1471 check shielding key inside pallet

tee-worker/litentry/core/data-providers/src/graphql.rs

@@ -65,6 +65,7 @@ impl From<SubstrateNetwork> for VerifiedCredentialsNetwork {
 			SubstrateNetwork::Polkadot => Self::Polkadot,
 			SubstrateNetwork::Kusama => Self::Kusama,
 			SubstrateNetwork::Khala => Self::Khala,
+			SubstrateNetwork::TestNet => todo!(),
 		}
 	}
 }

tee-worker/litentry/pallets/identity-management/src/lib.rs

@@ -93,6 +93,8 @@ pub mod pallet {
 	pub enum Error<T> {
 		/// challenge code doesn't exist
 		ChallengeCodeNotExist,
+		/// Invalid user shielding Key
+		InvalidUserShieldingKey,
 		/// the pair (litentry-account, identity) already verified when creating an identity
 		IdentityAlreadyVerified,
 		/// the pair (litentry-account, identity) doesn't exist
@@ -200,6 +202,8 @@ pub mod pallet {
 			parent_ss58_prefix: u16,
 		) -> DispatchResult {
 			T::ManageOrigin::ensure_origin(origin)?;
+			ensure!(Self::user_shielding_keys(&who).is_some(), Error::<T>::InvalidUserShieldingKey);
+
 			if let Some(c) = IDGraphs::<T>::get(&who, &identity) {
 				ensure!(
 					!(c.is_verified && c.creation_request_block != Some(0)),
@@ -218,7 +222,7 @@ pub mod pallet {
 			}
 
 			let prime_id = Identity::Substrate {
-				network: SubstrateNetwork::Litentry,
+				network: SubstrateNetwork::get_network(parent_ss58_prefix),
 				address: prime_user_address,
 			};
 			if IDGraphs::<T>::get(&who, &prime_id).is_none() {
@@ -250,6 +254,7 @@ pub mod pallet {
 			identity: Identity,
 		) -> DispatchResult {
 			T::ManageOrigin::ensure_origin(origin)?;
+			ensure!(Self::user_shielding_keys(&who).is_some(), Error::<T>::InvalidUserShieldingKey);
 			ensure!(IDGraphs::<T>::contains_key(&who, &identity), Error::<T>::IdentityNotExist);
 			if let Some(IdentityContext::<T> {
 				metadata,
@@ -281,6 +286,7 @@ pub mod pallet {
 			verification_request_block: ParentchainBlockNumber,
 		) -> DispatchResult {
 			T::ManageOrigin::ensure_origin(origin)?;
+			ensure!(Self::user_shielding_keys(&who).is_some(), Error::<T>::InvalidUserShieldingKey);
 			IDGraphs::<T>::try_mutate(&who, &identity, |context| -> DispatchResult {
 				let mut c = context.take().ok_or(Error::<T>::IdentityNotExist)?;
 

tee-worker/litentry/pallets/identity-management/src/tests.rs

@@ -46,6 +46,13 @@ fn set_user_shielding_key_works() {
 #[test]
 fn create_identity_works() {
 	new_test_ext().execute_with(|| {
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
+
 		let ss58_prefix = 131_u16;
 		let metadata: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
 		assert_ok!(IMT::create_identity(
@@ -71,8 +78,15 @@ fn create_identity_works() {
 #[test]
 fn remove_identity_works() {
 	new_test_ext().execute_with(|| {
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
+
 		let metadata: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
-		let ss58_prefix = 131_u16;
+		let ss58_prefix = 31_u16;
 		assert_noop!(
 			IMT::remove_identity(RuntimeOrigin::signed(ALICE), BOB, alice_web3_identity()),
 			Error::<Test>::IdentityNotExist
@@ -115,6 +129,13 @@ fn remove_identity_works() {
 #[test]
 fn verify_identity_works() {
 	new_test_ext().execute_with(|| {
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
+
 		let metadata: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
 		let ss58_prefix = 131_u16;
 		assert_ok!(IMT::create_identity(
@@ -146,6 +167,13 @@ fn verify_identity_works() {
 #[test]
 fn get_id_graph_works() {
 	new_test_ext().execute_with(|| {
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
+
 		let metadata3: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
 		let ss58_prefix = 131_u16;
 		assert_ok!(IMT::create_identity(
@@ -195,6 +223,13 @@ fn verify_identity_fails_when_too_early() {
 		const CREATION_REQUEST_BLOCK: ParentchainBlockNumber = 2;
 		const VERIFICATION_REQUEST_BLOCK: ParentchainBlockNumber = 1;
 
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
+
 		let metadata: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
 		let ss58_prefix = 131_u16;
 		assert_ok!(IMT::create_identity(
@@ -232,6 +267,12 @@ fn verify_identity_fails_when_too_late() {
 		const CREATION_REQUEST_BLOCK: ParentchainBlockNumber = 1;
 		const VERIFICATION_REQUEST_BLOCK: ParentchainBlockNumber = 5;
 
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
 		let metadata: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
 		let ss58_prefix = 131_u16;
 		assert_ok!(IMT::create_identity(
@@ -266,6 +307,13 @@ fn verify_identity_fails_when_too_late() {
 #[test]
 fn get_id_graph_with_max_len_works() {
 	new_test_ext().execute_with(|| {
+		let shielding_key: UserShieldingKeyType = [0u8; USER_SHIELDING_KEY_LEN];
+		assert_ok!(IMT::set_user_shielding_key(
+			RuntimeOrigin::signed(ALICE),
+			BOB,
+			shielding_key.clone()
+		));
+
 		// fill in 21 identities, starting from 1 to reserve place for prime_id
 		for i in 1..22 {
 			assert_ok!(IMT::create_identity(
@@ -292,6 +340,6 @@ fn get_id_graph_with_max_len_works() {
 		let id_graph = IMT::get_id_graph_with_max_len(&BOB, 30);
 		assert_eq!(id_graph.len(), 22);
 		assert_eq!(String::from_utf8(id_graph.get(0).unwrap().0.flat()).unwrap(), "did:twitter:web2:_:alice21");
-		assert_eq!(String::from_utf8(id_graph.get(21).unwrap().0.flat()).unwrap(), "did:litentry:web3:substrate:0x0202020202020202020202020202020202020202020202020202020202020202");
+		assert_eq!(String::from_utf8(id_graph.get(21).unwrap().0.flat()).unwrap(), "did:litmus:web3:substrate:0x0202020202020202020202020202020202020202020202020202020202020202");
 	});
 }

tee-worker/litentry/primitives/src/identity.rs

@@ -73,6 +73,7 @@ pub enum SubstrateNetwork {
 	Litentry,
 	Litmus,
 	Khala,
+	TestNet,
 }
 
 impl SubstrateNetwork {
@@ -84,6 +85,18 @@ impl SubstrateNetwork {
 			Self::Litentry => 31,
 			Self::Litmus => 131,
 			Self::Khala => 30,
+			Self::TestNet => 13,
+		}
+	}
+
+	pub fn get_network(prefix: u16) -> Self {
+		match prefix {
+			0 => Self::Polkadot,
+			2 => Self::Kusama,
+			31 => Self::Litentry,
+			131 => Self::Litmus,
+			30 => Self::Khala,
+			_ => Self::TestNet,
 		}
 	}
 }

tee-worker/ts-tests/identity.test.ts

@@ -128,6 +128,18 @@ describeLitentry('Test Identity', (context) => {
     var signature_ethereum;
     var signature_substrate;
 
+    step('Invalid user shielding key', async function () {
+        const encode = context.api.createType('LitentryIdentity', substrateIdentity).toHex();
+        const ciphertext = encryptWithTeeShieldingKey(context.teeShieldingKey, encode).toString('hex');
+        const tx = context.api.tx.identityManagement.createIdentity(context.mrEnclave, context.defaultSigner[0].address, `0x${ciphertext}`, null);
+        await sendTxUntilInBlock(context.api, tx, context.defaultSigner[0]);
+
+        const events = await listenEvent(context.api, 'identityManagement', ['StfError']);
+        expect(events.length).to.be.equal(1);
+
+        await checkFailReason(events, 'InvalidUserShieldingKey', true);
+    })
+
     step('set user shielding key', async function () {
         const alice = await setUserShieldingKey(context, context.defaultSigner[0], aesKey, true);
         assert.equal(alice, u8aToHex(context.defaultSigner[0].addressRaw), 'check caller error');
@@ -331,7 +343,8 @@ describeLitentry('Test Identity', (context) => {
         const substratePrimeIdentity = <LitentryIdentity>{
             Substrate: <SubstrateIdentity>{
                 address: `0x${Buffer.from(context.defaultSigner[0].publicKey).toString('hex')}`,
-                network: 'Litentry',
+                // When testing with integritee-node, change network to: TestNet
+                network: 'Litmus',
             },
         };
 
@@ -342,7 +355,8 @@ describeLitentry('Test Identity', (context) => {
 
         const events = await listenEvent(context.api, 'identityManagement', ['StfError']);
         expect(events.length).to.be.equal(1);
-        const result = events[0].method as string;
+
+        await checkFailReason(events, 'RemovePrimeIdentityDisallowed', true);
     });
 
     step('remove error identities', async function () {
@@ -359,8 +373,9 @@ describeLitentry('Test Identity', (context) => {
 
         await checkFailReason(resp_not_exist_identities, 'IdentityNotExist', true);
 
-        //remove a challenge code before the code is set
         //context.defaultSigner[2] doesn't have a challenge code
+        const bob = await setUserShieldingKey(context, context.defaultSigner[2], aesKey, true);
+        assert.equal(bob, u8aToHex(context.defaultSigner[2].addressRaw), 'check caller error');
         const resp_not_created_identities = (await removeErrorIdentities(
             context,
             context.defaultSigner[2],

tee-worker/ts-tests/type-definitions.ts

@@ -90,7 +90,7 @@ export const teeTypes = {
         _enum: ['Twitter', 'Discord', 'Github'],
     },
     SubstrateNetwork: {
-        _enum: ['Polkadot', 'Kusama', 'Litentry', 'Litmus'],
+        _enum: ['Polkadot', 'Kusama', 'Litentry', 'Litmus', 'Khala', 'TestNet'],
     },
     EvmNetwork: {
         _enum: ['Ethereum', 'BSC'],
@@ -275,7 +275,7 @@ export type Web3Network = {
 };
 
 export type Web2Network = 'Twitter' | 'Discord' | 'Github';
-export type SubstrateNetwork = 'Polkadot' | 'Kusama' | 'Litentry' | 'Litmus';
+export type SubstrateNetwork = 'Polkadot' | 'Kusama' | 'Litentry' | 'Litmus' | 'Khala' | 'TestNet';
 export type EvmNetwork = 'Ethereum' | 'BSC';
 
 export type IdentityGenericEvent = {