Basic programmability

CMakeLists.txt

@@ -350,6 +350,7 @@ set(CCF_JS_SOURCES
     ${CCF_DIR}/src/js/extensions/ccf/network.cpp
     ${CCF_DIR}/src/js/extensions/ccf/node.cpp
     ${CCF_DIR}/src/js/extensions/ccf/rpc.cpp
+    ${CCF_DIR}/src/js/extensions/ccf/request.cpp
 )
 
 if(COMPILE_TARGET STREQUAL "sgx")
@@ -590,9 +591,7 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
   set(JS_SNP_ATTESTATION_VIRTUAL js_snp_attestation.virtual)
 endif()
 
-set(JS_GENERIC_SOURCES ${CCF_DIR}/src/apps/js_generic/js_generic_base.cpp
-                       ${CCF_DIR}/src/apps/js_generic/request_extension.cpp
-)
+set(JS_GENERIC_SOURCES ${CCF_DIR}/src/apps/js_generic/js_generic_base.cpp)
 if(COMPILE_TARGET STREQUAL "sgx")
   add_enclave_library(js_generic_base.enclave ${JS_GENERIC_SOURCES})
   target_link_libraries(js_generic_base.enclave PUBLIC ccf.enclave)
@@ -1424,6 +1423,11 @@ if(BUILD_TESTS)
                       ${CMAKE_SOURCE_DIR}/samples/apps/logging/js
     )
 
+    add_e2e_test(
+      NAME programmability
+      PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/programmability.py
+    )
+
     # This test uses large requests (so too slow for SAN)
     if(NOT SAN)
       add_e2e_test(

include/ccf/bundle.h

@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+#pragma once
+
+#include "ccf/ds/json.h"
+#include "ccf/endpoint.h"
+
+#include <map>
+#include <string>
+
+namespace ccf::js
+{
+  struct Metadata
+  {
+    std::map<
+      std::string,
+      std::map<std::string, ccf::endpoints::EndpointProperties>>
+      endpoints;
+  };
+  DECLARE_JSON_TYPE(Metadata);
+  DECLARE_JSON_REQUIRED_FIELDS(Metadata, endpoints);
+
+  struct Bundle
+  {
+    std::map<std::string, std::string> modules;
+    Metadata metadata;
+  };
+
+  DECLARE_JSON_TYPE(Bundle);
+  DECLARE_JSON_REQUIRED_FIELDS(Bundle, modules, metadata);
+
+  struct BundleWrapper
+  {
+    Bundle bundle;
+  };
+
+  DECLARE_JSON_TYPE(BundleWrapper);
+  DECLARE_JSON_REQUIRED_FIELDS(BundleWrapper, bundle);
+}

include/ccf/claims_digest.h

@@ -65,4 +65,11 @@ namespace ccf
   {
     ds::json::fill_schema<ClaimsDigest::Digest>(schema);
   }
+
+  static ClaimsDigest empty_claims()
+  {
+    ClaimsDigest cd;
+    cd.set(ClaimsDigest::Digest::Representation());
+    return cd;
+  }
 }

include/ccf/endpoint.h

@@ -28,7 +28,39 @@ namespace ccf::endpoints
       return fmt::format("{} {}", verb.c_str(), uri_path);
     }
   };
+}
+
+namespace kv::serialisers
+{
+  template <>
+  struct BlitSerialiser<ccf::endpoints::EndpointKey>
+  {
+    static SerialisedEntry to_serialised(
+      const ccf::endpoints::EndpointKey& endpoint_key)
+    {
+      auto str =
+        fmt::format("{} {}", endpoint_key.verb.c_str(), endpoint_key.uri_path);
+      return SerialisedEntry(str.begin(), str.end());
+    }
 
+    static ccf::endpoints::EndpointKey from_serialised(
+      const SerialisedEntry& data)
+    {
+      std::string str{data.begin(), data.end()};
+      auto i = str.find(' ');
+      if (i == std::string::npos)
+      {
+        throw std::logic_error("invalid encoding of endpoint key");
+      }
+      auto verb = str.substr(0, i);
+      auto uri_path = str.substr(i + 1);
+      return {uri_path, verb};
+    }
+  };
+}
+
+namespace ccf::endpoints
+{
   DECLARE_JSON_TYPE(EndpointKey);
   DECLARE_JSON_REQUIRED_FIELDS(EndpointKey, uri_path, verb);
 
@@ -467,4 +499,4 @@ struct formatter<ccf::endpoints::ForwardingRequired>
     return format_to(ctx.out(), "{}", s);
   }
 };
-FMT_END_NAMESPACE
+FMT_END_NAMESPACE

include/ccf/endpoints/authentication/js.h

@@ -0,0 +1,150 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+
+#include "ccf/endpoint.h"
+#include "ccf/endpoints/authentication/all_of_auth.h"
+
+namespace ccf
+{
+  using NamedAuthPolicies =
+    std::unordered_map<std::string, std::shared_ptr<ccf::AuthnPolicy>>;
+
+  static inline NamedAuthPolicies& auth_policies_by_name()
+  {
+    static NamedAuthPolicies policies;
+    if (policies.empty())
+    {
+      policies.emplace(
+        ccf::UserCertAuthnPolicy::SECURITY_SCHEME_NAME,
+        ccf::user_cert_auth_policy);
+
+      policies.emplace(
+        ccf::MemberCertAuthnPolicy::SECURITY_SCHEME_NAME,
+        ccf::member_cert_auth_policy);
+
+      policies.emplace(
+        ccf::JwtAuthnPolicy::SECURITY_SCHEME_NAME, ccf::jwt_auth_policy);
+
+      policies.emplace(
+        ccf::UserCOSESign1AuthnPolicy::SECURITY_SCHEME_NAME,
+        ccf::user_cose_sign1_auth_policy);
+
+      policies.emplace(
+        ccf::EmptyAuthnPolicy::SECURITY_SCHEME_NAME, ccf::empty_auth_policy);
+    }
+
+    return policies;
+  }
+
+  static inline std::shared_ptr<ccf::AuthnPolicy> get_policy_by_name(
+    const std::string& name)
+  {
+    auto& policies = auth_policies_by_name();
+    auto it = policies.find(name);
+    if (it == policies.end())
+    {
+      return nullptr;
+    }
+
+    return it->second;
+  }
+
+  template <typename T>
+  static inline constexpr char const* get_policy_name_from_ident(const T*)
+  {
+    if constexpr (std::is_same_v<T, ccf::UserCertAuthnIdentity>)
+    {
+      return ccf::UserCertAuthnPolicy::SECURITY_SCHEME_NAME;
+    }
+    else if constexpr (std::is_same_v<T, ccf::MemberCertAuthnIdentity>)
+    {
+      return ccf::MemberCertAuthnPolicy::SECURITY_SCHEME_NAME;
+    }
+    else if constexpr (std::is_same_v<T, ccf::JwtAuthnIdentity>)
+    {
+      return ccf::JwtAuthnPolicy::SECURITY_SCHEME_NAME;
+    }
+    else if constexpr (std::is_same_v<T, ccf::UserCOSESign1AuthnIdentity>)
+    {
+      return ccf::UserCOSESign1AuthnPolicy::SECURITY_SCHEME_NAME;
+    }
+    else if constexpr (std::is_same_v<T, ccf::MemberCOSESign1AuthnIdentity>)
+    {
+      return ccf::MemberCOSESign1AuthnPolicy::SECURITY_SCHEME_NAME;
+    }
+    else if constexpr (std::is_same_v<T, ccf::EmptyAuthnIdentity>)
+    {
+      return ccf::EmptyAuthnPolicy::SECURITY_SCHEME_NAME;
+    }
+    else
+    {
+      return nullptr;
+    }
+  }
+
+  static inline void instantiate_authn_policies(
+    ccf::endpoints::EndpointDefinition& endpoint)
+  {
+    for (const auto& policy_desc : endpoint.properties.authn_policies)
+    {
+      if (policy_desc.is_string())
+      {
+        const auto policy_name = policy_desc.get<std::string>();
+        auto policy = get_policy_by_name(policy_name);
+        if (policy == nullptr)
+        {
+          throw std::logic_error(
+            fmt::format("Unknown auth policy: {}", policy_name));
+        }
+        endpoint.authn_policies.push_back(std::move(policy));
+      }
+      else
+      {
+        if (policy_desc.is_object())
+        {
+          const auto it = policy_desc.find("all_of");
+          if (it != policy_desc.end())
+          {
+            if (it.value().is_array())
+            {
+              std::vector<std::shared_ptr<ccf::AuthnPolicy>>
+                constituent_policies;
+              for (const auto& val : it.value())
+              {
+                if (!val.is_string())
+                {
+                  constituent_policies.clear();
+                  break;
+                }
+
+                const auto policy_name = val.get<std::string>();
+                auto policy = get_policy_by_name(policy_name);
+                if (policy == nullptr)
+                {
+                  throw std::logic_error(
+                    fmt::format("Unknown auth policy: {}", policy_name));
+                }
+                constituent_policies.push_back(std::move(policy));
+              }
+
+              if (!constituent_policies.empty())
+              {
+                endpoint.authn_policies.push_back(
+                  std::make_shared<ccf::AllOfAuthnPolicy>(
+                    constituent_policies));
+                continue;
+              }
+            }
+          }
+        }
+
+        // Any failure in above checks falls through to this detailed error.
+        throw std::logic_error(fmt::format(
+          "Unsupported auth policy. Policies must be either a string, or an "
+          "object containing an \"all_of\" key with list-of-strings value. "
+          "Unsupported value: {}",
+          policy_desc.dump()));
+      }
+    }
+  }
+}

src/js/core/context.h → include/ccf/js/core/context.h

@@ -2,11 +2,11 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
+#include "ccf/js/core/runtime.h"
+#include "ccf/js/core/wrapped_value.h"
+#include "ccf/js/extensions/extension_interface.h"
+#include "ccf/js/tx_access.h"
 #include "ccf/pal/locking.h"
-#include "js/core/runtime.h"
-#include "js/core/wrapped_value.h"
-#include "js/extensions/extension_interface.h"
-#include "js/tx_access.h"
 
 #include <chrono>
 #include <quickjs/quickjs-exports.h>

src/js/core/runtime.h → include/ccf/js/core/runtime.h

@@ -2,7 +2,7 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
-#include "kv/kv_types.h"
+#include "ccf/tx.h"
 
 #include <chrono>
 #include <quickjs/quickjs.h>

src/js/core/wrapped_property_enum.h → include/ccf/js/core/wrapped_property_enum.h

@@ -2,8 +2,8 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
-#include "js/core/context.h"
-#include "js/core/wrapped_value.h"
+#include "ccf/js/core/context.h"
+#include "ccf/js/core/wrapped_value.h"
 
 #include <quickjs/quickjs.h>
 

src/js/core/wrapped_value.h → include/ccf/js/core/wrapped_value.h

@@ -2,7 +2,7 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
-#include "js/core/constants.h"
+#include "ccf/js/core/constants.h"
 
 #include <quickjs/quickjs.h>
 #include <string>

src/js/extensions/ccf/consensus.h → include/ccf/js/extensions/ccf/consensus.h

@@ -3,7 +3,7 @@
 #pragma once
 
 #include "ccf/base_endpoint_registry.h"
-#include "js/extensions/extension_interface.h"
+#include "ccf/js/extensions/extension_interface.h"
 
 namespace ccf::js::extensions
 {

src/js/extensions/ccf/converters.h → include/ccf/js/extensions/ccf/converters.h

@@ -2,7 +2,7 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
-#include "js/extensions/extension_interface.h"
+#include "ccf/js/extensions/extension_interface.h"
 
 namespace ccf::js::extensions
 {

src/js/extensions/ccf/crypto.h → include/ccf/js/extensions/ccf/crypto.h

@@ -2,7 +2,7 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
-#include "js/extensions/extension_interface.h"
+#include "ccf/js/extensions/extension_interface.h"
 
 namespace ccf::js::extensions
 {

src/js/extensions/ccf/gov_effects.h → include/ccf/js/extensions/ccf/gov_effects.h

@@ -2,8 +2,8 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
+#include "ccf/js/extensions/extension_interface.h"
 #include "ccf/tx.h"
-#include "js/extensions/extension_interface.h"
 
 namespace ccf::js::extensions
 {

src/js/extensions/ccf/historical.h → include/ccf/js/extensions/ccf/historical.h

@@ -3,7 +3,7 @@
 #pragma once
 
 #include "ccf/historical_queries_interface.h"
-#include "js/extensions/extension_interface.h"
+#include "ccf/js/extensions/extension_interface.h"
 
 #include <quickjs/quickjs.h>
 

src/js/extensions/ccf/host.h → include/ccf/js/extensions/ccf/host.h

@@ -2,8 +2,8 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
+#include "ccf/js/extensions/extension_interface.h"
 #include "ccf/node/host_processes_interface.h"
-#include "js/extensions/extension_interface.h"
 
 namespace ccf::js::extensions
 {

src/js/extensions/ccf/kv.h → include/ccf/js/extensions/ccf/kv.h

@@ -2,8 +2,8 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
+#include "ccf/js/extensions/extension_interface.h"
 #include "ccf/tx.h"
-#include "js/extensions/extension_interface.h"
 
 #include <memory>