New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
keymanager: Verify that policy was published in the consensus layer #4925
Conversation
339a2cc
to
7d8307a
Compare
Codecov Report
@@ Coverage Diff @@
## master #4925 +/- ##
==========================================
- Coverage 66.76% 66.71% -0.05%
==========================================
Files 464 464
Lines 51127 51127
==========================================
- Hits 34133 34110 -23
- Misses 12815 12836 +21
- Partials 4179 4181 +2
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
e4431e2
to
50d5a6b
Compare
keymanager-api-common/src/lib.rs
Outdated
} | ||
/// Verify that policy has valid signatures and that enough of them are from the global set | ||
/// of trusted policy signers. | ||
pub fn verify_policy_and_trusted_signers(policy: &SignedPolicySGX) -> Result<(), KeyManagerError> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This (and maybe even the verify
method) could even return the policy.policy
so upstream callers can do something like let policy = verify_policy_and_trusted_signers(untrusted_policy)?;
which seems to be common now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I applied your comment. Policy is now returned (just as it was before this PR).
I intentionally wanted to removed this for 4 reasons:
- The
verify
method had two responsibilities, as can be seen from the comment/// Verify the signatures and return the PolicySGX
. - I expect that
verify
returnstrue/false
or()/Err
, and not a policy. However, I expectsign
to return a signed policy. - Policy had to be cloned, to achieve that
Ok(self.policy.clone())
. Unnecessary step. - Passing policy back and forth just doesn't feel right as it can always be accessed via
SignedPolicySGX
. It would be nice if this would give us some kind of protection, but it doesn't. For example, if policy was private and could be accessed only via getter functionverify
, then everyone would be forced to callverify
.
The only reason for is to have more readable code let policy = verify_policy...
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There should be no need to clone a policy, you should be able to do something like:
pub fn verify<'a>(policy: &'a SignedPolicySGX) -> Result<&'a PolicySGX, Error> {
and then return a reference, e.g. &policy.policy
.
For example, if policy was private and could be accessed only via getter function verify, then everyone would be forced to call verify.
Yeah that would be ideal but not sure how it would work with deserialization.
10ac5fe
to
31bcfdb
Compare
31bcfdb
to
10925b2
Compare
Force on-chain publication of key manager policies
When the key manager policy is updated, the runtime should check whether this policy has actually been published in the consensus layer by using the light client verifier.
This will require adding the Rust implementation of the consensus state accessor for the key manager service. Then one can fetch the corresponding key manager Status and check that the correct policy has been published there.
Test
Happy path is already tested in
trust-root/simple
scenario. Unhappy path tested locally, the key manager doesn't update policy and constantly throws the following error:{"caller":"worker.go:737","err":"worker/keymanager: failed to extract rpc response payload: rpc failure: 'policy hasn't been published'","level":"error","module":"worker/keymanager","msg":"failed to handle status update","ts":"2022-09-08T22:56:44.214990354Z"}