factors: Add configure_app hook

Signed-off-by: Lann Martin <[email protected]>

Author: lann

Cargo.lock

@@ -296,6 +296,14 @@ impl<'a, L> AppComponent<'a, L> {
         &self.locked.source
     }
 
+    /// Returns an iterator of environment variable (key, value) pairs.
+    pub fn environment(&self) -> impl IntoIterator<Item = (&str, &str)> {
+        self.locked
+            .env
+            .iter()
+            .map(|(k, v)| (k.as_str(), v.as_str()))
+    }
+
     /// Returns an iterator of [`ContentPath`]s for this component's configured
     /// "directory mounts".
     pub fn files(&self) -> std::slice::Iter<ContentPath> {

crates/app/src/lib.rs

@@ -0,0 +1,16 @@
+[package]
+name = "spin-factor-outbound-networking"
+version = { workspace = true }
+authors = { workspace = true }
+edition = { workspace = true }
+
+[dependencies]
+anyhow = "1"
+ipnet = "2.9.0"
+spin-factor-wasi = { path = "../factor-wasi" }
+spin-factors = { path = "../factors" }
+# TODO: merge with this crate
+spin-outbound-networking = { path = "../outbound-networking" }
+
+[lints]
+workspace = true

crates/factor-outbound-networking/Cargo.toml

@@ -0,0 +1,86 @@
+use std::{collections::HashMap, sync::Arc};
+
+use anyhow::Context;
+use spin_factor_wasi::WasiFactor;
+use spin_factors::{Factor, FactorInstancePreparer, Result, SpinFactors};
+use spin_outbound_networking::{AllowedHostsConfig, HostConfig, PortConfig, ALLOWED_HOSTS_KEY};
+
+pub struct OutboundNetworkingFactor;
+
+impl Factor for OutboundNetworkingFactor {
+    type AppConfig = AppConfig;
+    type InstancePreparer = InstancePreparer;
+    type InstanceState = ();
+
+    fn configure_app<Factors: SpinFactors>(
+        &self,
+        app: &spin_factors::App,
+        _ctx: spin_factors::ConfigureAppContext<Factors>,
+    ) -> Result<Self::AppConfig> {
+        let mut cfg = AppConfig::default();
+        // TODO: resolve resolver resolution
+        let resolver = Default::default();
+        for component in app.components() {
+            if let Some(hosts) = component.get_metadata(ALLOWED_HOSTS_KEY)? {
+                let allowed_hosts = AllowedHostsConfig::parse(&hosts, &resolver)?;
+                cfg.component_allowed_hosts
+                    .insert(component.id().to_string(), Arc::new(allowed_hosts));
+            }
+        }
+        Ok(cfg)
+    }
+}
+
+#[derive(Default)]
+pub struct AppConfig {
+    component_allowed_hosts: HashMap<String, Arc<AllowedHostsConfig>>,
+}
+
+pub struct InstancePreparer {
+    allowed_hosts: Arc<AllowedHostsConfig>,
+}
+
+impl InstancePreparer {
+    pub fn allowed_hosts(&self) -> &Arc<AllowedHostsConfig> {
+        &self.allowed_hosts
+    }
+}
+
+impl FactorInstancePreparer<OutboundNetworkingFactor> for InstancePreparer {
+    fn new<Factors: SpinFactors>(
+        _factor: &OutboundNetworkingFactor,
+        app_component: &spin_factors::AppComponent,
+        mut ctx: spin_factors::PrepareContext<Factors>,
+    ) -> Result<Self> {
+        let allowed_hosts = ctx
+            .app_config::<OutboundNetworkingFactor>()?
+            .component_allowed_hosts
+            .get(app_component.id())
+            .context("missing component")?
+            .clone();
+
+        // Update Wasi socket allowed ports
+        let wasi_preparer = ctx.instance_preparer_mut::<WasiFactor>()?;
+        match &*allowed_hosts {
+            AllowedHostsConfig::All => wasi_preparer.inherit_network(),
+            AllowedHostsConfig::SpecificHosts(configs) => {
+                for config in configs {
+                    if config.scheme().allows_any() {
+                        match (config.host(), config.port()) {
+                            (HostConfig::Cidr(ip_net), PortConfig::Any) => {
+                                wasi_preparer.socket_allow_ports(*ip_net, 0, None)
+                            }
+                            _ => todo!(), // TODO: complete and validate against existing Network TriggerHooks
+                        }
+                    }
+                }
+            }
+        }
+
+        Ok(Self { allowed_hosts })
+    }
+
+    fn prepare(self) -> Result<<OutboundNetworkingFactor as Factor>::InstanceState> {
+        Ok(())
+    }
+}

crates/factor-outbound-networking/src/lib.rs

@@ -5,7 +5,8 @@ authors = { workspace = true }
 edition = { workspace = true }
 
 [dependencies]
-anyhow = "1.0"
+anyhow = "1"
+cap-primitives = "3.0.0"
 spin-factors = { path = "../factors" }
 wasmtime-wasi = { workspace = true }
 

crates/factor-wasi/Cargo.toml

@@ -1,13 +1,28 @@
 pub mod preview1;
 
+use std::path::Path;
+
+use anyhow::ensure;
+use cap_primitives::{ipnet::IpNet, net::Pool};
 use spin_factors::{
-    Factor, FactorInstancePreparer, InitContext, PrepareContext, Result, SpinFactors,
+    AppComponent, Factor, FactorInstancePreparer, InitContext, PrepareContext, Result, SpinFactors,
 };
 use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiView};
 
-pub struct WasiFactor;
+pub struct WasiFactor {
+    files_mounter: Box<dyn FilesMounter>,
+}
+
+impl WasiFactor {
+    pub fn new(files_mounter: impl FilesMounter + 'static) -> Self {
+        Self {
+            files_mounter: Box::new(files_mounter),
+        }
+    }
+}
 
 impl Factor for WasiFactor {
+    type AppConfig = ();
     type InstancePreparer = InstancePreparer;
     type InstanceState = InstanceState;
 
@@ -44,28 +59,107 @@ impl Factor for WasiFactor {
     }
 }
 
+pub trait FilesMounter {
+    fn mount_files(&self, app_component: &AppComponent, ctx: MountFilesContext) -> Result<()>;
+}
+
+pub struct DummyFilesMounter;
+
+impl FilesMounter for DummyFilesMounter {
+    fn mount_files(&self, app_component: &AppComponent, _ctx: MountFilesContext) -> Result<()> {
+        ensure!(
+            app_component.files().next().is_none(),
+            "DummyFilesMounter can't actually mount files"
+        );
+        Ok(())
+    }
+}
+
+pub struct MountFilesContext<'a> {
+    wasi_ctx: &'a mut WasiCtxBuilder,
+}
+
+impl<'a> MountFilesContext<'a> {
+    pub fn preopened_dir(
+        &mut self,
+        host_path: impl AsRef<Path>,
+        guest_path: impl AsRef<str>,
+        writable: bool,
+    ) -> Result<()> {
+        use wasmtime_wasi::{DirPerms, FilePerms};
+        let (dir_perms, file_perms) = if writable {
+            (DirPerms::all(), FilePerms::all())
+        } else {
+            (DirPerms::READ, FilePerms::READ)
+        };
+        self.wasi_ctx
+            .preopened_dir(host_path, guest_path, dir_perms, file_perms)?;
+        Ok(())
+    }
+}
+
 pub struct InstancePreparer {
     wasi_ctx: WasiCtxBuilder,
+    socket_allow_ports: Pool,
 }
 
 impl FactorInstancePreparer<WasiFactor> for InstancePreparer {
+    // NOTE: Replaces WASI parts of AppComponent::apply_store_config
     fn new<Factors: SpinFactors>(
-        _factor: &WasiFactor,
+        factor: &WasiFactor,
+        app_component: &AppComponent,
         _ctx: PrepareContext<Factors>,
     ) -> Result<Self> {
+        let mut wasi_ctx = WasiCtxBuilder::new();
+
+        // Apply environment variables
+        for (key, val) in app_component.environment() {
+            wasi_ctx.env(key, val);
+        }
+
+        // Mount files
+        let mount_ctx = MountFilesContext {
+            wasi_ctx: &mut wasi_ctx,
+        };
+        factor.files_mounter.mount_files(app_component, mount_ctx)?;
+
         Ok(Self {
-            wasi_ctx: WasiCtxBuilder::new(),
+            wasi_ctx,
+            socket_allow_ports: Default::default(),
         })
     }
 
-    fn prepare(mut self) -> Result<InstanceState> {
+    fn prepare(self) -> Result<InstanceState> {
+        let Self {
+            mut wasi_ctx,
+            socket_allow_ports,
+        } = self;
+
+        // Enforce socket_allow_ports
+        wasi_ctx.socket_addr_check(move |addr, _| socket_allow_ports.check_addr(addr).is_ok());
+
         Ok(InstanceState {
-            ctx: self.wasi_ctx.build(),
+            ctx: wasi_ctx.build(),
             table: Default::default(),
         })
     }
 }
 
+impl InstancePreparer {
+    pub fn inherit_network(&mut self) {
+        self.wasi_ctx.inherit_network();
+    }
+
+    pub fn socket_allow_ports(&mut self, ip_net: IpNet, ports_start: u16, ports_end: Option<u16>) {
+        self.socket_allow_ports.insert_ip_net_port_range(
+            ip_net,
+            ports_start,
+            ports_end,
+            cap_primitives::ambient_authority(),
+        );
+    }
+}
+
 pub struct InstanceState {
     ctx: WasiCtx,
     table: ResourceTable,

crates/factor-wasi/src/lib.rs

@@ -1,11 +1,12 @@
 use spin_factors::{
-    Factor, FactorInstancePreparer, InitContext, PrepareContext, Result, SpinFactors,
+    AppComponent, Factor, FactorInstancePreparer, InitContext, PrepareContext, Result, SpinFactors,
 };
 use wasmtime_wasi::{preview1::WasiP1Ctx, WasiCtxBuilder};
 
 pub struct WasiPreview1Factor;
 
 impl Factor for WasiPreview1Factor {
+    type AppConfig = ();
     type InstancePreparer = InstancePreparer;
     type InstanceState = WasiP1Ctx;
 
@@ -21,6 +22,7 @@ pub struct InstancePreparer {
 impl FactorInstancePreparer<WasiPreview1Factor> for InstancePreparer {
     fn new<Factors: SpinFactors>(
         _factor: &WasiPreview1Factor,
+        _app_component: &AppComponent,
         _ctx: PrepareContext<Factors>,
     ) -> Result<Self> {
         Ok(Self {