cellos-supervisor 0.5.1

CellOS execution-cell runner — boots cells in Firecracker microVMs or gVisor, enforces narrow typed authority, emits signed CloudEvents.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

//! HTTP/2 frame layer (RFC 7540 §4 + §6).
//!
//! Pure-byte parsing: takes a slice, returns frame header + payload + the
//! remaining bytes after. No I/O, no allocation beyond the slices it
//! returns.

use super::error::H2ParseError;

/// Default `SETTINGS_MAX_FRAME_SIZE` (RFC 7540 §6.5.2).
pub const DEFAULT_MAX_FRAME_SIZE: u32 = 16_384;

/// HTTP/2 frame types we care about.
#[allow(dead_code)] // referenced in tests + reassembly classifier
pub const FRAME_TYPE_DATA: u8 = 0x0;
pub const FRAME_TYPE_HEADERS: u8 = 0x1;
pub const FRAME_TYPE_SETTINGS: u8 = 0x4;
pub const FRAME_TYPE_CONTINUATION: u8 = 0x9;

/// HEADERS / CONTINUATION frame flags (RFC 7540 §6.2 + §6.10).
pub const FLAG_END_HEADERS: u8 = 0x4;
pub const FLAG_PADDED: u8 = 0x8;
pub const FLAG_PRIORITY: u8 = 0x20;

/// SETTINGS frame flags (RFC 7540 §6.5).
#[allow(dead_code)]
pub const FLAG_SETTINGS_ACK: u8 = 0x1;

/// Fixed-size view of the 9-byte frame header.
pub struct FrameHeader {
    pub length: u32,
    pub frame_type: u8,
    pub flags: u8,
    /// Stream id with the high reserved bit cleared (RFC 7540 §4.1).
    /// scope: required so the per-stream reassembler can key on it
    /// without re-parsing the frame header bytes; legacy single-stream
    /// header reassembly callers ignore the value.
    pub stream_id: u32,
}

/// (header, payload-slice, rest-of-buffer-after-payload).
pub type ParsedFrame<'a> = (FrameHeader, &'a [u8], &'a [u8]);

/// Try to parse one frame off the front of `buf`. Returns `Ok(None)` if
/// fewer than `9 + length` bytes are present.
pub fn parse_one_frame(buf: &[u8]) -> Result<Option<ParsedFrame<'_>>, H2ParseError> {
    const FRAME_HEADER_LEN: usize = 9;
    if buf.len() < FRAME_HEADER_LEN {
        return Ok(None);
    }
    let length = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]);
    if length > DEFAULT_MAX_FRAME_SIZE {
        return Err(H2ParseError::OversizedFrame {
            declared: length,
            max: DEFAULT_MAX_FRAME_SIZE,
        });
    }
    let frame_type = buf[3];
    let flags = buf[4];
    // RFC 7540 §4.1: 1-bit reserved + 31-bit stream identifier.
    let stream_id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7FFF_FFFF;
    let payload_start = FRAME_HEADER_LEN;
    let payload_end = payload_start
        .checked_add(length as usize)
        .ok_or(H2ParseError::MalformedHeaders)?;
    if buf.len() < payload_end {
        return Ok(None);
    }
    let header = FrameHeader {
        length,
        frame_type,
        flags,
        stream_id,
    };
    let payload = &buf[payload_start..payload_end];
    let rest = &buf[payload_end..];
    Ok(Some((header, payload, rest)))
}

/// Peel an optional pad-length prefix and an optional 5-byte PRIORITY
/// section off a HEADERS payload, returning the inner header-block fragment.
pub fn strip_headers_padding_and_priority(
    payload: &[u8],
    flags: u8,
) -> Result<&[u8], H2ParseError> {
    let mut cursor = payload;

    let mut pad_len: usize = 0;
    if flags & FLAG_PADDED != 0 {
        if cursor.is_empty() {
            return Err(H2ParseError::MalformedHeaders);
        }
        pad_len = cursor[0] as usize;
        cursor = &cursor[1..];
    }

    if flags & FLAG_PRIORITY != 0 {
        if cursor.len() < 5 {
            return Err(H2ParseError::MalformedHeaders);
        }
        cursor = &cursor[5..];
    }

    if pad_len > cursor.len() {
        return Err(H2ParseError::PaddingOverflow);
    }
    let inner_len = cursor.len() - pad_len;
    Ok(&cursor[..inner_len])
}