As a request from the Oracle execute a script in the server and return the result (with capped length).

One possibility for creating the computation:

• Create an archive in IPFS and upload the binary or script, dependencies and dockerfile in it.
• First argument can be the IPFS multihash that specifies the archive location. The rest of the arguments can be passed to the execution environment as environment variables.

Alternative solutions always welcome :)

It is hard to understand SGX capabilities by business people. Solve that issue by creating a high level presentation about SGX that shows what are the benefits of it from use case point of view - and to allow a differentiation from ones where SGX cannot help.

After it's done. run it with @imacoindev and Sylwia.

Currently, running npm audit shows multiple security vulnerabilities, due to unsafe package version.

Fix it, according to best npm standards. This task is done when we have 0 security vulnerabilities after running npm audit

So far it seems that Oracle does not have a SGX integration in their Blockchain Platform. We should look into what are the benefits that we can offer to them by integrating Gardener to their platform.

Think of this in terms of:

• Oracle's core business is selling database licenses and hosting to enterprises.

• They have a PaaS Blockchain Platform that uses Fabric to allow their clients to have business logic on top of their stored data. This allows to automate business processes and create innovative solutions.

• Oracle's clients come from all possible industries.

• For example, their client uses MySQL to store their supply chain data. They want to build an automation to their workflow by implementing chain code that automates a large chunk of their process and removes risk for errors when people make entries manually across the supply chain.

• How can Gardener improve the security of their Blockchain Platform and benefit their clients. For example, if they don't have remote attestation and sealing implemented, how would that benefit them and their clients?

More details of their platform can be found in:
https://www.oracle.com/application-development/cloud-services/blockchain-platform/

IntelSGX proof for URL and random data sources

TLS Notary proof for URL and random data sources

Computation data source without proof

IntelSGX and TLSNotary proofs for Computation

Configure Gardener with PERSISTENCE=MONGODB
Send any query to Oracle
Query is processed by gardener-server
Expected: query response is sent to blockchain and no error messages are shown
Actual: sending query response fails with following error message:

Sending response failed [requestId=0xa2b8357552a4ae3ae94e99949a5ea45ff35f7e9e74657207cdcc2d5b2ec9c955] Error: No "from" address specified in neither the given options, nor the default options.
    at Object._executeMethod (/usr/src/app/node_modules/web3-eth-contract/src/index.js:832:45)
    at EthereumOracleAdapter._sendPendingResponse (/usr/src/app/src/infrastructure/blockchain/ethereum/EthereumOracleAdapter.js:73:20)
    at process._tickCallback (internal/process/next_tick.js:68:7)

XPath not handled correctly for node attributes

Example of good behavior:

xml(http://samples.openweathermap.org/data/2.5/weather?q=London&mode=xml&appid=b6907d289e10d714a6e88b30761fae22)/current/city/country

Returns:

// correct
value: "GB"
error: 0

Example of bad behavior:

xml(http://samples.openweathermap.org/data/2.5/weather?q=London&mode=xml&appid=b6907d289e10d714a6e88b30761fae22)/current/temperature/@value

Returns nothing and throw error on server side but should:

value: "280.15"
error: 0

Currently our test files live next to source files. This leads to some awkwardness like:

• inability to configure app and test environment distinctly
• in some cases, app source, test source and test data living in same package (yikes!)
• reducing code readibility

Objectives of this tasks are:

• Move all test sources - *.spec.ts and *.integration.ts to a location separate from source code. Look up what are TS standards for this, but my idea is a "Java-like" approach with src/ root for source code and test/ root for test stuff.
• Provide a distinct configuration (tsconfig.json) for app and tests. Test config and app config will likely derive from some root config (use "extends" keyword)

1. Go to https://monitor.gardeneroracle.io/
2. Execute any query
3. Investigate server logs (ssh to oracle-demo.espeo.pl in order to get to those)

Expected: fetched data is sent to blockchain
Actual: Data is fetched but sending it to blockchain fails with a following error:

Sending response failed [requestId=0x38b681e93ed93ca529c65bd81c9ff50d0ba0cee250846bc0a9eb95bbca99cb6c] Error: Returned error: gas required exceeds allowance (8000000) or always failing transaction
    at Object.ErrorResponse (/usr/src/app/node_modules/web3-core-helpers/src/errors.js:29:16)
    at /usr/src/app/node_modules/web3-core-requestmanager/src/index.js:140:36
    at XMLHttpRequest.request.onreadystatechange (/usr/src/app/node_modules/web3-providers-http/src/index.js:91:13)
    at XMLHttpRequestEventTarget.dispatchEvent (/usr/src/app/node_modules/xhr2-cookies/xml-http-request-event-target.ts:44:13)
    at XMLHttpRequest._setReadyState (/usr/src/app/node_modules/xhr2-cookies/xml-http-request.ts:219:8)
    at XMLHttpRequest._onHttpResponseEnd (/usr/src/app/node_modules/xhr2-cookies/xml-http-request.ts:345:8)
    at IncomingMessage.<anonymous> (/usr/src/app/node_modules/xhr2-cookies/xml-http-request.ts:311:39)
    at IncomingMessage.emit (events.js:203:15)
    at IncomingMessage.EventEmitter.emit (domain.js:448:20)
    at endReadableNT (_stream_readable.js:1129:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)

Before investigating this, resolve #60 - it might help.

Currently only in memory storage is supported so data disappears during server recreation. More persistant storage needed. MongoDB would be a good shot. Even if someone want something different hexagonal architecture allows easily create new adapters for the same interfaces.

Create access for APIs that need authentication.

Currently only responses for valid requests are generated. We should support also failed ones with proper codes in order to know what exactly happens from the smart contracts perspective.

Integrate IPFS as a data source.

Integrate Gardener with Hyperledger Fabric. It should be seamless - all the smart contracts that currently work on Ethereum should also on Fabric. Server-side part of Gardener should remain unchanged.

Integrate Intel SGX to prove data validity.

Gardener-server should deliver random data when requested.

1. Call oracle with a malformed URL, for example UsingOracle.deployed().then(instance => instance.request("json(badUrl"))
2. Wait for a transaction to be mined

Expected: A stacktrace of InvalidUrlError is found in the logs
Expected: 1000 error code is being logged
Actual: No error logging at all
Actual: No error code is logged: Created response [response={"requestId":"0x3b7602292b26ffa4b1bea411d4594bcbd24a9b288169cd3f739c88a19c604cf4","state":{"name":"Processed"},"errorCode":0}]

This is just an example, such a case is also true for other custom errors, namely HttpError and InvalidContentTypeError.

I suggest to migrate npm to yarn and stop freezing packages manually.

Yarn has more intuitive commands than npm, and doesn't allow user to e.g. install lib without adding it to package.json or install node_modules with update lock file.

We could create a web app that demonstrates what Gardener can do to new users and developers. This is what I suggest as a high level overview of the app:

• Persistent: The app is online all the time and can be accessed via browser.
• Allows the user to request data by sending a request to a deployed Gardener smart contract and returns the result of the request to the browser to be seen by the user. It is a live demo of what a Gardener instance can do.
• It demonstrates different data sources. For example, allows to select what type of data the user wants (random, url, etc). The amount of data sources can be increased as we integrate more to the server.
• It demonstrates different proofs that can be used to verify the validity of data. For example, user can choose to use IntelSGX or NotaryTLS to verify a data source.
• The on-chain contents are deployed in Ethereum testnet. Our requests are visible in the testnet for anyone to verify that they are actually executed on-chain.

Similar type of demo has been done by Provable: http://app.provable.xyz/home/test_query

Some user stories(all features are not ready, but we should be able to add them to the app later):

• As a user I can have a simple demonstration of obtaining data using Gardener.
• As a user I can select different data sources
• As a user I can select different proofs to validate the data that is delivered is not tampered with.
• As a user I can see that the style and design of the site matches that of https://gardeneroracle.io/
• The demo can be accessed through demo.gardeneroracle.io

Currently we're using beta versions of web3.js:

    "web3": "1.0.0-beta.36",
    "web3-eth-contract": "1.0.0-beta.55",
    "web3-utils": "1.0.0-beta.55",

In scope of this task, please update all web3 packages to a stable version as per https://www.npmjs.com/package/web3 . Test application thoroughly and adjust code if needed.

Doing this might fix #57 or at least shed some light on it.

Verify the that the computation has been performed correctly.

After #32 and #42 , some logic that is specific to contentType is still being done outside of RequestStrategy. This leads to code duplication, worse testability and maintainability.

In scope of this task, refactor exisiting solution to move contentType-speciic logic into RequestStrategy. This will probably mean that contentType enum will be interoduced, Request class will be made abstract and some extensions to it will be created and RequestUrlParser logic will be moved to RequestStrategy. Refer to Code Review comments in #32 and #42 .

While you're at it, it would be nice to add more tests around RequestExecutor logic.

When data part doesn't exists in existing response oracle should return 404 not 0 errorCode.

Currently for:

//misspell, correctly should be .chartName
json(https://api.coindesk.com/v1/bpi/currentprice.json).chartname

is:

value: ""
error: 0

should be:

value: ""
error: 4004

Currently, many of the Gardener tests use custom, promitive mocking mechanism. An example of that can be found in ExecuteReadyRequestsUseCase.spec.ts . They look like this:
const fetchDataUseCase = () => ({ fetchData: () => Promise.resolve('fetchedData'), });

In scope of this task, refactor entire gardener-server codebase to use some standard mock mechanism instead. A specific technnique to be used is left to be researched but this looks promising: https://jestjs.io/docs/en/es6-class-mocks#automatic-mock .

Design the architecture of the off chain oracle network based on Schnorr signatures.

• Each node signs the data with their portion of the ring signature. After ring is completed the agreed value is broadcast to the blockchain layer.
• Consider de incentivizing freeloading by inputting same value as previous node in the ring.
• Consider security in the p2p connections between nodes.

As our whole server is written in OOP, it would be very useful from developer perspective to have more restrictions on object or parameter type. It would speed up development and be less error prone.

Investigate how to hire an AWS instance that supports SGX. It needs to have a SGX-ready processor which is any modern Intel processor as well as SGX enabled in BIOS.

After we have an AWS instance, deploy a gardener stack on it.

This needs to be done as a prerequisite of SGX-powered Random Number Generator demo : #39
This task requires #22 in master to be finished.

Javascript doesn't allow to specify input/output types. As this is the essence of ports which we are using in hexagonal architecture it would be nice to get clean view of these parameters. It can be achieved by adding JSDocs comments.

Currently, a process of generating random value in Enclave is vulnerable to man-in-the-middle attack - should attacker take control of a machine that hosts gardener-server, he could replace generated value with one of his choice.

To remedy that, we should use SGX Sealing mechanism to hardcode user's public key (assymetric cryptography, does not necessarily have anything to do with blockchain keys - even though it could) . This public key would be used to encrypt generated data in enclave and send it to the user - decrypting value with his private key would be user's responsibility.

Potential security risk: attacker could take control of user's public key, intercept gardener-server machine and generate encrypted value. This means that IF such attack is feasible, then instead of just hardcoding user's public key, we could go for Diffie-Hellman Key Exchange.

Finishing this task is the last milestone for SGX implementation in the context of RNG for gambling, since having it guarantees that the only Third Trusted Party in entire RNG process is Intel - user does not even have to trust a party that hosts gardener-server.

Because gardener-monitor will be used for demos and error code won't mean anything to anyone but Gardener devs.

Current setup guide https://gardener.readthedocs.io/en/latest/getting-started.html does not work on Windows. This is a problem since users that would like to take advantage of SGX will be most likely running Windows.

In scope of this task, adjust Gardener codebase (all projects) to be as compatible with Windows as possible and also update https://gardener.readthedocs.io/en/latest/getting-started.html

In package.json web3 is used with version 1.0.0-beta.36 instead of 1.0.0-beta.55.