cannam@147: // Copyright (c) 2015 Sandstorm Development Group, Inc. and contributors cannam@147: // Licensed under the MIT License: cannam@147: // cannam@147: // Permission is hereby granted, free of charge, to any person obtaining a copy cannam@147: // of this software and associated documentation files (the "Software"), to deal cannam@147: // in the Software without restriction, including without limitation the rights cannam@147: // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell cannam@147: // copies of the Software, and to permit persons to whom the Software is cannam@147: // furnished to do so, subject to the following conditions: cannam@147: // cannam@147: // The above copyright notice and this permission notice shall be included in cannam@147: // all copies or substantial portions of the Software. cannam@147: // cannam@147: // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR cannam@147: // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, cannam@147: // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE cannam@147: // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER cannam@147: // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, cannam@147: // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN cannam@147: // THE SOFTWARE. cannam@147: cannam@147: #ifndef CAPNP_MEMBRANE_H_ cannam@147: #define CAPNP_MEMBRANE_H_ cannam@147: // In capability theory, a "membrane" is a wrapper around a capability which (usually) forwards cannam@147: // calls but recursively wraps capabilities in those calls in the same membrane. The purpose of a cannam@147: // membrane is to enforce a barrier between two capabilities that cannot be bypassed by merely cannam@147: // introducing new objects. cannam@147: // cannam@147: // The most common use case for a membrane is revocation: Say Alice wants to give Bob a capability cannam@147: // to access Carol, but wants to be able to revoke this capability later. Alice can accomplish this cannam@147: // by wrapping Carol in a revokable wrapper which passes through calls until such a time as Alice cannam@147: // indicates it should be revoked, after which all calls through the wrapper will throw exceptions. cannam@147: // However, a naive wrapper approach has a problem: if Bob makes a call to Carol and sends a new cannam@147: // capability in that call, or if Carol returns a capability to Bob in the response to a call, then cannam@147: // the two are now able to communicate using this new capability, which Alice cannot revoke. In cannam@147: // order to avoid this problem, Alice must use not just a wrapper but a "membrane", which cannam@147: // recursively wraps all objects that pass through it in either direction. Thus, all connections cannam@147: // formed between Bob and Carol (originating from Alice's original introduction) can be revoked cannam@147: // together by revoking the membrane. cannam@147: // cannam@147: // Note that when a capability is passed into a membrane and then passed back out, the result is cannam@147: // the original capability, not a double-membraned capability. This means that in our revocation cannam@147: // example, if Bob uses his capability to Carol to obtain another capability from her, then send cannam@147: // it back to her, the capability Carol receives back will NOT be revoked when Bob's access to cannam@147: // Carol is revoked. Thus Bob can create long-term irrevocable connections. In most practical use cannam@147: // cases, this is what you want. APIs commonly rely on the fact that a capability obtained and then cannam@147: // passed back can be recognized as the original capability. cannam@147: // cannam@147: // Mark Miller on membranes: http://www.eros-os.org/pipermail/e-lang/2003-January/008434.html cannam@147: cannam@147: #include "capability.h" cannam@147: cannam@147: namespace capnp { cannam@147: cannam@147: class MembranePolicy { cannam@147: // Applications may implement this interface to define a membrane policy, which allows some cannam@147: // calls crossing the membrane to be blocked or redirected. cannam@147: cannam@147: public: cannam@147: virtual kj::Maybe inboundCall( cannam@147: uint64_t interfaceId, uint16_t methodId, Capability::Client target) = 0; cannam@147: // Given an inbound call (a call originating "outside" the membrane destined for an object cannam@147: // "inside" the membrane), decides what to do with it. The policy may: cannam@147: // cannam@147: // - Return null to indicate that the call should proceed to the destination. All capabilities cannam@147: // in the parameters or result will be properly wrapped in the same membrane. cannam@147: // - Return a capability to have the call redirected to that capability. Note that the redirect cannam@147: // capability will be treated as outside the membrane, so the params and results will not be cannam@147: // auto-wrapped; however, the callee can easily wrap the returned capability in the membrane cannam@147: // itself before returning to achieve this effect. cannam@147: // - Throw an exception to cause the call to fail with that exception. cannam@147: // cannam@147: // `target` is the underlying capability (*inside* the membrane) for which the call is destined. cannam@147: // Generally, the only way you should use `target` is to wrap it in some capability which you cannam@147: // return as a redirect. The redirect capability may modify the call in some way and send it to cannam@147: // `target`. Be careful to use `copyIntoMembrane()` and `copyOutOfMembrane()` as appropriate when cannam@147: // copying parameters or results across the membrane. cannam@147: // cannam@147: // Note that since `target` is inside the capability, if you were to directly return it (rather cannam@147: // than return null), the effect would be that the membrane would be broken: the call would cannam@147: // proceed directly and any new capabilities introduced through it would not be membraned. You cannam@147: // generally should not do that. cannam@147: cannam@147: virtual kj::Maybe outboundCall( cannam@147: uint64_t interfaceId, uint16_t methodId, Capability::Client target) = 0; cannam@147: // Like `inboundCall()`, but applies to calls originating *inside* the membrane and terminating cannam@147: // outside. cannam@147: // cannam@147: // Note: It is strongly recommended that `outboundCall()` returns null in exactly the same cases cannam@147: // that `inboundCall()` return null. Conversely, for any case where `inboundCall()` would cannam@147: // redirect or throw, `outboundCall()` should also redirect or throw. Otherwise, you can run cannam@147: // into inconsistent behavion when a promise is returned across a membrane, and that promise cannam@147: // later resolves to a capability on the other side of the membrane: calls on the promise cannam@147: // will enter and then exit the membrane, but calls on the eventual resolution will not cross cannam@147: // the membrane at all, so it is important that these two cases behave the same. cannam@147: cannam@147: virtual kj::Own addRef() = 0; cannam@147: // Return a new owned pointer to the same policy. cannam@147: // cannam@147: // Typically an implementation of MembranePolicy should also inherit kj::Refcounted and implement cannam@147: // `addRef()` as `return kj::addRef(*this);`. cannam@147: // cannam@147: // Note that the membraning system considers two membranes created with the same MembranePolicy cannam@147: // object actually to be the *same* membrane. This is relevant when an object passes into the cannam@147: // membrane and then back out (or out and then back in): instead of double-wrapping the object, cannam@147: // the wrapping will be removed. cannam@147: }; cannam@147: cannam@147: Capability::Client membrane(Capability::Client inner, kj::Own policy); cannam@147: // Wrap `inner` in a membrane specified by `policy`. `inner` is considered "inside" the membrane, cannam@147: // while the returned capability should only be called from outside the membrane. cannam@147: cannam@147: Capability::Client reverseMembrane(Capability::Client outer, kj::Own policy); cannam@147: // Like `membrane` but treat the input capability as "outside" the membrane, and return a cannam@147: // capability appropriate for use inside. cannam@147: // cannam@147: // Applications typically won't use this directly; the membraning code automatically sets up cannam@147: // reverse membranes where needed. cannam@147: cannam@147: template cannam@147: ClientType membrane(ClientType inner, kj::Own policy); cannam@147: template cannam@147: ClientType reverseMembrane(ClientType inner, kj::Own policy); cannam@147: // Convenience templates which return the same interface type as the input. cannam@147: cannam@147: template cannam@147: typename ServerType::Serves::Client membrane( cannam@147: kj::Own inner, kj::Own policy); cannam@147: template cannam@147: typename ServerType::Serves::Client reverseMembrane( cannam@147: kj::Own inner, kj::Own policy); cannam@147: // Convenience templates which input a capability server type and return the appropriate client cannam@147: // type. cannam@147: cannam@147: template cannam@147: Orphan::Reads> copyIntoMembrane( cannam@147: Reader&& from, Orphanage to, kj::Own policy); cannam@147: // Copy a Cap'n Proto object (e.g. struct or list), adding the given membrane to any capabilities cannam@147: // found within it. `from` is interpreted as "outside" the membrane while `to` is "inside". cannam@147: cannam@147: template cannam@147: Orphan::Reads> copyOutOfMembrane( cannam@147: Reader&& from, Orphanage to, kj::Own policy); cannam@147: // Like copyIntoMembrane() except that `from` is "inside" the membrane and `to` is "outside". cannam@147: cannam@147: // ======================================================================================= cannam@147: // inline implementation details cannam@147: cannam@147: template cannam@147: ClientType membrane(ClientType inner, kj::Own policy) { cannam@147: return membrane(Capability::Client(kj::mv(inner)), kj::mv(policy)) cannam@147: .castAs(); cannam@147: } cannam@147: template cannam@147: ClientType reverseMembrane(ClientType inner, kj::Own policy) { cannam@147: return reverseMembrane(Capability::Client(kj::mv(inner)), kj::mv(policy)) cannam@147: .castAs(); cannam@147: } cannam@147: cannam@147: template cannam@147: typename ServerType::Serves::Client membrane( cannam@147: kj::Own inner, kj::Own policy) { cannam@147: return membrane(Capability::Client(kj::mv(inner)), kj::mv(policy)) cannam@147: .castAs(); cannam@147: } cannam@147: template cannam@147: typename ServerType::Serves::Client reverseMembrane( cannam@147: kj::Own inner, kj::Own policy) { cannam@147: return reverseMembrane(Capability::Client(kj::mv(inner)), kj::mv(policy)) cannam@147: .castAs(); cannam@147: } cannam@147: cannam@147: namespace _ { // private cannam@147: cannam@147: OrphanBuilder copyOutOfMembrane(PointerReader from, Orphanage to, cannam@147: kj::Own policy, bool reverse); cannam@147: OrphanBuilder copyOutOfMembrane(StructReader from, Orphanage to, cannam@147: kj::Own policy, bool reverse); cannam@147: OrphanBuilder copyOutOfMembrane(ListReader from, Orphanage to, cannam@147: kj::Own policy, bool reverse); cannam@147: cannam@147: } // namespace _ (private) cannam@147: cannam@147: template cannam@147: Orphan::Reads> copyIntoMembrane( cannam@147: Reader&& from, Orphanage to, kj::Own policy) { cannam@147: return _::copyOutOfMembrane( cannam@147: _::PointerHelpers::Reads>::getInternalReader(from), cannam@147: to, kj::mv(policy), true); cannam@147: } cannam@147: cannam@147: template cannam@147: Orphan::Reads> copyOutOfMembrane( cannam@147: Reader&& from, Orphanage to, kj::Own policy) { cannam@147: return _::copyOutOfMembrane( cannam@147: _::PointerHelpers::Reads>::getInternalReader(from), cannam@147: to, kj::mv(policy), false); cannam@147: } cannam@147: cannam@147: } // namespace capnp cannam@147: cannam@147: #endif // CAPNP_MEMBRANE_H_