|
Chris@47
|
1 # Copyright (c) 2013-2014 Sandstorm Development Group, Inc. and contributors
|
|
Chris@47
|
2 # Licensed under the MIT License:
|
|
Chris@47
|
3 #
|
|
Chris@47
|
4 # Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
Chris@47
|
5 # of this software and associated documentation files (the "Software"), to deal
|
|
Chris@47
|
6 # in the Software without restriction, including without limitation the rights
|
|
Chris@47
|
7 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
Chris@47
|
8 # copies of the Software, and to permit persons to whom the Software is
|
|
Chris@47
|
9 # furnished to do so, subject to the following conditions:
|
|
Chris@47
|
10 #
|
|
Chris@47
|
11 # The above copyright notice and this permission notice shall be included in
|
|
Chris@47
|
12 # all copies or substantial portions of the Software.
|
|
Chris@47
|
13 #
|
|
Chris@47
|
14 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
Chris@47
|
15 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
Chris@47
|
16 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
Chris@47
|
17 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
Chris@47
|
18 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
Chris@47
|
19 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
Chris@47
|
20 # THE SOFTWARE.
|
|
Chris@47
|
21
|
|
Chris@47
|
22 @0xa184c7885cdaf2a1;
|
|
Chris@47
|
23 # This file defines the "network-specific parameters" in rpc.capnp to support a network consisting
|
|
Chris@47
|
24 # of two vats. Each of these vats may in fact be in communication with other vats, but any
|
|
Chris@47
|
25 # capabilities they forward must be proxied. Thus, to each end of the connection, all capabilities
|
|
Chris@47
|
26 # received from the other end appear to live in a single vat.
|
|
Chris@47
|
27 #
|
|
Chris@47
|
28 # Two notable use cases for this model include:
|
|
Chris@47
|
29 # - Regular client-server communications, where a remote client machine (perhaps living on an end
|
|
Chris@47
|
30 # user's personal device) connects to a server. The server may be part of a cluster, and may
|
|
Chris@47
|
31 # call on other servers in the cluster to help service the user's request. It may even obtain
|
|
Chris@47
|
32 # capabilities from these other servers which it passes on to the user. To simplify network
|
|
Chris@47
|
33 # common traversal problems (e.g. if the user is behind a firewall), it is probably desirable to
|
|
Chris@47
|
34 # multiplex all communications between the server cluster and the client over the original
|
|
Chris@47
|
35 # connection rather than form new ones. This connection should use the two-party protocol, as
|
|
Chris@47
|
36 # the client has no interest in knowing about additional servers.
|
|
Chris@47
|
37 # - Applications running in a sandbox. A supervisor process may execute a confined application
|
|
Chris@47
|
38 # such that all of the confined app's communications with the outside world must pass through
|
|
Chris@47
|
39 # the supervisor. In this case, the connection between the confined app and the supervisor might
|
|
Chris@47
|
40 # as well use the two-party protocol, because the confined app is intentionally prevented from
|
|
Chris@47
|
41 # talking to any other vat anyway. Any external resources will be proxied through the supervisor,
|
|
Chris@47
|
42 # and so to the contained app will appear as if they were hosted by the supervisor itself.
|
|
Chris@47
|
43 #
|
|
Chris@47
|
44 # Since there are only two vats in this network, there is never a need for three-way introductions,
|
|
Chris@47
|
45 # so level 3 is free. Moreover, because it is never necessary to form new connections, the
|
|
Chris@47
|
46 # two-party protocol can be used easily anywhere where a two-way byte stream exists, without regard
|
|
Chris@47
|
47 # to where that byte stream goes or how it was initiated. This makes the two-party runtime library
|
|
Chris@47
|
48 # highly reusable.
|
|
Chris@47
|
49 #
|
|
Chris@47
|
50 # Joins (level 4) _could_ be needed in cases where one or both vats are participating in other
|
|
Chris@47
|
51 # networks that use joins. For instance, if Alice and Bob are speaking through the two-party
|
|
Chris@47
|
52 # protocol, and Bob is also participating on another network, Bob may send Alice two or more
|
|
Chris@47
|
53 # proxied capabilities which, unbeknownst to Bob at the time, are in fact pointing at the same
|
|
Chris@47
|
54 # remote object. Alice may then request to join these capabilities, at which point Bob will have
|
|
Chris@47
|
55 # to forward the join to the other network. Note, however, that if Alice is _not_ participating on
|
|
Chris@47
|
56 # any other network, then Alice will never need to _receive_ a Join, because Alice would always
|
|
Chris@47
|
57 # know when two locally-hosted capabilities are the same and would never export a redundant alias
|
|
Chris@47
|
58 # to Bob. So, Alice can respond to all incoming joins with an error, and only needs to implement
|
|
Chris@47
|
59 # outgoing joins if she herself desires to use this feature. Also, outgoing joins are relatively
|
|
Chris@47
|
60 # easy to implement in this scenario.
|
|
Chris@47
|
61 #
|
|
Chris@47
|
62 # What all this means is that a level 4 implementation of the confined network is barely more
|
|
Chris@47
|
63 # complicated than a level 2 implementation. However, such an implementation allows the "client"
|
|
Chris@47
|
64 # or "confined" app to access the server's/supervisor's network with equal functionality to any
|
|
Chris@47
|
65 # native participant. In other words, an application which implements only the two-party protocol
|
|
Chris@47
|
66 # can be paired with a proxy app in order to participate in any network.
|
|
Chris@47
|
67 #
|
|
Chris@47
|
68 # So, when implementing Cap'n Proto in a new language, it makes sense to implement only the
|
|
Chris@47
|
69 # two-party protocol initially, and then pair applications with an appropriate proxy written in
|
|
Chris@47
|
70 # C++, rather than implement other parameterizations of the RPC protocol directly.
|
|
Chris@47
|
71
|
|
Chris@47
|
72 using Cxx = import "/capnp/c++.capnp";
|
|
Chris@47
|
73 $Cxx.namespace("capnp::rpc::twoparty");
|
|
Chris@47
|
74
|
|
Chris@47
|
75 # Note: SturdyRef is not specified here. It is up to the application to define semantics of
|
|
Chris@47
|
76 # SturdyRefs if desired.
|
|
Chris@47
|
77
|
|
Chris@47
|
78 enum Side {
|
|
Chris@47
|
79 server @0;
|
|
Chris@47
|
80 # The object lives on the "server" or "supervisor" end of the connection. Only the
|
|
Chris@47
|
81 # server/supervisor knows how to interpret the ref; to the client, it is opaque.
|
|
Chris@47
|
82 #
|
|
Chris@47
|
83 # Note that containers intending to implement strong confinement should rewrite SturdyRefs
|
|
Chris@47
|
84 # received from the external network before passing them on to the confined app. The confined
|
|
Chris@47
|
85 # app thus does not ever receive the raw bits of the SturdyRef (which it could perhaps
|
|
Chris@47
|
86 # maliciously leak), but instead receives only a thing that it can pass back to the container
|
|
Chris@47
|
87 # later to restore the ref. See:
|
|
Chris@47
|
88 # http://www.erights.org/elib/capability/dist-confine.html
|
|
Chris@47
|
89
|
|
Chris@47
|
90 client @1;
|
|
Chris@47
|
91 # The object lives on the "client" or "confined app" end of the connection. Only the client
|
|
Chris@47
|
92 # knows how to interpret the ref; to the server/supervisor, it is opaque. Most clients do not
|
|
Chris@47
|
93 # actually know how to persist capabilities at all, so use of this is unusual.
|
|
Chris@47
|
94 }
|
|
Chris@47
|
95
|
|
Chris@47
|
96 struct VatId {
|
|
Chris@47
|
97 side @0 :Side;
|
|
Chris@47
|
98 }
|
|
Chris@47
|
99
|
|
Chris@47
|
100 struct ProvisionId {
|
|
Chris@47
|
101 # Only used for joins, since three-way introductions never happen on a two-party network.
|
|
Chris@47
|
102
|
|
Chris@47
|
103 joinId @0 :UInt32;
|
|
Chris@47
|
104 # The ID from `JoinKeyPart`.
|
|
Chris@47
|
105 }
|
|
Chris@47
|
106
|
|
Chris@47
|
107 struct RecipientId {}
|
|
Chris@47
|
108 # Never used, because there are only two parties.
|
|
Chris@47
|
109
|
|
Chris@47
|
110 struct ThirdPartyCapId {}
|
|
Chris@47
|
111 # Never used, because there is no third party.
|
|
Chris@47
|
112
|
|
Chris@47
|
113 struct JoinKeyPart {
|
|
Chris@47
|
114 # Joins in the two-party case are simplified by a few observations.
|
|
Chris@47
|
115 #
|
|
Chris@47
|
116 # First, on a two-party network, a Join only ever makes sense if the receiving end is also
|
|
Chris@47
|
117 # connected to other networks. A vat which is not connected to any other network can safely
|
|
Chris@47
|
118 # reject all joins.
|
|
Chris@47
|
119 #
|
|
Chris@47
|
120 # Second, since a two-party connection bisects the network -- there can be no other connections
|
|
Chris@47
|
121 # between the networks at either end of the connection -- if one part of a join crosses the
|
|
Chris@47
|
122 # connection, then _all_ parts must cross it. Therefore, a vat which is receiving a Join request
|
|
Chris@47
|
123 # off some other network which needs to be forwarded across the two-party connection can
|
|
Chris@47
|
124 # collect all the parts on its end and only forward them across the two-party connection when all
|
|
Chris@47
|
125 # have been received.
|
|
Chris@47
|
126 #
|
|
Chris@47
|
127 # For example, imagine that Alice and Bob are vats connected over a two-party connection, and
|
|
Chris@47
|
128 # each is also connected to other networks. At some point, Alice receives one part of a Join
|
|
Chris@47
|
129 # request off her network. The request is addressed to a capability that Alice received from
|
|
Chris@47
|
130 # Bob and is proxying to her other network. Alice goes ahead and responds to the Join part as
|
|
Chris@47
|
131 # if she hosted the capability locally (this is important so that if not all the Join parts end
|
|
Chris@47
|
132 # up at Alice, the original sender can detect the failed Join without hanging). As other parts
|
|
Chris@47
|
133 # trickle in, Alice verifies that each part is addressed to a capability from Bob and continues
|
|
Chris@47
|
134 # to respond to each one. Once the complete set of join parts is received, Alice checks if they
|
|
Chris@47
|
135 # were all for the exact same capability. If so, she doesn't need to send anything to Bob at
|
|
Chris@47
|
136 # all. Otherwise, she collects the set of capabilities (from Bob) to which the join parts were
|
|
Chris@47
|
137 # addressed and essentially initiates a _new_ Join request on those capabilities to Bob. Alice
|
|
Chris@47
|
138 # does not forward the Join parts she received herself, but essentially forwards the Join as a
|
|
Chris@47
|
139 # whole.
|
|
Chris@47
|
140 #
|
|
Chris@47
|
141 # On Bob's end, since he knows that Alice will always send all parts of a Join together, he
|
|
Chris@47
|
142 # simply waits until he's received them all, then performs a join on the respective capabilities
|
|
Chris@47
|
143 # as if it had been requested locally.
|
|
Chris@47
|
144
|
|
Chris@47
|
145 joinId @0 :UInt32;
|
|
Chris@47
|
146 # A number identifying this join, chosen by the sender. May be reused once `Finish` messages are
|
|
Chris@47
|
147 # sent corresponding to all of the `Join` messages.
|
|
Chris@47
|
148
|
|
Chris@47
|
149 partCount @1 :UInt16;
|
|
Chris@47
|
150 # The number of capabilities to be joined.
|
|
Chris@47
|
151
|
|
Chris@47
|
152 partNum @2 :UInt16;
|
|
Chris@47
|
153 # Which part this request targets -- a number in the range [0, partCount).
|
|
Chris@47
|
154 }
|
|
Chris@47
|
155
|
|
Chris@47
|
156 struct JoinResult {
|
|
Chris@47
|
157 joinId @0 :UInt32;
|
|
Chris@47
|
158 # Matches `JoinKeyPart`.
|
|
Chris@47
|
159
|
|
Chris@47
|
160 succeeded @1 :Bool;
|
|
Chris@47
|
161 # All JoinResults in the set will have the same value for `succeeded`. The receiver actually
|
|
Chris@47
|
162 # implements the join by waiting for all the `JoinKeyParts` and then performing its own join on
|
|
Chris@47
|
163 # them, then going back and answering all the join requests afterwards.
|
|
Chris@47
|
164
|
|
Chris@47
|
165 cap @2 :AnyPointer;
|
|
Chris@47
|
166 # One of the JoinResults will have a non-null `cap` which is the joined capability.
|
|
Chris@47
|
167 #
|
|
Chris@47
|
168 # TODO(cleanup): Change `AnyPointer` to `Capability` when that is supported.
|
|
Chris@47
|
169 }
|
