OmniAccount auth rework (#3431)

Author: silva-fj

common/primitives/core/src/lib.rs

@@ -44,12 +44,22 @@ pub use constants::*;
 pub use litentry_proc_macros::*;
 pub use opaque::*;
 pub use sp_runtime::BoundedVec;
+pub use traits::*;
 pub use types::*;
 
 pub type ParameterString = BoundedVec<u8, ConstU32<64>>;
 
+mod traits {
+    use crate::types;
+
+    pub trait Hashable {
+        fn hash(&self) -> types::Hash;
+    }
+}
+
 /// Common types of parachains.
 mod types {
+    use parity_scale_codec::Encode;
     use sp_core::H256;
     use sp_runtime::{
         traits::{IdentifyAccount, Verify},
@@ -63,6 +73,12 @@ mod types {
     /// to the public key of our transaction signing scheme.
     pub type AccountId = <<Signature as Verify>::Signer as IdentifyAccount>::AccountId;
 
+    impl crate::traits::Hashable for AccountId {
+        fn hash(&self) -> Hash {
+            self.using_encoded(sp_core::hashing::blake2_256).into()
+        }
+    }
+
     /// Signed version of Balance
     pub type Amount = i128;
 

tee-worker/client-api/src/omni/interfaces/omniExecutor/definitions.ts

@@ -42,10 +42,10 @@ export default {
     },
     OmniAuth: {
       _enum: {
-        Web3: "(HeimaMultiSignature)",
+        Web3: "(Identity, HeimaMultiSignature)",
         Email: "(Text, Text)",
-        AuthToken: "(Text)",
-        OAuth2: "(OAuth2Data)",
+        AuthToken: "(Text, Text)",
+        OAuth2: "(Identity, OAuth2Data)",
       },
     },
     OAuth2Data: {

tee-worker/omni-executor/Cargo.lock

@@ -23,6 +23,7 @@ pub fn decode<T: DeserializeOwned>(
 	if skip_exp_check {
 		validation.validate_exp = false;
 	}
+	validation.set_required_spec_claims(&["sub", "typ"]);
 	let decoding_key = DecodingKey::from_rsa_der(public_key);
 	decode_jwt::<T>(token, &decoding_key, &validation).map(|data| data.claims)
 }

tee-worker/omni-executor/executor-crypto/src/jwt.rs

@@ -5,6 +5,7 @@ authors = ['Trust Computing GmbH <info@litentry.com>']
 edition.workspace = true
 
 [dependencies]
+base58 = { workspace = true }
 base64 = { workspace = true }
 bitcoin = { workspace = true, features = ["secp-recovery"] }
 hex = { workspace = true }
@@ -15,7 +16,10 @@ tracing = { workspace = true }
 
 executor-crypto = { workspace = true }
 heima-primitives = { workspace = true }
-sp-core = { workspace = true }
+sp-core = { workspace = true, features = ["serde"] }
+
+[dev-dependencies]
+serde_json = { workspace = true }
 
 [lints]
 workspace = true

tee-worker/omni-executor/executor-primitives/Cargo.toml

@@ -1,36 +1,140 @@
-use crate::{signature::HeimaMultiSignature, OmniAccountAuthType};
+use crate::{signature::HeimaMultiSignature, utils::hex::decode_hex, OmniAccountAuthType};
+use base58::FromBase58;
+use heima_primitives::{Address20, Address32, Address33, Identity, IdentityString};
 use parity_scale_codec::{Decode, Encode};
+use serde::{Deserialize, Serialize};
 
 pub type VerificationCode = String;
+type Email = String;
+type OmniAccount = String;
+type JwtToken = String;
+
+/// A serializable representation of Identity for JSON interchange.
+/// ```json
+/// {
+///  "type": "Email",
+///  "data": "test@test.com"
+/// }
+/// ```
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq)]
+#[serde(tag = "type", content = "data")]
+pub enum IdentitySerde {
+	Twitter(String),
+	Discord(String),
+	Github(String),
+	Substrate(String), // hex-encoded
+	Evm(String),       // hex-encoded
+	Bitcoin(String),   // hex-encoded
+	Solana(String),    // base58-encoded
+	Email(String),
+	Google(String),
+	Pumpx(String),
+}
+
+impl TryFrom<IdentitySerde> for Identity {
+	type Error = &'static str;
+
+	fn try_from(value: IdentitySerde) -> Result<Self, Self::Error> {
+		match value {
+			IdentitySerde::Twitter(handle) => {
+				Ok(Identity::Twitter(IdentityString::new(handle.as_bytes().to_vec())))
+			},
+			IdentitySerde::Discord(handle) => {
+				Ok(Identity::Discord(IdentityString::new(handle.as_bytes().to_vec())))
+			},
+			IdentitySerde::Github(handle) => {
+				Ok(Identity::Github(IdentityString::new(handle.as_bytes().to_vec())))
+			},
+			IdentitySerde::Substrate(hex_address) => {
+				let bytes = decode_hex(&hex_address).map_err(|_| "Invalid hex encoding")?;
+				let address =
+					Address32::try_from(bytes.as_slice()).map_err(|_| "Invalid address")?;
+				Ok(Identity::Substrate(address))
+			},
+			IdentitySerde::Evm(hex_address) => {
+				let bytes = decode_hex(&hex_address).map_err(|_| "Invalid hex encoding")?;
+				let address =
+					Address20::try_from(bytes.as_slice()).map_err(|_| "Invalid address")?;
+				Ok(Identity::Evm(address))
+			},
+			IdentitySerde::Bitcoin(hex_address) => {
+				let bytes = decode_hex(&hex_address).map_err(|_| "Invalid hex encoding")?;
+				let address =
+					Address33::try_from(bytes.as_slice()).map_err(|_| "Invalid address")?;
+				Ok(Identity::Bitcoin(address))
+			},
+			IdentitySerde::Solana(base58_address) => {
+				let address: Address32 = base58_address
+					.from_base58()
+					.map_err(|_| "Invalid base58 encoding")?
+					.as_slice()
+					.try_into()
+					.map_err(|_| "Invalid address")?;
+				Ok(Identity::Solana(address))
+			},
+			IdentitySerde::Email(handle) => {
+				Ok(Identity::Email(IdentityString::new(handle.as_bytes().to_vec())))
+			},
+			IdentitySerde::Google(handle) => {
+				Ok(Identity::Google(IdentityString::new(handle.as_bytes().to_vec())))
+			},
+			IdentitySerde::Pumpx(handle) => {
+				Ok(Identity::Pumpx(IdentityString::new(handle.as_bytes().to_vec())))
+			},
+		}
+	}
+}
 
 #[derive(Encode, Decode, Clone, Debug, PartialEq, Eq)]
 pub enum OmniAuth {
-	Web3(HeimaMultiSignature),
-	Email(String, VerificationCode),
-	AuthToken(String),
-	OAuth2(OAuth2Data),
+	Web3(Identity, HeimaMultiSignature), // (Signer, Signature)
+	Email(Email, VerificationCode),
+	AuthToken(OmniAccount, JwtToken),
+	OAuth2(Identity, OAuth2Data), // (Sender, OAuth2Data)
+}
+
+#[derive(Deserialize)]
+pub enum OmniAuthSerde {
+	Web3(IdentitySerde, HeimaMultiSignature),
+	Email(Email, VerificationCode),
+	AuthToken(OmniAccount, JwtToken),
+	OAuth2(IdentitySerde, OAuth2Data),
 }
 
 impl From<OmniAuth> for OmniAccountAuthType {
 	fn from(value: OmniAuth) -> Self {
 		match value {
-			OmniAuth::Web3(_) => Self::Web3,
+			OmniAuth::Web3(..) => Self::Web3,
 			OmniAuth::Email(..) => Self::Email,
-			OmniAuth::OAuth2(_) => Self::OAuth2,
-			OmniAuth::AuthToken(_) => Self::AuthToken,
+			OmniAuth::OAuth2(..) => Self::OAuth2,
+			OmniAuth::AuthToken(..) => Self::AuthToken,
 		}
 	}
 }
 
-#[derive(Encode, Decode, Clone, Debug, PartialEq, Eq)]
+#[derive(Encode, Decode, Clone, Debug, PartialEq, Eq, Deserialize)]
 pub enum OAuth2Provider {
 	Google,
 }
 
-#[derive(Encode, Decode, Clone, Debug, PartialEq, Eq)]
+#[derive(Encode, Decode, Clone, Debug, PartialEq, Eq, Deserialize)]
 pub struct OAuth2Data {
 	pub provider: OAuth2Provider,
 	pub code: String,
 	pub state: String,
 	pub redirect_uri: String,
 }
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+
+	#[test]
+	fn test_identity_serde() {
+		let json = r#"{"type":"Twitter","data":"handle"}"#;
+		let deserialized: IdentitySerde = serde_json::from_str(json).unwrap();
+		let identity = Identity::try_from(deserialized).unwrap();
+
+		assert_eq!(identity, Identity::Twitter(IdentityString::new(b"handle".to_vec())));
+	}
+}

tee-worker/omni-executor/executor-primitives/src/auth.rs

@@ -26,7 +26,7 @@ pub mod signature;
 pub mod utils;
 pub use heima_primitives::{
 	identity::Address32, omni::*, teebag::DcapQuote, AccountId, BlockNumber, ChainAsset, Hash,
-	Identity, IntentId, MrEnclave, Nonce, ShardIdentifier, Web2IdentityType,
+	Hashable, Identity, IntentId, MrEnclave, Nonce, ShardIdentifier, Web2IdentityType,
 };
 use std::fmt::Debug;
 

tee-worker/omni-executor/executor-primitives/src/lib.rs

@@ -18,6 +18,7 @@ use tracing::log::error;
 #[derive(
 	Encode, Decode, Clone, Debug, PartialEq, Eq, TypeInfo, MaxEncodedLen, Serialize, Deserialize,
 )]
+#[serde(tag = "type", content = "data")]
 pub enum HeimaMultiSignature {
 	/// An Ed25519 signature.
 	#[codec(index = 0)]
@@ -174,6 +175,8 @@ fn evm_eip191_wrap(msg: &[u8]) -> Vec<u8> {
 
 #[cfg(test)]
 mod tests {
+	use crate::utils::hex::hex_encode;
+
 	use super::*;
 	use base64::{engine::general_purpose::STANDARD, Engine};
 
@@ -214,4 +217,23 @@ mod tests {
 			.verify(b"test message", &signer);
 		assert!(result);
 	}
+
+	#[test]
+	fn test_heima_multi_signature_serde() {
+		let raw_signature: [u8; 64] = [
+			62, 25, 148, 186, 53, 137, 248, 174, 149, 187, 225, 24, 186, 48, 24, 109, 100, 27, 149,
+			196, 66, 5, 222, 140, 22, 16, 136, 239, 154, 22, 133, 96, 79, 2, 180, 106, 150, 112,
+			116, 11, 6, 35, 32, 4, 145, 240, 54, 130, 206, 193, 200, 57, 241, 112, 35, 122, 226,
+			97, 174, 231, 221, 13, 98, 2,
+		];
+
+		let hex_signature = hex_encode(raw_signature.as_slice());
+		let json = format!(r#"{{"type":"Ed25519","data":"{}"}}"#, hex_signature);
+		let deserialized: HeimaMultiSignature = serde_json::from_str(&json).unwrap();
+
+		assert_eq!(
+			deserialized,
+			HeimaMultiSignature::Ed25519(ed25519::Signature::from_raw(raw_signature))
+		);
+	}
 }

tee-worker/omni-executor/executor-primitives/src/signature/heima_multi_signature.rs

@@ -292,7 +292,7 @@ async fn main() -> Result<(), ()> {
 			})
 			.expect("Could not serialize shielding public key");
 
-			let mrenclave = perform_attestation(
+			let _ = perform_attestation(
 				parentchain_rpc_client_factory,
 				parentchain_signer,
 				tx_signer.clone(),
@@ -310,7 +310,6 @@ async fn main() -> Result<(), ()> {
 				Arc::new(native_task_sender),
 				pumpx_api,
 				storage_db.clone(),
-				mrenclave,
 				jwt_rsa_private_key,
 			)
 			.await

tee-worker/omni-executor/executor-worker/src/main.rs

@@ -15,8 +15,8 @@ executor-crypto = { workspace = true }
 executor-primitives = { workspace = true }
 
 [dev-dependencies]
-rand = { workspace = true }
 chrono = { workspace = true }
+rand = { workspace = true }
 
 [lints]
 workspace = true