Merge #355

355: Ensure incoming `TcpStream` connections are closed r=Pagten a=raoulstrackx

Nitro enclaves can bind to a `TcpListener` in the runner. Incoming `TcpStream` connections will be forwarded to the enclave. When the client terminates its connections, the proxy connection in the runner need to be terminated as well.

Co-authored-by: Raoul Strackx <[email protected]>

Author: bors[bot]

Cargo.lock

@@ -4,6 +4,7 @@ members = [
     "fortanix-vme/fortanix-vme-runner",
     "fortanix-vme/tests/outgoing_connection",
     "fortanix-vme/tests/incoming_connection",
+    "fortanix-vme/tests/iron",
     "intel-sgx/aesm-client",
     "intel-sgx/dcap-provider",
     "intel-sgx/dcap-ql-sys",

Cargo.toml

@@ -100,7 +100,7 @@ function cargo_test {
             echo "Success"
 	fi
     else
-	${elf} -- --nocapture > ${out} 2> ${err}
+	RUST_BACKTRACE=full ${elf} -- --nocapture > ${out} 2> ${err}
 
         out=$(cat ${out} | grep -v "#" || true)
         expected=$(cat ./out.expected)

fortanix-vme/ci-common.sh

@@ -51,7 +51,10 @@ function run_tests {
     fi
 }
 
-run_tests outgoing_connection incoming_connection
+run_tests\
+	outgoing_connection \
+	incoming_connection \
+	iron
 
 echo "********************************"
 echo "**    All tests succeeded!    **"

fortanix-vme/ci-fortanixvme.sh

@@ -65,6 +65,7 @@ impl From<SocketAddr> for Addr {
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub enum Response {
     Connected {
+        /// The vsock port the proxy is listening on for an incoming connection
         proxy_port: u32,
     },
     Bound {

fortanix-vme/fortanix-vme-abi/src/lib.rs

@@ -297,13 +297,29 @@ impl Server {
 
             if let Ok(_num) = select(None, Some(&mut read_set), None, None, None) {
                 if read_set.contains(remote.0.as_raw_fd()) {
-                    if let Err(_) = Self::transfer_data(remote.0, remote.1, proxy.0, proxy.1) {
-                        break;
+                    match Self::transfer_data(remote.0, remote.1, proxy.0, proxy.1) {
+                        Ok(0)  => {
+                            // According to the `Read` threat documentation, reading 0 bytes
+                            // indicates that the connection has been shutdown correctly. So we
+                            // close the proxy service
+                            // https://doc.rust-lang.org/std/io/trait.Read.html#tymethod.read
+                            break
+                        },
+                        Ok(_)  => (),
+                        Err(e) => {
+                            eprintln!("transfer from remote failed: {:?}", e);
+                            break;
+                        }
                     }
                 }
                 if read_set.contains(proxy.0.as_raw_fd()) {
-                    if let Err(_) = Self::transfer_data(proxy.0, proxy.1, remote.0, remote.1) {
-                        break;
+                    match Self::transfer_data(proxy.0, proxy.1, remote.0, remote.1) {
+                        Ok(0)  => break,
+                        Ok(_)  => (),
+                        Err(e) => {
+                            eprintln!("transfer from proxy failed: {:?}", e);
+                            break;
+                        }
                     }
                 }
             }

fortanix-vme/fortanix-vme-runner/src/lib.rs

@@ -0,0 +1,10 @@
+[package]
+name = "iron"
+version = "0.1.0"
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+iron = "0.6.1"
+time = "0.3.5"

fortanix-vme/tests/iron/Cargo.toml

@@ -0,0 +1,3 @@
+count = 0
+count = 1
+count = 2

fortanix-vme/tests/iron/out.expected

@@ -0,0 +1,49 @@
+#![feature(once_cell)]
+use iron::prelude::*;
+use iron::{BeforeMiddleware, AfterMiddleware, typemap};
+use std::lazy::SyncOnceCell;
+use std::sync::Mutex;
+use time;
+
+static NUM_SUCCEEDING_CONNECTIONS: SyncOnceCell<Mutex<u32>> = SyncOnceCell::new();
+
+fn signal_success() {
+    let mut count = NUM_SUCCEEDING_CONNECTIONS.get_or_init(|| Mutex::new(0)).lock().unwrap();
+    println!("count = {}", count);
+    *count = *count + 1;
+    if *count == 3 {
+        std::process::exit(0);
+    }
+}
+
+struct ResponseTime;
+
+impl typemap::Key for ResponseTime { type Value = time::Instant; }
+
+impl BeforeMiddleware for ResponseTime {
+    fn before(&self, req: &mut Request) -> IronResult<()> {
+        req.extensions.insert::<ResponseTime>(time::Instant::now());
+        Ok(())
+    }
+}
+
+impl AfterMiddleware for ResponseTime {
+    fn after(&self, req: &mut Request, res: Response) -> IronResult<Response> {
+        let delta = time::Instant::now() - *req.extensions.get::<ResponseTime>().unwrap();
+        println!("# Request took: {} ns", delta.whole_nanoseconds());
+        signal_success();
+        Ok(res)
+    }
+}
+
+fn hello_world(_: &mut Request) -> IronResult<Response> {
+    Ok(Response::with((iron::status::Ok, "Hello World")))
+}
+
+fn main() {
+    let mut chain = Chain::new(hello_world);
+    chain.link_before(ResponseTime);
+    chain.link_after(ResponseTime);
+    let iron = Iron::new(chain);
+    iron.http("127.0.0.1:3000").unwrap();
+}

fortanix-vme/tests/iron/src/main.rs

@@ -0,0 +1,8 @@
+#!/bin/bash -ex
+
+while [ true ]
+do
+  echo "Interacting with test"
+  timeout 1s curl -k localhost:3000 || true
+  sleep 5s
+done