Rework on the permission check for (remote) clients.

veracruz-project · ShaleXIONG · Jul 25, 2023 · Jul 25, 2023 · Jul 25, 2023 · Aug 22, 2023
commit ade56f74469993ed75fddf426e7567a16d29c7d8
diff --git a/crates/execution-engine/src/engines/wasmtime.rs b/crates/execution-engine/src/engines/wasmtime.rs
@@ -22,7 +22,7 @@ use std::{
     fs::{create_dir_all, File},
 };
 use wasmtime::{Config, Engine, Linker, Module, Store};
-use wasmtime_wasi::sync::{Dir, WasiCtxBuilder};
+use wasmtime_wasi::sync::{Dir, WasiCtxBuilder, TcpListener};
 use policy_utils::principal::PrincipalPermission;
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -32,6 +32,8 @@ use policy_utils::principal::PrincipalPermission;
 pub struct WasmtimeRuntimeState {
     permissions: PrincipalPermission,
     environment: Environment,
+    // Careful on the type name conflict, here we want the TcpListener from std.
+    sockets: Vec<(u32,std::net::TcpListener)>,
 }
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -45,6 +47,7 @@ impl WasmtimeRuntimeState {
         Ok(Self {
             permissions,
             environment,
+            sockets: Vec::new(),
         })
     }
 }
@@ -98,6 +101,12 @@ impl ExecutionEngine for WasmtimeRuntimeState {
             Ok(wasm_build.preopened_dir(Dir::from_std_file(file), path)?)
         })?;
 
+        let wasm_build = self.sockets.iter().fold(Ok(wasm_build), |acc : Result<WasiCtxBuilder>, (fd,listener)| {
+            let wasm_build = acc?;
+            info!("bind fd {:?}", fd);
+            Ok(wasm_build.preopened_socket(*fd, TcpListener::from_std(listener.try_clone()?))?)
+        })?;
+
         let wasi = wasm_build.build();
         let mut store = Store::new(&engine, wasi);
         let module = Module::new(&engine, program)?;

diff --git a/crates/execution-engine/src/pipeline.rs b/crates/execution-engine/src/pipeline.rs
@@ -40,7 +40,7 @@ fn is_wasm_binary(path_string: &String) -> bool {
 /// The function will return the error code.
 pub fn execute_pipeline(
     strategy: &ExecutionStrategy,
-    permissions: &PrincipalPermission,
+    execution_permissions: &PrincipalPermission,
     pipeline: Box<Expr>,
     env: &Environment,
 ) -> Result<u32> {
@@ -53,7 +53,7 @@ pub fn execute_pipeline(
                 // Read and call execute_WASM program
                 let binary = fs::read(path)?;
                 let return_code =
-                    execute_program(strategy, permissions, binary, env)?;
+                    execute_program(strategy, execution_permissions, binary, env)?;
                 Ok(return_code)
             } else {
                 info!("Invoke native binary: {}", path);
@@ -79,7 +79,7 @@ pub fn execute_pipeline(
         Seq(vec) => {
             info!("Seq {:?}", vec);
             for expr in vec {
-                let return_code = execute_pipeline(strategy, permissions, expr, env)?;
+                let return_code = execute_pipeline(strategy, execution_permissions, expr, env)?;
 
                 // An error occurs
                 if return_code != 0 {
@@ -93,10 +93,10 @@ pub fn execute_pipeline(
         IfElse(cond, true_branch, false_branch) => {
             info!("IfElse {:?} true -> {:?} false -> {:?}", cond, true_branch, false_branch);
             let return_code = if Path::new(&cond).exists() {
-                execute_pipeline(strategy, permissions, true_branch, env)?
+                execute_pipeline(strategy, execution_permissions, true_branch, env)?
             } else {
                 match false_branch {
-                    Some(f) => execute_pipeline(strategy, permissions, f, env)?,
+                    Some(f) => execute_pipeline(strategy, execution_permissions, f, env)?,
                     None => 0,
                 }
             };

diff --git a/crates/policy-utils/src/parsers.rs b/crates/policy-utils/src/parsers.rs
@@ -18,7 +18,7 @@
 use crate::pipeline::Expr;
 use lalrpop_util::lalrpop_mod;
 #[cfg(feature = "std")]
-use std::{ffi, path};
+use std::path;
 
 lalrpop_mod!(pipeline);
 

diff --git a/crates/policy-utils/src/policy.rs b/crates/policy-utils/src/policy.rs
@@ -37,7 +37,7 @@
 use super::{
     error::PolicyError,
     expiry::Timepoint,
-    principal::{PermissionTable, FilePermissions, ExecutionStrategy, FileHash, Identity, NativeModule, Pipeline, Principal, Program},
+    principal::{PrincipalPermission, FilePermissions, ExecutionStrategy, FileHash, Identity, NativeModule, Pipeline, Principal, Program},
     Platform,
 };
 use anyhow::{anyhow, Result};
@@ -292,10 +292,10 @@ impl Policy {
             identity.assert_valid()?;
 
             // check IDs of all the participants
-            if client_ids.contains(identity.id()) {
+            if client_ids.contains(&identity.id()) {
                 return Err(anyhow!(PolicyError::FormatError));
             }
-            client_ids.push(*identity.id());
+            client_ids.push(identity.id());
         }
 
         // Check the ciphersuite
@@ -314,49 +314,52 @@ impl Policy {
     /// of requesting a shutdown of the computation.  At the moment, only the
     /// principals who can request the result can also request shutdown.
     pub fn expected_shutdown_list(&self) -> Vec<u64> {
-        self.identities()
+        self.identities
             .iter()
-            .fold(Vec::new(), |mut acc, identity| {
-                acc.push(*identity.id() as u64);
-                acc
-            })
+            .map(|identity| identity.id_u64())
+            .collect()
     }
 
     /// Returns `Ok(identity)` if a principal with a certificate matching the
     /// X509 certificate, `cert`, is present within the list of
     /// identities/principals associated with this policy.  Otherwise, returns
     /// an error.
     pub fn check_client_id(&self, cert: &str) -> Result<u64> {
-        for identity in self.identities().iter() {
+        for identity in self.identities.iter() {
             if identity.certificate().as_str() == cert {
-                return Ok(*identity.id() as u64);
+                return Ok(identity.id_u64());
             }
         }
         Err(anyhow!(PolicyError::InvalidClientCertificateError(
             cert.to_string()
         )))
     }
 
-    /// Return the CapabilityTable in this policy. It contains capabilities related to all
-    /// participants and programs.
-    pub fn get_rights_table(&self) -> PermissionTable {
-        let mut table = HashMap::new();
-        for identity in self.identities() {
-            let id = Principal::Participant(*identity.id() as u64);
-            let right_map = identity.file_rights_map();
-            table.insert(id, right_map);
-        }
-        for program in &self.programs {
-            let id = Principal::Program(program.program_file_name().to_string());
-            let right_map = program.file_rights_map();
-            table.insert(id, right_map);
-        }
-        for program in &self.pipelines {
-            let id = Principal::Pipeline(program.name().to_string());
-            let right_map = program.file_rights_map();
-            table.insert(id, right_map);
+    pub fn get_permission(&self, principal: &Principal) -> Result<PrincipalPermission> {
+        match principal {
+            Principal::InternalSuperUser | Principal::NoCap => return Err(anyhow!("SuperUser or NoCap")),
+            Principal::Participant(id) => {
+                if let Some(principal) = self.identities.iter().find(|x| *id == x.id_u64()) {
+                    return Ok(principal.file_rights_map())
+                }
+            },
+            Principal::Program(path) => {
+                if let Some(principal) = self.programs.iter().find(|x| path == x.program_file_name()) {
+                    return Ok(principal.file_rights_map())
+                }
+            },
+            Principal::Pipeline(name) => {
+                if let Some(principal) = self.pipelines.iter().find(|x| name == x.name()) {
+                    return Ok(principal.file_rights_map())
+                }
+            },
+            Principal::NativeModule(name) => {
+                if let Some(principal) = self.pipelines.iter().find(|x| name == x.name()) {
+                    return Ok(principal.file_rights_map())
+                }
+            },                   
         }
-        table
+        Err(anyhow!("Cannot find {:?}", principal))
     }
 
     /// Return the file hash table, mapping filenames to their expected hashes.

diff --git a/crates/policy-utils/src/principal.rs b/crates/policy-utils/src/principal.rs
@@ -16,7 +16,7 @@ use super::error::PolicyError;
 use crate::{parsers::parse_pipeline, pipeline::Expr};
 use anyhow::{anyhow, Result};
 use serde::{Deserialize, Serialize, Serializer, Deserializer};
-use std::{collections::HashMap, fmt::Debug, path::PathBuf, string::String};
+use std::{collections::HashMap, fmt::Debug, path::{Path, PathBuf}, string::String};
 
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -44,6 +44,36 @@ pub enum Principal {
 pub type PrincipalPermission = HashMap<PathBuf, FilePermissions>;
 pub type PermissionTable = HashMap<Principal, PrincipalPermission>;
 
+/// Check if the `target_path` is allowed to perform `target_permission` in the `table`.
+pub fn check_permission<T: AsRef<Path>>(
+    table: &PrincipalPermission,
+    target_path: T,
+    target_permission: &FilePermissions,
+) -> bool {
+    table
+       .iter()
+       // Find the permission corresponding to the longest prefix.
+       .fold((0, false), |(max_length, result), (path, permission)|{
+           if !target_path.as_ref().starts_with(path){
+               // prefix of target_path does not match path
+               // return the previous result
+               return (max_length, result);
+           }  
+
+           let size = path.as_os_str().len();
+
+           if size <= max_length {
+               // The matched path is shorted than previous one
+               // return the previous result
+               return (max_length, result);
+           }
+
+           // If reaching here, find a longer prefix match
+           (size, permission.allows(target_permission))
+
+       }).1
+}
+
 /// Defines a file entry in the policy, containing the name and `Right`, the allowed op.
 #[derive(Clone, Debug, PartialEq)]
 pub struct FilePermissions {
@@ -58,6 +88,20 @@ impl FilePermissions {
     pub fn new(read: bool, write: bool, execute: bool) -> Self {
         Self { read, write, execute }
     }
+
+    /// Check if the current permission allows `request`
+    pub fn allows(&self, request: &Self) -> bool {
+        // request -> (logic imply) self
+        // This means, if `request` needs a true, 
+        // then check the permission in `self`. Otherwise, `request` 
+        // is false and the entire formulae is true.
+        //
+        // Noting that A -> B is logically equivalent to
+        // ~(A /\ ~B) where ~ means negation and /\ means logical and.
+        !(request.read & !self.read)
+        & !(request.write & !self.write)
+        & !(request.execute & !self.execute)
+    }
 }
 
 /// Custom serialize and deserialize to "rwx"
@@ -363,8 +407,14 @@ impl<U> Identity<U> {
 
     /// Returns the ID associated with this identity.
     #[inline]
-    pub fn id(&self) -> &u32 {
-        &self.id
+    pub fn id(&self) -> u32 {
+        self.id
+    }
+
+    /// Returns the ID associated with this identity.
+    #[inline]
+    pub fn id_u64(&self) -> u64 {
+        self.id as u64
     }
 }