debugMode,
-					Policy: &rofl.AppAuthPolicy{
+					Policy: &buildRofl.AppAuthPolicy{
 						Quotes: quote.Policy{
 							PCS: &pcs.QuotePolicy{
 								TCBValidityPeriod:          30,
@@ -217,7 +217,7 @@ var (
 
 			// Prepare transaction.
 			tx := rofl.NewCreateTx(nil, &rofl.Create{
-				Policy:   *deployment.Policy,
+				Policy:   *deployment.Policy.AsDescriptor(),
 				Scheme:   idScheme,
 				Metadata: manifest.GetMetadata(deploymentName),
 			})
@@ -291,7 +291,7 @@ var (
 
 			updateBody := rofl.Update{
 				ID:       appID,
-				Policy:   *deployment.Policy,
+				Policy:   *deployment.Policy.AsDescriptor(),
 				Metadata: manifest.GetMetadata(deploymentName),
 				Secrets:  secrets,
 			}