litentry · ziming-zung · Dec 12, 2022 · Nov 29, 2022 · Nov 29, 2022 · Nov 30, 2022
diff --git a/pallets/identity-management-mock/src/identity_context.rs b/pallets/identity-management-mock/src/identity_context.rs
@@ -15,13 +15,14 @@
 // along with Litentry.  If not, see <https://www.gnu.org/licenses/>.
 
 use codec::{Decode, Encode, MaxEncodedLen};
+use frame_support::RuntimeDebugNoBound;
 use scale_info::TypeInfo;
 
 use crate::{BlockNumberOf, Config, Metadata};
 
 // The context associated with the (litentry-account, did) pair
 // TODO: maybe we have better naming
-#[derive(Clone, Eq, PartialEq, Debug, Encode, Decode, TypeInfo, MaxEncodedLen)]
+#[derive(Clone, Eq, PartialEq, RuntimeDebugNoBound, Encode, Decode, TypeInfo, MaxEncodedLen)]
 #[scale_info(skip_type_params(T))]
 #[codec(mel_bound())]
 pub struct IdentityContext<T: Config> {

diff --git a/pallets/identity-management-mock/src/lib.rs b/pallets/identity-management-mock/src/lib.rs
@@ -129,28 +129,34 @@ pub mod pallet {
 		IdentityCreatedPlain {
 			account: T::AccountId,
 			identity: Identity,
+			id_graph: Vec<(Identity, IdentityContext<T>)>,
 		},
 		IdentityCreated {
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		},
 		// remove identity
 		IdentityRemovedPlain {
 			account: T::AccountId,
 			identity: Identity,
+			id_graph: Vec<(Identity, IdentityContext<T>)>,
 		},
 		IdentityRemoved {
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		},
 		// verify identity
 		IdentityVerifiedPlain {
 			account: T::AccountId,
 			identity: Identity,
+			id_graph: Vec<(Identity, IdentityContext<T>)>,
 		},
 		IdentityVerified {
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		},
 		// some error happened during processing in TEE, we use string-like
 		// parameters for more "generic" error event reporting
@@ -344,10 +350,12 @@ pub mod pallet {
 			Self::deposit_event(Event::<T>::IdentityCreatedPlain {
 				account: who.clone(),
 				identity: identity.clone(),
+				id_graph: Self::get_id_graph(&who),
 			});
 			Self::deposit_event(Event::<T>::IdentityCreated {
 				account: aes_encrypt_default(&key, who.encode().as_slice()),
 				identity: aes_encrypt_default(&key, identity.encode().as_slice()),
+				id_graph: aes_encrypt_default(&key, Self::get_id_graph(&who).encode().as_slice()),
 			});
 			Ok(())
 		}
@@ -375,10 +383,12 @@ pub mod pallet {
 			Self::deposit_event(Event::<T>::IdentityRemovedPlain {
 				account: who.clone(),
 				identity: identity.clone(),
+				id_graph: Self::get_id_graph(&who),
 			});
 			Self::deposit_event(Event::<T>::IdentityRemoved {
 				account: aes_encrypt_default(&key, who.encode().as_slice()),
 				identity: aes_encrypt_default(&key, identity.encode().as_slice()),
+				id_graph: aes_encrypt_default(&key, Self::get_id_graph(&who).encode().as_slice()),
 			});
 
 			Ok(())
@@ -450,10 +460,15 @@ pub mod pallet {
 				Self::deposit_event(Event::<T>::IdentityVerifiedPlain {
 					account: who.clone(),
 					identity: identity.clone(),
+					id_graph: Self::get_id_graph(&who),
 				});
 				Self::deposit_event(Event::<T>::IdentityVerified {
 					account: aes_encrypt_default(&key, who.encode().as_slice()),
 					identity: aes_encrypt_default(&key, identity.encode().as_slice()),
+					id_graph: aes_encrypt_default(
+						&key,
+						Self::get_id_graph(&who).encode().as_slice(),
+					),
 				});
 				Ok(())
 			})
@@ -487,9 +502,10 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			Self::deposit_event(Event::IdentityCreated { account, identity });
+			Self::deposit_event(Event::IdentityCreated { account, identity, id_graph });
 			Ok(Pays::No.into())
 		}
 
@@ -498,9 +514,10 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			Self::deposit_event(Event::IdentityRemoved { account, identity });
+			Self::deposit_event(Event::IdentityRemoved { account, identity, id_graph });
 			Ok(Pays::No.into())
 		}
 
@@ -509,9 +526,10 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			Self::deposit_event(Event::IdentityVerified { account, identity });
+			Self::deposit_event(Event::IdentityVerified { account, identity, id_graph });
 			Ok(Pays::No.into())
 		}
 
@@ -663,5 +681,9 @@ pub mod pallet {
 			addr[..20].copy_from_slice(&hashed_pk[12..32]);
 			Ok(addr)
 		}
+
+		pub fn get_id_graph(who: &T::AccountId) -> Vec<(Identity, IdentityContext<T>)> {
+			IDGraphs::iter_prefix(who).collect::<Vec<_>>()
+		}
 	}
 }
diff --git a/pallets/identity-management-mock/src/mock.rs b/pallets/identity-management-mock/src/mock.rs
@@ -252,6 +252,7 @@ pub fn setup_create_identity(
 	System::assert_has_event(Event::IdentityManagementMock(crate::Event::IdentityCreatedPlain {
 		account: who,
 		identity: identity.clone(),
+		id_graph: IdentityManagementMock::get_id_graph(&who),
 	}));
 	// encrypt the result
 	let aes_encrypted_account = aes_encrypt_default(&key, who.encode().as_slice());

diff --git a/pallets/identity-management/src/lib.rs b/pallets/identity-management/src/lib.rs
@@ -82,9 +82,9 @@ pub mod pallet {
 		// event that should be triggered by TEECallOrigin
 		UserShieldingKeySet { account: AesOutput },
 		ChallengeCodeGenerated { account: AesOutput, identity: AesOutput, code: AesOutput },
-		IdentityCreated { account: AesOutput, identity: AesOutput },
-		IdentityRemoved { account: AesOutput, identity: AesOutput },
-		IdentityVerified { account: AesOutput, identity: AesOutput },
+		IdentityCreated { account: AesOutput, identity: AesOutput, id_graph: AesOutput },
+		IdentityRemoved { account: AesOutput, identity: AesOutput, id_graph: AesOutput },
+		IdentityVerified { account: AesOutput, identity: AesOutput, id_graph: AesOutput },
 		// some error happened during processing in TEE, we use string-like
 		// parameters for more "generic" error event reporting
 		// TODO: maybe use concrete errors instead of events when we are more sure
@@ -177,9 +177,10 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			Self::deposit_event(Event::IdentityCreated { account, identity });
+			Self::deposit_event(Event::IdentityCreated { account, identity, id_graph });
 			Ok(Pays::No.into())
 		}
 
@@ -188,9 +189,10 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			Self::deposit_event(Event::IdentityRemoved { account, identity });
+			Self::deposit_event(Event::IdentityRemoved { account, identity, id_graph });
 			Ok(Pays::No.into())
 		}
 
@@ -199,9 +201,10 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			account: AesOutput,
 			identity: AesOutput,
+			id_graph: AesOutput,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			Self::deposit_event(Event::IdentityVerified { account, identity });
+			Self::deposit_event(Event::IdentityVerified { account, identity, id_graph });
 			Ok(Pays::No.into())
 		}
 

diff --git a/runtime/litmus/src/lib.rs b/runtime/litmus/src/lib.rs
@@ -797,7 +797,7 @@ ord_parameter_types! {
 impl pallet_identity_management_mock::Config for Runtime {
 	type Event = Event;
 	type ManageWhitelistOrigin = EnsureRootOrAllCouncil;
-	type MaxVerificationDelay = ConstU32<10>;
+	type MaxVerificationDelay = ConstU32<{ 30 * MINUTES }>;
 	// intentionally use ALICE for the IMP mock
 	type TEECallOrigin = EnsureSignedBy<ALICE, AccountId>;
 }

diff --git a/runtime/rococo/src/lib.rs b/runtime/rococo/src/lib.rs
@@ -871,8 +871,8 @@ ord_parameter_types! {
 
 impl pallet_identity_management_mock::Config for Runtime {
 	type Event = Event;
-	type ManageWhitelistOrigin = EnsureRoot<Self::AccountId>;
-	type MaxVerificationDelay = ConstU32<10>;
+	type ManageWhitelistOrigin = EnsureRootOrAllCouncil;
+	type MaxVerificationDelay = ConstU32<{ 30 * MINUTES }>;
 	// intentionally use ALICE for the IMP mock
 	type TEECallOrigin = EnsureSignedBy<ALICE, AccountId>;
 }

diff --git a/tee-worker/app-libs/sgx-runtime/src/lib.rs b/tee-worker/app-libs/sgx-runtime/src/lib.rs
@@ -77,6 +77,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{Perbill, Permill};
 
 // litentry
+use litentry_primitives::MINUTES;
 pub use pallet_imt::{self, Call as IdentityManagementCall};
 
 /// Block type as expected by this sgx-runtime.
@@ -264,7 +265,7 @@ impl pallet_imt::Config for Runtime {
 	type Event = Event;
 	type ManageOrigin = EnsureRoot<AccountId>;
 	type MaxMetadataLength = ConstU32<128>;
-	type MaxVerificationDelay = ConstU32<20>;
+	type MaxVerificationDelay = ConstU32<{ 30 * MINUTES }>;
 }
 
 // The plain sgx-runtime without the `evm-pallet`

diff --git a/tee-worker/app-libs/stf/src/trusted_call.rs b/tee-worker/app-libs/stf/src/trusted_call.rs
@@ -440,11 +440,14 @@ where
 					Ok(code) => {
 						debug!("create_identity {} OK", account_id_to_string(&who));
 						if let Some(key) = IdentityManagement::user_shielding_keys(&who) {
+							let id_graph =
+								ita_sgx_runtime::pallet_imt::Pallet::<Runtime>::get_id_graph(&who);
 							calls.push(OpaqueCall::from_tuple(&(
 								node_metadata_repo
 									.get_from_metadata(|m| m.identity_created_call_indexes())??,
 								aes_encrypt_default(&key, &who.encode()),
 								aes_encrypt_default(&key, &identity.encode()),
+								aes_encrypt_default(&key, &id_graph.encode()),
 							)));
 							calls.push(OpaqueCall::from_tuple(&(
 								node_metadata_repo.get_from_metadata(|m| {
@@ -486,11 +489,14 @@ where
 					Ok(()) => {
 						debug!("remove_identity {} OK", account_id_to_string(&who));
 						if let Some(key) = IdentityManagement::user_shielding_keys(&who) {
+							let id_graph =
+								ita_sgx_runtime::pallet_imt::Pallet::<Runtime>::get_id_graph(&who);
 							calls.push(OpaqueCall::from_tuple(&(
 								node_metadata_repo
 									.get_from_metadata(|m| m.identity_removed_call_indexes())??,
 								aes_encrypt_default(&key, &who.encode()),
 								aes_encrypt_default(&key, &identity.encode()),
+								aes_encrypt_default(&key, &id_graph.encode()),
 							)));
 						} else {
 							calls.push(OpaqueCall::from_tuple(&(
@@ -535,11 +541,14 @@ where
 					Ok(()) => {
 						debug!("verify_identity {} OK", account_id_to_string(&who));
 						if let Some(key) = IdentityManagement::user_shielding_keys(&who) {
+							let id_graph =
+								ita_sgx_runtime::pallet_imt::Pallet::<Runtime>::get_id_graph(&who);
 							calls.push(OpaqueCall::from_tuple(&(
 								node_metadata_repo
 									.get_from_metadata(|m| m.identity_verified_call_indexes())??,
 								aes_encrypt_default(&key, &who.encode()),
 								aes_encrypt_default(&key, &identity.encode()),
+								aes_encrypt_default(&key, &id_graph.encode()),
 							)));
 						} else {
 							calls.push(OpaqueCall::from_tuple(&(

diff --git a/tee-worker/app-libs/stf/src/trusted_call_litentry.rs b/tee-worker/app-libs/stf/src/trusted_call_litentry.rs
@@ -186,16 +186,13 @@ impl TrustedCallSigned {
 		who: AccountId,
 		assertion: Assertion,
 	) -> StfResult<()> {
-		let v_identity_context =
-			ita_sgx_runtime::pallet_imt::Pallet::<Runtime>::get_identity_and_identity_context(&who);
+		let id_graph = ita_sgx_runtime::pallet_imt::Pallet::<Runtime>::get_id_graph(&who);
 
 		let mut vec_identity: BoundedVec<Identity, MaxIdentityLength> = vec![].try_into().unwrap();
 
-		for identity_ctx in &v_identity_context {
-			if identity_ctx.1.is_verified {
-				vec_identity
-					.try_push(identity_ctx.0.clone())
-					.map_err(|_| StfError::AssertionBuildFail)?;
+		for id in &id_graph {
+			if id.1.is_verified {
+				vec_identity.try_push(id.0.clone()).map_err(|_| StfError::AssertionBuildFail)?;
 			}
 		}
 

diff --git a/tee-worker/litentry/pallets/identity-management/src/lib.rs b/tee-worker/litentry/pallets/identity-management/src/lib.rs
@@ -247,9 +247,7 @@ pub mod pallet {
 	}
 
 	impl<T: Config> Pallet<T> {
-		pub fn get_identity_and_identity_context(
-			who: &T::AccountId,
-		) -> Vec<(Identity, IdentityContext<T>)> {
+		pub fn get_id_graph(who: &T::AccountId) -> Vec<(Identity, IdentityContext<T>)> {
 			IDGraphs::iter_prefix(who).collect::<Vec<_>>()
 		}
 	}

diff --git a/tee-worker/litentry/pallets/identity-management/src/tests.rs b/tee-worker/litentry/pallets/identity-management/src/tests.rs
@@ -113,7 +113,7 @@ fn verify_identity_works() {
 }
 
 #[test]
-fn get_identity_and_identity_context_works() {
+fn get_id_graph_works() {
 	new_test_ext().execute_with(|| {
 		let metadata3: MetadataOf<Test> = vec![0u8; 16].try_into().unwrap();
 		assert_ok!(IMT::create_identity(
@@ -141,8 +141,8 @@ fn get_identity_and_identity_context_works() {
 		));
 		assert_ok!(IMT::verify_identity(Origin::signed(1), 2, alice_web2_identity.clone(), 2));
 
-		let did_contex = IMT::get_identity_and_identity_context(&2);
-		assert_eq!(did_contex.len(), 2);
+		let id_graph = IMT::get_id_graph(&2);
+		assert_eq!(id_graph.len(), 2);
 	});
 }
 

diff --git a/tee-worker/litentry/primitives/src/lib.rs b/tee-worker/litentry/primitives/src/lib.rs
@@ -27,8 +27,8 @@ mod validation_data;
 pub use ethereum_signature::*;
 pub use identity::*;
 pub use parentchain_primitives::{
-	AesOutput, BlockNumber as ParentchainBlockNumber, UserShieldingKeyType, USER_SHIELDING_KEY_LEN,
-	USER_SHIELDING_KEY_NONCE_LEN, USER_SHIELDING_KEY_TAG_LEN,
+	AesOutput, BlockNumber as ParentchainBlockNumber, UserShieldingKeyType, MINUTES,
+	USER_SHIELDING_KEY_LEN, USER_SHIELDING_KEY_NONCE_LEN, USER_SHIELDING_KEY_TAG_LEN,
 };
 // pub use trusted_call::*;
 pub use assertion::*;