Skip to content

add http-acl to wasi-http#6808

Closed
veeshi wants to merge 5 commits intobytecodealliance:mainfrom
nethunterslabs:wasi-http-acl
Closed

add http-acl to wasi-http#6808
veeshi wants to merge 5 commits intobytecodealliance:mainfrom
nethunterslabs:wasi-http-acl

Conversation

@veeshi
Copy link

@veeshi veeshi commented Aug 5, 2023

Similar to #6401 I added support to use our http-acl crate which allows settings ACL rules to allow/deny HTTP requests based on the:

  • method
  • host
  • port
  • scheme
  • resolved IP addresses if they are in an allowed or denied range
  • blocking private IP addresses
  • setting the default action if no ACL match is found

This also fixes the broken IPv6 authority support in the wasi-http crate which currently just splits the authority on : and then takes the second split value as the port.

@veeshi veeshi requested review from a team as code owners August 5, 2023 00:01
@veeshi veeshi requested review from fitzgen and removed request for a team August 5, 2023 00:01
@veeshi veeshi force-pushed the wasi-http-acl branch 4 times, most recently from d41bc38 to 655d584 Compare August 5, 2023 15:57
@pchickey pchickey requested review from pchickey and removed request for fitzgen August 7, 2023 15:36
@elliottt elliottt removed the request for review from a team August 9, 2023 16:01
alexcrichton and others added 5 commits August 10, 2023 13:58
@alexcrichton
[12.0.0] Revert "Require wasmtime options are first when running modu…
7fb064a 
…les (bytecodealliance#6737)" (bytecodealliance#6830)

* [12.0.0] Revert "Require wasmtime options are first when running modules (bytecodealliance#6737)"

This reverts commit 8091556. The
fallout of this change has been larger than expected so revert this on
the 12.0.0 branch to provide more time to discuss this and figure out
the best course of action.

* Revert addition of one more test
@wasmtime-publish @alexcrichton
Release Wasmtime 12.0.0 (bytecodealliance#6864)
54cbe5f 
* Release Wasmtime 12.0.0

[automatically-tag-and-release-this-commit]

* Update release date to today

* Update release notes for 12.0.0

---------

Co-authored-by: Wasmtime Publish <wasmtime-publish@users.noreply.github.com>
Co-authored-by: Alex Crichton <alex@alexcrichton.com>
@TimonPost @cfallin
Backport: "Cranelift: avoid quadratic behavior in label-fixup process…
ee7cc00 
…ing" to 12.0.1 (bytecodealliance#6897)

* Cranelift: avoid quadratic behavior in label-fixup processing (bytecodealliance#6804)

* WIP: two-tier processing for MachBuffer veneer processing in island emission

* Unconditionally emit veneers for label forward-refs that cross islands.

* Clean up and fix tests

* Review feedback

* Add some more detailed comments.

* Update the releases file to reflect the patch

---------

Co-authored-by: Chris Fallin <chris@cfallin.org>
@wasmtime-publish @alexcrichton
Release Wasmtime 12.0.1 (bytecodealliance#6901)
6116aae 
* Release Wasmtime 12.0.1

[automatically-tag-and-release-this-commit]

* Update cargo-vet metadata

---------

Co-authored-by: Wasmtime Publish <wasmtime-publish@users.noreply.github.com>
Co-authored-by: Alex Crichton <alex@alexcrichton.com>
@veeshi
add http-acl to wasi-http
0b024af
@veeshi veeshi requested a review from a team as a code owner August 30, 2023 19:58
@veeshi veeshi requested review from cfallin and removed request for a team August 30, 2023 19:58
@jameysharp
Copy link
Contributor

jameysharp commented Aug 30, 2023

This looks like a rebase that went wrong and is pulling in commits from other branches. I think only 0b024af was supposed to be in this PR, and GitHub automatically tagging in Cranelift folks is a false positive as a result. So I'm removing the review request for Chris.

@jameysharp jameysharp removed the request for review from cfallin August 30, 2023 20:12
@github-actions github-actions bot added cranelift Issues related to the Cranelift code generator cranelift:area:machinst Issues related to instruction selection and the new MachInst backend. cranelift:area:aarch64 Issues related to AArch64 backend. cranelift:meta Everything related to the meta-language. cranelift:module cranelift:wasm isle Related to the ISLE domain-specific language wasmtime:c-api Issues pertaining to the C API. labels Aug 30, 2023
@github-actions github-actions bot added the wasmtime:docs Issues related to Wasmtime's documentation label Aug 30, 2023
@github-actions
Copy link

github-actions bot commented Aug 30, 2023

Subscribe to Label Action

cc @cfallin, @fitzgen, @peterhuene

Details This issue or pull request has been labeled: "cranelift", "cranelift:area:aarch64", "cranelift:area:machinst", "cranelift:meta", "cranelift:module", "cranelift:wasm", "isle", "wasmtime:c-api", "wasmtime:docs"

Thus the following users have been cc'd because of the following labels:

  • cfallin: isle
  • fitzgen: isle
  • peterhuene: wasmtime:c-api

To subscribe or unsubscribe from this label, edit the .github/subscribe-to-label.json configuration file.

Learn more.

@veeshi
Copy link
Author

veeshi commented Aug 31, 2023

I rebased on the 12.0 release branch so we can use this in our platform. I can see in the 13.0 pre-release wasi-http has a WasiHttp trait so this PR will no longer be needed.

@jameysharp
Copy link
Contributor

jameysharp commented Aug 31, 2023

I'm not particularly familiar with the status of wasi-http, but it sounds to me like you don't expect to merge this PR because we have a different solution that will meet your needs. In that case, can we close this PR?

@pchickey
Copy link
Contributor

pchickey commented Aug 31, 2023

Sorry I didn't chime in earlier. We have had various wasi-http implementation plans we would get to "real soon now" for a while now.

The short version is: I don't believe that we should implement ACLs as a host functionality in any of our component interfaces, including HTTP. Instead, we want to see ACLs implemented as a component which attenuates component interfaces.

Over in the wasi-virt project, Guy has been demonstrating some of the patterns possible for component composition which interpose between the host and the user's component. In that project, he is demonstrating providing extra environment variables, a read-only filesystem image, and other basic on/off functionality for wasi interfaces.

I think the best design for an http ACL is a component generator like wasi-virt that, given an ACL, generates a component that exports a wasi-http interface to the user's component, and imports a wasi-http implementation. When wiring that export to that import, the ACL component will make any access control checks and accept (by forwarding) or reject (by returning an error) the user's import calls.

This has a bunch of advantages over building it into the host: 1. it works on any component runtime, not just wasmtime, 2. it minimizes the amount of code we need to trust in the host. practically this shows up when we cargo vet our dependencies, but that only covers safety and not correctness. 3. users (embedders) get to pick and choose whatever ACL implementation they like. For instance, #6401 is a similar, but different, implementation of this same sort of ACL. Which one is better? I personally don't know, but the person embedding wasmtime to provide some service is in a better position to know, so I want the decision be as late-binding as possible. I'd like the embedder to choose whatever attenuators that are appropriate for their needs, wasm-compose them with their user's component, and load them into wasmtime.

@veeshi
Copy link
Author

veeshi commented Aug 31, 2023

I'm not particularly familiar with the status of wasi-http, but it sounds to me like you don't expect to merge this PR because we have a different solution that will meet your needs. In that case, can we close this PR?

Yep this PR can be closed. It was more of a proof of concept to highlight one possible solution to this problem and to give us something to work with in our platform.

I think the best design for an http ACL is a component generator like wasi-virt that, given an ACL, generates a component that exports a wasi-http interface to the user's component, and imports a wasi-http implementation. When wiring that export to that import, the ACL component will make any access control checks and accept (by forwarding) or reject (by returning an error) the user's import calls.

I wasn't aware of wasi-virt till now but it is a better approach and one which gives flexibility to end users.

@veeshi veeshi closed this Aug 31, 2023
@pchickey
Copy link
Contributor

pchickey commented Aug 31, 2023

Thanks. Please stay in touch with what your platform needs from wasmtime, whether here or on the bytecode alliance discord.

@brendandburns brendandburns mentioned this pull request Sep 5, 2023
Closed
@veeshi veeshi mentioned this pull request Apr 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pchickey pchickey Awaiting requested review from pchickey

Assignees

No one assigned

Labels

cranelift:area:aarch64 Issues related to AArch64 backend. cranelift:area:machinst Issues related to instruction selection and the new MachInst backend. cranelift:meta Everything related to the meta-language. cranelift:module cranelift:wasm cranelift Issues related to the Cranelift code generator isle Related to the ISLE domain-specific language wasmtime:c-api Issues pertaining to the C API. wasmtime:docs Issues related to Wasmtime's documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@veeshi @jameysharp @pchickey @alexcrichton @wasmtime-publish @TimonPost