feat: give starred users benefits

- Allow for the max main.wasm size to be set via the CLI.
- Allow starred workload size/lifetime to be set via the CLI.
- Increase defaults for workload size/lifetimes.
- Determine if a user is logged in via server side templates instead of a cookie.
- Use minutes instead of seconds for specifying the lifetime of workloads.

Signed-off-by: Nicholas Farshidmehr <nicholas@profian.com>

Author: definitelynobody

Cargo.lock

@@ -218,16 +218,19 @@ in
       axum = rustPackages."registry+https://github.com/rust-lang/crates.io-index".axum."0.5.11" { inherit profileName; };
       clap = rustPackages."registry+https://github.com/rust-lang/crates.io-index".clap."3.2.8" { inherit profileName; };
       enarx_config = rustPackages."registry+https://github.com/rust-lang/crates.io-index".enarx-config."0.6.1" { inherit profileName; };
+      humansize = rustPackages."registry+https://github.com/rust-lang/crates.io-index".humansize."1.1.1" { inherit profileName; };
       num_cpus = rustPackages."registry+https://github.com/rust-lang/crates.io-index".num_cpus."1.13.1" { inherit profileName; };
       once_cell = rustPackages."registry+https://github.com/rust-lang/crates.io-index".once_cell."1.13.0" { inherit profileName; };
       openidconnect = rustPackages."registry+https://github.com/rust-lang/crates.io-index".openidconnect."2.3.2" { inherit profileName; };
       serde = rustPackages."registry+https://github.com/rust-lang/crates.io-index".serde."1.0.138" { inherit profileName; };
+      serde_json = rustPackages."registry+https://github.com/rust-lang/crates.io-index".serde_json."1.0.82" { inherit profileName; };
       tempfile = rustPackages."registry+https://github.com/rust-lang/crates.io-index".tempfile."3.3.0" { inherit profileName; };
       tokio = rustPackages."registry+https://github.com/rust-lang/crates.io-index".tokio."1.19.2" { inherit profileName; };
       toml = rustPackages."registry+https://github.com/rust-lang/crates.io-index".toml."0.5.9" { inherit profileName; };
       tower_http = rustPackages."registry+https://github.com/rust-lang/crates.io-index".tower-http."0.3.4" { inherit profileName; };
       tracing = rustPackages."registry+https://github.com/rust-lang/crates.io-index".tracing."0.1.35" { inherit profileName; };
       tracing_subscriber = rustPackages."registry+https://github.com/rust-lang/crates.io-index".tracing-subscriber."0.3.14" { inherit profileName; };
+      ureq = rustPackages."registry+https://github.com/rust-lang/crates.io-index".ureq."2.5.0" { inherit profileName; };
       uuid = rustPackages."registry+https://github.com/rust-lang/crates.io-index".uuid."1.1.2" { inherit profileName; };
     };
   });
@@ -697,6 +700,13 @@ in
     src = fetchCratesIo { inherit name version; sha256 = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"; };
   });
 
+  "registry+https://github.com/rust-lang/crates.io-index".humansize."1.1.1" = overridableMkRustCrate (profileName: rec {
+    name = "humansize";
+    version = "1.1.1";
+    registry = "registry+https://github.com/rust-lang/crates.io-index";
+    src = fetchCratesIo { inherit name version; sha256 = "02296996cb8796d7c6e3bc2d9211b7802812d36999a51bb754123ead7d37d026"; };
+  });
+  
   "registry+https://github.com/rust-lang/crates.io-index".hyper."0.14.19" = overridableMkRustCrate (profileName: rec {
     name = "hyper";
     version = "0.14.19";
@@ -1051,7 +1061,7 @@ in
       serde_path_to_error = rustPackages."registry+https://github.com/rust-lang/crates.io-index".serde_path_to_error."0.1.7" { inherit profileName; };
       sha2 = rustPackages."registry+https://github.com/rust-lang/crates.io-index".sha2."0.10.2" { inherit profileName; };
       thiserror = rustPackages."registry+https://github.com/rust-lang/crates.io-index".thiserror."1.0.31" { inherit profileName; };
-      ureq = rustPackages."registry+https://github.com/rust-lang/crates.io-index".ureq."2.4.0" { inherit profileName; };
+      ureq = rustPackages."registry+https://github.com/rust-lang/crates.io-index".ureq."2.5.0" { inherit profileName; };
       url = rustPackages."registry+https://github.com/rust-lang/crates.io-index".url."2.2.2" { inherit profileName; };
     };
   });
@@ -1984,11 +1994,11 @@ in
     src = fetchCratesIo { inherit name version; sha256 = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"; };
   });
 
-  "registry+https://github.com/rust-lang/crates.io-index".ureq."2.4.0" = overridableMkRustCrate (profileName: rec {
+  "registry+https://github.com/rust-lang/crates.io-index".ureq."2.5.0" = overridableMkRustCrate (profileName: rec {
     name = "ureq";
-    version = "2.4.0";
+    version = "2.5.0";
     registry = "registry+https://github.com/rust-lang/crates.io-index";
-    src = fetchCratesIo { inherit name version; sha256 = "9399fa2f927a3d327187cbd201480cee55bee6ac5d3c77dd27f0c6814cff16d5"; };
+    src = fetchCratesIo { inherit name version; sha256 = "b97acb4c28a254fd7a4aeec976c46a7fa404eac4d7c134b30c75144846d7cb8f"; };
     features = builtins.concatLists [
       [ "default" ]
       [ "flate2" ]

Cargo.nix

@@ -14,10 +14,13 @@ uuid = { version = "*", features = ["v4"] }
 once_cell = "1.12.0"
 tempfile = "3.3.0"
 anyhow = { version = "1.0.57", default-features = false, features = ["std"] }
+ureq = { version = "2.5.0", default-features = false }
 clap = { version = "3.2.3", default-features = false, features = ["derive", "std"] }
 openidconnect = { version = "2.3.1", default-features = false, features = ["ureq"] }
 toml = { version = "0.5.9", default-features = false }
 num_cpus = "1.13.1"
 serde = { version = "1.0.136", default-features = false }
-# TODO: use enarx-config when a new version is published
+serde_json = { version = "1.0.82", default-features = false }
 enarx-config = { version = "0.6.1", default-features = false }
+humansize = { version = "1.1.1", default-features = false }
+

Cargo.toml

@@ -3,8 +3,9 @@
 
 use std::ops::Deref;
 
-use crate::redirect;
+use crate::{github, redirect};
 
+use anyhow::{anyhow, bail};
 use axum::extract::{Extension, FromRequest, Query, RequestParts};
 use axum::headers;
 use axum::http::header::SET_COOKIE;
@@ -61,6 +62,22 @@ impl IntoResponse for ClaimsError {
 #[derive(Clone, Debug)]
 pub struct Claims(CoreUserInfoClaims);
 
+impl Claims {
+    // TODO: use auth0 for this instead of github directly: https://github.com/profianinc/benefice/issues/71
+    pub fn has_starred(&self, repo_full_name: &str) -> anyhow::Result<bool> {
+        let (user_type, user_id) = self
+            .subject()
+            .split_once('|')
+            .ok_or_else(|| anyhow!("Failed to extract user id from OpenID subject"))?;
+
+        if user_type != "github" {
+            bail!("Cannot get the stars of a non-github user");
+        }
+
+        github::has_starred(user_id, repo_full_name)
+    }
+}
+
 impl Deref for Claims {
     type Target = CoreUserInfoClaims;
 

src/auth.rs

@@ -0,0 +1,26 @@
+// SPDX-FileCopyrightText: 2022 Profian Inc. <opensource@profian.com>
+// SPDX-License-Identifier: AGPL-3.0-only
+
+use anyhow::{bail, Context};
+use serde::Deserialize;
+
+#[derive(Debug, Deserialize)]
+struct Repo {
+    pub full_name: String,
+}
+
+pub fn has_starred(github_id: &str, repo_full_name: &str) -> anyhow::Result<bool> {
+    let response = ureq::get(&format!("https://api.github.com/user/{github_id}/starred")).call()?;
+
+    if response.status() != 200 {
+        bail!("Failed to get starred repos for user {github_id}");
+    }
+
+    let body = response
+        .into_string()
+        .with_context(|| "Failed to get body from /starred request")?;
+    let repos = serde_json::from_str::<Vec<Repo>>(&body)
+        .with_context(|| "Failed to parse body from /starred request")?;
+
+    Ok(repos.iter().any(|repo| repo.full_name == *repo_full_name))
+}

src/github.rs

@@ -5,9 +5,11 @@
 #![warn(clippy::all, rust_2018_idioms, unused_lifetimes)]
 
 mod auth;
+mod github;
 mod redirect;
 mod templates;
 
+use crate::auth::{Claims, ClaimsError};
 use crate::templates::{HtmlTemplate, RootGetTemplate, UuidGetTemplate};
 
 use std::collections::HashMap;
@@ -18,7 +20,6 @@ use std::process::Stdio;
 use std::sync::Arc;
 use std::time::Duration;
 
-use auth::{Claims, ClaimsError};
 use axum::extract::Multipart;
 use axum::extract::{Extension, Path};
 use axum::http::StatusCode;
@@ -28,6 +29,7 @@ use axum::{Router, Server};
 
 use anyhow::{bail, Context as _};
 use clap::Parser;
+use humansize::{file_size_opts as options, FileSize};
 use once_cell::sync::Lazy;
 use openidconnect::core::{CoreClient, CoreProviderMetadata};
 use openidconnect::ureq::http_client;
@@ -39,12 +41,12 @@ use tokio::process::{Child, Command};
 use tokio::sync::{Mutex, RwLock};
 use tokio::time::{sleep, timeout};
 use tower_http::trace::TraceLayer;
-use tracing::error;
+use tracing::{debug, error};
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 use uuid::Uuid;
 
+const ENARX_REPO: &str = "enarx/enarx";
 const READ_TIMEOUT: Duration = Duration::from_secs(5);
-const WASM_MAX: usize = 50 * 1024 * 1024; // 50 MiB
 const TOML_MAX: usize = 256 * 1024; // 256 KiB
 
 #[allow(dead_code)]
@@ -81,10 +83,22 @@ struct Args {
     #[clap(long, default_value_t = num_cpus::get())]
     jobs: usize,
 
-    /// Job timeout (in seconds).
-    #[clap(long, default_value_t = 15)]
+    /// Max Wasm file size (in bytes, default is 50 MB).
+    #[clap(long, default_value_t = 50 * 1024 * 1024)]
+    workload_max: usize,
+
+    /// Max Wasm file size for starred users (in bytes, default is 50 MB).
+    #[clap(long, default_value_t = 50 * 1024 * 1024)]
+    workload_max_starred: usize,
+
+    /// Job timeout (in minutes).
+    #[clap(long, default_value_t = 5)]
     timeout: u64,
 
+    /// Job timeout for starred users (in minutes).
+    #[clap(long, default_value_t = 30)]
+    timeout_starred: u64,
+
     /// Command to execute, normally path to `enarx` binary.
     /// This command will be executed as: `<cmd> run --wasmcfgfile <path-to-config> <path-to-wasm>`
     #[clap(long, default_value = "enarx")]
@@ -109,7 +123,10 @@ async fn main() -> anyhow::Result<()> {
         addr,
         url,
         jobs,
+        workload_max,
+        workload_max_starred,
         timeout,
+        timeout_starred,
         command,
         oidc_issuer,
         oidc_client,
@@ -185,7 +202,23 @@ async fn main() -> anyhow::Result<()> {
         .route("/:uuid/err", post(uuid_err_post))
         .route(
             "/",
-            get(root_get).post(move |claims, mp| root_post(claims, mp, command, timeout, jobs)),
+            get(move |claims| {
+                root_get(
+                    claims,
+                    (workload_max, workload_max_starred),
+                    (timeout, timeout_starred),
+                )
+            })
+            .post(move |claims, mp| {
+                root_post(
+                    claims,
+                    mp,
+                    command,
+                    (workload_max, workload_max_starred),
+                    (timeout, timeout_starred),
+                    jobs,
+                )
+            }),
         )
         .layer(Extension(openid_client))
         .layer(TraceLayer::new_for_http());
@@ -194,8 +227,43 @@ async fn main() -> anyhow::Result<()> {
     Ok(())
 }
 
-async fn root_get() -> impl IntoResponse {
+async fn root_get(
+    claims: Option<Claims>,
+    workload_max: (usize, usize),
+    timeouts: (u64, u64),
+) -> impl IntoResponse {
+    let logged_in = claims.is_some();
+    let starred = claims
+        .map(|claims| {
+            claims.has_starred(ENARX_REPO).unwrap_or_else(|e| {
+                let user = claims.subject().to_string();
+                error!("Failed to get stars for user {user}: {e}");
+                false
+            })
+        })
+        .unwrap_or(false);
+
     HtmlTemplate(RootGetTemplate {
+        logged_in,
+        starred,
+        workload_upload_limits: (
+            // NOTE: This will only fail if sized are negative: https://docs.rs/humansize/latest/humansize/trait.FileSize.html#errors
+            workload_max
+                .0
+                .file_size(options::CONVENTIONAL)
+                .unwrap_or_else(|e| {
+                    error!("Failed to get human readable size string: {e}");
+                    "?".to_string()
+                }),
+            workload_max
+                .1
+                .file_size(options::CONVENTIONAL)
+                .unwrap_or_else(|e| {
+                    error!("Failed to get human readable size string: {e}");
+                    "?".to_string()
+                }),
+        ),
+        workload_timeouts: timeouts,
         enarx_toml_template: enarx_config::CONFIG_TEMPLATE,
     })
 }
@@ -205,11 +273,26 @@ async fn root_post(
     claims: Result<Claims, ClaimsError>,
     mut multipart: Multipart,
     command: String,
-    timeout: u64,
+    workload_max: (usize, usize),
+    timeouts: (u64, u64),
     jobs: usize,
 ) -> impl IntoResponse {
     let claims = claims.map_err(|e| e.redirect_response().into_response())?;
     let user = claims.subject().to_string();
+    let (wasm_max, timeout) = match claims.has_starred(ENARX_REPO) {
+        Err(e) => {
+            error!("Failed to get stars for user {user}: {e}");
+            return Err(redirect::internal_error().into_response());
+        }
+        Ok(false) => {
+            debug!("{user} is NOT a starred user");
+            (workload_max.0, timeouts.0)
+        }
+        Ok(true) => {
+            debug!("{user} IS a starred user");
+            (workload_max.1, timeouts.1)
+        }
+    };
 
     // Detect too many jobs early.
     {
@@ -257,7 +340,7 @@ async fn root_post(
                     .map_err(|_| StatusCode::BAD_REQUEST.into_response())?
                 {
                     len += chunk.len();
-                    if len > WASM_MAX {
+                    if len > wasm_max {
                         return Err(StatusCode::PAYLOAD_TOO_LARGE.into_response());
                     }
 
@@ -338,6 +421,8 @@ async fn root_post(
     );
 
     tokio::spawn(async move {
+        // Convert from minutes to seconds.
+        let timeout = timeout * 60;
         sleep(Duration::from_secs(timeout)).await;
         OUT.write().await.remove(&uuid);
     });

src/main.rs

@@ -10,6 +10,10 @@ use axum::{
 #[derive(Template)]
 #[template(path = "root_get.html")]
 pub struct RootGetTemplate {
+    pub logged_in: bool,
+    pub starred: bool,
+    pub workload_upload_limits: (String, String),
+    pub workload_timeouts: (u64, u64),
     pub enarx_toml_template: &'static str,
 }