feat(p3): implement wasi:tls#12174
feat(p3): implement wasi:tls#12174rvolosatovs wants to merge 7 commits intobytecodealliance:mainfrom
wasi:tls#12174Conversation
github-actions
bot
added
the
wasmtime:api
rvolosatovs
force-pushed
the
feat/wasip3-tls
branch
3 times, most recently
from
4c9f3b8 to
187b386
Compare
rvolosatovs
force-pushed
the
feat/wasip3-tls
branch
from
187b386 to
84b3548
Compare
alexcrichton
left a comment
alexcrichton
left a comment
There was a problem hiding this comment.
I'm finding host/mod.rs pretty gnarly here especially with Waker logic and such to the point that I'd have to dig more into what rustls is offering here to double-check all the logic. That being said I'd also be fine to defer to @badeend in terms of review on that.
I'll note though that this is a pretty beefy implementation with relatively light testing. Would it be possible to enhance the tests here or does the current test basically not pass unless all the bits and bobs are present?
There was a problem hiding this comment.
I realize that this is duplicating the p2 tests already present, but given that this is basically modeled as "run the thing" that could also be modeled as a p3_cli_* test run as part of tests/all/cli_tests.rs where it bottoms out in wasmtime run -S... foo.wasm.
I might recommend moving more in that direction than having librarified test here to make it a bit more uniform to run tests
crates/wasi-tls/src/p3/host/mod.rs
Outdated
| mod client; | ||
| mod types; | ||
|
|
||
| macro_rules! mk_push { |
There was a problem hiding this comment.
I'm not sure if this was copied from elsewhere, but personally I'd say that these macros are probably overkill given the that they're mostly one-liners around table.$method(thing) and the type annotations on Resource<T> is typically enough to guide everything type-inference wide. The benefit of these macros would be the extra error context information, but given how rarely these will all be triggered I'm not sure it's worth the complexity.
| )) | ||
| } | ||
|
|
||
| async fn connect<T>( |
There was a problem hiding this comment.
connect should perform the handshake and not return before that has succeeded or failed. But in its current form this method doesn't do any I/O.
There was a problem hiding this comment.
In its new form connect awaits the handshake, but doesn't report the status.
Failures during the handshake phase are reported as "success" and only surfaced later on on its streams.
Maybe the easiest way to validate the intended behavior is to update test_tls_invalid_certificate to only rely on the result returned by connect and don't attempt any I/O on the streams/futures afterwards
There was a problem hiding this comment.
Indeed. I would also prefer connect to return an error on connection failures - the only "simple" way of doing that with the existing API I can come up with would be changing handshake oneshot element value to be a Result, would that address your concern?
connectand don't attempt any I/O on the streams/futures afterwards
In current design the guest drives the I/O, so receive stream must be polled for connect to be able to do work. With the existing Wasmtime API, the only way for the host to consume data from a StreamReader is to pipe it into a consumer implementation, that's what receive and send do now - they "register" a consumer. There is no way to deregister a consumer at a later point and there is an additional hazard in that dropping an unpiped StreamReader would leak it. So even if the relevant StreamReaders would be plumbed through to connect implementation and proper bookkeeping would be implemented in drop, we would not be able to directly read bytes from the stream in connect.
The only other option then is for consumer itself to spawn a (Tokio) task - given wasip3 implementation direction and design so far, I believe we want to avoid having to do that unless absolutely necessary. In my personal opinion if we cannot use Rust async machinery directly in host implementation without relying on Tokio tasks and message-passing, it suggests that we should probably revisit the Wasmtime's async support APIs to fix that. I don't think we should be reimplementing https://github.com/bytecodealliance/wasmtime/blob/d42d0b6df22d8d7be21212899a9cae21767c6992/crates/wasi/src/p2/write_stream.rs in wasip3
There was a problem hiding this comment.
The WIT file mentions:
Closing the
cleartextstream will cause aclose_notifypacket to be emitted on the returned output stream.
I don't see where graceful shutdown is handled in the current implementation. I would expect a call to send_close_notify somewhere
There was a problem hiding this comment.
That is what I originally had, but have eventually removed and brought back. The challenge is that send_close_notify can only be called after handshake has finished. I made sure that's the case by carefully arranging the oneshot sends from connect
There was a problem hiding this comment.
The wasi-tls create already has a bunch of these types in crates/wasi-tls/src/lib.rs. E.g. WasiTls<'a>, WasiTlsCtx, WasiTlsCtxBuilder. Can the P3 implementation make use of those existing ones?
There was a problem hiding this comment.
Eventually, these should be unified. The current approach is consistent with all other p3 interface implementations and we do not know yet what will be necessary to implement #12174 (comment)
crates/wasi-tls/src/p3/host/mod.rs
Outdated
| return Poll::Pending; | ||
| } | ||
|
|
||
| let state = match conn.process_new_packets() { |
There was a problem hiding this comment.
I notice process_new_packets appear multiple times in this file.
The rustls documentation mentions that this method should only be called after a successful call to Connection::read_tls. This lines up with how e.g. tokio-rustls does it, where the term process_new_packets appears only once in the entire crate, right after the call to read_tls.
I think only CiphertextConsumer has to use process_new_packets, and the other ones can get by without:
- The returned
statevariable is used as a heuristic for the capacity of.as_direct(..). A fixed size could work too, optionally bounded bydst.remaining(). peer_has_closedis also surfaced from the regularreadcall, when it returns Ok(0)
crates/wasi-tls/src/p3/host/mod.rs
Outdated
| ciphertext_producer.take().map(Waker::wake); | ||
| plaintext_consumer.take().map(Waker::wake); | ||
| plaintext_producer.take().map(Waker::wake); |
There was a problem hiding this comment.
The error returned by process_new_packets only affects the read_tls side. The other directions may still continue to work. From rustls docs:
After an error is received from process_new_packets, you should not call read_tls any more (it will fill up buffers to no purpose). However, you may call the other methods on the connection, including write, send_close_notify, and write_tls. Most likely you will want to call write_tls to send any alerts queued by the error and then close the underlying connection.
So I don't know if waking everybody up is the right thing to do.
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
rvolosatovs
force-pushed
the
feat/wasip3-tls
branch
from
19db609 to
cd81196
Compare
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
There was a problem hiding this comment.
@alexcrichton I've given mod.rs & client.rs two review passes by now.
Once the remaining comments are resolved, I think it mostly checks out albeit still being quite verbose with all the state-machine'y & waker stuff. Don't know how much time we should spend polishing this right now, because if we want to support other backends (see comment above) much of this will need to be revisited anyway.
I'll leave it up for you to decide.
|
|
||
| let Connector { | ||
| receive_tx: Some((receive_prod_tx, receive_cons_tx, receive_err_tx)), | ||
| send_tx: Some((send_prod_tx, send_cons_tx, _send_err_tx)), |
There was a problem hiding this comment.
Is it intentional for _send_err_tx to be dropped here?
There was a problem hiding this comment.
There is no scenario, when an error could be sent on the future returned by send, so yes.
| )) | ||
| } | ||
|
|
||
| async fn connect<T>( |
There was a problem hiding this comment.
In its new form connect awaits the handshake, but doesn't report the status.
Failures during the handshake phase are reported as "success" and only surfaced later on on its streams.
Maybe the easiest way to validate the intended behavior is to update test_tls_invalid_certificate to only rely on the result returned by connect and don't attempt any I/O on the streams/futures afterwards
There was a problem hiding this comment.
I was intending to follow-up on this later in the week, but as I received another review from @badeend I'll just go ahead and write a reply now:
First, for context, the implementation was done for the original version of the interface I proposed in WebAssembly/wasi-tls@91f93ce - it was later hastily adapted to match the OOP-centric design that was suggested in WebAssembly/wasi-tls#17 (comment)
The intention of this PR was only to build a PoC - that has now been achieved.
In it's current state the implementation is very brittle and PoC quality at best. That said, I struggle to see a way to implement this "nicely" given the APIs we have today. I do believe that the original interface version I proposed in WebAssembly/wasi-tls@91f93ce would allow for a much nicer and simpler host implementation.
Short-term I will not have either the time or incentive to fully address feedback on this PR and/or maintain this code. I don't think I will work on this PR any time soon (if ever).
I would not like to stall progress on this, therefore, I see a few options:
| )) | ||
| } | ||
|
|
||
| async fn connect<T>( |
There was a problem hiding this comment.
Indeed. I would also prefer connect to return an error on connection failures - the only "simple" way of doing that with the existing API I can come up with would be changing handshake oneshot element value to be a Result, would that address your concern?
connectand don't attempt any I/O on the streams/futures afterwards
In current design the guest drives the I/O, so receive stream must be polled for connect to be able to do work. With the existing Wasmtime API, the only way for the host to consume data from a StreamReader is to pipe it into a consumer implementation, that's what receive and send do now - they "register" a consumer. There is no way to deregister a consumer at a later point and there is an additional hazard in that dropping an unpiped StreamReader would leak it. So even if the relevant StreamReaders would be plumbed through to connect implementation and proper bookkeeping would be implemented in drop, we would not be able to directly read bytes from the stream in connect.
The only other option then is for consumer itself to spawn a (Tokio) task - given wasip3 implementation direction and design so far, I believe we want to avoid having to do that unless absolutely necessary. In my personal opinion if we cannot use Rust async machinery directly in host implementation without relying on Tokio tasks and message-passing, it suggests that we should probably revisit the Wasmtime's async support APIs to fix that. I don't think we should be reimplementing https://github.com/bytecodealliance/wasmtime/blob/d42d0b6df22d8d7be21212899a9cae21767c6992/crates/wasi/src/p2/write_stream.rs in wasip3
|
|
||
| let Connector { | ||
| receive_tx: Some((receive_prod_tx, receive_cons_tx, receive_err_tx)), | ||
| send_tx: Some((send_prod_tx, send_cons_tx, _send_err_tx)), |
There was a problem hiding this comment.
There is no scenario, when an error could be sent on the future returned by send, so yes.
There was a problem hiding this comment.
That is what I originally had, but have eventually removed and brought back. The challenge is that send_close_notify can only be called after handshake has finished. I made sure that's the case by carefully arranging the oneshot sends from connect
|
I'm not familiar with the current design of wasi-tls much less the async-aware wasip3 version so I can only comment at a sort of high-level as opposed to offering thoughts on specifics. From that perspective I'd personally lean towards leaving this as a PR to avoid having too much mostly-unmaintained code in-tree. It sounds like @badeend you'd ideally see this built on the preexisting abstractions and @rvolosatovs you don't have the time/motivation right now to pursue such a refactoring. I'd personally prefer to avoid an interim-state landed in Wasmtime where there are no plans for improvement and no one's quite satisfied with the current implementation. Does that sound reasonable enough to leave this as a PR for now, and revisit once time/motivation/energy have been unblocked? |
3 participants
This is the implementation of current p3 draft WebAssembly/wasi-tls#17
refs #12102