Deprecate ScheduledEnclave and introduce AuthorizedEnclave (#2856)

* add AuthorizedEnclave

* adjust tests

* remove old scheduled enclave

* bump version

* remove indirect call

.github/workflows/ci.yml

@@ -646,7 +646,6 @@ jobs:
           - test_name: lit-dr-vc-test
           - test_name: lit-parentchain-nonce
           - test_name: lit-test-failed-parentchain-extrinsic
-          - test_name: lit-scheduled-enclave-test
           - test_name: lit-twitter-identity-test
           - test_name: lit-discord-identity-test
     steps:
@@ -732,7 +731,6 @@ jobs:
           - test_name: lit-di-vc-multiworker-test
           - test_name: lit-dr-vc-multiworker-test
           - test_name: lit-resume-worker
-          - test_name: lit-scheduled-enclave-multiworker-test
     steps:
       - uses: actions/checkout@v4
 

bitacross-worker/app-libs/parentchain-interface/Cargo.toml

@@ -35,7 +35,6 @@ sp-runtime = { default-features = false, git = "https://github.com/paritytech/su
 bc-enclave-registry = { path = "../../bitacross/core/bc-enclave-registry", default-features = false }
 bc-relayer-registry = { path = "../../bitacross/core/bc-relayer-registry", default-features = false }
 bc-signer-registry = { path = "../../bitacross/core/bc-signer-registry", default-features = false }
-lc-scheduled-enclave = { path = "../../litentry/core/scheduled-enclave", default-features = false, optional = true }
 litentry-hex-utils = { path = "../../../primitives/hex", default-features = false }
 litentry-primitives = { path = "../../litentry/primitives", default-features = false }
 sp-std = { default-features = false, git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.42" }
@@ -73,7 +72,6 @@ std = [
     "sp-runtime/std",
     "substrate-api-client",
     "litentry-primitives/std",
-    "lc-scheduled-enclave/std",
     "sp-std/std",
     "bc-enclave-registry/std",
     "bc-relayer-registry/std",
@@ -88,7 +86,6 @@ sgx = [
     "itp-stf-executor/sgx",
     "itp-top-pool-author/sgx",
     "litentry-primitives/sgx",
-    "lc-scheduled-enclave/sgx",
     "bc-enclave-registry/sgx",
     "bc-relayer-registry/sgx",
     "bc-signer-registry/sgx",

bitacross-worker/app-libs/parentchain-interface/src/integritee/event_filter.rs

@@ -23,8 +23,8 @@ use itp_node_api::api_client::StaticEvent;
 use itp_types::{
 	parentchain::{
 		events::{
-			BalanceTransfer, BtcWalletGenerated, EnclaveAdded, EnclaveRemoved, RelayerAdded,
-			RelayerRemoved, ScheduledEnclaveRemoved, ScheduledEnclaveSet,
+			BalanceTransfer, BtcWalletGenerated, EnclaveAdded, EnclaveRemoved, EnclaveUnauthorized,
+			RelayerAdded, RelayerRemoved,
 		},
 		FilterEvents,
 	},
@@ -72,13 +72,7 @@ impl FilterEvents for FilterableEvents {
 		self.filter()
 	}
 
-	fn get_scheduled_enclave_removed_events(
-		&self,
-	) -> Result<Vec<ScheduledEnclaveRemoved>, Self::Error> {
-		self.filter()
-	}
-
-	fn get_scheduled_enclave_set_events(&self) -> Result<Vec<ScheduledEnclaveSet>, Self::Error> {
+	fn get_enclave_unauthorized_events(&self) -> Result<Vec<EnclaveUnauthorized>, Self::Error> {
 		self.filter()
 	}
 

bitacross-worker/app-libs/parentchain-interface/src/integritee/event_handler.rs

@@ -27,10 +27,9 @@ use itc_parentchain_indirect_calls_executor::error::Error;
 use itp_stf_primitives::traits::IndirectExecutor;
 use itp_types::{
 	parentchain::{FilterEvents, HandleParentchainEvents, ParentchainEventProcessingError},
-	MrEnclave, WorkerType,
+	WorkerType,
 };
-use lc_scheduled_enclave::{ScheduledEnclaveUpdater, GLOBAL_SCHEDULED_ENCLAVE};
-use litentry_primitives::{Address32, Identity, SidechainBlockNumber};
+use litentry_primitives::{Address32, Identity};
 use log::*;
 use sp_core::{blake2_256, H256};
 use sp_std::vec::Vec;
@@ -39,33 +38,6 @@ use std::string::ToString;
 pub struct ParentchainEventHandler {}
 
 impl ParentchainEventHandler {
-	fn set_scheduled_enclave(
-		worker_type: WorkerType,
-		sbn: SidechainBlockNumber,
-		mrenclave: MrEnclave,
-	) -> Result<(), Error> {
-		if worker_type != WorkerType::BitAcross {
-			warn!("Ignore SetScheduledEnclave due to wrong worker_type");
-			return Ok(())
-		}
-		GLOBAL_SCHEDULED_ENCLAVE.update(sbn, mrenclave)?;
-
-		Ok(())
-	}
-
-	fn remove_scheduled_enclave(
-		worker_type: WorkerType,
-		sbn: SidechainBlockNumber,
-	) -> Result<(), Error> {
-		if worker_type != WorkerType::BitAcross {
-			warn!("Ignore RemoveScheduledEnclave due to wrong worker_type");
-			return Ok(())
-		}
-		GLOBAL_SCHEDULED_ENCLAVE.remove(sbn)?;
-
-		Ok(())
-	}
-
 	fn add_relayer(relayer_registry: &RelayerRegistry, account: Identity) -> Result<(), Error> {
 		info!("Adding Relayer Account to Registry: {:?}", account);
 		relayer_registry.update(account).map_err(|e| {
@@ -158,41 +130,6 @@ where
 	fn handle_events(executor: &Executor, events: impl FilterEvents) -> Result<Vec<H256>, Error> {
 		let mut handled_events: Vec<H256> = Vec::new();
 
-		if let Ok(events) = events.get_scheduled_enclave_set_events() {
-			debug!("Handling ScheduledEnclaveSet events");
-			events
-				.iter()
-				.try_for_each(|event| {
-					debug!("found ScheduledEnclaveSet event: {:?}", event);
-					let result = Self::set_scheduled_enclave(
-						event.worker_type,
-						event.sidechain_block_number,
-						event.mrenclave,
-					);
-					handled_events.push(hash_of(&event));
-
-					result
-				})
-				.map_err(|_| ParentchainEventProcessingError::ScheduledEnclaveSetFailure)?;
-		}
-
-		if let Ok(events) = events.get_scheduled_enclave_removed_events() {
-			debug!("Handling ScheduledEnclaveRemoved events");
-			events
-				.iter()
-				.try_for_each(|event| {
-					debug!("found ScheduledEnclaveRemoved event: {:?}", event);
-					let result = Self::remove_scheduled_enclave(
-						event.worker_type,
-						event.sidechain_block_number,
-					);
-					handled_events.push(hash_of(&event));
-
-					result
-				})
-				.map_err(|_| ParentchainEventProcessingError::ScheduledEnclaveRemovedFailure)?;
-		}
-
 		if let Ok(events) = events.get_relayer_added_events() {
 			debug!("Handling RelayerAdded events");
 			let relayer_registry = executor.get_relayer_registry_updater();

bitacross-worker/app-libs/parentchain-interface/src/target_a/event_filter.rs

@@ -22,8 +22,8 @@ use itp_node_api::api_client::StaticEvent;
 use itp_types::{
 	parentchain::{
 		events::{
-			BalanceTransfer, BtcWalletGenerated, EnclaveAdded, EnclaveRemoved, RelayerAdded,
-			RelayerRemoved, ScheduledEnclaveRemoved, ScheduledEnclaveSet,
+			BalanceTransfer, BtcWalletGenerated, EnclaveAdded, EnclaveRemoved, EnclaveUnauthorized,
+			RelayerAdded, RelayerRemoved,
 		},
 		FilterEvents,
 	},
@@ -70,13 +70,7 @@ impl FilterEvents for FilterableEvents {
 		self.filter()
 	}
 
-	fn get_scheduled_enclave_removed_events(
-		&self,
-	) -> Result<Vec<ScheduledEnclaveRemoved>, Self::Error> {
-		self.filter()
-	}
-
-	fn get_scheduled_enclave_set_events(&self) -> Result<Vec<ScheduledEnclaveSet>, Self::Error> {
+	fn get_enclave_unauthorized_events(&self) -> Result<Vec<EnclaveUnauthorized>, Self::Error> {
 		self.filter()
 	}
 

bitacross-worker/app-libs/parentchain-interface/src/target_b/event_filter.rs

@@ -22,8 +22,8 @@ use itp_node_api::api_client::StaticEvent;
 use itp_types::{
 	parentchain::{
 		events::{
-			BalanceTransfer, BtcWalletGenerated, EnclaveAdded, EnclaveRemoved, RelayerAdded,
-			RelayerRemoved, ScheduledEnclaveRemoved, ScheduledEnclaveSet,
+			BalanceTransfer, BtcWalletGenerated, EnclaveAdded, EnclaveRemoved, EnclaveUnauthorized,
+			RelayerAdded, RelayerRemoved,
 		},
 		FilterEvents,
 	},
@@ -70,13 +70,7 @@ impl FilterEvents for FilterableEvents {
 		self.filter()
 	}
 
-	fn get_scheduled_enclave_removed_events(
-		&self,
-	) -> Result<Vec<ScheduledEnclaveRemoved>, Self::Error> {
-		self.filter()
-	}
-
-	fn get_scheduled_enclave_set_events(&self) -> Result<Vec<ScheduledEnclaveSet>, Self::Error> {
+	fn get_enclave_unauthorized_events(&self) -> Result<Vec<EnclaveUnauthorized>, Self::Error> {
 		self.filter()
 	}
 

bitacross-worker/app-libs/sgx-runtime/src/lib.rs

@@ -121,7 +121,7 @@ pub const VERSION: RuntimeVersion = RuntimeVersion {
 	spec_name: create_runtime_str!("node-template"),
 	impl_name: create_runtime_str!("node-template"),
 	authoring_version: 1,
-	spec_version: 104,
+	spec_version: 105,
 	impl_version: 1,
 	apis: RUNTIME_API_VERSIONS,
 	transaction_version: 1,

bitacross-worker/core-primitives/node-api/metadata/src/metadata_mocks.rs

@@ -37,8 +37,8 @@ impl TryFrom<NodeMetadataMock> for Metadata {
 pub struct NodeMetadataMock {
 	// teebag
 	teebag_module: u8,
-	set_scheduled_enclave: u8,
-	remove_scheduled_enclave: u8,
+	force_add_authorized_enclave: u8,
+	force_remove_authorized_enclave: u8,
 	register_enclave: u8,
 	unregister_enclave: u8,
 	register_quoting_enclave: u8,
@@ -78,8 +78,8 @@ impl NodeMetadataMock {
 	pub fn new() -> Self {
 		NodeMetadataMock {
 			teebag_module: 50u8,
-			set_scheduled_enclave: 0u8,
-			remove_scheduled_enclave: 1u8,
+			force_add_authorized_enclave: 0u8,
+			force_remove_authorized_enclave: 1u8,
 			register_enclave: 2u8,
 			unregister_enclave: 3u8,
 			register_quoting_enclave: 4u8,
@@ -118,11 +118,11 @@ impl NodeMetadataMock {
 }
 
 impl TeebagCallIndexes for NodeMetadataMock {
-	fn set_scheduled_enclave_call_indexes(&self) -> Result<[u8; 2]> {
-		Ok([self.teebag_module, self.set_scheduled_enclave])
+	fn force_add_authorized_enclave_call_indexes(&self) -> Result<[u8; 2]> {
+		Ok([self.teebag_module, self.force_add_authorized_enclave])
 	}
-	fn remove_scheduled_enclave_call_indexes(&self) -> Result<[u8; 2]> {
-		Ok([self.teebag_module, self.remove_scheduled_enclave])
+	fn force_remove_authorized_enclave_call_indexes(&self) -> Result<[u8; 2]> {
+		Ok([self.teebag_module, self.force_remove_authorized_enclave])
 	}
 	fn register_enclave_call_indexes(&self) -> Result<[u8; 2]> {
 		Ok([self.teebag_module, self.register_enclave])

bitacross-worker/core-primitives/node-api/metadata/src/pallet_teebag.rs

@@ -21,9 +21,9 @@ pub const TEEBAG: &str = "Teebag";
 
 // we only list the extrinsics that we care
 pub trait TeebagCallIndexes {
-	fn set_scheduled_enclave_call_indexes(&self) -> Result<[u8; 2]>;
+	fn force_add_authorized_enclave_call_indexes(&self) -> Result<[u8; 2]>;
 
-	fn remove_scheduled_enclave_call_indexes(&self) -> Result<[u8; 2]>;
+	fn force_remove_authorized_enclave_call_indexes(&self) -> Result<[u8; 2]>;
 
 	fn register_enclave_call_indexes(&self) -> Result<[u8; 2]>;
 
@@ -41,11 +41,11 @@ pub trait TeebagCallIndexes {
 }
 
 impl TeebagCallIndexes for NodeMetadata {
-	fn set_scheduled_enclave_call_indexes(&self) -> Result<[u8; 2]> {
-		self.call_indexes(TEEBAG, "set_scheduled_enclave")
+	fn force_add_authorized_enclave_call_indexes(&self) -> Result<[u8; 2]> {
+		self.call_indexes(TEEBAG, "force_add_authorized_enclave")
 	}
-	fn remove_scheduled_enclave_call_indexes(&self) -> Result<[u8; 2]> {
-		self.call_indexes(TEEBAG, "remove_scheduled_enclave")
+	fn force_remove_authorized_enclave_call_indexes(&self) -> Result<[u8; 2]> {
+		self.call_indexes(TEEBAG, "force_remove_authorized_enclave")
 	}
 	fn register_enclave_call_indexes(&self) -> Result<[u8; 2]> {
 		self.call_indexes(TEEBAG, "register_enclave")

bitacross-worker/core-primitives/settings/src/lib.rs

@@ -36,9 +36,6 @@ pub mod files {
 	/// Path to the light-client db for the Target B parentchain.
 	pub const TARGET_B_PARENTCHAIN_LIGHT_CLIENT_DB_PATH: &str = "target_b_lcdb";
 
-	// litentry
-	pub const SCHEDULED_ENCLAVE_FILE: &str = "scheduled_enclave_sealed.bin";
-
 	// bitacross
 	pub const RELAYER_REGISTRY_FILE: &str = "relayer_registry_sealed.bin";
 

bitacross-worker/core-primitives/stf-executor/src/enclave_signer.rs

@@ -32,7 +32,7 @@ use itp_stf_primitives::{
 };
 use itp_stf_state_observer::traits::ObserveState;
 use itp_top_pool_author::traits::AuthorApi;
-use itp_types::{Index, ShardIdentifier};
+use itp_types::{Index, MrEnclave, ShardIdentifier};
 use log::*;
 use sp_core::{ed25519::Pair as Ed25519Pair, Pair};
 use std::{boxed::Box, sync::Arc, vec::Vec};
@@ -117,12 +117,16 @@ where
 		Ok(enclave_call_signing_key.public().into())
 	}
 
+	fn get_mrenclave(&self) -> Result<MrEnclave> {
+		Ok(self.ocall_api.get_mrenclave_of_self().map(|m| m.m)?)
+	}
+
 	fn sign_call_with_self<TC: Encode + Debug + TrustedCallSigning<TCS>>(
 		&self,
 		trusted_call: &TC,
 		shard: &ShardIdentifier,
 	) -> Result<TCS> {
-		let mr_enclave = self.ocall_api.get_mrenclave_of_self()?;
+		let mrenclave = self.get_mrenclave()?;
 		let enclave_account = self.get_enclave_account()?;
 		let enclave_call_signing_key = self.get_enclave_call_signing_key()?;
 
@@ -138,7 +142,7 @@ where
 		Ok(trusted_call.sign(
 			&KeyPair::Ed25519(Box::new(enclave_call_signing_key)),
 			adjusted_nonce,
-			&mr_enclave.m,
+			&mrenclave,
 			shard,
 		))
 	}

bitacross-worker/core-primitives/stf-executor/src/mocks.rs

@@ -28,7 +28,7 @@ use itp_stf_primitives::{
 	traits::TrustedCallSigning,
 	types::{AccountId, KeyPair, ShardIdentifier, TrustedOperationOrHash},
 };
-use itp_types::H256;
+use itp_types::{MrEnclave, H256};
 use sp_core::Pair;
 use sp_runtime::traits::Header as HeaderTrait;
 #[cfg(feature = "std")]
@@ -134,6 +134,10 @@ impl<TCS: PartialEq + Encode + Debug> StfEnclaveSigning<TCS> for StfEnclaveSigne
 		Ok(self.signer.public().into())
 	}
 
+	fn get_mrenclave(&self) -> Result<MrEnclave> {
+		Ok(self.mr_enclave)
+	}
+
 	fn sign_call_with_self<TC: Encode + Debug + TrustedCallSigning<TCS>>(
 		&self,
 		trusted_call: &TC,