Add ability to construct a new bootstrap capability for each connecting client…

Add ability to construct a new bootstrap capability for each connecting client based on their authenticated VatId.

c++/src/capnp/rpc-prelude.h

@@ -43,7 +43,7 @@ class RpcSystem;
 namespace _ {  // private
 
 class VatNetworkBase {
-  // Non-template version of VatNetwork.  Ignore this class; see VatNetwork, below.
+  // Non-template version of VatNetwork.  Ignore this class; see VatNetwork in rpc.h.
 
 public:
   class Connection;
@@ -59,6 +59,7 @@ public:
     virtual kj::Own<OutgoingRpcMessage> newOutgoingMessage(uint firstSegmentWordSize) = 0;
     virtual kj::Promise<kj::Maybe<kj::Own<IncomingRpcMessage>>> receiveIncomingMessage() = 0;
     virtual kj::Promise<void> shutdown() = 0;
+    virtual AnyStruct::Reader baseGetPeerVatId() = 0;
   };
   virtual kj::Maybe<kj::Own<Connection>> baseConnect(_::StructReader vatId) = 0;
   virtual kj::Promise<kj::Own<Connection>> baseAccept() = 0;
@@ -69,10 +70,20 @@ public:
   virtual Capability::Client baseRestore(AnyPointer::Reader ref) = 0;
 };
 
+class BootstrapFactoryBase {
+  // Non-template version of BootstrapFactory.  Ignore this class; see BootstrapFactory in rpc.h.
+public:
+  virtual Capability::Client baseCreateFor(AnyStruct::Reader clientId) = 0;
+};
+
 class RpcSystemBase {
+  // Non-template version of RpcSystem.  Ignore this class; see RpcSystem in rpc.h.
+
 public:
   RpcSystemBase(VatNetworkBase& network, kj::Maybe<Capability::Client> bootstrapInterface,
                 kj::Maybe<RealmGateway<>::Client> gateway);
+  RpcSystemBase(VatNetworkBase& network, BootstrapFactoryBase& bootstrapFactory,
+                kj::Maybe<RealmGateway<>::Client> gateway);
   RpcSystemBase(VatNetworkBase& network, SturdyRefRestorerBase& restorer);
   RpcSystemBase(RpcSystemBase&& other) noexcept;
   ~RpcSystemBase() noexcept(false);

c++/src/capnp/rpc-test.c++

@@ -302,6 +302,11 @@ public:
       MallocMessageBuilder message;
     };
 
+    test::TestSturdyRefHostId::Reader getPeerVatId() override {
+      // Not actually implemented for the purpose of this test.
+      return test::TestSturdyRefHostId::Reader();
+    }
+
     kj::Own<OutgoingRpcMessage> newOutgoingMessage(uint firstSegmentWordSize) override {
       return kj::heap<OutgoingRpcMessageImpl>(*this, firstSegmentWordSize);
     }

c++/src/capnp/rpc-twoparty-test.c++

@@ -336,6 +336,55 @@ TEST(TwoPartyNetwork, ConvenienceClasses) {
   EXPECT_EQ(1, callCount);
 }
 
+class TestAuthenticatedBootstrapImpl
+    : public test::TestAuthenticatedBootstrap<rpc::twoparty::VatId>::Server {
+public:
+  TestAuthenticatedBootstrapImpl(rpc::twoparty::VatId::Reader clientId) {
+    this->clientId.setRoot(clientId);
+  }
+
+protected:
+  kj::Promise<void> getCallerId(GetCallerIdContext context) override {
+    context.getResults().setCaller(clientId.getRoot<rpc::twoparty::VatId>());
+    return kj::READY_NOW;
+  }
+
+private:
+  MallocMessageBuilder clientId;
+};
+
+class TestBootstrapFactory: public BootstrapFactory<rpc::twoparty::VatId> {
+public:
+  Capability::Client createFor(rpc::twoparty::VatId::Reader clientId) {
+    called = true;
+    EXPECT_EQ(rpc::twoparty::Side::CLIENT, clientId.getSide());
+    return kj::heap<TestAuthenticatedBootstrapImpl>(clientId);
+  }
+
+  bool called = false;
+};
+
+kj::AsyncIoProvider::PipeThread runAuthenticatingServer(
+    kj::AsyncIoProvider& ioProvider, BootstrapFactory<rpc::twoparty::VatId>& bootstrapFactory) {
+  return ioProvider.newPipeThread([&bootstrapFactory](
+      kj::AsyncIoProvider& ioProvider, kj::AsyncIoStream& stream, kj::WaitScope& waitScope) {
+    TwoPartyVatNetwork network(stream, rpc::twoparty::Side::SERVER);
+    auto server = makeRpcServer(network, bootstrapFactory);
+    network.onDisconnect().wait(waitScope);
+  });
+}
+
+TEST(TwoPartyNetwork, BootstrapFactory) {
+  auto ioContext = kj::setupAsyncIo();
+  TestBootstrapFactory bootstrapFactory;
+  auto serverThread = runAuthenticatingServer(*ioContext.provider, bootstrapFactory);
+  TwoPartyClient client(*serverThread.pipe);
+  auto resp = client.bootstrap().castAs<test::TestAuthenticatedBootstrap<rpc::twoparty::VatId>>()
+      .getCallerIdRequest().send().wait(ioContext.waitScope);
+  EXPECT_EQ(rpc::twoparty::Side::CLIENT, resp.getCaller().getSide());
+  EXPECT_TRUE(bootstrapFactory.called);
+}
+
 }  // namespace
 }  // namespace _
 }  // namespace capnp

c++/src/capnp/rpc-twoparty.c++

@@ -27,7 +27,12 @@ namespace capnp {
 
 TwoPartyVatNetwork::TwoPartyVatNetwork(kj::AsyncIoStream& stream, rpc::twoparty::Side side,
                                        ReaderOptions receiveOptions)
-    : stream(stream), side(side), receiveOptions(receiveOptions), previousWrite(kj::READY_NOW) {
+    : stream(stream), side(side), peerVatId(4),
+      receiveOptions(receiveOptions), previousWrite(kj::READY_NOW) {
+  peerVatId.initRoot<rpc::twoparty::VatId>().setSide(
+      side == rpc::twoparty::Side::CLIENT ? rpc::twoparty::Side::SERVER
+                                          : rpc::twoparty::Side::CLIENT);
+
   auto paf = kj::newPromiseAndFulfiller<void>();
   disconnectPromise = paf.promise.fork();
   disconnectFulfiller.fulfiller = kj::mv(paf.fulfiller);
@@ -115,6 +120,10 @@ private:
   kj::Own<MessageReader> message;
 };
 
+rpc::twoparty::VatId::Reader TwoPartyVatNetwork::getPeerVatId() {
+  return peerVatId.getRoot<rpc::twoparty::VatId>();
+}
+
 kj::Own<OutgoingRpcMessage> TwoPartyVatNetwork::newOutgoingMessage(uint firstSegmentWordSize) {
   return kj::refcounted<OutgoingMessageImpl>(*this, firstSegmentWordSize);
 }

c++/src/capnp/rpc-twoparty.h

@@ -71,6 +71,7 @@ private:
 
   kj::AsyncIoStream& stream;
   rpc::twoparty::Side side;
+  MallocMessageBuilder peerVatId;
   ReaderOptions receiveOptions;
   bool accepted = false;
 
@@ -103,6 +104,7 @@ private:
 
   // implements Connection -----------------------------------------------------
 
+  rpc::twoparty::VatId::Reader getPeerVatId() override;
   kj::Own<OutgoingRpcMessage> newOutgoingMessage(uint firstSegmentWordSize) override;
   kj::Promise<kj::Maybe<kj::Own<IncomingRpcMessage>>> receiveIncomingMessage() override;
   kj::Promise<void> shutdown() override;

c++/src/capnp/rpc.c++

@@ -244,12 +244,12 @@ public:
     // Task which is working on sending an abort message and cleanly ending the connection.
   };
 
-  RpcConnectionState(kj::Maybe<Capability::Client> bootstrapInterface,
+  RpcConnectionState(BootstrapFactoryBase& bootstrapFactory,
                      kj::Maybe<RealmGateway<>::Client> gateway,
                      kj::Maybe<SturdyRefRestorerBase&> restorer,
                      kj::Own<VatNetworkBase::Connection>&& connectionParam,
                      kj::Own<kj::PromiseFulfiller<DisconnectInfo>>&& disconnectFulfiller)
-      : bootstrapInterface(kj::mv(bootstrapInterface)), gateway(kj::mv(gateway)),
+      : bootstrapFactory(bootstrapFactory), gateway(kj::mv(gateway)),
         restorer(restorer), disconnectFulfiller(kj::mv(disconnectFulfiller)), tasks(*this) {
     connection.init<Connected>(kj::mv(connectionParam));
     tasks.add(messageLoop());
@@ -502,7 +502,7 @@ private:
   // =======================================================================================
   // OK, now we can define RpcConnectionState's member data.
 
-  kj::Maybe<Capability::Client> bootstrapInterface;
+  BootstrapFactoryBase& bootstrapFactory;
   kj::Maybe<RealmGateway<>::Client> gateway;
   kj::Maybe<SturdyRefRestorerBase&> restorer;
 
@@ -2091,7 +2091,8 @@ private:
       return;
     }
 
-    auto response = connection.get<Connected>()->newOutgoingMessage(
+    VatNetworkBase::Connection& conn = *connection.get<Connected>();
+    auto response = conn.newOutgoingMessage(
         messageSizeHint<rpc::Return>() + sizeInWords<rpc::CapDescriptor>() + 32);
 
     rpc::Return::Builder ret = response->getBody().getAs<rpc::Message>().initReturn();
@@ -2104,17 +2105,16 @@ private:
     // Call the restorer and initialize the answer.
     KJ_IF_MAYBE(exception, kj::runCatchingExceptions([&]() {
       Capability::Client cap = nullptr;
-      KJ_IF_MAYBE(r, restorer) {
-        cap = r->baseRestore(bootstrap.getDeprecatedObjectId());
-      } else KJ_IF_MAYBE(b, bootstrapInterface) {
-        if (bootstrap.hasDeprecatedObjectId()) {
+
+      if (bootstrap.hasDeprecatedObjectId()) {
+        KJ_IF_MAYBE(r, restorer) {
+          cap = r->baseRestore(bootstrap.getDeprecatedObjectId());
+        } else {
           KJ_FAIL_REQUIRE("This vat only supports a bootstrap interface, not the old "
                           "Cap'n-Proto-0.4-style named exports.") { return; }
-        } else {
-          cap = *b;
         }
       } else {
-        KJ_FAIL_REQUIRE("This vat does not expose any public/bootstrap interfaces.") { return; }
+        cap = bootstrapFactory.baseCreateFor(conn.baseGetPeerVatId());
       }
 
       auto payload = ret.initResults();
@@ -2594,16 +2594,22 @@ private:
 
 }  // namespace
 
-class RpcSystemBase::Impl final: public kj::TaskSet::ErrorHandler {
+class RpcSystemBase::Impl final: private BootstrapFactoryBase, private kj::TaskSet::ErrorHandler {
 public:
   Impl(VatNetworkBase& network, kj::Maybe<Capability::Client> bootstrapInterface,
        kj::Maybe<RealmGateway<>::Client> gateway)
       : network(network), bootstrapInterface(kj::mv(bootstrapInterface)),
+        bootstrapFactory(*this), gateway(kj::mv(gateway)), tasks(*this) {
+    tasks.add(acceptLoop());
+  }
+  Impl(VatNetworkBase& network, BootstrapFactoryBase& bootstrapFactory,
+       kj::Maybe<RealmGateway<>::Client> gateway)
+      : network(network), bootstrapFactory(bootstrapFactory),
         gateway(kj::mv(gateway)), tasks(*this) {
     tasks.add(acceptLoop());
   }
   Impl(VatNetworkBase& network, SturdyRefRestorerBase& restorer)
-      : network(network), restorer(restorer), tasks(*this) {
+      : network(network), bootstrapFactory(*this), restorer(restorer), tasks(*this) {
     tasks.add(acceptLoop());
   }
 
@@ -2640,13 +2646,10 @@ public:
     }
   }
 
-  void taskFailed(kj::Exception&& exception) override {
-    KJ_LOG(ERROR, exception);
-  }
-
 private:
   VatNetworkBase& network;
   kj::Maybe<Capability::Client> bootstrapInterface;
+  BootstrapFactoryBase& bootstrapFactory;
   kj::Maybe<RealmGateway<>::Client> gateway;
   kj::Maybe<SturdyRefRestorerBase&> restorer;
   kj::TaskSet tasks;
@@ -2668,7 +2671,7 @@ private:
         tasks.add(kj::mv(info.shutdownPromise));
       }));
       auto newState = kj::refcounted<RpcConnectionState>(
-          bootstrapInterface, gateway, restorer, kj::mv(connection),
+          bootstrapFactory, gateway, restorer, kj::mv(connection),
           kj::mv(onDisconnect.fulfiller));
       RpcConnectionState& result = *newState;
       connections.insert(std::make_pair(connectionPtr, kj::mv(newState)));
@@ -2691,12 +2694,33 @@ private:
       tasks.add(acceptLoop());
     });
   }
+
+  Capability::Client baseCreateFor(AnyStruct::Reader clientId) override {
+    // Implements BootstrapFactory::baseCreateFor() in terms of `bootstrapInterface` or `restorer`,
+    // for use when we were given one of those instead of an actual `bootstrapFactory`.
+
+    KJ_IF_MAYBE(cap, bootstrapInterface) {
+      return *cap;
+    } else KJ_IF_MAYBE(r, restorer) {
+      return r->baseRestore(AnyPointer::Reader());
+    } else {
+      return KJ_EXCEPTION(FAILED, "This vat does not expose any public/bootstrap interfaces.");
+    }
+  }
+
+  void taskFailed(kj::Exception&& exception) override {
+    KJ_LOG(ERROR, exception);
+  }
 };
 
 RpcSystemBase::RpcSystemBase(VatNetworkBase& network,
                              kj::Maybe<Capability::Client> bootstrapInterface,
                              kj::Maybe<RealmGateway<>::Client> gateway)
     : impl(kj::heap<Impl>(network, kj::mv(bootstrapInterface), kj::mv(gateway))) {}
+RpcSystemBase::RpcSystemBase(VatNetworkBase& network,
+                             BootstrapFactoryBase& bootstrapFactory,
+                             kj::Maybe<RealmGateway<>::Client> gateway)
+    : impl(kj::heap<Impl>(network, bootstrapFactory, kj::mv(gateway))) {}
 RpcSystemBase::RpcSystemBase(VatNetworkBase& network, SturdyRefRestorerBase& restorer)
     : impl(kj::heap<Impl>(network, restorer)) {}
 RpcSystemBase::RpcSystemBase(RpcSystemBase&& other) noexcept = default;

c++/src/capnp/rpc.h

@@ -37,6 +37,25 @@ class VatNetwork;
 template <typename SturdyRefObjectId>
 class SturdyRefRestorer;
 
+template <typename VatId>
+class BootstrapFactory: public _::BootstrapFactoryBase {
+  // Interface that constructs per-client bootstrap interfaces. Use this if you want each client
+  // who connects to see a different bootstrap interface based on their (authenticated) VatId.
+  // This allows an application to bootstrap off of the authentication performed at the VatNetwork
+  // level. (Typically VatId is some sort of public key.)
+  //
+  // This is only useful for multi-party networks. For TwoPartyVatNetwork, there's no reason to
+  // use a BootstrapFactory; just specify a single bootstrap capability in this case.
+
+public:
+  virtual Capability::Client createFor(typename VatId::Reader clientId) = 0;
+  // Create a bootstrap capability appropriate for exposing to the given client. VatNetwork will
+  // have authenticated the client VatId before this is called.
+
+private:
+  Capability::Client baseCreateFor(AnyStruct::Reader clientId) override;
+};
+
 template <typename VatId>
 class RpcSystem: public _::RpcSystemBase {
   // Represents the RPC system, which is the portal to objects available on the network.
@@ -60,6 +79,13 @@ public:
       kj::Maybe<Capability::Client> bootstrapInterface,
       kj::Maybe<RealmGateway<>::Client> gateway = nullptr);
 
+  template <typename ProvisionId, typename RecipientId,
+            typename ThirdPartyCapId, typename JoinResult>
+  RpcSystem(
+      VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
+      BootstrapFactory<VatId>& bootstrapFactory,
+      kj::Maybe<RealmGateway<>::Client> gateway = nullptr);
+
   template <typename ProvisionId, typename RecipientId,
             typename ThirdPartyCapId, typename JoinResult,
             typename LocalSturdyRefObjectId>
@@ -115,6 +141,25 @@ RpcSystem<VatId> makeRpcServer(
 // The given RealmGateway is used to translate SturdyRefs between the app's ("internal") format
 // and the network's ("external") format.
 
+template <typename VatId, typename ProvisionId, typename RecipientId,
+          typename ThirdPartyCapId, typename JoinResult>
+RpcSystem<VatId> makeRpcServer(
+    VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
+    BootstrapFactory<VatId>& bootstrapFactory);
+// Make an RPC server that can serve different bootstrap interfaces to different clients via a
+// BootstrapInterface.
+
+template <typename VatId, typename ProvisionId, typename RecipientId,
+          typename ThirdPartyCapId, typename JoinResult, typename RealmGatewayClient,
+          typename InternalRef = _::InternalRefFromRealmGatewayClient<RealmGatewayClient>,
+          typename ExternalRef = _::ExternalRefFromRealmGatewayClient<RealmGatewayClient>>
+RpcSystem<VatId> makeRpcServer(
+    VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
+    BootstrapFactory<VatId>& bootstrapFactory, RealmGatewayClient gateway);
+// Make an RPC server that can serve different bootstrap interfaces to different clients via a
+// BootstrapInterface and communicates with a different realm than the application is in via a
+// RealmGateway.
+
 template <typename VatId, typename LocalSturdyRefObjectId,
           typename ProvisionId, typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
@@ -264,6 +309,11 @@ public:
   public:
     // Level 0 features ----------------------------------------------
 
+    virtual typename VatId::Reader getPeerVatId() = 0;
+    // Returns the connected vat's authenticated VatId. It is the VatNetwork's responsibility to
+    // authenticate this, so that the caller can be assured that they are really talking to the
+    // identified vat and not an imposter.
+
     virtual kj::Own<OutgoingRpcMessage> newOutgoingMessage(uint firstSegmentWordSize) = 0;
     // Allocate a new message to be sent on this connection.
     //
@@ -278,6 +328,9 @@ public:
     virtual kj::Promise<void> shutdown() KJ_WARN_UNUSED_RESULT = 0;
     // Waits until all outgoing messages have been sent, then shuts down the outgoing stream. The
     // returned promise resolves after shutdown is complete.
+
+  private:
+    AnyStruct::Reader baseGetPeerVatId() override;
   };
 
   // Level 0 features ------------------------------------------------
@@ -310,6 +363,11 @@ private:
 // ***************************************************************************************
 // =======================================================================================
 
+template <typename VatId>
+Capability::Client BootstrapFactory<VatId>::baseCreateFor(AnyStruct::Reader clientId) {
+  return createFor(clientId.as<VatId>());
+}
+
 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 kj::Maybe<kj::Own<_::VatNetworkBase::Connection>>
@@ -331,6 +389,14 @@ kj::Promise<kj::Own<_::VatNetworkBase::Connection>>
   });
 }
 
+template <typename SturdyRef, typename ProvisionId, typename RecipientId,
+          typename ThirdPartyCapId, typename JoinResult>
+AnyStruct::Reader VatNetwork<
+    SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::
+    Connection::baseGetPeerVatId() {
+  return getPeerVatId();
+}
+
 template <typename SturdyRef>
 Capability::Client SturdyRefRestorer<SturdyRef>::baseRestore(AnyPointer::Reader ref) {
 #pragma GCC diagnostic push
@@ -348,6 +414,15 @@ RpcSystem<VatId>::RpcSystem(
       kj::Maybe<RealmGateway<>::Client> gateway)
     : _::RpcSystemBase(network, kj::mv(bootstrap), kj::mv(gateway)) {}
 
+template <typename VatId>
+template <typename ProvisionId, typename RecipientId,
+          typename ThirdPartyCapId, typename JoinResult>
+RpcSystem<VatId>::RpcSystem(
+      VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
+      BootstrapFactory<VatId>& bootstrapFactory,
+      kj::Maybe<RealmGateway<>::Client> gateway)
+    : _::RpcSystemBase(network, bootstrapFactory, kj::mv(gateway)) {}
+
 template <typename VatId>
 template <typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult,
@@ -386,6 +461,23 @@ RpcSystem<VatId> makeRpcServer(
       gateway.template castAs<RealmGateway<>>());
 }
 
+template <typename VatId, typename ProvisionId, typename RecipientId,
+          typename ThirdPartyCapId, typename JoinResult>
+RpcSystem<VatId> makeRpcServer(
+    VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
+    BootstrapFactory<VatId>& bootstrapFactory) {
+  return RpcSystem<VatId>(network, bootstrapFactory);
+}
+
+template <typename VatId, typename ProvisionId, typename RecipientId,
+          typename ThirdPartyCapId, typename JoinResult,
+          typename RealmGatewayClient, typename InternalRef, typename ExternalRef>
+RpcSystem<VatId> makeRpcServer(
+    VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
+    BootstrapFactory<VatId>& bootstrapFactory, RealmGatewayClient gateway) {
+  return RpcSystem<VatId>(network, bootstrapFactory, gateway.template castAs<RealmGateway<>>());
+}
+
 template <typename VatId, typename LocalSturdyRefObjectId,
           typename ProvisionId, typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(

c++/src/capnp/test.capnp

@@ -793,6 +793,10 @@ interface TestKeywordMethods {
   return @3 ();
 }
 
+interface TestAuthenticatedBootstrap(VatId) {
+  getCallerId @0 () -> (caller :VatId);
+}
+
 struct TestSturdyRef {
   hostId @0 :TestSturdyRefHostId;
   objectId @1 :AnyPointer;