feat: restrict effectors (#2110)

- generate configs inside nox - add new method to add module that doesn't accept config - other methods still accept it, but use only the name - make curl (from the config example) a default effector - System services still use the config from distro - Marine configs are still stored when we add module distro (TODO: fix it) - allowd_binaries in the peer info API now prints the list of paths used in effectors
fluencelabs · Feb 26, 2024 · a4485ab · a4485ab
1 parent 69974e5
commit a4485ab
Show file tree

Hide file tree

Showing 27 changed files with 846 additions and 89 deletions.
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -84,13 +84,15 @@ jobs:
       - nox-snapshot
     uses: fluencelabs/cli/.github/workflows/tests.yml@main
     with:
+      ref: up-spell-and-fixes
       nox-image: "${{ needs.nox-snapshot.outputs.nox-image }}"
 
   js-client:
     needs:
       - nox-snapshot
     uses: fluencelabs/js-client/.github/workflows/tests.yml@master
     with:
+      ref: js-client-v0.8.4
       nox-image: "${{ needs.nox-snapshot.outputs.nox-image }}"
 
   aqua:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -106,13 +106,14 @@ types = { path = "crates/types" }
 core-manager = { path = "crates/core-manager" }
 
 # spell
-fluence-spell-dtos = "=0.7.4"
-fluence-spell-distro = "=0.7.4"
+fluence-spell-dtos = "=0.7.5"
+fluence-spell-distro = "=0.7.5"
 
 # marine
 fluence-app-service = "0.35.0"
 marine-utils = "0.5.1"
 marine-it-parser = "0.16.0"
+marine-module-info-parser = "0.15.0"
 
 # avm
 avm-server = "=0.35.0"
@@ -177,7 +178,6 @@ ccp-shared = { git = "https://github.com/fluencelabs/capacity-commitment-prover/
 ccp-rpc-client = { git = "https://github.com/fluencelabs/capacity-commitment-prover.git", branch = "main" }
 
 
-# Enable a small amount of optimization in debug mode
 [profile.dev]
 opt-level = 0
 

diff --git a/crates/cid-utils/src/hash.rs b/crates/cid-utils/src/hash.rs
@@ -34,7 +34,7 @@ use crate::unixfs::Data as UnixFsMetadata;
 /// It should be used everywhere in the Fluence stack to produce the same CIDs.
 const CHUNK_SIZE: usize = 262144;
 
-#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+#[derive(Clone, PartialEq, Eq, Hash, Debug)]
 pub struct Hash(pub Cid);
 
 impl Hash {

diff --git a/crates/created-swarm/Cargo.toml b/crates/created-swarm/Cargo.toml
@@ -21,6 +21,7 @@ toy-vms = { workspace = true }
 system-services = { workspace = true }
 tempfile = { workspace = true }
 core-manager = { workspace = true }
+cid-utils = { workspace = true }
 
 fluence-keypair = { workspace = true }
 log = { workspace = true }

diff --git a/crates/created-swarm/src/swarm.rs b/crates/created-swarm/src/swarm.rs
@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+use std::collections::HashMap;
 use std::convert::identity;
 use std::net::SocketAddr;
 use std::sync::Arc;
@@ -31,6 +32,7 @@ use air_interpreter_fs::{air_interpreter_path, write_default_air_interpreter};
 use aquamarine::{AVMRunner, AquamarineApi};
 use aquamarine::{AquaRuntime, DataStoreConfig, VmConfig};
 use base64::{engine::general_purpose::STANDARD as base64, Engine};
+use cid_utils::Hash;
 use core_manager::manager::DummyCoreManager;
 use fluence_libp2p::random_multiaddr::{create_memory_maddr, create_tcp_maddr};
 use fluence_libp2p::Transport;
@@ -267,6 +269,7 @@ pub struct SwarmConfig {
     pub builtins_dir: Option<PathBuf>,
     pub spell_base_dir: Option<PathBuf>,
     pub allowed_binaries: Vec<String>,
+    pub allowed_effectors: HashMap<String, HashMap<String, String>>,
     pub enabled_system_services: Vec<String>,
     pub extend_system_services: Vec<system_services::PackageDistro>,
     pub override_system_services_config: Option<system_services_config::SystemServicesConfig>,
@@ -295,6 +298,7 @@ impl SwarmConfig {
             builtins_dir: None,
             spell_base_dir: None,
             allowed_binaries: vec!["/usr/bin/ipfs".to_string(), "/usr/bin/curl".to_string()],
+            allowed_effectors: HashMap::new(),
             enabled_system_services: vec![],
             extend_system_services: vec![],
             override_system_services_config: None,
@@ -402,6 +406,11 @@ pub async fn create_swarm_with_runtime<RT: AquaRuntime>(
 
         resolved.node_config.allowed_binaries = config.allowed_binaries.clone();
 
+        let allowed_effectors = config.allowed_effectors.iter().map(|(cid, binaries)| {
+            (Hash::from_string(cid).unwrap(), binaries.clone())
+        }).collect::<_>();
+        resolved.node_config.allowed_effectors = allowed_effectors;
+
         if let Some(config) = config.override_system_services_config.clone() {
             resolved.system_services = config;
         }