Skip to content

Commit

Permalink
feat: restrict builtins, aqua-ipfs, worker-spell alias [NET-551,NET-730,
Browse files Browse the repository at this point in the history 
NET-729,NET-792] (#2141)

- Make some builtins available only to Host, Worker-Spell, and Host Manager
- Make aqua-ipfs available only to Host, Worker-Spell, and Host Manager.
- Allow calling services and spells worker-spell only Host and Host Manager
- Fix incorrect spell resubscription for workers
  • Loading branch information
@kmd-fl
kmd-fl committed Mar 13, 2024
1 parent fe423ff commit 0f27f20
Show file tree
Hide file tree
Showing 15 changed files with 856 additions and 380 deletions.
25 changes: 11 additions & 14 deletions crates/created-swarm/src/swarm.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -138,14 +138,9 @@ where
.await
}

pub async fn make_swarms_with_keypair(
n: usize,
keypair: KeyPair,
spell_base_dir: Option<String>,
) -> Vec<CreatedSwarm> {
pub async fn make_swarms_with_keypair(n: usize, host_keypair: KeyPair) -> Vec<CreatedSwarm> {
make_swarms_with_cfg(n, move |mut cfg| {
cfg.keypair = keypair.clone();
cfg.spell_base_dir = spell_base_dir.clone().map(PathBuf::from);
cfg.keypair = host_keypair.clone();
cfg
})
.await
Expand Down Expand Up @@ -258,9 +253,11 @@ async fn wait_connected_on_addrs(addrs: Vec<SocketAddr>) {
#[derivative(Debug)]
pub struct SwarmConfig {
#[derivative(Debug = "ignore")]
pub keypair: fluence_keypair::KeyPair,
pub keypair: KeyPair,
#[derivative(Debug = "ignore")]
pub management_keypair: KeyPair,
#[derivative(Debug = "ignore")]
pub builtins_keypair: fluence_keypair::KeyPair,
pub builtins_keypair: KeyPair,
pub bootstraps: Vec<Multiaddr>,
pub listen_on: Multiaddr,
pub transport: Transport,
Expand Down Expand Up @@ -288,8 +285,9 @@ impl SwarmConfig {
let tmp_dir = tempfile::tempdir().expect("Could not create temp dir");
let tmp_dir = Arc::new(tmp_dir);
Self {
keypair: fluence_keypair::KeyPair::generate_ed25519(),
builtins_keypair: fluence_keypair::KeyPair::generate_ed25519(),
keypair: KeyPair::generate_ed25519(),
management_keypair: KeyPair::generate_ed25519(),
builtins_keypair: KeyPair::generate_ed25519(),
bootstraps,
listen_on,
transport,
Expand Down Expand Up @@ -428,8 +426,7 @@ pub async fn create_swarm_with_runtime<RT: AquaRuntime>(
resolved.system_services.decider.network_api_endpoint = endpoint;
}

let management_kp = fluence_keypair::KeyPair::generate_ed25519();
let management_peer_id = libp2p::identity::Keypair::from(management_kp.clone())
let management_peer_id = libp2p::identity::Keypair::from(config.management_keypair.clone())
.public()
.to_peer_id();
resolved.node_config.management_peer_id = management_peer_id;
Expand Down Expand Up @@ -459,7 +456,7 @@ pub async fn create_swarm_with_runtime<RT: AquaRuntime>(
"some version",
system_service_distros,
);
(node, management_kp, resolved)
(node, config.management_keypair.clone(), resolved)
});

let mut node = node
Expand Down
11 changes: 7 additions & 4 deletions crates/nox-tests/tests/boolean_test.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,10 +33,13 @@ async fn pass_boolean() {
enable_logs();
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();
let tetraplets_service = create_service(
&mut client,
"tetraplets",
Expand Down
119 changes: 80 additions & 39 deletions crates/nox-tests/tests/builtin.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -109,10 +109,13 @@ async fn big_identity() {
async fn remove_service() {
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let tetraplets_service = create_service(
&mut client,
Expand Down Expand Up @@ -155,12 +158,24 @@ async fn remove_service() {
#[tokio::test]
async fn remove_service_restart() {
let kp = KeyPair::generate_ed25519();
let swarms = make_swarms_with_keypair(1, kp.clone(), None).await;
let manager_kp = KeyPair::generate_ed25519();

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let swarm_kp = kp.clone();
let swarm_manager_kp = manager_kp.clone();
let swarms = make_swarms_with_cfg(1, move |mut cfg| {
cfg.keypair = swarm_kp.clone();
cfg.management_keypair = swarm_manager_kp.clone();
cfg
})
.await;

let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(manager_kp.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let tetraplets_service = create_service(
&mut client,
Expand Down Expand Up @@ -204,11 +219,19 @@ async fn remove_service_restart() {
.into_iter()
.map(|s| s.exit_outlet.send(()))
.for_each(drop);
let swarms = make_swarms_with_keypair(1, kp, None).await;
let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let swarm_kp = kp.clone();
let swarm_manager_kp = manager_kp.clone();
let swarms = make_swarms_with_cfg(1, move |mut cfg| {
cfg.keypair = swarm_kp.clone();
cfg.management_keypair = swarm_manager_kp.clone();
cfg
})
.await;
let mut client =
ConnectedClient::connect_with_keypair(swarms[0].multiaddr.clone(), Some(manager_kp))
.await
.wrap_err("connect client")
.unwrap();

client
.send_particle(
Expand Down Expand Up @@ -290,10 +313,13 @@ async fn remove_service_by_alias() {
async fn non_owner_remove_service() {
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let mut client2 = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
Expand Down Expand Up @@ -1547,10 +1573,13 @@ async fn index_by_math() {
async fn service_mem() {
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let tetraplets_service = create_service(
&mut client,
Expand Down Expand Up @@ -1587,10 +1616,13 @@ async fn service_mem() {
async fn service_stats() {
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let tetraplets_service = create_service(
&mut client,
Expand Down Expand Up @@ -1691,10 +1723,13 @@ async fn service_stats() {
async fn service_stats_uninitialized() {
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let tetraplets_service = create_service(
&mut client,
Expand Down Expand Up @@ -1813,10 +1848,13 @@ async fn sign_invalid_tetraplets() {
})
.await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

let relay = client.node.to_string();
let wrong_peer = swarms[1].peer_id.to_base58();
Expand Down Expand Up @@ -1881,10 +1919,13 @@ async fn sig_verify_invalid_signature() {
})
.await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.wrap_err("connect client")
.unwrap();
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.wrap_err("connect client")
.unwrap();

client.send_particle(
r#"
Expand Down Expand Up @@ -2226,7 +2267,7 @@ async fn add_alias_list() {
#[tokio::test]
async fn aliases_restart() {
let kp = KeyPair::generate_ed25519();
let swarms = make_swarms_with_keypair(1, kp.clone(), None).await;
let swarms = make_swarms_with_keypair(1, kp.clone()).await;
let tmp_dir = swarms[0].tmp_dir.clone();

let mut client = ConnectedClient::connect_with_keypair(
Expand Down
67 changes: 60 additions & 7 deletions crates/nox-tests/tests/modules.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ use service_modules::load_module;

#[tokio::test]
async fn test_add_module_mounted_binaries() {
let swarms = make_swarms_with_cfg(1, |mut cfg| {
let swarms = make_swarms_with_cfg(1, move |mut cfg| {
cfg.allowed_effectors = hashmap! {
"bafkreiepzclggkt57vu7yrhxylfhaafmuogtqly7wel7ozl5k2ehkd44oe".to_string() => hashmap! {
"ls".to_string() => "/bin/ls".to_string()
Expand All @@ -33,9 +33,12 @@ async fn test_add_module_mounted_binaries() {
})
.await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.expect("connect client");
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.expect("connect client");
let module = load_module("tests/effector/artifacts", "effector").expect("load module");

let config = json!(
Expand Down Expand Up @@ -80,9 +83,12 @@ async fn test_add_module_mounted_binaries() {
async fn test_add_module_effectors_forbidden() {
let swarms = make_swarms(1).await;

let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.expect("connect client");
let mut client = ConnectedClient::connect_with_keypair(
swarms[0].multiaddr.clone(),
Some(swarms[0].management_keypair.clone()),
)
.await
.expect("connect client");
let module = load_module("tests/effector/artifacts", "effector").expect("load module");

let config = json!(
Expand Down Expand Up @@ -122,3 +128,50 @@ async fn test_add_module_effectors_forbidden() {
panic!("can't receive response from node");
}
}

#[tokio::test]
async fn test_add_module_by_other_forbidden() {
let swarms = make_swarms(1).await;
let mut client = ConnectedClient::connect_to(swarms[0].multiaddr.clone())
.await
.unwrap();
let module = load_module("tests/effector/artifacts", "effector").expect("load module");

let config = json!(
{
"name": "tetraplets",
"mem_pages_count": 100,
"logger_enabled": true,
"wasi": {
"envs": json!({}),
"mapped_dirs": json!({}),
},
"mounted_binaries": json!({"cmd": "/usr/bin/behbehbeh"})
});

let script = r#"
(xor
(seq
(call node ("dist" "add_module") [module_bytes module_config])
(call client ("return" "") ["shouldn't add module"])
)
(call client ("return" "") [%last_error%.$.message])
)
"#;

let data = hashmap! {
"client" => json!(client.peer_id.to_string()),
"node" => json!(client.node.to_string()),
"module_bytes" => json!(base64.encode(&module)),
"module_config" => config,
};
let response = client.execute_particle(script, data).await.unwrap();
assert!(
response[0]
.as_str()
.unwrap()
.contains("function is only available to the host or worker spells"),
"got {:?}",
response[0]
);
}
Loading

0 comments on commit 0f27f20

Please sign in to comment.