diff --git a/node/src/chain_specs/litmus.rs b/node/src/chain_specs/litmus.rs index 2b280ee98c..c19f445b62 100644 --- a/node/src/chain_specs/litmus.rs +++ b/node/src/chain_specs/litmus.rs @@ -19,7 +19,7 @@ use cumulus_primitives_core::ParaId; use litmus_parachain_runtime::{ AccountId, AuraId, Balance, BalancesConfig, CollatorSelectionConfig, CouncilMembershipConfig, GenesisConfig, ParachainInfoConfig, PolkadotXcmConfig, SessionConfig, SystemConfig, - TechnicalCommitteeMembershipConfig, TeerexConfig, UNIT, WASM_BINARY, + TechnicalCommitteeMembershipConfig, TeerexConfig, VCManagementConfig, UNIT, WASM_BINARY, }; use sc_service::ChainType; use sc_telemetry::TelemetryEndpoints; @@ -237,7 +237,8 @@ fn generate_genesis( aura_ext: Default::default(), parachain_system: Default::default(), polkadot_xcm: PolkadotXcmConfig { safe_xcm_version: Some(SAFE_XCM_VERSION) }, - teerex: TeerexConfig { allow_sgx_debug_mode: true }, + teerex: TeerexConfig { allow_sgx_debug_mode: true, admin: None }, + vc_management: VCManagementConfig { admin: None }, transaction_payment: Default::default(), tokens: Default::default(), } diff --git a/node/src/chain_specs/rococo.rs b/node/src/chain_specs/rococo.rs index 3c05e145be..dbe7e2322c 100644 --- a/node/src/chain_specs/rococo.rs +++ b/node/src/chain_specs/rococo.rs @@ -19,7 +19,8 @@ use cumulus_primitives_core::ParaId; use rococo_parachain_runtime::{ AccountId, AuraId, Balance, BalancesConfig, CouncilMembershipConfig, GenesisConfig, ParachainInfoConfig, ParachainStakingConfig, PolkadotXcmConfig, SessionConfig, SudoConfig, - SystemConfig, TechnicalCommitteeMembershipConfig, TeerexConfig, UNIT, WASM_BINARY, + SystemConfig, TechnicalCommitteeMembershipConfig, TeerexConfig, VCManagementConfig, UNIT, + WASM_BINARY, }; use sc_service::ChainType; use sc_telemetry::TelemetryEndpoints; @@ -199,7 +200,7 @@ fn generate_genesis( code: WASM_BINARY.expect("WASM binary was not build, please build it!").to_vec(), }, balances: BalancesConfig { balances: endowed_accounts }, - sudo: SudoConfig { key: Some(root_key) }, + sudo: SudoConfig { key: Some(root_key.clone()) }, parachain_info: ParachainInfoConfig { parachain_id: id }, parachain_staking: ParachainStakingConfig { candidates: invulnerables.iter().cloned().map(|(acc, _)| (acc, 50 * UNIT)).collect(), @@ -235,7 +236,9 @@ fn generate_genesis( aura_ext: Default::default(), parachain_system: Default::default(), polkadot_xcm: PolkadotXcmConfig { safe_xcm_version: Some(SAFE_XCM_VERSION) }, - teerex: TeerexConfig { allow_sgx_debug_mode: true }, + // use sudo key as genesis admin for teerex and VCMP + teerex: TeerexConfig { allow_sgx_debug_mode: true, admin: Some(root_key.clone()) }, + vc_management: VCManagementConfig { admin: Some(root_key) }, transaction_payment: Default::default(), tokens: Default::default(), } diff --git a/pallets/identity-management/src/lib.rs b/pallets/identity-management/src/lib.rs index 1f8e3a7643..b9266e72e0 100644 --- a/pallets/identity-management/src/lib.rs +++ b/pallets/identity-management/src/lib.rs @@ -64,7 +64,7 @@ pub mod pallet { type WeightInfo: WeightInfo; // some extrinsics should only be called by origins from TEE type TEECallOrigin: EnsureOrigin; - /// origin to manage authorised delegatee list + // origin to manage authorised delegatee list type DelegateeAdminOrigin: EnsureOrigin; // origin that is allowed to call extrinsics type ExtrinsicWhitelistOrigin: EnsureOrigin; @@ -256,7 +256,7 @@ pub mod pallet { /// --------------------------------------------------- /// The following extrinsics are supposed to be called by TEE only /// --------------------------------------------------- - #[pallet::call_index(6)] + #[pallet::call_index(30)] #[pallet::weight(195_000_000)] pub fn user_shielding_key_set( origin: OriginFor, @@ -268,7 +268,7 @@ pub mod pallet { Ok(Pays::No.into()) } - #[pallet::call_index(7)] + #[pallet::call_index(31)] #[pallet::weight(195_000_000)] pub fn identity_created( origin: OriginFor, @@ -282,7 +282,7 @@ pub mod pallet { Ok(Pays::No.into()) } - #[pallet::call_index(8)] + #[pallet::call_index(32)] #[pallet::weight(195_000_000)] pub fn identity_removed( origin: OriginFor, @@ -295,7 +295,7 @@ pub mod pallet { Ok(Pays::No.into()) } - #[pallet::call_index(9)] + #[pallet::call_index(33)] #[pallet::weight(195_000_000)] pub fn identity_verified( origin: OriginFor, @@ -314,7 +314,7 @@ pub mod pallet { Ok(Pays::No.into()) } - #[pallet::call_index(10)] + #[pallet::call_index(34)] #[pallet::weight(195_000_000)] pub fn some_error( origin: OriginFor, diff --git a/pallets/identity-management/src/mock.rs b/pallets/identity-management/src/mock.rs index 1b62a21339..bd07687669 100644 --- a/pallets/identity-management/src/mock.rs +++ b/pallets/identity-management/src/mock.rs @@ -129,7 +129,7 @@ impl pallet_teerex::Config for Test { type Currency = Balances; type MomentsPerDay = MomentsPerDay; type WeightInfo = (); - type SetEnclaveAdminOrigin = EnsureRoot; + type SetAdminOrigin = EnsureRoot; } impl pallet_identity_management::Config for Test { diff --git a/pallets/sidechain/src/mock.rs b/pallets/sidechain/src/mock.rs index 5deffe384a..968df66346 100644 --- a/pallets/sidechain/src/mock.rs +++ b/pallets/sidechain/src/mock.rs @@ -131,7 +131,7 @@ impl pallet_teerex::Config for Test { type Currency = Balances; type MomentsPerDay = MomentsPerDay; type WeightInfo = (); - type SetEnclaveAdminOrigin = EnsureRoot; + type SetAdminOrigin = EnsureRoot; } parameter_types! { @@ -152,7 +152,7 @@ pub fn new_test_ext() -> sp_io::TestExternalities { } .assimilate_storage(&mut t) .unwrap(); - let teerex_config = pallet_teerex::GenesisConfig { allow_sgx_debug_mode: true }; + let teerex_config = pallet_teerex::GenesisConfig { allow_sgx_debug_mode: true, admin: None }; GenesisBuild::::assimilate_storage(&teerex_config, &mut t).unwrap(); let mut ext: sp_io::TestExternalities = t.into(); diff --git a/pallets/teeracle/src/benchmarking.rs b/pallets/teeracle/src/benchmarking.rs index e6fda946d2..2848daadd9 100644 --- a/pallets/teeracle/src/benchmarking.rs +++ b/pallets/teeracle/src/benchmarking.rs @@ -50,7 +50,7 @@ benchmarks! { let rate = U32F32::from_num(43.65); let data_source: DataSource = "https://api.coingecko.com".into(); - Teerex::::set_enclave_admin( + Teerex::::set_admin( RawOrigin::Root.into(), signer.clone(), ).unwrap(); @@ -92,7 +92,7 @@ benchmarks! { let oracle_blob: crate::OracleDataBlob = vec![1].try_into().expect("Can Convert to OracleDataBlob; QED"); - Teerex::::set_enclave_admin( + Teerex::::set_admin( RawOrigin::Root.into(), signer.clone(), ).unwrap(); diff --git a/pallets/teeracle/src/mock.rs b/pallets/teeracle/src/mock.rs index 6dbf6e87e2..71e235de8a 100644 --- a/pallets/teeracle/src/mock.rs +++ b/pallets/teeracle/src/mock.rs @@ -131,7 +131,7 @@ impl pallet_teerex::Config for Test { type Currency = Balances; type MomentsPerDay = MomentsPerDay; type WeightInfo = (); - type SetEnclaveAdminOrigin = EnsureRoot; + type SetAdminOrigin = EnsureRoot; } impl Config for Test { @@ -150,7 +150,7 @@ pub fn new_test_ext() -> sp_io::TestExternalities { } .assimilate_storage(&mut t) .unwrap(); - let teerex_config = pallet_teerex::GenesisConfig { allow_sgx_debug_mode: true }; + let teerex_config = pallet_teerex::GenesisConfig { allow_sgx_debug_mode: true, admin: None }; GenesisBuild::::assimilate_storage(&teerex_config, &mut t).unwrap(); let mut ext: sp_io::TestExternalities = t.into(); diff --git a/pallets/teerex/src/benchmarking.rs b/pallets/teerex/src/benchmarking.rs index 5202acc6b6..3b7cc1f20c 100644 --- a/pallets/teerex/src/benchmarking.rs +++ b/pallets/teerex/src/benchmarking.rs @@ -76,7 +76,7 @@ benchmarks! { timestamp::Pallet::::set_timestamp(TEST4_SETUP.timestamp.checked_into().unwrap()); let signer: T::AccountId = get_signer(TEST4_SETUP.signer_pub); - Teerex::::set_enclave_admin( + Teerex::::set_admin( RawOrigin::Root.into(), signer.clone(), ).unwrap(); diff --git a/pallets/teerex/src/lib.rs b/pallets/teerex/src/lib.rs index 7cf53694aa..0b1064a8b1 100644 --- a/pallets/teerex/src/lib.rs +++ b/pallets/teerex/src/lib.rs @@ -77,13 +77,13 @@ pub mod pallet { type MomentsPerDay: Get; type WeightInfo: WeightInfo; /// The origin who can set the admin account - type SetEnclaveAdminOrigin: EnsureOrigin; + type SetAdminOrigin: EnsureOrigin; } #[pallet::event] #[pallet::generate_deposit(pub(super) fn deposit_event)] pub enum Event { - EnclaveAdminChanged { + AdminChanged { old_admin: Option, }, AddedEnclave(T::AccountId, Vec), @@ -104,8 +104,8 @@ pub mod pallet { } #[pallet::storage] - #[pallet::getter(fn enclave_admin)] - pub type EnclaveAdmin = StorageValue<_, T::AccountId, OptionQuery>; + #[pallet::getter(fn admin)] + pub type Admin = StorageValue<_, T::AccountId, OptionQuery>; // Watch out: we start indexing with 1 instead of zero in order to // avoid ambiguity between Null and 0. @@ -146,7 +146,7 @@ pub mod pallet { } // keep track of a list of scheduled/allowed enchalves, mainly used for enclave updates, - // can only be modified by EnclaveAdminOrigin + // can only be modified by AdminOrigin // sidechain_block_number -> expected MrEnclave // // about the first time enclave registration: @@ -168,15 +168,25 @@ pub mod pallet { StorageValue<_, T::Moment, ValueQuery, HeartbeatTimeoutDefault>; #[pallet::genesis_config] - #[cfg_attr(feature = "std", derive(Default))] - pub struct GenesisConfig { + pub struct GenesisConfig { pub allow_sgx_debug_mode: bool, + pub admin: Option, + } + + #[cfg(feature = "std")] + impl Default for GenesisConfig { + fn default() -> Self { + Self { allow_sgx_debug_mode: false, admin: None } + } } #[pallet::genesis_build] - impl GenesisBuild for GenesisConfig { + impl GenesisBuild for GenesisConfig { fn build(&self) { AllowSGXDebugMode::::put(self.allow_sgx_debug_mode); + if let Some(ref admin) = self.admin { + Admin::::put(admin); + } } } @@ -385,13 +395,13 @@ pub mod pallet { } #[pallet::call_index(6)] - #[pallet::weight((1000, DispatchClass::Normal, Pays::No))] + #[pallet::weight((195_000_000, DispatchClass::Normal, Pays::No))] pub fn set_heartbeat_timeout( origin: OriginFor, timeout: u64, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender) == Self::enclave_admin(), Error::::RequireAdmin); + ensure!(Some(sender) == Self::admin(), Error::::RequireAdmin); >::put(T::Moment::saturated_from(timeout)); Self::deposit_event(Event::SetHeartbeatTimeout(timeout)); Ok(().into()) @@ -455,14 +465,14 @@ pub mod pallet { } #[pallet::call_index(8)] - #[pallet::weight((1000, DispatchClass::Normal, Pays::No))] + #[pallet::weight((195_000_000, DispatchClass::Normal, Pays::No))] pub fn update_scheduled_enclave( origin: OriginFor, sidechain_block_number: SidechainBlockNumber, mr_enclave: MrEnclave, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender) == Self::enclave_admin(), Error::::RequireAdmin); + ensure!(Some(sender) == Self::admin(), Error::::RequireAdmin); ScheduledEnclave::::insert(sidechain_block_number, mr_enclave); Self::deposit_event(Event::UpdatedScheduledEnclave(sidechain_block_number, mr_enclave)); Ok(().into()) @@ -486,13 +496,13 @@ pub mod pallet { } #[pallet::call_index(10)] - #[pallet::weight((1000, DispatchClass::Normal, Pays::No))] + #[pallet::weight((195_000_000, DispatchClass::Normal, Pays::No))] pub fn remove_scheduled_enclave( origin: OriginFor, sidechain_block_number: SidechainBlockNumber, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender) == Self::enclave_admin(), Error::::RequireAdmin); + ensure!(Some(sender) == Self::admin(), Error::::RequireAdmin); ensure!( ScheduledEnclave::::contains_key(sidechain_block_number), Error::::ScheduledEnclaveNotExist @@ -555,14 +565,11 @@ pub mod pallet { /// Change the admin account /// similar to sudo.set_key, the old account will be supplied in event #[pallet::call_index(13)] - #[pallet::weight((1000, DispatchClass::Normal, Pays::No))] - pub fn set_enclave_admin( - origin: OriginFor, - new: T::AccountId, - ) -> DispatchResultWithPostInfo { - T::SetEnclaveAdminOrigin::ensure_origin(origin)?; - Self::deposit_event(Event::EnclaveAdminChanged { old_admin: Self::enclave_admin() }); - >::put(new); + #[pallet::weight((195_000_000, DispatchClass::Normal, Pays::No))] + pub fn set_admin(origin: OriginFor, new: T::AccountId) -> DispatchResultWithPostInfo { + T::SetAdminOrigin::ensure_origin(origin)?; + Self::deposit_event(Event::AdminChanged { old_admin: Self::admin() }); + >::put(new); // Do not pay a fee Ok(Pays::No.into()) } diff --git a/pallets/teerex/src/mock.rs b/pallets/teerex/src/mock.rs index a0a4fb04d8..c376e45ccc 100644 --- a/pallets/teerex/src/mock.rs +++ b/pallets/teerex/src/mock.rs @@ -135,7 +135,7 @@ impl Config for Test { type Currency = Balances; type MomentsPerDay = MomentsPerDay; type WeightInfo = (); - type SetEnclaveAdminOrigin = EnsureRoot; + type SetAdminOrigin = EnsureRoot; } // This function basically just builds a genesis storage key/value store according to @@ -147,7 +147,7 @@ pub fn new_test_ext() -> sp_io::TestExternalities { } .assimilate_storage(&mut t) .unwrap(); - let teerex_config = crate::GenesisConfig { allow_sgx_debug_mode: true }; + let teerex_config = crate::GenesisConfig { allow_sgx_debug_mode: true, admin: None }; GenesisBuild::::assimilate_storage(&teerex_config, &mut t).unwrap(); let mut ext: sp_io::TestExternalities = t.into(); @@ -164,7 +164,7 @@ pub fn new_test_production_ext() -> sp_io::TestExternalities { .assimilate_storage(&mut t) .unwrap(); - let teerex_config = crate::GenesisConfig { allow_sgx_debug_mode: false }; + let teerex_config = crate::GenesisConfig { allow_sgx_debug_mode: false, admin: None }; GenesisBuild::::assimilate_storage(&teerex_config, &mut t).unwrap(); let mut ext: sp_io::TestExternalities = t.into(); diff --git a/pallets/vc-management/src/lib.rs b/pallets/vc-management/src/lib.rs index 7d2eb21b3c..5ab27a1b31 100644 --- a/pallets/vc-management/src/lib.rs +++ b/pallets/vc-management/src/lib.rs @@ -17,8 +17,6 @@ //! A pallet to serve as the interface for F/E for verifiable credentials (VC) //! management. Similar to IMP pallet, the actual processing will be done within TEE. -// Note: -// the admin account can only be set by SetAdminOrigin, which will be bound at runtime. // TODO: benchmark and weights: we need worst-case scenarios #![cfg_attr(not(feature = "std"), no_std)] @@ -61,10 +59,9 @@ pub mod pallet { type RuntimeEvent: From> + IsType<::RuntimeEvent>; // some extrinsics should only be called by origins from TEE type TEECallOrigin: EnsureOrigin; - /// The origin who can set the admin account + // origin who can set the admin account type SetAdminOrigin: EnsureOrigin; - // This type should be safe to remove - /// Temporary type for whitelist function + // origin that is allowed to call extrinsics type ExtrinsicWhitelistOrigin: EnsureOrigin; } @@ -73,10 +70,10 @@ pub mod pallet { #[pallet::getter(fn vc_registry)] pub type VCRegistry = StorageMap<_, Blake2_128Concat, VCIndex, VCContext>; - // the Schema admin account + // the admin account #[pallet::storage] - #[pallet::getter(fn schema_admin)] - pub type SchemaAdmin = StorageValue<_, T::AccountId, OptionQuery>; + #[pallet::getter(fn admin)] + pub type Admin = StorageValue<_, T::AccountId, OptionQuery>; #[pallet::storage] #[pallet::getter(fn schema_index)] @@ -116,7 +113,7 @@ pub mod pallet { req_ext_hash: H256, }, // Admin account was changed - SchemaAdminChanged { + AdminChanged { old_admin: Option, new_admin: Option, }, @@ -180,7 +177,7 @@ pub mod pallet { /// The VC is already disabled VCAlreadyDisabled, /// Error when the caller account is not the admin - RequireSchemaAdmin, + RequireAdmin, /// Schema not exists SchemaNotExists, /// Schema is already disabled @@ -191,6 +188,27 @@ pub mod pallet { LengthMismatch, } + #[pallet::genesis_config] + pub struct GenesisConfig { + pub admin: Option, + } + + #[cfg(feature = "std")] + impl Default for GenesisConfig { + fn default() -> Self { + Self { admin: None } + } + } + + #[pallet::genesis_build] + impl GenesisBuild for GenesisConfig { + fn build(&self) { + if let Some(ref admin) = self.admin { + Admin::::put(admin); + } + } + } + #[pallet::call] impl Pallet { #[pallet::call_index(0)] @@ -209,7 +227,6 @@ pub mod pallet { #[pallet::weight(195_000_000)] pub fn disable_vc(origin: OriginFor, index: VCIndex) -> DispatchResultWithPostInfo { let who = T::ExtrinsicWhitelistOrigin::ensure_origin(origin)?; - VCRegistry::::try_mutate(index, |context| { let mut c = context.take().ok_or(Error::::VCNotExist)?; ensure!(who == c.subject, Error::::VCSubjectMismatch); @@ -225,7 +242,6 @@ pub mod pallet { #[pallet::weight(195_000_000)] pub fn revoke_vc(origin: OriginFor, index: VCIndex) -> DispatchResultWithPostInfo { let who = T::ExtrinsicWhitelistOrigin::ensure_origin(origin)?; - let context = VCRegistry::::get(index).ok_or(Error::::VCNotExist)?; ensure!(who == context.subject, Error::::VCSubjectMismatch); VCRegistry::::remove(index); @@ -233,71 +249,19 @@ pub mod pallet { Ok(().into()) } - /// --------------------------------------------------- - /// The following extrinsics are supposed to be called by TEE only - /// --------------------------------------------------- #[pallet::call_index(3)] #[pallet::weight(195_000_000)] - pub fn vc_issued( - origin: OriginFor, - account: T::AccountId, - assertion: Assertion, - index: H256, - hash: H256, - vc: AesOutput, - req_ext_hash: H256, - ) -> DispatchResultWithPostInfo { - let _ = T::TEECallOrigin::ensure_origin(origin)?; - ensure!(!VCRegistry::::contains_key(index), Error::::VCAlreadyExists); - VCRegistry::::insert( - index, - VCContext::::new(account.clone(), assertion.clone(), hash), - ); - Self::deposit_event(Event::VCIssued { account, assertion, index, vc, req_ext_hash }); - Ok(Pays::No.into()) - } - - #[pallet::call_index(4)] - #[pallet::weight(195_000_000)] - pub fn some_error( - origin: OriginFor, - account: Option, - error: VCMPError, - req_ext_hash: H256, - ) -> DispatchResultWithPostInfo { - let _ = T::TEECallOrigin::ensure_origin(origin)?; - match error { - VCMPError::RequestVCFailed(assertion, detail) => - Self::deposit_event(Event::RequestVCFailed { - account, - assertion, - detail, - req_ext_hash, - }), - VCMPError::UnclassifiedError(detail) => - Self::deposit_event(Event::UnclassifiedError { account, detail, req_ext_hash }), - } - Ok(Pays::No.into()) - } - - // Change the schema Admin account - #[pallet::call_index(5)] - #[pallet::weight(195_000_000)] - pub fn set_schema_admin( - origin: OriginFor, - new: T::AccountId, - ) -> DispatchResultWithPostInfo { + pub fn set_admin(origin: OriginFor, new: T::AccountId) -> DispatchResultWithPostInfo { T::SetAdminOrigin::ensure_origin(origin)?; - Self::deposit_event(Event::SchemaAdminChanged { - old_admin: Self::schema_admin(), + Self::deposit_event(Event::AdminChanged { + old_admin: Self::admin(), new_admin: Some(new.clone()), }); - >::put(new); + >::put(new); Ok(Pays::No.into()) } - // It requires the schema Admin account - #[pallet::call_index(6)] + #[pallet::call_index(4)] #[pallet::weight(195_000_000)] pub fn add_schema( origin: OriginFor, @@ -306,7 +270,7 @@ pub mod pallet { content: Vec, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender.clone()) == Self::schema_admin(), Error::::RequireSchemaAdmin); + ensure!(Some(sender.clone()) == Self::admin(), Error::::RequireAdmin); ensure!((id.len() as u32) <= SCHEMA_ID_LEN, Error::::LengthMismatch); ensure!((content.len() as u32) <= SCHEMA_CONTENT_LEN, Error::::LengthMismatch); @@ -323,8 +287,7 @@ pub mod pallet { Ok(().into()) } - // It requires the schema Admin account - #[pallet::call_index(7)] + #[pallet::call_index(5)] #[pallet::weight(195_000_000)] pub fn disable_schema( origin: OriginFor, @@ -332,8 +295,7 @@ pub mod pallet { index: SchemaIndex, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender.clone()) == Self::schema_admin(), Error::::RequireSchemaAdmin); - + ensure!(Some(sender.clone()) == Self::admin(), Error::::RequireAdmin); SchemaRegistry::::try_mutate(index, |context| { let mut c = context.take().ok_or(Error::::SchemaNotExists)?; ensure!(c.status == Status::Active, Error::::SchemaAlreadyDisabled); @@ -344,8 +306,7 @@ pub mod pallet { }) } - // It requires the schema Admin account - #[pallet::call_index(8)] + #[pallet::call_index(6)] #[pallet::weight(195_000_000)] pub fn activate_schema( origin: OriginFor, @@ -353,7 +314,7 @@ pub mod pallet { index: SchemaIndex, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender.clone()) == Self::schema_admin(), Error::::RequireSchemaAdmin); + ensure!(Some(sender.clone()) == Self::admin(), Error::::RequireAdmin); SchemaRegistry::::try_mutate(index, |context| { let mut c = context.take().ok_or(Error::::SchemaNotExists)?; ensure!(c.status == Status::Disabled, Error::::SchemaAlreadyActivated); @@ -364,8 +325,7 @@ pub mod pallet { }) } - // It requires the schema Admin account - #[pallet::call_index(9)] + #[pallet::call_index(7)] #[pallet::weight(195_000_000)] pub fn revoke_schema( origin: OriginFor, @@ -373,19 +333,14 @@ pub mod pallet { index: SchemaIndex, ) -> DispatchResultWithPostInfo { let sender = ensure_signed(origin)?; - ensure!(Some(sender.clone()) == Self::schema_admin(), Error::::RequireSchemaAdmin); - + ensure!(Some(sender.clone()) == Self::admin(), Error::::RequireAdmin); let _ = SchemaRegistry::::get(index).ok_or(Error::::SchemaNotExists)?; SchemaRegistry::::remove(index); Self::deposit_event(Event::SchemaRevoked { account: sender, shard, index }); Ok(().into()) } - /// --------------------------------------------------- - /// The following extrinsics are supposed to be called by Sudo/Council only - /// This is the temporary function for manual operation of VCRegistry storage - /// --------------------------------------------------- - #[pallet::call_index(10)] + #[pallet::call_index(8)] #[pallet::weight(195_000_000)] pub fn add_vc_registry_item( origin: OriginFor, @@ -394,7 +349,8 @@ pub mod pallet { assertion: Assertion, hash: H256, ) -> DispatchResultWithPostInfo { - T::SetAdminOrigin::ensure_origin(origin)?; + let sender = ensure_signed(origin)?; + ensure!(Some(sender) == Self::admin(), Error::::RequireAdmin); ensure!(!VCRegistry::::contains_key(index), Error::::VCAlreadyExists); VCRegistry::::insert( index, @@ -404,27 +360,76 @@ pub mod pallet { Ok(().into()) } - #[pallet::call_index(11)] + #[pallet::call_index(9)] #[pallet::weight(195_000_000)] pub fn remove_vc_registry_item( origin: OriginFor, index: VCIndex, ) -> DispatchResultWithPostInfo { - T::SetAdminOrigin::ensure_origin(origin)?; + let sender = ensure_signed(origin)?; + ensure!(Some(sender) == Self::admin(), Error::::RequireAdmin); let _ = VCRegistry::::get(index).ok_or(Error::::VCNotExist)?; VCRegistry::::remove(index); Self::deposit_event(Event::VCRegistryItemRemoved { index }); Ok(().into()) } - #[pallet::call_index(12)] + #[pallet::call_index(10)] #[pallet::weight(195_000_000)] pub fn clear_vc_registry(origin: OriginFor) -> DispatchResultWithPostInfo { - T::SetAdminOrigin::ensure_origin(origin)?; + let sender = ensure_signed(origin)?; + ensure!(Some(sender) == Self::admin(), Error::::RequireAdmin); // If more than u32 max, the map itself is overflow, so no worry let _ = VCRegistry::::clear(u32::max_value(), None); Self::deposit_event(Event::VCRegistryCleared); Ok(().into()) } + + /// --------------------------------------------------- + /// The following extrinsics are supposed to be called by TEE only + /// --------------------------------------------------- + #[pallet::call_index(30)] + #[pallet::weight(195_000_000)] + pub fn vc_issued( + origin: OriginFor, + account: T::AccountId, + assertion: Assertion, + index: H256, + hash: H256, + vc: AesOutput, + req_ext_hash: H256, + ) -> DispatchResultWithPostInfo { + let _ = T::TEECallOrigin::ensure_origin(origin)?; + ensure!(!VCRegistry::::contains_key(index), Error::::VCAlreadyExists); + VCRegistry::::insert( + index, + VCContext::::new(account.clone(), assertion.clone(), hash), + ); + Self::deposit_event(Event::VCIssued { account, assertion, index, vc, req_ext_hash }); + Ok(Pays::No.into()) + } + + #[pallet::call_index(31)] + #[pallet::weight(195_000_000)] + pub fn some_error( + origin: OriginFor, + account: Option, + error: VCMPError, + req_ext_hash: H256, + ) -> DispatchResultWithPostInfo { + let _ = T::TEECallOrigin::ensure_origin(origin)?; + match error { + VCMPError::RequestVCFailed(assertion, detail) => + Self::deposit_event(Event::RequestVCFailed { + account, + assertion, + detail, + req_ext_hash, + }), + VCMPError::UnclassifiedError(detail) => + Self::deposit_event(Event::UnclassifiedError { account, detail, req_ext_hash }), + } + Ok(Pays::No.into()) + } } } diff --git a/pallets/vc-management/src/mock.rs b/pallets/vc-management/src/mock.rs index aa624054f0..eaeaa5a084 100644 --- a/pallets/vc-management/src/mock.rs +++ b/pallets/vc-management/src/mock.rs @@ -21,13 +21,12 @@ use frame_support::{ ord_parameter_types, parameter_types, traits::{ConstU128, ConstU16, ConstU32, ConstU64, Everything}, }; -use frame_system as system; +use frame_system::{EnsureRoot, EnsureSignedBy}; use sp_core::H256; use sp_runtime::{ testing::Header, traits::{BlakeTwo256, IdentityLookup}, }; -use system::EnsureSignedBy; type UncheckedExtrinsic = frame_system::mocking::MockUncheckedExtrinsic; type Block = frame_system::mocking::MockBlock; @@ -53,7 +52,7 @@ parameter_types! { pub const BlockHashCount: u64 = 250; } -impl system::Config for Test { +impl frame_system::Config for Test { type BaseCallFilter = Everything; type BlockWeights = (); type BlockLength = (); @@ -106,7 +105,7 @@ ord_parameter_types! { impl pallet_vc_management::Config for Test { type RuntimeEvent = RuntimeEvent; type TEECallOrigin = EnsureSignedBy; - type SetAdminOrigin = EnsureSignedBy; + type SetAdminOrigin = EnsureRoot; type ExtrinsicWhitelistOrigin = VCMPExtrinsicWhitelist; } @@ -116,12 +115,12 @@ impl pallet_group::Config for Test { } pub fn new_test_ext() -> sp_io::TestExternalities { - let t = system::GenesisConfig::default().build_storage::().unwrap(); + let t = frame_system::GenesisConfig::default().build_storage::().unwrap(); let mut ext = sp_io::TestExternalities::new(t); ext.execute_with(|| { System::set_block_number(1); - let _ = VCManagement::set_schema_admin(RuntimeOrigin::signed(1), 1); + let _ = VCManagement::set_admin(RuntimeOrigin::root(), 1); }); ext } diff --git a/pallets/vc-management/src/tests.rs b/pallets/vc-management/src/tests.rs index e64fdd6893..89c485e5f4 100644 --- a/pallets/vc-management/src/tests.rs +++ b/pallets/vc-management/src/tests.rs @@ -202,12 +202,12 @@ fn revoke_vc_with_other_subject_fails() { } #[test] -fn set_schema_admin_works() { +fn set_admin_works() { new_test_ext().execute_with(|| { - assert_eq!(VCManagement::schema_admin().unwrap(), 1); - assert_ok!(VCManagement::set_schema_admin(RuntimeOrigin::signed(1), 2)); - assert_eq!(VCManagement::schema_admin().unwrap(), 2); - System::assert_last_event(RuntimeEvent::VCManagement(crate::Event::SchemaAdminChanged { + assert_eq!(VCManagement::admin().unwrap(), 1); + assert_ok!(VCManagement::set_admin(RuntimeOrigin::root(), 2)); + assert_eq!(VCManagement::admin().unwrap(), 2); + System::assert_last_event(RuntimeEvent::VCManagement(crate::Event::AdminChanged { old_admin: Some(1), new_admin: Some(2), })); @@ -215,14 +215,14 @@ fn set_schema_admin_works() { } #[test] -fn set_schema_admin_fails_with_unprivileged_origin() { +fn set_admin_fails_with_unprivileged_origin() { new_test_ext().execute_with(|| { - assert_eq!(VCManagement::schema_admin().unwrap(), 1); + assert_eq!(VCManagement::admin().unwrap(), 1); assert_noop!( - VCManagement::set_schema_admin(RuntimeOrigin::signed(2), 2), + VCManagement::set_admin(RuntimeOrigin::signed(2), 2), sp_runtime::DispatchError::BadOrigin ); - assert_eq!(VCManagement::schema_admin().unwrap(), 1); + assert_eq!(VCManagement::admin().unwrap(), 1); }); } @@ -251,7 +251,7 @@ fn add_schema_with_unpriviledged_origin_fails() { let shard: ShardIdentifier = H256::from_slice(&TEST_MRENCLAVE); assert_noop!( VCManagement::add_schema(RuntimeOrigin::signed(2), shard, id, content), - Error::::RequireSchemaAdmin + Error::::RequireAdmin ); }); } @@ -314,7 +314,7 @@ fn disable_schema_with_unpriviledged_origin_fails() { assert_ok!(VCManagement::add_schema(RuntimeOrigin::signed(1), shard, id, content)); assert_noop!( VCManagement::disable_schema(RuntimeOrigin::signed(2), shard, 0), - Error::::RequireSchemaAdmin + Error::::RequireAdmin ); }); } @@ -385,7 +385,7 @@ fn revoke_schema_with_unprivileged_origin_fails() { assert_ok!(VCManagement::add_schema(RuntimeOrigin::signed(1), shard, id, content)); assert_noop!( VCManagement::revoke_schema(RuntimeOrigin::signed(2), shard, 0), - Error::::RequireSchemaAdmin + Error::::RequireAdmin ); }); } @@ -407,7 +407,7 @@ fn manual_add_remove_vc_registry_item_works() { Assertion::A1, VC_HASH ), - sp_runtime::DispatchError::BadOrigin + Error::::RequireAdmin ); // Successfully add vc assert_ok!(VCManagement::add_vc_registry_item( @@ -427,7 +427,7 @@ fn manual_add_remove_vc_registry_item_works() { // Unauthorized party can not remove vc assert_noop!( VCManagement::remove_vc_registry_item(RuntimeOrigin::signed(2), VC_INDEX), - sp_runtime::DispatchError::BadOrigin + Error::::RequireAdmin ); // Successfully remove vc assert_ok!(VCManagement::remove_vc_registry_item(RuntimeOrigin::signed(1), VC_INDEX)); @@ -451,7 +451,7 @@ fn manual_add_clear_vc_registry_item_works() { Assertion::A1, VC_HASH ), - sp_runtime::DispatchError::BadOrigin + Error::::RequireAdmin ); // Successfully add vc assert_ok!(VCManagement::add_vc_registry_item( @@ -471,7 +471,7 @@ fn manual_add_clear_vc_registry_item_works() { // Unauthorized party can not clear vc assert_noop!( VCManagement::clear_vc_registry(RuntimeOrigin::signed(2)), - sp_runtime::DispatchError::BadOrigin + Error::::RequireAdmin ); // Successfully clear vc assert_ok!(VCManagement::clear_vc_registry(RuntimeOrigin::signed(1))); diff --git a/runtime/litmus/src/lib.rs b/runtime/litmus/src/lib.rs index 3a6f29366f..ba132f52cd 100644 --- a/runtime/litmus/src/lib.rs +++ b/runtime/litmus/src/lib.rs @@ -794,7 +794,7 @@ impl pallet_teerex::Config for Runtime { type Currency = Balances; type MomentsPerDay = MomentsPerDay; type WeightInfo = (); - type SetEnclaveAdminOrigin = EnsureRootOrAllCouncil; + type SetAdminOrigin = EnsureRootOrHalfCouncil; } impl pallet_sidechain::Config for Runtime { diff --git a/runtime/rococo/src/lib.rs b/runtime/rococo/src/lib.rs index da6ea55e72..30f42c1346 100644 --- a/runtime/rococo/src/lib.rs +++ b/runtime/rococo/src/lib.rs @@ -876,7 +876,7 @@ impl pallet_teerex::Config for Runtime { // we are missing `register_dcap_enclave` and `register_quoting_enclave` // it should be re-benchmarked once the upstream fixes it type WeightInfo = (); - type SetEnclaveAdminOrigin = EnsureRootOrAllCouncil; + type SetAdminOrigin = EnsureRootOrHalfCouncil; } impl pallet_sidechain::Config for Runtime { diff --git a/tee-worker/cli/src/base_cli/commands/litentry/set_heartbeat_timeout.rs b/tee-worker/cli/src/base_cli/commands/litentry/set_heartbeat_timeout.rs index b23831df59..deba3fc8ff 100644 --- a/tee-worker/cli/src/base_cli/commands/litentry/set_heartbeat_timeout.rs +++ b/tee-worker/cli/src/base_cli/commands/litentry/set_heartbeat_timeout.rs @@ -15,13 +15,13 @@ // along with Litentry. If not, see . use crate::{ - command_utils::{get_accountid_from_str, get_chain_api, get_pair_from_str}, + command_utils::{get_chain_api, get_pair_from_str}, Cli, }; use itp_node_api::api_client::TEEREX; use log::*; -use substrate_api_client::{compose_call, compose_extrinsic, UncheckedExtrinsicV4, XtStatus}; +use substrate_api_client::{compose_extrinsic, UncheckedExtrinsicV4, XtStatus}; #[derive(Parser)] pub struct SetHeartbeatTimeoutCommand { @@ -33,19 +33,11 @@ impl SetHeartbeatTimeoutCommand { pub(crate) fn run(&self, cli: &Cli) { let chain_api = get_chain_api(cli); + // has to be //Alice as this is the genesis admin for teerex pallet, + // otherwise `set_heartbeat_timeout` call won't work let alice = get_pair_from_str("//Alice"); let chain_api = chain_api.set_signer(alice.into()); - // set //Alice as enclave admin - let call = compose_call!( - chain_api.metadata, - TEEREX, - "set_enclave_admin", - get_accountid_from_str("//Alice") - ); - let xt: UncheckedExtrinsicV4<_, _> = compose_extrinsic!(chain_api, "Sudo", "sudo", call); - let _ = chain_api.send_extrinsic(xt.hex_encode(), XtStatus::Finalized).unwrap(); - // call set_heartbeat_timeout let xt: UncheckedExtrinsicV4<_, _> = compose_extrinsic!(chain_api, TEEREX, "set_heartbeat_timeout", self.timeout);