|
cannam@147
|
1 // Copyright (c) 2013-2014 Sandstorm Development Group, Inc. and contributors
|
|
cannam@147
|
2 // Licensed under the MIT License:
|
|
cannam@147
|
3 //
|
|
cannam@147
|
4 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
cannam@147
|
5 // of this software and associated documentation files (the "Software"), to deal
|
|
cannam@147
|
6 // in the Software without restriction, including without limitation the rights
|
|
cannam@147
|
7 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
cannam@147
|
8 // copies of the Software, and to permit persons to whom the Software is
|
|
cannam@147
|
9 // furnished to do so, subject to the following conditions:
|
|
cannam@147
|
10 //
|
|
cannam@147
|
11 // The above copyright notice and this permission notice shall be included in
|
|
cannam@147
|
12 // all copies or substantial portions of the Software.
|
|
cannam@147
|
13 //
|
|
cannam@147
|
14 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
cannam@147
|
15 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
cannam@147
|
16 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
cannam@147
|
17 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
cannam@147
|
18 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
cannam@147
|
19 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
cannam@147
|
20 // THE SOFTWARE.
|
|
cannam@147
|
21
|
|
cannam@147
|
22 #ifndef CAPNP_RPC_H_
|
|
cannam@147
|
23 #define CAPNP_RPC_H_
|
|
cannam@147
|
24
|
|
cannam@147
|
25 #if defined(__GNUC__) && !defined(CAPNP_HEADER_WARNINGS)
|
|
cannam@147
|
26 #pragma GCC system_header
|
|
cannam@147
|
27 #endif
|
|
cannam@147
|
28
|
|
cannam@147
|
29 #include "capability.h"
|
|
cannam@147
|
30 #include "rpc-prelude.h"
|
|
cannam@147
|
31
|
|
cannam@147
|
32 namespace capnp {
|
|
cannam@147
|
33
|
|
cannam@147
|
34 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
35 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
36 class VatNetwork;
|
|
cannam@147
|
37 template <typename SturdyRefObjectId>
|
|
cannam@147
|
38 class SturdyRefRestorer;
|
|
cannam@147
|
39
|
|
cannam@147
|
40 template <typename VatId>
|
|
cannam@147
|
41 class BootstrapFactory: public _::BootstrapFactoryBase {
|
|
cannam@147
|
42 // Interface that constructs per-client bootstrap interfaces. Use this if you want each client
|
|
cannam@147
|
43 // who connects to see a different bootstrap interface based on their (authenticated) VatId.
|
|
cannam@147
|
44 // This allows an application to bootstrap off of the authentication performed at the VatNetwork
|
|
cannam@147
|
45 // level. (Typically VatId is some sort of public key.)
|
|
cannam@147
|
46 //
|
|
cannam@147
|
47 // This is only useful for multi-party networks. For TwoPartyVatNetwork, there's no reason to
|
|
cannam@147
|
48 // use a BootstrapFactory; just specify a single bootstrap capability in this case.
|
|
cannam@147
|
49
|
|
cannam@147
|
50 public:
|
|
cannam@147
|
51 virtual Capability::Client createFor(typename VatId::Reader clientId) = 0;
|
|
cannam@147
|
52 // Create a bootstrap capability appropriate for exposing to the given client. VatNetwork will
|
|
cannam@147
|
53 // have authenticated the client VatId before this is called.
|
|
cannam@147
|
54
|
|
cannam@147
|
55 private:
|
|
cannam@147
|
56 Capability::Client baseCreateFor(AnyStruct::Reader clientId) override;
|
|
cannam@147
|
57 };
|
|
cannam@147
|
58
|
|
cannam@147
|
59 template <typename VatId>
|
|
cannam@147
|
60 class RpcSystem: public _::RpcSystemBase {
|
|
cannam@147
|
61 // Represents the RPC system, which is the portal to objects available on the network.
|
|
cannam@147
|
62 //
|
|
cannam@147
|
63 // The RPC implementation sits on top of an implementation of `VatNetwork`. The `VatNetwork`
|
|
cannam@147
|
64 // determines how to form connections between vats -- specifically, two-way, private, reliable,
|
|
cannam@147
|
65 // sequenced datagram connections. The RPC implementation determines how to use such connections
|
|
cannam@147
|
66 // to manage object references and make method calls.
|
|
cannam@147
|
67 //
|
|
cannam@147
|
68 // See `makeRpcServer()` and `makeRpcClient()` below for convenient syntax for setting up an
|
|
cannam@147
|
69 // `RpcSystem` given a `VatNetwork`.
|
|
cannam@147
|
70 //
|
|
cannam@147
|
71 // See `ez-rpc.h` for an even simpler interface for setting up RPC in a typical two-party
|
|
cannam@147
|
72 // client/server scenario.
|
|
cannam@147
|
73
|
|
cannam@147
|
74 public:
|
|
cannam@147
|
75 template <typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
76 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
77 RpcSystem(
|
|
cannam@147
|
78 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
79 kj::Maybe<Capability::Client> bootstrapInterface,
|
|
cannam@147
|
80 kj::Maybe<RealmGateway<>::Client> gateway = nullptr);
|
|
cannam@147
|
81
|
|
cannam@147
|
82 template <typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
83 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
84 RpcSystem(
|
|
cannam@147
|
85 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
86 BootstrapFactory<VatId>& bootstrapFactory,
|
|
cannam@147
|
87 kj::Maybe<RealmGateway<>::Client> gateway = nullptr);
|
|
cannam@147
|
88
|
|
cannam@147
|
89 template <typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
90 typename ThirdPartyCapId, typename JoinResult,
|
|
cannam@147
|
91 typename LocalSturdyRefObjectId>
|
|
cannam@147
|
92 RpcSystem(
|
|
cannam@147
|
93 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
94 SturdyRefRestorer<LocalSturdyRefObjectId>& restorer);
|
|
cannam@147
|
95
|
|
cannam@147
|
96 RpcSystem(RpcSystem&& other) = default;
|
|
cannam@147
|
97
|
|
cannam@147
|
98 Capability::Client bootstrap(typename VatId::Reader vatId);
|
|
cannam@147
|
99 // Connect to the given vat and return its bootstrap interface.
|
|
cannam@147
|
100
|
|
cannam@147
|
101 Capability::Client restore(typename VatId::Reader hostId, AnyPointer::Reader objectId)
|
|
cannam@147
|
102 KJ_DEPRECATED("Please transition to using a bootstrap interface instead.");
|
|
cannam@147
|
103 // ** DEPRECATED **
|
|
cannam@147
|
104 //
|
|
cannam@147
|
105 // Restores the given SturdyRef from the network and return the capability representing it.
|
|
cannam@147
|
106 //
|
|
cannam@147
|
107 // `hostId` identifies the host from which to request the ref, in the format specified by the
|
|
cannam@147
|
108 // `VatNetwork` in use. `objectId` is the object ID in whatever format is expected by said host.
|
|
cannam@147
|
109 //
|
|
cannam@147
|
110 // This method will be removed in a future version of Cap'n Proto. Instead, please transition
|
|
cannam@147
|
111 // to using bootstrap(), which is equivalent to calling restore() with a null `objectId`.
|
|
cannam@147
|
112 // You may emulate the old concept of object IDs by exporting a bootstrap interface which has
|
|
cannam@147
|
113 // methods that can be used to obtain other capabilities by ID.
|
|
cannam@147
|
114
|
|
cannam@147
|
115 void setFlowLimit(size_t words);
|
|
cannam@147
|
116 // Sets the incoming call flow limit. If more than `words` worth of call messages have not yet
|
|
cannam@147
|
117 // received responses, the RpcSystem will not read further messages from the stream. This can be
|
|
cannam@147
|
118 // used as a crude way to prevent a resource exhaustion attack (or bug) in which a peer makes an
|
|
cannam@147
|
119 // excessive number of simultaneous calls that consume the receiver's RAM.
|
|
cannam@147
|
120 //
|
|
cannam@147
|
121 // There are some caveats. When over the flow limit, all messages are blocked, including returns.
|
|
cannam@147
|
122 // If the outstanding calls are themselves waiting on calls going in the opposite direction, the
|
|
cannam@147
|
123 // flow limit may prevent those calls from completing, leading to deadlock. However, a
|
|
cannam@147
|
124 // sufficiently high limit should make this unlikely.
|
|
cannam@147
|
125 //
|
|
cannam@147
|
126 // Note that a call's parameter size counts against the flow limit until the call returns, even
|
|
cannam@147
|
127 // if the recipient calls releaseParams() to free the parameter memory early. This is because
|
|
cannam@147
|
128 // releaseParams() may simply indicate that the parameters have been forwarded to another
|
|
cannam@147
|
129 // machine, but are still in-memory there. For illustration, say that Alice made a call to Bob
|
|
cannam@147
|
130 // who forwarded the call to Carol. Bob has imposed a flow limit on Alice. Alice's calls are
|
|
cannam@147
|
131 // being forwarded to Carol, so Bob never keeps the parameters in-memory for more than a brief
|
|
cannam@147
|
132 // period. However, the flow limit counts all calls that haven't returned, even if Bob has
|
|
cannam@147
|
133 // already freed the memory they consumed. You might argue that the right solution here is
|
|
cannam@147
|
134 // instead for Carol to impose her own flow limit on Bob. This has a serious problem, though:
|
|
cannam@147
|
135 // Bob might be forwarding requests to Carol on behalf of many different parties, not just Alice.
|
|
cannam@147
|
136 // If Alice can pump enough data to hit the Bob -> Carol flow limit, then those other parties
|
|
cannam@147
|
137 // will be disrupted. Thus, we can only really impose the limit on the Alice -> Bob link, which
|
|
cannam@147
|
138 // only affects Alice. We need that one flow limit to limit Alice's impact on the whole system,
|
|
cannam@147
|
139 // so it has to count all in-flight calls.
|
|
cannam@147
|
140 //
|
|
cannam@147
|
141 // In Sandstorm, flow limits are imposed by the supervisor on calls coming out of a grain, in
|
|
cannam@147
|
142 // order to prevent a grain from inundating the system with in-flight calls. In practice, the
|
|
cannam@147
|
143 // main time this happens is when a grain is pushing a large file download and doesn't implement
|
|
cannam@147
|
144 // proper cooperative flow control.
|
|
cannam@147
|
145 };
|
|
cannam@147
|
146
|
|
cannam@147
|
147 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
148 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
149 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
150 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
151 Capability::Client bootstrapInterface);
|
|
cannam@147
|
152 // Make an RPC server. Typical usage (e.g. in a main() function):
|
|
cannam@147
|
153 //
|
|
cannam@147
|
154 // MyEventLoop eventLoop;
|
|
cannam@147
|
155 // kj::WaitScope waitScope(eventLoop);
|
|
cannam@147
|
156 // MyNetwork network;
|
|
cannam@147
|
157 // MyMainInterface::Client bootstrap = makeMain();
|
|
cannam@147
|
158 // auto server = makeRpcServer(network, bootstrap);
|
|
cannam@147
|
159 // kj::NEVER_DONE.wait(waitScope); // run forever
|
|
cannam@147
|
160 //
|
|
cannam@147
|
161 // See also ez-rpc.h, which has simpler instructions for the common case of a two-party
|
|
cannam@147
|
162 // client-server RPC connection.
|
|
cannam@147
|
163
|
|
cannam@147
|
164 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
165 typename ThirdPartyCapId, typename JoinResult, typename RealmGatewayClient,
|
|
cannam@147
|
166 typename InternalRef = _::InternalRefFromRealmGatewayClient<RealmGatewayClient>,
|
|
cannam@147
|
167 typename ExternalRef = _::ExternalRefFromRealmGatewayClient<RealmGatewayClient>>
|
|
cannam@147
|
168 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
169 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
170 Capability::Client bootstrapInterface, RealmGatewayClient gateway);
|
|
cannam@147
|
171 // Make an RPC server for a VatNetwork that resides in a different realm from the application.
|
|
cannam@147
|
172 // The given RealmGateway is used to translate SturdyRefs between the app's ("internal") format
|
|
cannam@147
|
173 // and the network's ("external") format.
|
|
cannam@147
|
174
|
|
cannam@147
|
175 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
176 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
177 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
178 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
179 BootstrapFactory<VatId>& bootstrapFactory);
|
|
cannam@147
|
180 // Make an RPC server that can serve different bootstrap interfaces to different clients via a
|
|
cannam@147
|
181 // BootstrapInterface.
|
|
cannam@147
|
182
|
|
cannam@147
|
183 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
184 typename ThirdPartyCapId, typename JoinResult, typename RealmGatewayClient,
|
|
cannam@147
|
185 typename InternalRef = _::InternalRefFromRealmGatewayClient<RealmGatewayClient>,
|
|
cannam@147
|
186 typename ExternalRef = _::ExternalRefFromRealmGatewayClient<RealmGatewayClient>>
|
|
cannam@147
|
187 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
188 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
189 BootstrapFactory<VatId>& bootstrapFactory, RealmGatewayClient gateway);
|
|
cannam@147
|
190 // Make an RPC server that can serve different bootstrap interfaces to different clients via a
|
|
cannam@147
|
191 // BootstrapInterface and communicates with a different realm than the application is in via a
|
|
cannam@147
|
192 // RealmGateway.
|
|
cannam@147
|
193
|
|
cannam@147
|
194 template <typename VatId, typename LocalSturdyRefObjectId,
|
|
cannam@147
|
195 typename ProvisionId, typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
196 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
197 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
198 SturdyRefRestorer<LocalSturdyRefObjectId>& restorer)
|
|
cannam@147
|
199 KJ_DEPRECATED("Please transition to using a bootstrap interface instead.");
|
|
cannam@147
|
200 // ** DEPRECATED **
|
|
cannam@147
|
201 //
|
|
cannam@147
|
202 // Create an RPC server which exports multiple main interfaces by object ID. The `restorer` object
|
|
cannam@147
|
203 // can be used to look up objects by ID.
|
|
cannam@147
|
204 //
|
|
cannam@147
|
205 // Please transition to exporting only one interface, which is known as the "bootstrap" interface.
|
|
cannam@147
|
206 // For backwards-compatibility with old clients, continue to implement SturdyRefRestorer, but
|
|
cannam@147
|
207 // return the new bootstrap interface when the request object ID is null. When new clients connect
|
|
cannam@147
|
208 // and request the bootstrap interface, they will get that interface. Eventually, once all clients
|
|
cannam@147
|
209 // are updated to request only the bootstrap interface, stop implementing SturdyRefRestorer and
|
|
cannam@147
|
210 // switch to passing the bootstrap capability itself as the second parameter to `makeRpcServer()`.
|
|
cannam@147
|
211
|
|
cannam@147
|
212 template <typename VatId, typename ProvisionId,
|
|
cannam@147
|
213 typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
214 RpcSystem<VatId> makeRpcClient(
|
|
cannam@147
|
215 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network);
|
|
cannam@147
|
216 // Make an RPC client. Typical usage (e.g. in a main() function):
|
|
cannam@147
|
217 //
|
|
cannam@147
|
218 // MyEventLoop eventLoop;
|
|
cannam@147
|
219 // kj::WaitScope waitScope(eventLoop);
|
|
cannam@147
|
220 // MyNetwork network;
|
|
cannam@147
|
221 // auto client = makeRpcClient(network);
|
|
cannam@147
|
222 // MyCapability::Client cap = client.restore(hostId, objId).castAs<MyCapability>();
|
|
cannam@147
|
223 // auto response = cap.fooRequest().send().wait(waitScope);
|
|
cannam@147
|
224 // handleMyResponse(response);
|
|
cannam@147
|
225 //
|
|
cannam@147
|
226 // See also ez-rpc.h, which has simpler instructions for the common case of a two-party
|
|
cannam@147
|
227 // client-server RPC connection.
|
|
cannam@147
|
228
|
|
cannam@147
|
229 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
230 typename ThirdPartyCapId, typename JoinResult, typename RealmGatewayClient,
|
|
cannam@147
|
231 typename InternalRef = _::InternalRefFromRealmGatewayClient<RealmGatewayClient>,
|
|
cannam@147
|
232 typename ExternalRef = _::ExternalRefFromRealmGatewayClient<RealmGatewayClient>>
|
|
cannam@147
|
233 RpcSystem<VatId> makeRpcClient(
|
|
cannam@147
|
234 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
235 RealmGatewayClient gateway);
|
|
cannam@147
|
236 // Make an RPC client for a VatNetwork that resides in a different realm from the application.
|
|
cannam@147
|
237 // The given RealmGateway is used to translate SturdyRefs between the app's ("internal") format
|
|
cannam@147
|
238 // and the network's ("external") format.
|
|
cannam@147
|
239
|
|
cannam@147
|
240 template <typename SturdyRefObjectId>
|
|
cannam@147
|
241 class SturdyRefRestorer: public _::SturdyRefRestorerBase {
|
|
cannam@147
|
242 // ** DEPRECATED **
|
|
cannam@147
|
243 //
|
|
cannam@147
|
244 // In Cap'n Proto 0.4.x, applications could export multiple main interfaces identified by
|
|
cannam@147
|
245 // object IDs. The callback used to map object IDs to objects was `SturdyRefRestorer`, as we
|
|
cannam@147
|
246 // imagined this would eventually be used for restoring SturdyRefs as well. In practice, it was
|
|
cannam@147
|
247 // never used for real SturdyRefs, only for exporting singleton objects under well-known names.
|
|
cannam@147
|
248 //
|
|
cannam@147
|
249 // The new preferred strategy is to export only a _single_ such interface, called the
|
|
cannam@147
|
250 // "bootstrap interface". That interface can itself have methods for obtaining other objects, of
|
|
cannam@147
|
251 // course, but that is up to the app. `SturdyRefRestorer` exists for backwards-compatibility.
|
|
cannam@147
|
252 //
|
|
cannam@147
|
253 // Hint: Use SturdyRefRestorer<capnp::Text> to define a server that exports services under
|
|
cannam@147
|
254 // string names.
|
|
cannam@147
|
255
|
|
cannam@147
|
256 public:
|
|
cannam@147
|
257 virtual Capability::Client restore(typename SturdyRefObjectId::Reader ref)
|
|
cannam@147
|
258 KJ_DEPRECATED(
|
|
cannam@147
|
259 "Please transition to using bootstrap interfaces instead of SturdyRefRestorer.") = 0;
|
|
cannam@147
|
260 // Restore the given object, returning a capability representing it.
|
|
cannam@147
|
261
|
|
cannam@147
|
262 private:
|
|
cannam@147
|
263 Capability::Client baseRestore(AnyPointer::Reader ref) override final;
|
|
cannam@147
|
264 };
|
|
cannam@147
|
265
|
|
cannam@147
|
266 // =======================================================================================
|
|
cannam@147
|
267 // VatNetwork
|
|
cannam@147
|
268
|
|
cannam@147
|
269 class OutgoingRpcMessage {
|
|
cannam@147
|
270 // A message to be sent by a `VatNetwork`.
|
|
cannam@147
|
271
|
|
cannam@147
|
272 public:
|
|
cannam@147
|
273 virtual AnyPointer::Builder getBody() = 0;
|
|
cannam@147
|
274 // Get the message body, which the caller may fill in any way it wants. (The standard RPC
|
|
cannam@147
|
275 // implementation initializes it as a Message as defined in rpc.capnp.)
|
|
cannam@147
|
276
|
|
cannam@147
|
277 virtual void send() = 0;
|
|
cannam@147
|
278 // Send the message, or at least put it in a queue to be sent later. Note that the builder
|
|
cannam@147
|
279 // returned by `getBody()` remains valid at least until the `OutgoingRpcMessage` is destroyed.
|
|
cannam@147
|
280 };
|
|
cannam@147
|
281
|
|
cannam@147
|
282 class IncomingRpcMessage {
|
|
cannam@147
|
283 // A message received from a `VatNetwork`.
|
|
cannam@147
|
284
|
|
cannam@147
|
285 public:
|
|
cannam@147
|
286 virtual AnyPointer::Reader getBody() = 0;
|
|
cannam@147
|
287 // Get the message body, to be interpreted by the caller. (The standard RPC implementation
|
|
cannam@147
|
288 // interprets it as a Message as defined in rpc.capnp.)
|
|
cannam@147
|
289 };
|
|
cannam@147
|
290
|
|
cannam@147
|
291 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
292 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
293 class VatNetwork: public _::VatNetworkBase {
|
|
cannam@147
|
294 // Cap'n Proto RPC operates between vats, where a "vat" is some sort of host of objects.
|
|
cannam@147
|
295 // Typically one Cap'n Proto process (in the Unix sense) is one vat. The RPC system is what
|
|
cannam@147
|
296 // allows calls between objects hosted in different vats.
|
|
cannam@147
|
297 //
|
|
cannam@147
|
298 // The RPC implementation sits on top of an implementation of `VatNetwork`. The `VatNetwork`
|
|
cannam@147
|
299 // determines how to form connections between vats -- specifically, two-way, private, reliable,
|
|
cannam@147
|
300 // sequenced datagram connections. The RPC implementation determines how to use such connections
|
|
cannam@147
|
301 // to manage object references and make method calls.
|
|
cannam@147
|
302 //
|
|
cannam@147
|
303 // The most common implementation of VatNetwork is TwoPartyVatNetwork (rpc-twoparty.h). Most
|
|
cannam@147
|
304 // simple client-server apps will want to use it. (You may even want to use the EZ RPC
|
|
cannam@147
|
305 // interfaces in `ez-rpc.h` and avoid all of this.)
|
|
cannam@147
|
306 //
|
|
cannam@147
|
307 // TODO(someday): Provide a standard implementation for the public internet.
|
|
cannam@147
|
308
|
|
cannam@147
|
309 public:
|
|
cannam@147
|
310 class Connection;
|
|
cannam@147
|
311
|
|
cannam@147
|
312 struct ConnectionAndProvisionId {
|
|
cannam@147
|
313 // Result of connecting to a vat introduced by another vat.
|
|
cannam@147
|
314
|
|
cannam@147
|
315 kj::Own<Connection> connection;
|
|
cannam@147
|
316 // Connection to the new vat.
|
|
cannam@147
|
317
|
|
cannam@147
|
318 kj::Own<OutgoingRpcMessage> firstMessage;
|
|
cannam@147
|
319 // An already-allocated `OutgoingRpcMessage` associated with `connection`. The RPC system will
|
|
cannam@147
|
320 // construct this as an `Accept` message and send it.
|
|
cannam@147
|
321
|
|
cannam@147
|
322 Orphan<ProvisionId> provisionId;
|
|
cannam@147
|
323 // A `ProvisionId` already allocated inside `firstMessage`, which the RPC system will use to
|
|
cannam@147
|
324 // build the `Accept` message.
|
|
cannam@147
|
325 };
|
|
cannam@147
|
326
|
|
cannam@147
|
327 class Connection: public _::VatNetworkBase::Connection {
|
|
cannam@147
|
328 // A two-way RPC connection.
|
|
cannam@147
|
329 //
|
|
cannam@147
|
330 // This object may represent a connection that doesn't exist yet, but is expected to exist
|
|
cannam@147
|
331 // in the future. In this case, sent messages will automatically be queued and sent once the
|
|
cannam@147
|
332 // connection is ready, so that the caller doesn't need to know the difference.
|
|
cannam@147
|
333
|
|
cannam@147
|
334 public:
|
|
cannam@147
|
335 // Level 0 features ----------------------------------------------
|
|
cannam@147
|
336
|
|
cannam@147
|
337 virtual typename VatId::Reader getPeerVatId() = 0;
|
|
cannam@147
|
338 // Returns the connected vat's authenticated VatId. It is the VatNetwork's responsibility to
|
|
cannam@147
|
339 // authenticate this, so that the caller can be assured that they are really talking to the
|
|
cannam@147
|
340 // identified vat and not an imposter.
|
|
cannam@147
|
341
|
|
cannam@147
|
342 virtual kj::Own<OutgoingRpcMessage> newOutgoingMessage(uint firstSegmentWordSize) override = 0;
|
|
cannam@147
|
343 // Allocate a new message to be sent on this connection.
|
|
cannam@147
|
344 //
|
|
cannam@147
|
345 // If `firstSegmentWordSize` is non-zero, it should be treated as a hint suggesting how large
|
|
cannam@147
|
346 // to make the first segment. This is entirely a hint and the connection may adjust it up or
|
|
cannam@147
|
347 // down. If it is zero, the connection should choose the size itself.
|
|
cannam@147
|
348
|
|
cannam@147
|
349 virtual kj::Promise<kj::Maybe<kj::Own<IncomingRpcMessage>>> receiveIncomingMessage() override = 0;
|
|
cannam@147
|
350 // Wait for a message to be received and return it. If the read stream cleanly terminates,
|
|
cannam@147
|
351 // return null. If any other problem occurs, throw an exception.
|
|
cannam@147
|
352
|
|
cannam@147
|
353 virtual kj::Promise<void> shutdown() override KJ_WARN_UNUSED_RESULT = 0;
|
|
cannam@147
|
354 // Waits until all outgoing messages have been sent, then shuts down the outgoing stream. The
|
|
cannam@147
|
355 // returned promise resolves after shutdown is complete.
|
|
cannam@147
|
356
|
|
cannam@147
|
357 private:
|
|
cannam@147
|
358 AnyStruct::Reader baseGetPeerVatId() override;
|
|
cannam@147
|
359 };
|
|
cannam@147
|
360
|
|
cannam@147
|
361 // Level 0 features ------------------------------------------------
|
|
cannam@147
|
362
|
|
cannam@147
|
363 virtual kj::Maybe<kj::Own<Connection>> connect(typename VatId::Reader hostId) = 0;
|
|
cannam@147
|
364 // Connect to a VatId. Note that this method immediately returns a `Connection`, even
|
|
cannam@147
|
365 // if the network connection has not yet been established. Messages can be queued to this
|
|
cannam@147
|
366 // connection and will be delivered once it is open. The caller must attempt to read from the
|
|
cannam@147
|
367 // connection to verify that it actually succeeded; the read will fail if the connection
|
|
cannam@147
|
368 // couldn't be opened. Some network implementations may actually start sending messages before
|
|
cannam@147
|
369 // hearing back from the server at all, to avoid a round trip.
|
|
cannam@147
|
370 //
|
|
cannam@147
|
371 // Returns nullptr if `hostId` refers to the local host.
|
|
cannam@147
|
372
|
|
cannam@147
|
373 virtual kj::Promise<kj::Own<Connection>> accept() = 0;
|
|
cannam@147
|
374 // Wait for the next incoming connection and return it.
|
|
cannam@147
|
375
|
|
cannam@147
|
376 // Level 4 features ------------------------------------------------
|
|
cannam@147
|
377 // TODO(someday)
|
|
cannam@147
|
378
|
|
cannam@147
|
379 private:
|
|
cannam@147
|
380 kj::Maybe<kj::Own<_::VatNetworkBase::Connection>>
|
|
cannam@147
|
381 baseConnect(AnyStruct::Reader hostId) override final;
|
|
cannam@147
|
382 kj::Promise<kj::Own<_::VatNetworkBase::Connection>> baseAccept() override final;
|
|
cannam@147
|
383 };
|
|
cannam@147
|
384
|
|
cannam@147
|
385 // =======================================================================================
|
|
cannam@147
|
386 // ***************************************************************************************
|
|
cannam@147
|
387 // Inline implementation details start here
|
|
cannam@147
|
388 // ***************************************************************************************
|
|
cannam@147
|
389 // =======================================================================================
|
|
cannam@147
|
390
|
|
cannam@147
|
391 template <typename VatId>
|
|
cannam@147
|
392 Capability::Client BootstrapFactory<VatId>::baseCreateFor(AnyStruct::Reader clientId) {
|
|
cannam@147
|
393 return createFor(clientId.as<VatId>());
|
|
cannam@147
|
394 }
|
|
cannam@147
|
395
|
|
cannam@147
|
396 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
397 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
398 kj::Maybe<kj::Own<_::VatNetworkBase::Connection>>
|
|
cannam@147
|
399 VatNetwork<SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::
|
|
cannam@147
|
400 baseConnect(AnyStruct::Reader ref) {
|
|
cannam@147
|
401 auto maybe = connect(ref.as<SturdyRef>());
|
|
cannam@147
|
402 return maybe.map([](kj::Own<Connection>& conn) -> kj::Own<_::VatNetworkBase::Connection> {
|
|
cannam@147
|
403 return kj::mv(conn);
|
|
cannam@147
|
404 });
|
|
cannam@147
|
405 }
|
|
cannam@147
|
406
|
|
cannam@147
|
407 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
408 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
409 kj::Promise<kj::Own<_::VatNetworkBase::Connection>>
|
|
cannam@147
|
410 VatNetwork<SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::baseAccept() {
|
|
cannam@147
|
411 return accept().then(
|
|
cannam@147
|
412 [](kj::Own<Connection>&& connection) -> kj::Own<_::VatNetworkBase::Connection> {
|
|
cannam@147
|
413 return kj::mv(connection);
|
|
cannam@147
|
414 });
|
|
cannam@147
|
415 }
|
|
cannam@147
|
416
|
|
cannam@147
|
417 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
418 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
419 AnyStruct::Reader VatNetwork<
|
|
cannam@147
|
420 SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::
|
|
cannam@147
|
421 Connection::baseGetPeerVatId() {
|
|
cannam@147
|
422 return getPeerVatId();
|
|
cannam@147
|
423 }
|
|
cannam@147
|
424
|
|
cannam@147
|
425 template <typename SturdyRef>
|
|
cannam@147
|
426 Capability::Client SturdyRefRestorer<SturdyRef>::baseRestore(AnyPointer::Reader ref) {
|
|
cannam@147
|
427 #pragma GCC diagnostic push
|
|
cannam@147
|
428 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
|
cannam@147
|
429 return restore(ref.getAs<SturdyRef>());
|
|
cannam@147
|
430 #pragma GCC diagnostic pop
|
|
cannam@147
|
431 }
|
|
cannam@147
|
432
|
|
cannam@147
|
433 template <typename VatId>
|
|
cannam@147
|
434 template <typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
435 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
436 RpcSystem<VatId>::RpcSystem(
|
|
cannam@147
|
437 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
438 kj::Maybe<Capability::Client> bootstrap,
|
|
cannam@147
|
439 kj::Maybe<RealmGateway<>::Client> gateway)
|
|
cannam@147
|
440 : _::RpcSystemBase(network, kj::mv(bootstrap), kj::mv(gateway)) {}
|
|
cannam@147
|
441
|
|
cannam@147
|
442 template <typename VatId>
|
|
cannam@147
|
443 template <typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
444 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
445 RpcSystem<VatId>::RpcSystem(
|
|
cannam@147
|
446 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
447 BootstrapFactory<VatId>& bootstrapFactory,
|
|
cannam@147
|
448 kj::Maybe<RealmGateway<>::Client> gateway)
|
|
cannam@147
|
449 : _::RpcSystemBase(network, bootstrapFactory, kj::mv(gateway)) {}
|
|
cannam@147
|
450
|
|
cannam@147
|
451 template <typename VatId>
|
|
cannam@147
|
452 template <typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
453 typename ThirdPartyCapId, typename JoinResult,
|
|
cannam@147
|
454 typename LocalSturdyRefObjectId>
|
|
cannam@147
|
455 RpcSystem<VatId>::RpcSystem(
|
|
cannam@147
|
456 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
457 SturdyRefRestorer<LocalSturdyRefObjectId>& restorer)
|
|
cannam@147
|
458 : _::RpcSystemBase(network, restorer) {}
|
|
cannam@147
|
459
|
|
cannam@147
|
460 template <typename VatId>
|
|
cannam@147
|
461 Capability::Client RpcSystem<VatId>::bootstrap(typename VatId::Reader vatId) {
|
|
cannam@147
|
462 return baseBootstrap(_::PointerHelpers<VatId>::getInternalReader(vatId));
|
|
cannam@147
|
463 }
|
|
cannam@147
|
464
|
|
cannam@147
|
465 template <typename VatId>
|
|
cannam@147
|
466 Capability::Client RpcSystem<VatId>::restore(
|
|
cannam@147
|
467 typename VatId::Reader hostId, AnyPointer::Reader objectId) {
|
|
cannam@147
|
468 return baseRestore(_::PointerHelpers<VatId>::getInternalReader(hostId), objectId);
|
|
cannam@147
|
469 }
|
|
cannam@147
|
470
|
|
cannam@147
|
471 template <typename VatId>
|
|
cannam@147
|
472 inline void RpcSystem<VatId>::setFlowLimit(size_t words) {
|
|
cannam@147
|
473 baseSetFlowLimit(words);
|
|
cannam@147
|
474 }
|
|
cannam@147
|
475
|
|
cannam@147
|
476 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
477 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
478 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
479 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
480 Capability::Client bootstrapInterface) {
|
|
cannam@147
|
481 return RpcSystem<VatId>(network, kj::mv(bootstrapInterface));
|
|
cannam@147
|
482 }
|
|
cannam@147
|
483
|
|
cannam@147
|
484 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
485 typename ThirdPartyCapId, typename JoinResult,
|
|
cannam@147
|
486 typename RealmGatewayClient, typename InternalRef, typename ExternalRef>
|
|
cannam@147
|
487 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
488 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
489 Capability::Client bootstrapInterface, RealmGatewayClient gateway) {
|
|
cannam@147
|
490 return RpcSystem<VatId>(network, kj::mv(bootstrapInterface),
|
|
cannam@147
|
491 gateway.template castAs<RealmGateway<>>());
|
|
cannam@147
|
492 }
|
|
cannam@147
|
493
|
|
cannam@147
|
494 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
495 typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
496 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
497 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
498 BootstrapFactory<VatId>& bootstrapFactory) {
|
|
cannam@147
|
499 return RpcSystem<VatId>(network, bootstrapFactory);
|
|
cannam@147
|
500 }
|
|
cannam@147
|
501
|
|
cannam@147
|
502 template <typename VatId, typename ProvisionId, typename RecipientId,
|
|
cannam@147
|
503 typename ThirdPartyCapId, typename JoinResult,
|
|
cannam@147
|
504 typename RealmGatewayClient, typename InternalRef, typename ExternalRef>
|
|
cannam@147
|
505 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
506 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
507 BootstrapFactory<VatId>& bootstrapFactory, RealmGatewayClient gateway) {
|
|
cannam@147
|
508 return RpcSystem<VatId>(network, bootstrapFactory, gateway.template castAs<RealmGateway<>>());
|
|
cannam@147
|
509 }
|
|
cannam@147
|
510
|
|
cannam@147
|
511 template <typename VatId, typename LocalSturdyRefObjectId,
|
|
cannam@147
|
512 typename ProvisionId, typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
513 RpcSystem<VatId> makeRpcServer(
|
|
cannam@147
|
514 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
515 SturdyRefRestorer<LocalSturdyRefObjectId>& restorer) {
|
|
cannam@147
|
516 return RpcSystem<VatId>(network, restorer);
|
|
cannam@147
|
517 }
|
|
cannam@147
|
518
|
|
cannam@147
|
519 template <typename VatId, typename ProvisionId,
|
|
cannam@147
|
520 typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
|
|
cannam@147
|
521 RpcSystem<VatId> makeRpcClient(
|
|
cannam@147
|
522 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network) {
|
|
cannam@147
|
523 return RpcSystem<VatId>(network, nullptr);
|
|
cannam@147
|
524 }
|
|
cannam@147
|
525
|
|
cannam@147
|
526 template <typename VatId, typename ProvisionId,
|
|
cannam@147
|
527 typename RecipientId, typename ThirdPartyCapId, typename JoinResult,
|
|
cannam@147
|
528 typename RealmGatewayClient, typename InternalRef, typename ExternalRef>
|
|
cannam@147
|
529 RpcSystem<VatId> makeRpcClient(
|
|
cannam@147
|
530 VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
|
|
cannam@147
|
531 RealmGatewayClient gateway) {
|
|
cannam@147
|
532 return RpcSystem<VatId>(network, nullptr, gateway.template castAs<RealmGateway<>>());
|
|
cannam@147
|
533 }
|
|
cannam@147
|
534
|
|
cannam@147
|
535 } // namespace capnp
|
|
cannam@147
|
536
|
|
cannam@147
|
537 #endif // CAPNP_RPC_H_
|
