
Commit efbc5bc

committed
go: Validate attestation against per role policies prior early
1 parent 8ef5d63 commit efbc5bc

7 files changed

Lines changed: 48 additions & 14 deletions


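--- a/go/oasis-node/cmd/node/node.go
+++ b/go/oasis-node/cmd/node/node.go
@@ -11,6 +11,7 @@ import (
 "github.com/oasisprotocol/oasis-core/go/common/grpc"
 "github.com/oasisprotocol/oasis-core/go/common/identity"
 "github.com/oasisprotocol/oasis-core/go/common/logging"
+"github.com/oasisprotocol/oasis-core/go/common/node"
 "github.com/oasisprotocol/oasis-core/go/common/persistent"
 "github.com/oasisprotocol/oasis-core/go/common/version"
 "github.com/oasisprotocol/oasis-core/go/config"
@@ -205,12 +206,29 @@ func (n *Node) initRuntimeWorkers(genesisDoc *genesisAPI.Document) error {
 }
 n.svcMgr.Register(n.RuntimeRegistry)
 
+// Determine runtime role.
+runtimeRoles := node.RoleEmpty
+switch config.GlobalConfig.Mode {
+case config.ModeCompute:
+runtimeRoles = node.RoleComputeWorker
+case config.ModeKeyManager:
+runtimeRoles = node.RoleKeyManager
+case config.ModeClient, config.ModeStatelessClient:
+if config.GlobalConfig.Registration.Entity != "" || config.GlobalConfig.Registration.EntityID != "" {
+runtimeRoles |= node.RoleObserver
+}
+if config.GlobalConfig.Storage.PublicRPCEnabled {
+runtimeRoles |= node.RoleStorageRPC
+}
+}
+
 // Initialize the common worker.
 n.CommonWorker, err = workerCommon.New(
 n,
 n.dataDir,
 n.chainContext,
 n.Identity,
+runtimeRoles,
 n.Consensus,
 n.LightService,
 n.P2P,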
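Review bot: The role mask built in the added switch is a second, config-derived copy of the roles the node registers with, and nothing in this hunk ties it to the registration path. If the two ever disagree, the quote policy selected locally would presumably differ from the one applied when the node registers. The switch also has no `default`, so every mode not listed silently keeps `node.RoleEmpty`. I would say so in the comment, e.g. `// Determine runtime roles; these must match the roles the node registers with, since they select the per-role quote policy. Unlisted modes keep RoleEmpty.`, and derive the mask from the same helper the registration code uses if one exists. initRuntimeWorkers starts and ends outside the hunk.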

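--- a/go/runtime/host/host.go
+++ b/go/runtime/host/host.go
@@ -22,6 +22,10 @@ type Config struct {
 // ID is the runtime identifier.
 ID common.Namespace
 
+// RuntimeRoles is the runtime role mask the node will register RONL component with.
+// In case of ROFL only nodes (no registration) this is expected to be empty role.
+RuntimeRoles node.RolesMask
+
 // Component is the component that should be provisioned.
 Component *bundle.ExplodedComponent
 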
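Review bot: The comment on `RuntimeRoles` says what the mask is but not what it controls. In this commit the field feeds `sc.PolicyFor(cfg.RuntimeRoles)` in go/runtime/host/sgx/common/common.go, so it decides which SGX quote policy the attestation is checked against. A caller that builds `host.Config` without setting the field gets the zero value (presumably `node.RoleEmpty`) and therefore the empty-role policy, with no error. Suggested wording: `// RuntimeRoles is the role mask the node registers the RONL component with; it selects the per-role SGX quote policy.` followed by `// ROFL-only nodes (no registration) leave it empty.` The Config struct continues outside the hunk.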

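--- a/go/runtime/host/sgx/common/common.go
+++ b/go/runtime/host/sgx/common/common.go
@@ -48,7 +48,7 @@ func GetQuotePolicy(
 return nil, fmt.Errorf("malformed runtime SGX constraints: %w", err)
 }
 
-return sc.Policy, nil
+return sc.PolicyFor(cfg.RuntimeRoles), nil
 }
 return fallbackPolicy, nil
 case component.ROFL: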
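Review bot: The value of `sc.PolicyFor(cfg.RuntimeRoles)` is returned as is, so what happens for a mask with no matching per-role policy is decided entirely inside PolicyFor, which is not shown on this page. The masks reaching this line include `node.RoleEmpty` and the combined `RoleObserver|RoleStorageRPC` built in go/oasis-node/cmd/node/node.go. If PolicyFor can return nil for those, the caller gets a nil policy with a nil error where the old code returned `sc.Policy`. I would either guard it with `if p := sc.PolicyFor(cfg.RuntimeRoles); p != nil { return p, nil }` followed by `return sc.Policy, nil`, or state the fallback contract in a comment on this line and cover the empty and multi-role masks in a test. GetQuotePolicy starts and ends outside the hunk.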

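--- a/go/runtime/registry/host.go
+++ b/go/runtime/registry/host.go
@@ -21,25 +21,27 @@ type RuntimeHostNode struct {
 
 host *composite.Host
 
-runtime Runtime
-provisioner host.Provisioner
-handler host.RuntimeHandler
-logManager *log.Manager
+runtime Runtime
+runtimeRoles node.RolesMask
+provisioner host.Provisioner
+handler host.RuntimeHandler
+logManager *log.Manager
 
 rofls map[component.ID]version.Version
 }
 
 // NewRuntimeHostNode creates a new runtime host node.
-func NewRuntimeHostNode(runtime Runtime, provisioner host.Provisioner, handler host.RuntimeHandler, logManager *log.Manager) (*RuntimeHostNode, error) {
+func NewRuntimeHostNode(runtime Runtime, runtimeRoles node.RolesMask, provisioner host.Provisioner, handler host.RuntimeHandler, logManager *log.Manager) (*RuntimeHostNode, error) {
 h := composite.NewHost(runtime.ID())
 
 return &RuntimeHostNode{
-host: h,
-logManager: logManager,
-runtime: runtime,
-handler: handler,
-provisioner: provisioner,
-rofls: make(map[component.ID]version.Version),
+host: h,
+logManager: logManager,
+runtime: runtime,
+runtimeRoles: runtimeRoles,
+handler: handler,
+provisioner: provisioner,
+rofls: make(map[component.ID]version.Version),
 }, nil
 }
 
@@ -67,6 +69,7 @@ func (n *RuntimeHostNode) ProvisionHostedRuntimeComponent(comp *bundle.ExplodedC
 
 cfg := host.Config{
 ID: n.runtime.ID(),
+RuntimeRoles: n.runtimeRoles,
 Component: comp,
 MessageHandler: handler,
 LocalConfig: getLocalConfig(n.runtime.ID(), comp.ID()),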

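--- a/go/worker/common/committee/node.go
+++ b/go/worker/common/committee/node.go
@@ -11,6 +11,7 @@ import (
 beacon "github.com/oasisprotocol/oasis-core/go/beacon/api"
 "github.com/oasisprotocol/oasis-core/go/common/identity"
 "github.com/oasisprotocol/oasis-core/go/common/logging"
+"github.com/oasisprotocol/oasis-core/go/common/node"
 "github.com/oasisprotocol/oasis-core/go/common/service"
 "github.com/oasisprotocol/oasis-core/go/common/version"
 "github.com/oasisprotocol/oasis-core/go/config"
@@ -59,6 +60,7 @@ type Node struct {
 HostNode control.NodeController
 
 Identity *identity.Identity
+RuntimeRoles node.RolesMask
 KeyManager keymanager.Backend
 KeyManagerClient *KeyManagerClientWrapper
 Consensus consensus.Service
@@ -637,6 +639,7 @@ func NewNode(
 provisioner host.Provisioner,
 rtRegistry runtimeRegistry.Registry,
 identity *identity.Identity,
+runtimeRoles node.RolesMask,
 keymanager keymanager.Backend,
 consensus consensus.Service,
 lightProvider consensus.LightProvider,
@@ -664,6 +667,7 @@ func NewNode(
 Runtime: runtime,
 RuntimeRegistry: rtRegistry,
 Identity: identity,
+RuntimeRoles: runtimeRoles,
 KeyManager: keymanager,
 Consensus: consensus,
 LightProvider: lightProvider,
@@ -686,7 +690,7 @@ func NewNode(
 handler := runtimeRegistry.NewRuntimeHostHandler(&nodeEnvironment{n}, n.Runtime, consensus)
 
 // Prepare the runtime host node helpers.
-rhn, err := runtimeRegistry.NewRuntimeHostNode(runtime, provisioner, handler, rtRegistry.GetLogManager())
+rhn, err := runtimeRegistry.NewRuntimeHostNode(runtime, runtimeRoles, provisioner, handler, rtRegistry.GetLogManager())
 if err != nil {
 return nil, err
 }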

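--- a/go/worker/common/worker.go
+++ b/go/worker/common/worker.go
@@ -6,6 +6,7 @@ import (
 "github.com/oasisprotocol/oasis-core/go/common"
 "github.com/oasisprotocol/oasis-core/go/common/identity"
 "github.com/oasisprotocol/oasis-core/go/common/logging"
+"github.com/oasisprotocol/oasis-core/go/common/node"
 "github.com/oasisprotocol/oasis-core/go/config"
 consensus "github.com/oasisprotocol/oasis-core/go/consensus/api"
 control "github.com/oasisprotocol/oasis-core/go/control/api"
@@ -25,6 +26,7 @@ type Worker struct {
 DataDir string
 ChainContext string
 Identity *identity.Identity
+runtimeRoles node.RolesMask
 Consensus consensus.Service
 LightProvider consensus.LightProvider
 P2P p2p.Service
@@ -161,6 +163,7 @@ func (w *Worker) registerRuntime(runtime runtimeRegistry.Runtime) error {
 w.Provisioner,
 w.RuntimeRegistry,
 w.Identity,
+w.runtimeRoles,
 w.KeyManager,
 w.Consensus,
 w.LightProvider,
@@ -185,6 +188,7 @@ func New(
 dataDir string,
 chainContext string,
 identity *identity.Identity,
+runtimeRoles node.RolesMask,
 consensus consensus.Service,
 lightProvider consensus.LightProvider,
 p2p p2p.Service,
@@ -215,6 +219,7 @@ func New(
 DataDir: dataDir,
 ChainContext: chainContext,
 Identity: identity,
+runtimeRoles: runtimeRoles,
 Consensus: consensus,
 LightProvider: lightProvider,
 P2P: p2p,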

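--- a/go/worker/keymanager/init.go
+++ b/go/worker/keymanager/init.go
@@ -82,7 +82,7 @@ func New(
 handler := runtimeRegistry.NewRuntimeHostHandler(&workerEnvironment{w}, w.runtime, w.commonWorker.Consensus)
 
 // Prepare the runtime host node helpers.
-w.RuntimeHostNode, err = runtimeRegistry.NewRuntimeHostNode(w.runtime, provisioner, handler, w.commonWorker.RuntimeRegistry.GetLogManager())
+w.RuntimeHostNode, err = runtimeRegistry.NewRuntimeHostNode(w.runtime, node.RoleKeyManager, provisioner, handler, w.commonWorker.RuntimeRegistry.GetLogManager())
 if err != nil {
 return nil, fmt.Errorf("worker/keymanager: failed to create runtime host helpers: %w", err)
 }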
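Review bot: `node.RoleKeyManager` is hard-coded in this call, while go/oasis-node/cmd/node/node.go derives the same role from `config.ModeKeyManager` for the common worker, so the role used for quote policy selection now has two sources. The two agree when the node runs in key manager mode. The literal is the likely reason the key manager runtime is still attested against the key manager policy in any other mode, and that intent is not written down. A one-line comment would record it, e.g. `// The key manager runtime is always hosted with the key manager role, independent of the node mode.` New starts and ends outside the hunk.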
