Allow IDHCS to create identity on users' behalf

.github/workflows/tee-worker-ci.yml

@@ -163,7 +163,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: check-file-change
     if: needs.check-file-change.outputs.src == 'true'
-    container: "integritee/integritee-dev:0.1.9"
+    container: "integritee/integritee-dev:0.1.10"
     steps:
       - uses: actions/checkout@v3
       - name: init rust

pallets/identity-management-mock/src/lib.rs

@@ -79,19 +79,25 @@ pub mod pallet {
 	pub trait Config: frame_system::Config {
 		/// Event
 		type RuntimeEvent: From<Event<Self>> + IsType<<Self as frame_system::Config>::RuntimeEvent>;
-		/// origin to manage caller whitelist
-		type ManageWhitelistOrigin: EnsureOrigin<Self::RuntimeOrigin>;
 		// maximum delay in block numbers between creating an identity and verifying an identity
 		#[pallet::constant]
 		type MaxVerificationDelay: Get<BlockNumberOf<Self>>;
 		// some extrinsics should only be called by origins from TEE
 		type TEECallOrigin: EnsureOrigin<Self::RuntimeOrigin>;
+		/// origin to manage authorised delegatee list
+		type DelegateeAdminOrigin: EnsureOrigin<Self::RuntimeOrigin>;
 	}
 
 	#[pallet::event]
 	#[pallet::generate_deposit(pub(super) fn deposit_event)]
 	pub enum Event<T: Config> {
 		// Events from this pallet
+		DelegateeAdded {
+			account: T::AccountId,
+		},
+		DelegateeRemoved {
+			account: T::AccountId,
+		},
 		CreateIdentityRequested {
 			shard: ShardIdentifier,
 		},
@@ -171,8 +177,10 @@ pub mod pallet {
 	/// These are the errors that are immediately emitted from this mock pallet
 	#[pallet::error]
 	pub enum Error<T> {
-		/// caller is not in whitelist (therefore disallowed to call some extrinsics)
-		CallerNotWhitelisted,
+		/// a delegatee doesn't exist
+		DelegateeNotExist,
+		/// a `create_identity` request from unauthorised user
+		UnauthorisedUser,
 		/// Error when decrypting using TEE'shielding key
 		ShieldingKeyDecryptionFailed,
 		/// unexpected decoded type
@@ -209,10 +217,11 @@ pub mod pallet {
 		UnexpectedMessage,
 	}
 
+	/// delegatees who are authorised to send extrinsics(currently only `create_identity`)
+	/// on behalf of the users
 	#[pallet::storage]
-	#[pallet::getter(fn whitelisted_callers)]
-	pub type WhitelistedCallers<T: Config> =
-		StorageMap<_, Twox64Concat, T::AccountId, (), OptionQuery>;
+	#[pallet::getter(fn delegatee)]
+	pub type Delegatee<T: Config> = StorageMap<_, Blake2_128Concat, T::AccountId, (), OptionQuery>;
 
 	/// user shielding key is per Litentry account
 	#[pallet::storage]
@@ -248,22 +257,23 @@ pub mod pallet {
 
 	#[pallet::call]
 	impl<T: Config> Pallet<T> {
-		/// add an account to the whitelist
+		/// add an account to the delegatees
 		#[pallet::weight(195_000_000)]
-		pub fn add_to_whitelist(origin: OriginFor<T>, account: T::AccountId) -> DispatchResult {
-			let _ = T::ManageWhitelistOrigin::ensure_origin(origin)?;
-			WhitelistedCallers::<T>::insert(account, ());
+		pub fn add_delegatee(origin: OriginFor<T>, account: T::AccountId) -> DispatchResult {
+			let _ = T::DelegateeAdminOrigin::ensure_origin(origin)?;
+			// we don't care if `account` already exists
+			Delegatee::<T>::insert(account.clone(), ());
+			Self::deposit_event(Event::DelegateeAdded { account });
 			Ok(())
 		}
 
-		/// remove an account from the whitelist
+		/// remove an account from the delegatees
 		#[pallet::weight(195_000_000)]
-		pub fn remove_from_whitelist(
-			origin: OriginFor<T>,
-			account: T::AccountId,
-		) -> DispatchResult {
-			let _ = T::ManageWhitelistOrigin::ensure_origin(origin)?;
-			WhitelistedCallers::<T>::remove(account);
+		pub fn remove_delegatee(origin: OriginFor<T>, account: T::AccountId) -> DispatchResult {
+			let _ = T::DelegateeAdminOrigin::ensure_origin(origin)?;
+			ensure!(Delegatee::<T>::contains_key(&account), Error::<T>::DelegateeNotExist);
+			Delegatee::<T>::remove(account.clone());
+			Self::deposit_event(Event::DelegateeRemoved { account });
 			Ok(())
 		}
 
@@ -275,7 +285,6 @@ pub mod pallet {
 			encrypted_key: Vec<u8>,
 		) -> DispatchResult {
 			let who = ensure_signed(origin)?;
-			ensure!(WhitelistedCallers::<T>::contains_key(&who), Error::<T>::CallerNotWhitelisted);
 			Self::deposit_event(Event::SetUserShieldingKeyRequested { shard });
 
 			let decrypted_key = Self::decrypt_with_tee_shielding_key(&encrypted_key)?;
@@ -294,11 +303,15 @@ pub mod pallet {
 		pub fn create_identity(
 			origin: OriginFor<T>,
 			shard: ShardIdentifier,
+			user: T::AccountId,
 			encrypted_identity: Vec<u8>,
 			encrypted_metadata: Option<Vec<u8>>,
 		) -> DispatchResult {
 			let who = ensure_signed(origin)?;
-			ensure!(WhitelistedCallers::<T>::contains_key(&who), Error::<T>::CallerNotWhitelisted);
+			ensure!(
+				who == user || Delegatee::<T>::contains_key(&who),
+				Error::<T>::UnauthorisedUser
+			);
 			Self::deposit_event(Event::CreateIdentityRequested { shard });
 
 			let decrypted_identitty = Self::decrypt_with_tee_shielding_key(&encrypted_identity)?;
@@ -368,7 +381,6 @@ pub mod pallet {
 			encrypted_identity: Vec<u8>,
 		) -> DispatchResult {
 			let who = ensure_signed(origin)?;
-			ensure!(WhitelistedCallers::<T>::contains_key(&who), Error::<T>::CallerNotWhitelisted);
 			Self::deposit_event(Event::RemoveIdentityRequested { shard });
 
 			let decrypted_identitty = Self::decrypt_with_tee_shielding_key(&encrypted_identity)?;
@@ -403,7 +415,6 @@ pub mod pallet {
 			encrypted_validation_data: Vec<u8>,
 		) -> DispatchResult {
 			let who = ensure_signed(origin)?;
-			ensure!(WhitelistedCallers::<T>::contains_key(&who), Error::<T>::CallerNotWhitelisted);
 			Self::deposit_event(Event::VerifyIdentityRequested { shard });
 
 			let now = <frame_system::Pallet<T>>::block_number();

pallets/identity-management-mock/src/mock.rs

@@ -121,9 +121,9 @@ ord_parameter_types! {
 
 impl pallet_identity_management_mock::Config for Test {
 	type RuntimeEvent = RuntimeEvent;
-	type ManageWhitelistOrigin = EnsureRoot<Self::AccountId>;
 	type MaxVerificationDelay = ConstU64<10>;
 	type TEECallOrigin = EnsureSignedBy<One, u64>;
+	type DelegateeAdminOrigin = EnsureRoot<Self::AccountId>;
 }
 
 pub fn new_test_ext() -> sp_io::TestExternalities {
@@ -135,8 +135,6 @@ pub fn new_test_ext() -> sp_io::TestExternalities {
 
 	let mut ext = sp_io::TestExternalities::new(t);
 	ext.execute_with(|| {
-		// add to `One` to whitelist
-		let _ = IdentityManagementMock::add_to_whitelist(RuntimeOrigin::root(), 1u64);
 		System::set_block_number(1);
 	});
 	ext
@@ -214,7 +212,6 @@ pub fn setup_user_shieding_key(
 	let shielding_key = Aes256Gcm::generate_key(&mut OsRng);
 	let encrpted_shielding_key = tee_encrypt(&shielding_key);
 	// whitelist caller
-	assert_ok!(IdentityManagementMock::add_to_whitelist(RuntimeOrigin::root(), who));
 	assert_ok!(IdentityManagementMock::set_user_shielding_key(
 		RuntimeOrigin::signed(who),
 		H256::random(),
@@ -246,6 +243,7 @@ pub fn setup_create_identity(
 	assert_ok!(IdentityManagementMock::create_identity(
 		RuntimeOrigin::signed(who),
 		H256::random(),
+		who,
 		encrypted_identity.to_vec(),
 		None
 	));

pallets/identity-management-mock/src/tests.rs

@@ -20,20 +20,6 @@ use codec::Encode;
 use frame_support::assert_noop;
 use sp_core::{blake2_256, Pair, H256};
 
-#[test]
-fn unpriveledged_origin_call_fails() {
-	new_test_ext().execute_with(|| {
-		assert_noop!(
-			IdentityManagementMock::set_user_shielding_key(
-				RuntimeOrigin::signed(2),
-				H256::random(),
-				vec![]
-			),
-			Error::<Test>::CallerNotWhitelisted
-		);
-	});
-}
-
 #[test]
 fn set_user_shielding_key_works() {
 	new_test_ext().execute_with(|| {
@@ -118,6 +104,7 @@ fn create_twitter_identity_after_verification_fails() {
 			IdentityManagementMock::create_identity(
 				RuntimeOrigin::signed(who),
 				H256::random(),
+				who,
 				encrypted_identity.to_vec(),
 				None
 			),

pallets/identity-management/src/benchmarking.rs

@@ -32,15 +32,14 @@ fn assert_last_event<T: Config>(generic_event: <T as Config>::RuntimeEvent) {
 }
 
 benchmarks! {
-
 	// Benchmark `create_identity`. There are no worst conditions. The benchmark showed that
 	// execution time is constant irrespective of encrypted_data size.
 	create_identity {
-		let caller = whitelisted_caller();
+		let caller = whitelisted_caller::<T::AccountId>();
 		let shard = H256::from_slice(&TEST_MRENCLAVE);
 		let encrypted_did = vec![1u8; 2048];
 		let encrypted_metadata = Some(vec![1u8; 2048]);
-	}: _(RawOrigin::Signed(caller), shard, encrypted_did, encrypted_metadata)
+	}: _(RawOrigin::Signed(caller.clone()), shard, caller.clone(), encrypted_did, encrypted_metadata)
 	verify {
 		assert_last_event::<T>(Event::CreateIdentityRequested{ shard }.into());
 	}

pallets/identity-management/src/lib.rs

@@ -47,12 +47,6 @@ pub use pallet::*;
 pub use primitives::{AesOutput, ShardIdentifier};
 use sp_std::vec::Vec;
 
-// fn types for handling inside tee-worker
-pub type SetUserShieldingKeyFn = ([u8; 2], ShardIdentifier, Vec<u8>);
-pub type CreateIdentityFn = ([u8; 2], ShardIdentifier, Vec<u8>, Option<Vec<u8>>);
-pub type RemoveIdentityFn = ([u8; 2], ShardIdentifier, Vec<u8>);
-pub type VerifyIdentityFn = ([u8; 2], ShardIdentifier, Vec<u8>, Vec<u8>);
-
 #[frame_support::pallet]
 pub mod pallet {
 	use super::{AesOutput, ShardIdentifier, Vec, WeightInfo};
@@ -69,11 +63,15 @@ pub mod pallet {
 		type WeightInfo: WeightInfo;
 		// some extrinsics should only be called by origins from TEE
 		type TEECallOrigin: EnsureOrigin<Self::RuntimeOrigin>;
+		/// origin to manage authorised delegatee list
+		type DelegateeAdminOrigin: EnsureOrigin<Self::RuntimeOrigin>;
 	}
 
 	#[pallet::event]
 	#[pallet::generate_deposit(pub(super) fn deposit_event)]
 	pub enum Event<T: Config> {
+		DelegateeAdded { account: T::AccountId },
+		DelegateeRemoved { account: T::AccountId },
 		// TODO: do we need account as event parameter? This needs to be decided by F/E
 		CreateIdentityRequested { shard: ShardIdentifier },
 		RemoveIdentityRequested { shard: ShardIdentifier },
@@ -92,11 +90,42 @@ pub mod pallet {
 		SomeError { func: Vec<u8>, error: Vec<u8> },
 	}
 
+	/// delegatees who are authorised to send extrinsics(currently only `create_identity`)
+	/// on behalf of the users
+	#[pallet::storage]
+	#[pallet::getter(fn delegatee)]
+	pub type Delegatee<T: Config> = StorageMap<_, Blake2_128Concat, T::AccountId, (), OptionQuery>;
+
 	#[pallet::error]
-	pub enum Error<T> {}
+	pub enum Error<T> {
+		/// a delegatee doesn't exist
+		DelegateeNotExist,
+		/// a `create_identity` request from unauthorised user
+		UnauthorisedUser,
+	}
 
 	#[pallet::call]
 	impl<T: Config> Pallet<T> {
+		/// add an account to the delegatees
+		#[pallet::weight(195_000_000)]
+		pub fn add_delegatee(origin: OriginFor<T>, account: T::AccountId) -> DispatchResult {
+			let _ = T::DelegateeAdminOrigin::ensure_origin(origin)?;
+			// we don't care if `account` already exists
+			Delegatee::<T>::insert(account.clone(), ());
+			Self::deposit_event(Event::DelegateeAdded { account });
+			Ok(())
+		}
+
+		/// remove an account from the delegatees
+		#[pallet::weight(195_000_000)]
+		pub fn remove_delegatee(origin: OriginFor<T>, account: T::AccountId) -> DispatchResult {
+			let _ = T::DelegateeAdminOrigin::ensure_origin(origin)?;
+			ensure!(Delegatee::<T>::contains_key(&account), Error::<T>::DelegateeNotExist);
+			Delegatee::<T>::remove(account.clone());
+			Self::deposit_event(Event::DelegateeRemoved { account });
+			Ok(())
+		}
+
 		/// Set or update user's shielding key
 		#[pallet::weight(<T as Config>::WeightInfo::set_user_shielding_key())]
 		pub fn set_user_shielding_key(
@@ -110,14 +139,22 @@ pub mod pallet {
 		}
 
 		/// Create an identity
+		/// We do the origin check for this extrinsic, it has to be
+		/// - either the caller him/herself, i.e. ensure_signed(origin)? == who
+		/// - or from a delegatee in the list
 		#[pallet::weight(<T as Config>::WeightInfo::create_identity())]
 		pub fn create_identity(
 			origin: OriginFor<T>,
 			shard: ShardIdentifier,
+			user: T::AccountId,
 			encrypted_identity: Vec<u8>,
 			encrypted_metadata: Option<Vec<u8>>,
 		) -> DispatchResultWithPostInfo {
-			let _ = ensure_signed(origin)?;
+			let who = ensure_signed(origin)?;
+			ensure!(
+				who == user || Delegatee::<T>::contains_key(&who),
+				Error::<T>::UnauthorisedUser
+			);
 			Self::deposit_event(Event::CreateIdentityRequested { shard });
 			Ok(().into())
 		}

pallets/identity-management/src/mock.rs

@@ -28,6 +28,7 @@ use sp_runtime::{
 	testing::Header,
 	traits::{BlakeTwo256, IdentityLookup},
 };
+use system::EnsureRoot;
 
 type UncheckedExtrinsic = frame_system::mocking::MockUncheckedExtrinsic<Test>;
 type Block = frame_system::mocking::MockBlock<Test>;
@@ -135,13 +136,16 @@ impl pallet_identity_management::Config for Test {
 	type RuntimeEvent = RuntimeEvent;
 	type WeightInfo = ();
 	type TEECallOrigin = EnsureEnclaveSigner;
+	type DelegateeAdminOrigin = EnsureRoot<Self::AccountId>;
 }
 
 pub fn new_test_ext() -> sp_io::TestExternalities {
 	let t = system::GenesisConfig::default().build_storage::<Test>().unwrap();
 
 	let mut ext = sp_io::TestExternalities::new(t);
 	ext.execute_with(|| {
+		// add `5` to delegatee
+		let _ = IdentityManagement::add_delegatee(RuntimeOrigin::root(), 5u64);
 		System::set_block_number(1);
 	});
 	ext