Merge pull request #4730 from oasisprotocol/kostko/stable/22.1.x/back…

…port-4729

[BACKPORT/22.1.x] go/runtime/registry: Refresh key manager policy on runtime changes

.changelog/4729.bugfix.md

@@ -0,0 +1,4 @@
+go/runtime/registry: Refresh key manager policy on runtime changes
+
+Since the runtime can change dynamically (due to version upgrades), we
+need to make sure that we notify the new runtime as well.

go/runtime/registry/host.go

@@ -296,9 +296,21 @@ func (n *runtimeHostNotifier) watchPolicyUpdates() {
 	defer stSub.Close()
 	n.logger.Debug("watching policy updates")
 
-	var rtDsc *registry.Runtime
+	// Subscribe to runtime host events.
+	evCh, evSub, err := n.host.WatchEvents(n.ctx)
+	if err != nil {
+		n.logger.Error("failed to subscribe to runtime host events",
+			"err", err,
+		)
+		return
+	}
+	defer evSub.Close()
+
+	var (
+		rtDsc *registry.Runtime
+		st    *keymanager.Status
+	)
 	for {
-		var st *keymanager.Status
 		select {
 		case <-n.ctx.Done():
 			n.logger.Debug("context canceled")
@@ -332,6 +344,16 @@ func (n *runtimeHostNotifier) watchPolicyUpdates() {
 			if rtDsc == nil || !st.ID.Equal(rtDsc.KeyManager) {
 				continue
 			}
+		case ev := <-evCh:
+			// Runtime host changes, make sure to update the policy if runtime is restarted.
+			if ev.Started == nil && ev.Updated == nil {
+				continue
+			}
+		}
+
+		// Make sure that we actually have a policy.
+		if st == nil {
+			continue
 		}
 
 		// Update key manager policy.

keymanager-client/src/client.rs

@@ -75,28 +75,28 @@ impl RemoteClient {
 
     /// Create a new key manager client with runtime-internal transport.
     ///
-    /// Using this method valid enclave identities won't be preset and should
-    /// be obtained via the worker-host protocol and updated with the set_policy
-    /// method. In case of sgx, the session establishment will fail until the
-    /// initial policies will be updated.
+    /// Using this method valid enclave identities won't be preset and should be obtained via the
+    /// worker-host protocol and updated with the set_policy method. In case the signer set is
+    /// non-empty, session establishment will fail until the initial policies will be updated.
     pub fn new_runtime(
         runtime_id: Namespace,
         protocol: Arc<Protocol>,
         rak: Arc<RAK>,
         keys_cache_sizes: usize,
         signers: TrustedPolicySigners,
     ) -> Self {
-        #[cfg(target_env = "sgx")]
+        // When using a non-empty policy signer set we set enclaves to an empty set so until we get
+        // a policy we will not accept any enclave identities (as we don't know what they should
+        // be). When the policy signer set is empty (e.g. in tests) we allow any enclave.
+        let enclaves = if !signers.signers.is_empty() {
+            Some(HashSet::new())
+        } else {
+            None
+        };
+
+        // Configure trusted policy signers.
         set_trusted_policy_signers(signers);
 
-        #[cfg(not(target_env = "sgx"))]
-        let _ = signers;
-
-        #[cfg(target_env = "sgx")]
-        let enclaves = Some(HashSet::new());
-        #[cfg(not(target_env = "sgx"))]
-        let enclaves = None;
-
         Self::new_runtime_with_enclave_identities(
             runtime_id,
             enclaves,

tests/runtimes/simple-keymanager/src/api.rs

@@ -1,7 +1,11 @@
+#[cfg(target_env = "sgx")]
+use std::collections::HashSet;
+
 use oasis_core_keymanager_api_common::*;
+#[cfg(target_env = "sgx")]
 use oasis_core_runtime::common::crypto::signature::PrivateKey as OasisPrivateKey;
-use std::collections::HashSet;
 
+#[cfg(target_env = "sgx")]
 pub fn trusted_policy_signers() -> TrustedPolicySigners {
     TrustedPolicySigners {
         signers: {
@@ -21,3 +25,8 @@ pub fn trusted_policy_signers() -> TrustedPolicySigners {
         threshold: 2,
     }
 }
+
+#[cfg(not(target_env = "sgx"))]
+pub fn trusted_policy_signers() -> TrustedPolicySigners {
+    TrustedPolicySigners::default()
+}