Merge pull request #1953 from oasisprotocol/kostko/feature/rofl-endor…

…se-ent-nort

runtime-sdk/modules/rofl: Allow entity endorsement without runtime

client-sdk/go/modules/rofl/policy.go

@@ -29,9 +29,9 @@ type AppAuthPolicy struct {
 type AllowedEndorsement struct {
 	// Any specifies that any node can endorse the enclave.
 	Any *struct{} `json:"any,omitempty" yaml:"any,omitempty"`
-	// ComputeRole specifies that a compute node can endorse the enclave.
+	// ComputeRole specifies that a compute node for the current runtime can endorse the enclave.
 	ComputeRole *struct{} `json:"role_compute,omitempty" yaml:"role_compute,omitempty"`
-	// ObserverRole specifies that an observer node can endorse the enclave.
+	// ObserverRole specifies that an observer node for the current runtime can endorse the enclave.
 	ObserverRole *struct{} `json:"role_observer,omitempty" yaml:"role_observer,omitempty"`
 	// Entity specifies that a registered node from a specific entity can endorse the enclave.
 	Entity *signature.PublicKey `json:"entity,omitempty" yaml:"entity,omitempty"`

runtime-sdk/src/modules/rofl/mod.rs

@@ -335,9 +335,6 @@ impl<Cfg: Config> Module<Cfg> {
 
         // Attempt to resolve the node that endorsed the enclave. It may be that the node is not
         // even registered in the consensus layer which may be acceptable for some policies.
-        //
-        // But if the node is registered, it must be registered for this runtime, otherwise it is
-        // treated as if it is not registered.
         let node = || -> Result<Option<Node>, Error> {
             let registry = RegistryImmutableState::new(ctx.consensus_state());
             let node = registry
@@ -352,32 +349,34 @@ impl<Cfg: Config> Module<Cfg> {
             if node.expiration < ctx.epoch() {
                 return Ok(None);
             }
-            // Ensure node is registered for this runtime.
-            let version = &<C::Runtime as Runtime>::VERSION;
-            if node.get_runtime(ctx.runtime_id(), version).is_none() {
-                return Ok(None);
-            }
 
             Ok(Some(node))
         }()?;
 
+        // Ensure node is registered for this runtime.
+        let has_runtime = |node: &Node| -> bool {
+            let version = &<C::Runtime as Runtime>::VERSION;
+            node.get_runtime(ctx.runtime_id(), version).is_some()
+        };
+
         for allowed in &app_policy.endorsements {
             match (allowed, &node) {
                 (AllowedEndorsement::Any, _) => {
                     // Any node is allowed.
                     return Ok(());
                 }
                 (AllowedEndorsement::ComputeRole, Some(node)) => {
-                    if node.has_roles(RolesMask::ROLE_COMPUTE_WORKER) {
+                    if node.has_roles(RolesMask::ROLE_COMPUTE_WORKER) && has_runtime(node) {
                         return Ok(());
                     }
                 }
                 (AllowedEndorsement::ObserverRole, Some(node)) => {
-                    if node.has_roles(RolesMask::ROLE_OBSERVER) {
+                    if node.has_roles(RolesMask::ROLE_OBSERVER) && has_runtime(node) {
                         return Ok(());
                     }
                 }
                 (AllowedEndorsement::Entity(entity_id), Some(node)) => {
+                    // If a specific entity is required, it may be registered for any runtime.
                     if &node.entity_id == entity_id {
                         return Ok(());
                     }

runtime-sdk/src/modules/rofl/policy.rs

@@ -28,10 +28,10 @@ pub enum AllowedEndorsement {
     /// Any node can endorse the enclave.
     #[cbor(rename = "any", as_struct)]
     Any,
-    /// Compute node can endorse the enclave.
+    /// Compute node for the current runtime can endorse the enclave.
     #[cbor(rename = "role_compute", as_struct)]
     ComputeRole,
-    /// Observer node can endorse the enclave.
+    /// Observer node for the current runtime can endorse the enclave.
     #[cbor(rename = "role_observer", as_struct)]
     ObserverRole,
     /// Registered node from a specific entity can endorse the enclave.