pontifex 0.1.4

An abstraction for building and interacting with AWS Nitro enclaves.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

use serde::{Deserialize, Serialize};
use std::{io, sync::Arc};
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio_vsock::{VsockAddr, VsockListener};

pub use crate::utils::CodingKey;
use crate::utils::Stream;

const VMADDR_CID_ANY: u32 = 0xFFFF_FFFF;

/// Errors that can occur when running the server.
#[derive(Debug, thiserror::Error)]
pub enum Error {
	/// Failed to bind to vsock address.
	#[error("Failed to bind to vsock address: {0}")]
	Bind(io::Error),
	/// Failed to connect to NSM.
	#[cfg(feature = "nsm")]
	#[error("Failed to connect to NSM: {0}")]
	NsmConnect(io::Error),
	/// Failed to encode the request payload.
	#[error("encoding failed: {0}")]
	Encoding(rmp_serde::encode::Error),
	/// Failed to decode the request payload.
	#[error("decoding failed: {0}")]
	Decoding(rmp_serde::decode::Error),
	/// Failed to write a payload to the stream.
	#[error("failed to write {0}: {1}")]
	Writing(CodingKey, io::Error),
	/// Failed to read a payload from the stream.
	#[error("failed to read {0}: {1}")]
	Reading(CodingKey, io::Error),
}

/// Listen and process incoming connections on the given port.
///
/// The `process` function is called for each incoming connection and should return a response.
///
/// # Errors
///
/// Errors are returned if the server fails to bind to the given port.
/// Errors will be logged (but not returned) if the server fails to accept a connection or if processing fails.
pub async fn listen<Req, Res, Fut>(
	port: u32,
	process: impl Fn(Req) -> Fut + Send + Sync + 'static,
) -> Result<(), Error>
where
	Res: Serialize + Send,
	Req: for<'de> Deserialize<'de>,
	Fut: Future<Output = Res> + Send,
{
	listen_with_ctx(port, (), move |req, ()| process(req)).await
}

/// Listen and process incoming connections on the given port.
///
/// The `process` function is called for each incoming connection with a copy of the context and should return a response.
///
/// # Errors
///
/// Errors are returned if the server fails to bind to the given port.
/// Errors will be logged (but not returned) if the server fails to accept a connection or if processing fails.
pub async fn listen_with_ctx<Req, Res, Ctx, Fut>(
	port: u32,
	context: Ctx,
	process: impl Fn(Req, Ctx) -> Fut + Send + Sync + 'static,
) -> Result<(), Error>
where
	Res: Serialize + Send,
	Ctx: Clone + Send + 'static,
	Req: for<'de> Deserialize<'de>,
	Fut: Future<Output = Res> + Send,
{
	let listener =
		VsockListener::bind(VsockAddr::new(VMADDR_CID_ANY, port)).map_err(Error::Bind)?;

	tracing::info!("started listening on port {port}");

	// Initialize the secure module global if the feature is enabled.
	#[cfg(feature = "nsm")]
	{
		match crate::SecureModule::connect() {
			Ok(nsm) => {
				crate::nsm::SECURE_MODULE_GLOBAL
					.get_or_init(|| async { nsm })
					.await
			},
			Err(e) => {
				return Err(Error::NsmConnect(e));
			},
		};
	}

	let process = Arc::new(process);
	loop {
		let stream = match listener.accept().await {
			Ok((stream, _)) => Stream::new(stream),
			Err(e) => {
				tracing::debug!("failed to accept connection: {e}");
				continue;
			},
		};

		tracing::trace!("spawning new task to handle connection");

		let context = context.clone();
		let process = process.clone();
		tokio::spawn(async move {
			match process_request(stream, context.clone(), process).await {
				Ok(()) => tracing::debug!("request processed successfully"),
				Err(e) => tracing::error!("failed to process request: {e}"),
			}
		});
	}
}

async fn process_request<Req, Res, Ctx, Fut>(
	mut stream: Stream,
	context: Ctx,
	process: Arc<impl Fn(Req, Ctx) -> Fut + Send + Sync>,
) -> Result<(), Error>
where
	Ctx: Clone,
	Res: Serialize + Send,
	Req: for<'de> Deserialize<'de>,
	Fut: Future<Output = Res> + Send,
{
	let len = stream
		.read_u64()
		.await
		.map_err(|e| Error::Reading(CodingKey::Length, e))?;
	let payload = stream
		.read_exact(len)
		.await
		.map_err(|e| Error::Reading(CodingKey::Payload, e))?;

	let request = rmp_serde::from_slice(&payload).map_err(Error::Decoding)?;

	let response = process(request, context).await;

	let payload = rmp_serde::to_vec(&response).map_err(Error::Encoding)?;
	stream
		.write_u64(payload.len() as u64)
		.await
		.map_err(|e| Error::Writing(CodingKey::Length, e))?;

	stream
		.write_all(&payload)
		.await
		.map_err(|e| Error::Writing(CodingKey::Payload, e))
}