multiple parentchain handlers (#1420)

* [enclave-runtime/initialization] lift some code out of the innermost function

* [enclave-runtime/initialization] rename `EnclaveIndirectExecutor` to `TeerexParentchainIndirectExecutor`

* [enclave-runtime/initialization] rename stuff that is only for the primary parentchain containing the teerex pallet

* [enclave-runtime/initialization] naively add second set of components needed for a second parachain

* [enclave-runtime/initialization] introduce second nonce cache for the second parachain

* [enclave-runtime/initialization/global_components] fix wrong type arg

* [indirect-calls-executor] fix `DenyAll` implementation

* [enclave-runtime/initialization] code compiles for instantiating a secondary parachain parentchain handler.

* [enclave-runtime/initialization] fmt

* [enclave-runtime/initialization] add second set of solochain parentchain handler

* [enclave-runtime/initialization] extend parentchain init params with the secondary parentchains

* [enclave-runtime/initialization] add second light-client seal

* change parentchain init params enum, and add full code for initialization.

* fix some comments and naming

* [service] add cli options for the secondary node

* extract `init_parentchain` function in service and add `parentchain_id` to `set_nonce` and `set_metadata` ecalls (id is not used yet in the enclave)

* rename `get_node_metadata_repository_from_solo_or_parachain` to `get_node_metadata_repository_from_teerex_solo_or_parachain` and add `get_node_metadata_repository_from_secondary_solo_or_parachain`

* [enclave-runtime] `set_nonce` takes into account the parentchain id now

* fix test compilation

* add complete code for secondary parentchain

* [service/config] fix cli naming

* [service] indicate in logs that they are for the secondary parentchain

* [service] fix clippy

* [service] fix tests

* [enclave-runtime] fix: don't initialize second light client seal on the global for the first client

* [service/setup] fix purging second light client db.

* [service] print block number at which the enclave registered.

* [parentchain] remove some unnecessary trait bounds (simplify error message)

* [enclave-runtime] remove unused unit test

* OnchainOcallApi does not take a paramenter such that it nows, which parentchain to talk to.

* [stf-executor] remove code that executes a state update upon before stf execution as it is apparently no longer needed

* [service] propagate parentchain id throughout the codebase

* [service] fix tests

* [local-setup] prepare configs to run multiple nodes

* [stf-executor/executor] fix wrong import

* [local-setup] add a config that spawns two nodes

* [service] remove unnecessary traitbounds

* [service] minor logging fixes

* `sync_parentchain` and `trigger_parentchain_block_import` have the `ParentchainId` are too now.

* [service/worker_onchain_ocall] log to which parentchain we want to send the extrinsic

* [service/ocall_bridge] fix log typo

* [enclave-runtime] supress clippy warning

* [service] fix: fund enclave on secondary parentchain

* [service/worker_on_chain_ocall] improve log for extrinsic

* [local-setup] sleep 18 between setting up nodes, so that the logs are easier to distinguish

* add new indirect calls filer, which checks for transfers to alice to shield these funds

* [indirect-executor] use correct type in `TransferToAliceShieldsFundsFilter`

* [indirect-executor] better logging

* [local-setup/tmux_logger_two_nodes] only use three panes as the last one was unused

* [indirect-executor] remove unused imports

* [indirect-executor/transfer_to_alice_shields_funds] fix alice account

* [local-setup] use trace in indirect executor

* [cli] add `demo_shielding_unshielding_two_nodes` (working)

* rename `ParentchainId` enum variants to `Integritee` and `TargetA`

* [node-api/metadata] format pallet_balances licence header.

* [indirect-calls-executor] fix documentation

* [indirect-calls-executor] rename `ALICE_ENCODED` to `ALICE_SEED`

* [Enclave.edl] fix indents

* rename `get_node_metadata_from_teerex_solo_or_parachain` to `get_node_metadata_repository_from_integritee_solo_or_parachain`

* [enclave-runtime] rename error `NoTeerexParentchainAssigned` to `NoIntegriteeParentchainAssigned`

* [enclave-runtime] rename error `NoSecondaryParentchainAssigned` to `NoTargetAParentchainAssigned`

* [itp-nonce-cache] rename caches to `INTEGRITEE_NONCE_CACHE` and `TARGET_A_PARENTCHAIN_NONCE_CACHE`

* move nonce caches to the enclave-runtimes global components

* [enclave-runtime] change doc comments to regular comments were suitable

* [itp-settings] rename light-client db paths

* [enclave-runtime/initialization] rename parachain.rs to integritee_parachain.rs and `FullParachainHandler` to `IntegriteeParachainHandler`

* [enclave-runtime/initialization] rename parachain2.rs to target_a_parachain.rs and `FullParachainHandler2` to `TargetAParachainHandler`

* [enclave-runtime/initialization] rename solochain.rs to integritee_solochain.rs and `FullSolochainHandler` to `IntegriteeSolochainHandler`

* [enclave-runtime/initialization] rename solochain2.rs to target_a_solochain.rs and `FullSolochainHandler2` to `TargetASolochainHandler`

* [enclave-runtime/initialization] reflect previous changes in global components naming

* [enclave-runtime/initialization] consistent naming in global components

* [enclave-runtime/initialization] rename Teerex... types to Integritee... types

* [enclave-runtime/initialization] rename Secondary... types to TargetA... types

* [enclave-runtime/initialization] better distinguish the two light-client seals

* [enclave-runtime] some more minor renamings for new scheme

* [itp-settings] fix naming of target_a light client db path

* [enclave-runtime/global_components] fix grammar in doc

* [enclave-runtime/global_components] minor doc fixes

* [enclave-runtime/initialization] fix naming of light-client-db variables

* [cli] rename cli args in demo scripts to be more readable and use new names for parentchains

* fmt

* [enclave-runtime] more ergonomic code due to shorter variable names.

* [indirect-calls-executor] simplify creation of alice's account id

* [indirect-calls-executor] add an assert_eq in the doc test

* [service] update cli arguments to new parentchain naming

* [service/config] fix missing renamings

* [service/node_api_factory] add endpoint renamings

* [service/main] rename node_api to integritee_rpc_api

* [service/main] rename `init_parentchain` and `init_secondary_parentchain` to `init_integritee_parentchain` and `init_target_a_parentchain`

* [service/config] fix naming

* [service/main] fix moving of variables

* [service] fix tests

* [service/bridge-api] rename error to new chain naming

* [service/ocall_bridge] rename api factories for new naming

* consisten naming change remaning: target_a_chain -> target_a_parentchain

* fix missing minor renamings

* clippy

* [enclave-runtime/global-components] fix misallocation of `IntegriteeBlockImporter` to a Target A parentchain type. (this did not have any effect in the offchain-worker case)

app-libs/stf/src/stf_sgx.rs

@@ -31,7 +31,7 @@ use itp_stf_interface::{
 };
 use itp_stf_primitives::types::ShardIdentifier;
 use itp_storage::storage_value_key;
-use itp_types::OpaqueCall;
+use itp_types::{parentchain::ParentchainId, OpaqueCall};
 use itp_utils::stringify::account_id_to_string;
 use log::*;
 use sp_runtime::traits::StaticLookup;
@@ -114,9 +114,12 @@ where
 		});
 	}
 
-	fn storage_hashes_to_update_on_block() -> Vec<Vec<u8>> {
+	fn storage_hashes_to_update_on_block(parentchain_id: &ParentchainId) -> Vec<Vec<u8>> {
 		// Get all shards that are currently registered.
-		vec![shards_key_hash()]
+		match parentchain_id {
+			ParentchainId::Integritee => vec![shards_key_hash()],
+			ParentchainId::TargetA => vec![],
+		}
 	}
 }
 

cli/demo_direct_call.sh

@@ -27,46 +27,49 @@ while getopts ":m:p:P:t:u:V:C:" opt; do
             TEST=$OPTARG
             ;;
         m)
-            READMRENCLAVE=$OPTARG
+            READ_MRENCLAVE=$OPTARG
             ;;
         p)
-            NPORT=$OPTARG
+            INTEGRITEE_RPC_PORT=$OPTARG
             ;;
         P)
-            WORKER1PORT=$OPTARG
+            WORKER_1_PORT=$OPTARG
             ;;
         u)
-            NODEURL=$OPTARG
+            INTEGRITEE_RPC_URL=$OPTARG
             ;;
         V)
-            WORKER1URL=$OPTARG
+            WORKER_1_URL=$OPTARG
             ;;
         C)
             CLIENT_BIN=$OPTARG
             ;;
+        *)
+            echo "invalid arg ${OPTARG}"
+            exit 1
     esac
 done
 
 # Using default port if none given as arguments.
-NPORT=${NPORT:-9944}
-NODEURL=${NODEURL:-"ws://127.0.0.1"}
+INTEGRITEE_RPC_PORT=${INTEGRITEE_RPC_PORT:-9944}
+INTEGRITEE_RPC_URL=${INTEGRITEE_RPC_URL:-"ws://127.0.0.1"}
 
-WORKER1PORT=${WORKER1PORT:-2000}
-WORKER1URL=${WORKER1URL:-"wss://127.0.0.1"}
+WORKER_1_PORT=${WORKER_1_PORT:-2000}
+WORKER_1_URL=${WORKER_1_URL:-"wss://127.0.0.1"}
 
 CLIENT_BIN=${CLIENT_BIN:-"./../bin/integritee-cli"}
 
 echo "Using client binary ${CLIENT_BIN}"
 ${CLIENT_BIN} --version
-echo "Using node uri ${NODEURL}:${NPORT}"
-echo "Using trusted-worker uri ${WORKER1URL}:${WORKER1PORT}"
+echo "Using node uri ${INTEGRITEE_RPC_URL}:${INTEGRITEE_RPC_PORT}"
+echo "Using trusted-worker uri ${WORKER_1_URL}:${WORKER_1_PORT}"
 echo ""
 
 
 AMOUNTSHIELD=50000000000
 AMOUNTTRANSFER=40000000000
 
-CLIENT="${CLIENT_BIN} -p ${NPORT} -P ${WORKER1PORT} -u ${NODEURL} -U ${WORKER1URL}"
+CLIENT="${CLIENT_BIN} -p ${INTEGRITEE_RPC_PORT} -P ${WORKER_1_PORT} -u ${INTEGRITEE_RPC_URL} -U ${WORKER_1_URL}"
 read -r MRENCLAVE <<< "$($CLIENT list-workers | awk '/  MRENCLAVE: / { print $2; exit }')"
 
 echo ""

cli/demo_direct_call_2_workers.sh

@@ -30,6 +30,9 @@ while getopts ":p:A:B:u:W:V:C:" opt; do
         C)
             CLIENT_BIN=$OPTARG
             ;;
+        *)
+            echo "invalid arg ${OPTARG}"
+            exit 1
     esac
 done
 

cli/demo_indirect_invocation.sh

@@ -8,51 +8,54 @@ set -euo pipefail
 while getopts ":p:A:B:u:W:V:C:" opt; do
     case $opt in
         p)
-            NPORT=$OPTARG
+            INTEGRITEE_RPC_PORT=$OPTARG
             ;;
         A)
-            WORKER1PORT=$OPTARG
+            WORKER_1_PORT=$OPTARG
             ;;
         B)
-            WORKER2PORT=$OPTARG
+            WORKER_2_PORT=$OPTARG
             ;;
         u)
-            NODEURL=$OPTARG
+            INTEGRITEE_RPC_URL=$OPTARG
             ;;
         V)
-            WORKER1URL=$OPTARG
+            WORKER_1_URL=$OPTARG
             ;;
         W)
-            WORKER2URL=$OPTARG
+            WORKER_2_URL=$OPTARG
             ;;
         C)
             CLIENT_BIN=$OPTARG
             ;;
+        *)
+            echo "invalid arg ${OPTARG}"
+            exit 1
     esac
 done
 
 # Using default port if none given as arguments.
-NPORT=${NPORT:-9944}
-NODEURL=${NODEURL:-"ws://127.0.0.1"}
+INTEGRITEE_RPC_PORT=${INTEGRITEE_RPC_PORT:-9944}
+INTEGRITEE_RPC_URL=${INTEGRITEE_RPC_URL:-"ws://127.0.0.1"}
 
-WORKER1PORT=${WORKER1PORT:-2000}
-WORKER1URL=${WORKER1URL:-"wss://127.0.0.1"}
+WORKER_1_PORT=${WORKER_1_PORT:-2000}
+WORKER_1_URL=${WORKER_1_URL:-"wss://127.0.0.1"}
 
-WORKER2PORT=${WORKER2PORT:-3000}
-WORKER2URL=${WORKER2URL:-"wss://127.0.0.1"}
+WORKER_2_PORT=${WORKER_2_PORT:-3000}
+WORKER_2_URL=${WORKER_2_URL:-"wss://127.0.0.1"}
 
 CLIENT_BIN=${CLIENT_BIN:-"./../bin/integritee-cli"}
 
 echo "Using client binary ${CLIENT_BIN}"
 ${CLIENT_BIN} --version
-echo "Using node uri ${NODEURL}:${NPORT}"
-echo "Using trusted-worker 1 uri ${WORKER1URL}:${WORKER1PORT}"
-echo "Using trusted-worker 2 uri ${WORKER2URL}:${WORKER2PORT}"
+echo "Using node uri ${INTEGRITEE_RPC_URL}:${INTEGRITEE_RPC_PORT}"
+echo "Using trusted-worker 1 uri ${WORKER_1_URL}:${WORKER_1_PORT}"
+echo "Using trusted-worker 2 uri ${WORKER_2_URL}:${WORKER_2_PORT}"
 echo ""
 
 SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 
-"${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${NPORT}" -u "${NODEURL}" -V "${WORKER1URL}" -P "${WORKER1PORT}" -C "${CLIENT_BIN}" -t first
-"${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${NPORT}" -u "${NODEURL}" -V "${WORKER2URL}" -P "${WORKER2PORT}" -C "${CLIENT_BIN}" -t second
+"${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_1_URL}" -P "${WORKER_1_PORT}" -C "${CLIENT_BIN}" -t first
+"${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_2_URL}" -P "${WORKER_2_PORT}" -C "${CLIENT_BIN}" -t second
 
 exit 0

cli/demo_shield_on_second_node_with_transfer_to_alice.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+set -euo pipefail
+
+# Verifies that shielding from the Target A parentchain works by sending a transfer to //Alice
+
+while getopts ":m:p:A:B:u:W:V:x:y:C:" opt; do
+    case $opt in
+        p)
+            INTEGRITEE_RPC_PORT=$OPTARG
+            ;;
+        A)
+            WORKER_1_PORT=$OPTARG
+            ;;
+        B)
+            WORKER_2_PORT=$OPTARG
+            ;;
+        u)
+            INTEGRITEE_RPC_URL=$OPTARG
+            ;;
+        V)
+            WORKER_1_URL=$OPTARG
+            ;;
+        W)
+            WORKER_2_URL=$OPTARG
+            ;;
+        x)
+            TARGET_A_PARENTCHAIN_RPC_URL=$OPTARG
+            ;;
+        y)
+            TARGET_A_PARENTCHAIN_RPC_PORT=$OPTARG
+            ;;
+        C)
+            CLIENT_BIN=$OPTARG
+            ;;
+        *)
+            echo "invalid arg ${OPTARG}"
+            exit 1
+    esac
+done
+
+# Using default port if none given as arguments.
+INTEGRITEE_RPC_PORT=${INTEGRITEE_RPC_PORT:-9944}
+INTEGRITEE_RPC_URL=${INTEGRITEE_RPC_URL:-"ws://127.0.0.1"}
+TARGET_A_PARENTCHAIN_RPC_PORT=${TARGET_A_PARENTCHAIN_RPC_PORT:-9966}
+TARGET_A_PARENTCHAIN_RPC_URL=${TARGET_A_PARENTCHAIN_RPC_URL:-"ws://127.0.0.1"}
+
+WORKER_1_PORT=${WORKER_1_PORT:-2000}
+WORKER_1_URL=${WORKER_1_URL:-"wss://127.0.0.1"}
+
+WORKER_2_PORT=${WORKER_2_PORT:-3000}
+WORKER_2_URL=${WORKER_2_URL:-"wss://127.0.0.1"}
+
+CLIENT_BIN=${CLIENT_BIN:-"./../bin/integritee-cli"}
+
+echo "Using client binary ${CLIENT_BIN}"
+${CLIENT_BIN} --version
+echo "Using node uri ${INTEGRITEE_RPC_URL}:${INTEGRITEE_RPC_PORT}"
+echo "Using node 2 uri ${TARGET_A_PARENTCHAIN_RPC_URL}:${TARGET_A_PARENTCHAIN_RPC_PORT}"
+echo "Using trusted-worker 1 uri ${WORKER_1_URL}:${WORKER_1_PORT}"
+echo "Using trusted-worker 2 uri ${WORKER_2_URL}:${WORKER_2_PORT}"
+echo ""
+
+# the parentchain token is 12 decimal
+UNIT=$(( 10 ** 12 ))
+
+# make these amounts greater than ED
+AMOUNT_SHIELD=$(( 6 * UNIT ))
+AMOUNT_TRANSFER=$(( 2 * UNIT ))
+AMOUNT_UNSHIELD=$(( 1 * UNIT ))
+
+CLIENT="${CLIENT_BIN} -p ${INTEGRITEE_RPC_PORT} -P ${WORKER_1_PORT} -u ${INTEGRITEE_RPC_URL} -U ${WORKER_1_URL}"
+CLIENT2="${CLIENT_BIN} -p ${TARGET_A_PARENTCHAIN_RPC_PORT} -P ${WORKER_1_PORT} -u ${TARGET_A_PARENTCHAIN_RPC_URL} -U ${WORKER_1_URL}"
+
+# interval and max rounds to wait to check the given account balance in sidechain
+WAIT_INTERVAL_SECONDS=10
+WAIT_ROUNDS=20
+
+# Poll and assert the given account's state is equal to expected,
+# with timeout WAIT_INTERVAL_SECONDS * WAIT_ROUNDS
+# usage:
+#   wait_assert_state <mrenclave> <account> <state-name> <expected-state>
+#   the `state-name` has to be the supported subcommand, e.g. `balance`, `nonce`
+function wait_assert_state()
+{
+    for i in $(seq 1 $WAIT_ROUNDS); do
+        sleep $WAIT_INTERVAL_SECONDS
+        state=$(${CLIENT} trusted --mrenclave "$1" "$3" "$2")
+        if [ $state -eq "$4" ]; then
+            return
+        else
+            :
+        fi
+    done
+    echo
+    echo "Assert $2 $3 failed, expected = $4, actual = $state"
+    exit 1
+}
+
+# Do a live query and assert the given account's state is equal to expected
+# usage:
+#   assert_state <mrenclave> <account> <state-name> <expected-state>
+function assert_state()
+{
+    state=$(${CLIENT} trusted --mrenclave "$1" "$3" "$2")
+    if [ -z "$state" ]; then
+        echo "Query $2 $3 failed"
+        exit 1
+    fi
+
+    if [ $state -eq "$4" ]; then
+        return
+    fi
+    echo
+    echo "Assert $2 $3 failed, expected = $4, actual = $state"
+    exit 1
+}
+
+echo "* Query on-chain enclave registry:"
+${CLIENT} list-workers
+echo ""
+
+# this will always take the first MRENCLAVE found in the registry !!
+read MRENCLAVE <<< $($CLIENT list-workers | awk '/  MRENCLAVE: / { print $2; exit }')
+echo "Reading MRENCLAVE from worker list: ${MRENCLAVE}"
+
+[[ -z $MRENCLAVE ]] && { echo "MRENCLAVE is empty. cannot continue" ; exit 1; }
+
+ALICETRUSTEDACCOUNT=//Alice
+echo "  Alice's trusted account (same as public account) = ${ALICETRUSTEDACCOUNT}"
+echo ""
+
+# Assert the initial trusted balance of Alice incognito
+TRUSTED_BALANCE_ALICE=1000000000000000
+wait_assert_state ${MRENCLAVE} ${ALICETRUSTEDACCOUNT} balance ${TRUSTED_BALANCE_ALICE}
+
+
+echo "* Send ${AMOUNT_SHIELD} from //Alice to //Alice on L1, which should trigger the demo shield process"
+${CLIENT2} transfer //Alice ${ALICETRUSTEDACCOUNT} ${AMOUNT_SHIELD}
+echo ""
+
+echo "* Wait and assert Alice's incognito account balance, should be $(( TRUSTED_BALANCE_ALICE + AMOUNT_SHIELD ))"
+wait_assert_state ${MRENCLAVE} ${ALICETRUSTEDACCOUNT} balance $(( TRUSTED_BALANCE_ALICE + AMOUNT_SHIELD ))
+echo "✔ ok"
+
+echo ""
+echo "-----------------------"
+echo "✔ The test passed!"
+echo "-----------------------"
+echo ""

cli/demo_shielding_unshielding.sh

@@ -30,39 +30,42 @@ while getopts ":m:p:P:t:u:V:C:" opt; do
             TEST=$OPTARG
             ;;
         m)
-            READMRENCLAVE=$OPTARG
+            READ_MRENCLAVE=$OPTARG
             ;;
         p)
-            NPORT=$OPTARG
+            INTEGRITEE_RPC_PORT=$OPTARG
             ;;
         P)
-            WORKER1PORT=$OPTARG
+            WORKER_1_PORT=$OPTARG
             ;;
         u)
-            NODEURL=$OPTARG
+            INTEGRITEE_RPC_URL=$OPTARG
             ;;
         V)
-            WORKER1URL=$OPTARG
+            WORKER_1_URL=$OPTARG
             ;;
         C)
             CLIENT_BIN=$OPTARG
             ;;
+        *)
+            echo "invalid arg ${OPTARG}"
+            exit 1
     esac
 done
 
 # Using default port if none given as arguments.
-NPORT=${NPORT:-9944}
-NODEURL=${NODEURL:-"ws://127.0.0.1"}
+INTEGRITEE_RPC_PORT=${INTEGRITEE_RPC_PORT:-9944}
+INTEGRITEE_RPC_URL=${INTEGRITEE_RPC_URL:-"ws://127.0.0.1"}
 
-WORKER1PORT=${WORKER1PORT:-2000}
-WORKER1URL=${WORKER1URL:-"wss://127.0.0.1"}
+WORKER_1_PORT=${WORKER_1_PORT:-2000}
+WORKER_1_URL=${WORKER_1_URL:-"wss://127.0.0.1"}
 
 CLIENT_BIN=${CLIENT_BIN:-"./../bin/integritee-cli"}
 
 echo "Using client binary ${CLIENT_BIN}"
 ${CLIENT_BIN} --version
-echo "Using node uri ${NODEURL}:${NPORT}"
-echo "Using trusted-worker uri ${WORKER1URL}:${WORKER1PORT}"
+echo "Using node uri ${INTEGRITEE_RPC_URL}:${INTEGRITEE_RPC_PORT}"
+echo "Using trusted-worker uri ${WORKER_1_URL}:${WORKER_1_PORT}"
 echo ""
 
 # the parentchain token is 12 decimal
@@ -73,7 +76,7 @@ AMOUNT_SHIELD=$(( 6 * UNIT ))
 AMOUNT_TRANSFER=$(( 2 * UNIT ))
 AMOUNT_UNSHIELD=$(( 1 * UNIT ))
 
-CLIENT="${CLIENT_BIN} -p ${NPORT} -P ${WORKER1PORT} -u ${NODEURL} -U ${WORKER1URL}"
+CLIENT="${CLIENT_BIN} -p ${INTEGRITEE_RPC_PORT} -P ${WORKER_1_PORT} -u ${INTEGRITEE_RPC_URL} -U ${WORKER_1_URL}"
 
 # offchain-worker only suppports indirect calls
 CALLTYPE=
@@ -131,7 +134,7 @@ echo "* Query on-chain enclave registry:"
 ${CLIENT} list-workers
 echo ""
 
-if [ "$READMRENCLAVE" = "file" ]
+if [ "$READ_MRENCLAVE" = "file" ]
 then
     read MRENCLAVE <<< $(cat ~/mrenclave.b58)
     echo "Reading MRENCLAVE from file: ${MRENCLAVE}"