squib-api 0.2.0

Firecracker-compatible HTTP API server for squib (axum on a Unix domain socket)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

//! Error type and the wire-shape Firecracker uses for failed requests.
//!
//! Status code mapping (per [20-firecracker-api.md §
//! 3](../../../specs/20-firecracker-api.md#3-error-envelope)):
//!
//! - **400 Bad Request** — malformed JSON, missing required fields, invalid enum values, illegal
//!   state transitions, unknown paths (Firecracker collapses 404 to 400 for the wire compat-suite
//!   shape), validation failures.
//! - **413 Payload Too Large** — bodies above `--http-api-max-payload-size`, oversized MMDS data
//!   store mutations.
//! - **500 Internal Server Error** — VMM event loop is gone; rare and logged at `error`.
//! - **504 Gateway Timeout** — squib-only; emitted when a per-action-class timeout ([70-security.md
//!   § 6](../../../specs/70-security.md#6-resource-limits)) fires while the controller awaits the
//!   VMM. Upstream Firecracker has no 504; orchestrators should retry with the same idempotency
//!   key. Documented in `docs/api-deviations.md`.
//!
//! Successful PUT/PATCH/DELETE produce `204 No Content` directly without an `ApiError`.

use axum::{
    Json,
    http::StatusCode,
    response::{IntoResponse, Response},
};
use serde::{Deserialize, Serialize};
use thiserror::Error;

/// Result alias used throughout `squib-api`.
pub type Result<T, E = ApiError> = core::result::Result<T, E>;

/// The exact JSON body upstream Firecracker emits on every failed API call.
///
/// Wire shape:
/// ```json
/// {"fault_message": "Block device with ID 'rootfs' already exists"}
/// ```
///
/// No additional fields, ever — sniffed verbatim by SDKs and `firectl`.
#[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
pub struct FaultMessage {
    /// Human-readable description of what went wrong. Squib makes a best-effort
    /// attempt to mirror upstream's phrasing for known failure modes.
    pub fault_message: String,
}

impl FaultMessage {
    /// Construct a [`FaultMessage`] from a string-like value.
    pub fn new(reason: impl Into<String>) -> Self {
        Self {
            fault_message: reason.into(),
        }
    }
}

/// Errors produced by API handlers, each carrying the HTTP status code Firecracker
/// returns for that class of failure.
///
/// Status codes match upstream where they exist (200 / 204 / 400 / 413 / 500). 504 is
/// squib-only and surfaces the per-action-class timeout taxonomy from [70-security.md
/// § 6](../../../specs/70-security.md#6-resource-limits).
#[derive(Debug, Error)]
pub enum ApiError {
    /// Generic 400 error with a custom fault message — the bulk of validation /
    /// state-machine / parse failures land here.
    #[error("{0}")]
    BadRequest(String),

    /// 413 Payload Too Large — used by the body-size limit middleware and by MMDS
    /// endpoints when the data store would exceed `--mmds-size-limit`.
    #[error("{0}")]
    PayloadTooLarge(String),

    /// 404 Not Found — the path does not match any registered route. We translate this
    /// to a 400 in the response (axum's default 404 is overridden); Firecracker has no
    /// 404 in its surface.
    #[error("Resource not found: {0}")]
    NotFound(String),

    /// 504 Gateway Timeout — squib-only. Emitted when a per-action-class timeout fires
    /// while the controller awaits the VMM. The action remains pending at the VMM
    /// (cancelling it would leave undefined state); the controller logs at `error`.
    /// `&'static str` because the action class name is always known at the call site.
    #[error("VMM action timed out: {0}")]
    Timeout(&'static str),

    /// 500 Internal Server Error — used when the VMM event loop has shut down and a
    /// handler can no longer dispatch. Rare; logged at `error`.
    #[error("internal error: {0}")]
    Internal(String),
}

impl ApiError {
    /// Status code this error variant maps to.
    pub fn status(&self) -> StatusCode {
        match self {
            Self::BadRequest(_) | Self::NotFound(_) => StatusCode::BAD_REQUEST,
            Self::PayloadTooLarge(_) => StatusCode::PAYLOAD_TOO_LARGE,
            Self::Timeout(_) => StatusCode::GATEWAY_TIMEOUT,
            Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,
        }
    }

    /// The exact `fault_message` body string this error surfaces.
    pub fn fault_message(&self) -> String {
        match self {
            Self::BadRequest(s) | Self::PayloadTooLarge(s) | Self::Internal(s) => s.clone(),
            Self::NotFound(path) => format!("No such resource: {path}"),
            Self::Timeout(class) => format!("VMM action timed out: {class}"),
        }
    }
}

impl IntoResponse for ApiError {
    fn into_response(self) -> Response {
        let status = self.status();
        let body = FaultMessage::new(self.fault_message());
        (status, Json(body)).into_response()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn fault_message_serializes_with_correct_field_name() {
        let msg = FaultMessage::new("oops");
        let json = serde_json::to_string(&msg).unwrap();
        assert_eq!(json, r#"{"fault_message":"oops"}"#);
    }

    #[test]
    fn fault_message_round_trips_through_serde() {
        let original = FaultMessage::new("kernel image not found");
        let json = serde_json::to_string(&original).unwrap();
        let back: FaultMessage = serde_json::from_str(&json).unwrap();
        assert_eq!(original, back);
    }

    #[test]
    fn bad_request_maps_to_400() {
        let err = ApiError::BadRequest("bad".into());
        assert_eq!(err.status(), StatusCode::BAD_REQUEST);
    }

    #[test]
    fn payload_too_large_maps_to_413() {
        let err = ApiError::PayloadTooLarge("too big".into());
        assert_eq!(err.status(), StatusCode::PAYLOAD_TOO_LARGE);
    }

    #[test]
    fn not_found_maps_to_400_for_firecracker_parity() {
        let err = ApiError::NotFound("/missing".into());
        assert_eq!(err.status(), StatusCode::BAD_REQUEST);
    }

    #[test]
    fn timeout_maps_to_504() {
        let err = ApiError::Timeout("PUT /actions {InstanceStart}");
        assert_eq!(err.status(), StatusCode::GATEWAY_TIMEOUT);
        assert!(err.fault_message().contains("InstanceStart"));
    }

    #[test]
    fn internal_maps_to_500() {
        let err = ApiError::Internal("event loop gone".into());
        assert_eq!(err.status(), StatusCode::INTERNAL_SERVER_ERROR);
    }

    #[test]
    fn not_found_fault_message_contains_path() {
        let err = ApiError::NotFound("/no-such".into());
        assert_eq!(err.fault_message(), "No such resource: /no-such");
    }
}