Merge pull request #1913 from itowlson/dep-breaking-loader

Break `loader` dependency on wasmtime

Author: itowlson

Cargo.lock

@@ -15,7 +15,7 @@ glob = "0.3.0"
 itertools = "0.10.3"
 lazy_static = "1.4.0"
 mime_guess = { version = "2.0" }
-outbound-http = { path = "../outbound-http" }
+outbound-http = { path = "../outbound-http", default-features = false }
 path-absolutize = "3.0.11"
 regex = "1.5.4"
 reqwest = "0.11.9"
@@ -26,7 +26,6 @@ sha2 = "0.10.8"
 shellexpand = "3.1"
 spin-locked-app = { path = "../locked-app" }
 spin-common = { path = "../common" }
-spin-config = { path = "../config" }
 spin-manifest = { path = "../manifest" }
 tempfile = "3.8.0"
 terminal = { path = "../terminal" }

crates/loader/Cargo.toml

@@ -11,9 +11,14 @@ doctest = false
 anyhow  = "1.0"
 http = "0.2"
 reqwest = { version = "0.11", features = ["gzip"] }
-spin-app = { path = "../app" }
-spin-core = { path = "../core" }
-spin-world = { path = "../world" }
+spin-app = { path = "../app", optional = true }
+spin-core = { path = "../core", optional = true }
+spin-locked-app = { path = "../locked-app" }
+spin-world = { path = "../world", optional = true }
 terminal = { path = "../terminal" }
 tracing = { workspace = true }
 url = "2.2.1"
+
+[features]
+default = ["runtime"]
+runtime = ["dep:spin-app", "dep:spin-core", "dep:spin-world"]

crates/outbound-http/Cargo.toml

@@ -4,7 +4,7 @@ use spin_app::DynamicHostComponent;
 use spin_core::{Data, HostComponent, Linker};
 use spin_world::v1::http;
 
-use crate::{allowed_http_hosts::parse_allowed_http_hosts, OutboundHttp};
+use crate::{allowed_http_hosts::parse_allowed_http_hosts, host_impl::OutboundHttp};
 
 pub struct OutboundHttpComponent;
 

crates/outbound-http/src/host_component.rs

@@ -0,0 +1,172 @@
+use anyhow::Result;
+use http::HeaderMap;
+use reqwest::{Client, Url};
+use spin_core::async_trait;
+use spin_world::v1::{
+    http as outbound_http,
+    http_types::{Headers, HttpError, Method, Request, Response},
+};
+
+use crate::allowed_http_hosts::AllowedHttpHosts;
+
+/// A very simple implementation for outbound HTTP requests.
+#[derive(Default, Clone)]
+pub struct OutboundHttp {
+    /// List of hosts guest modules are allowed to make requests to.
+    pub allowed_hosts: AllowedHttpHosts,
+    /// During an incoming HTTP request, origin is set to the host of that incoming HTTP request.
+    /// This is used to direct outbound requests to the same host when allowed.
+    pub origin: String,
+    client: Option<Client>,
+}
+
+impl OutboundHttp {
+    /// Check if guest module is allowed to send request to URL, based on the list of
+    /// allowed hosts defined by the runtime. If the url passed in is a relative path,
+    /// only allow if allowed_hosts contains `self`. If the list of allowed hosts contains
+    /// `insecure:allow-all`, then all hosts are allowed.
+    /// If `None` is passed, the guest module is not allowed to send the request.
+    fn is_allowed(&mut self, url: &str) -> Result<bool, HttpError> {
+        if url.starts_with('/') {
+            return Ok(self.allowed_hosts.allow_relative_url());
+        }
+
+        let url = Url::parse(url).map_err(|_| HttpError::InvalidUrl)?;
+        Ok(self.allowed_hosts.allow(&url))
+    }
+}
+
+#[async_trait]
+impl outbound_http::Host for OutboundHttp {
+    async fn send_request(&mut self, req: Request) -> Result<Result<Response, HttpError>> {
+        Ok(async {
+            tracing::log::trace!("Attempting to send outbound HTTP request to {}", req.uri);
+            if !self
+                .is_allowed(&req.uri)
+                .map_err(|_| HttpError::RuntimeError)?
+            {
+                tracing::log::info!("Destination not allowed: {}", req.uri);
+                if let Some(host) = host(&req.uri) {
+                    terminal::warn!("A component tried to make a HTTP request to non-allowed host '{host}'.");
+                    eprintln!("To allow requests, add 'allowed_http_hosts = [\"{host}\"]' to the manifest component section.");
+                }
+                return Err(HttpError::DestinationNotAllowed);
+            }
+
+            let method = method_from(req.method);
+
+            let abs_url = if req.uri.starts_with('/') {
+                format!("{}{}", self.origin, req.uri)
+            } else {
+                req.uri.clone()
+            };
+
+            let req_url = Url::parse(&abs_url).map_err(|_| HttpError::InvalidUrl)?;
+
+            let headers = request_headers(req.headers).map_err(|_| HttpError::RuntimeError)?;
+            let body = req.body.unwrap_or_default().to_vec();
+
+            if !req.params.is_empty() {
+                tracing::log::warn!("HTTP params field is deprecated");
+            }
+
+            // Allow reuse of Client's internal connection pool for multiple requests
+            // in a single component execution
+            let client = self.client.get_or_insert_with(Default::default);
+
+            let resp = client
+                .request(method, req_url)
+                .headers(headers)
+                .body(body)
+                .send()
+                .await
+                .map_err(log_reqwest_error)?;
+            tracing::log::trace!("Returning response from outbound request to {}", req.uri);
+            response_from_reqwest(resp).await
+        }
+        .await)
+    }
+}
+
+fn log_reqwest_error(err: reqwest::Error) -> HttpError {
+    let error_desc = if err.is_timeout() {
+        "timeout error"
+    } else if err.is_connect() {
+        "connection error"
+    } else if err.is_body() || err.is_decode() {
+        "message body error"
+    } else if err.is_request() {
+        "request error"
+    } else {
+        "error"
+    };
+    tracing::warn!(
+        "Outbound HTTP {}: URL {}, error detail {:?}",
+        error_desc,
+        err.url()
+            .map(|u| u.to_string())
+            .unwrap_or_else(|| "<unknown>".to_owned()),
+        err
+    );
+    HttpError::RuntimeError
+}
+
+fn method_from(m: Method) -> http::Method {
+    match m {
+        Method::Get => http::Method::GET,
+        Method::Post => http::Method::POST,
+        Method::Put => http::Method::PUT,
+        Method::Delete => http::Method::DELETE,
+        Method::Patch => http::Method::PATCH,
+        Method::Head => http::Method::HEAD,
+        Method::Options => http::Method::OPTIONS,
+    }
+}
+
+async fn response_from_reqwest(res: reqwest::Response) -> Result<Response, HttpError> {
+    let status = res.status().as_u16();
+    let headers = response_headers(res.headers()).map_err(|_| HttpError::RuntimeError)?;
+
+    let body = Some(
+        res.bytes()
+            .await
+            .map_err(|_| HttpError::RuntimeError)?
+            .to_vec(),
+    );
+
+    Ok(Response {
+        status,
+        headers,
+        body,
+    })
+}
+
+fn request_headers(h: Headers) -> anyhow::Result<HeaderMap> {
+    let mut res = HeaderMap::new();
+    for (k, v) in h {
+        res.insert(
+            http::header::HeaderName::try_from(k)?,
+            http::header::HeaderValue::try_from(v)?,
+        );
+    }
+    Ok(res)
+}
+
+fn response_headers(h: &HeaderMap) -> anyhow::Result<Option<Vec<(String, String)>>> {
+    let mut res: Vec<(String, String)> = vec![];
+
+    for (k, v) in h {
+        res.push((
+            k.to_string(),
+            std::str::from_utf8(v.as_bytes())?.to_string(),
+        ));
+    }
+
+    Ok(Some(res))
+}
+
+fn host(url: &str) -> Option<String> {
+    url::Url::parse(url)
+        .ok()
+        .and_then(|u| u.host().map(|h| h.to_string()))
+}