microsoft · jumaffre · Jun 23, 2022 · Jun 13, 2022 · Jun 13, 2022 · Jun 13, 2022
@@ -1 +1 @@
-Splicer
+......
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Added
+
+- New per-interface configuration entries (`network.rpc_interfaces.http_configuration`) are added to let operators cap the maximum size of body, header value size and number of headers in client HTTP requests. The client session is automatically closed if the HTTP request exceeds one of these limits (#3941).
+
 ## [3.0.0-dev0]
 
 ### Added

@@ -71,6 +71,27 @@
                 "default": 1010,
                 "description": "The maximum number of active client sessions on that interface after which clients sessions will be terminated, before the TLS handshake is complete. Note that its value must be greater than the value of ``max_open_sessions_soft``"
               },
+              "http_configuration": {
+                "type": "object",
+                "properties": {
+                  "max_body_size": {
+                    "type": "string",
+                    "default": "1MB",
+                    "description": "Maximum size (size string) of a single HTTP request body. Submitting a request with a payload larger than this value will result in the client session being automatically closed."
+                  },
+                  "max_header_size": {
+                    "type": "string",
+                    "default": "16KB",
+                    "description": "Maximum size (size string) of a single HTTP request header (key or value). Submitting a request with a header larger than this value will result in the client session being automatically closed."
+                  },
+                  "max_headers_count": {
+                    "type": "integer",
+                    "default": 256,
+                    "description": "Maximum number of headers in a single HTTP request. Submitting a request with more headers than this value will result in the session being automatically closed."
+                  }
+                },
+                "additionalProperties": false
+              },
               "endorsement": {
                 "type": "object",
                 "properties": {

@@ -139,6 +139,17 @@ namespace ds
     s = j.get<std::string_view>();
   }
 
+  inline std::string schema_name(const SizeString*)
+  {
+    return "TimeString";
+  }
+
+  inline void fill_json_schema(nlohmann::json& schema, const SizeString*)
+  {
+    schema["type"] = "string";
+    schema["pattern"] = "^[0-9]+(B|KB|MB|GB|TB|PB)?$";
+  }
+
   struct TimeString : UnitString
   {
     std::chrono::microseconds value;
@@ -181,4 +192,15 @@ namespace ds
   {
     s = j.get<std::string_view>();
   }
+
+  inline std::string schema_name(const TimeString*)
+  {
+    return "TimeString";
+  }
+
+  inline void fill_json_schema(nlohmann::json& schema, const TimeString*)
+  {
+    schema["type"] = "string";
+    schema["pattern"] = "^[0-9]+(us|ms|s|min|h)?$";
+  }
 }
@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+#pragma once
+
+#include "ccf/ds/json.h"
+#include "ccf/ds/unit_strings.h"
+
+#include <optional>
+
+namespace http
+{
+  struct ParserConfiguration
+  {
+    ds::SizeString max_body_size = {"1MB"};
+    ds::SizeString max_header_size = {"16KB"};
+    size_t max_headers_count = 256;
+
+    bool operator==(const ParserConfiguration& other) const
+    {
+      return max_body_size == other.max_body_size &&
+        max_header_size == other.max_header_size &&
+        max_headers_count == other.max_headers_count;
+    }
+  };
+  DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(ParserConfiguration);
+  DECLARE_JSON_REQUIRED_FIELDS(ParserConfiguration);
+  DECLARE_JSON_OPTIONAL_FIELDS(
+    ParserConfiguration, max_body_size, max_header_size, max_headers_count);
+}
@@ -51,6 +51,8 @@ namespace ccf
     ERROR(RequestNotSigned)
     ERROR(UnsupportedHttpVerb)
     ERROR(UnsupportedContentType)
+    ERROR(RequestBodyTooLarge)
+    ERROR(RequestHeaderTooLarge)
 
     // CCF-specific errors
     // client-facing:

@@ -5,6 +5,7 @@
 
 #include "ccf/ds/json.h"
 #include "ccf/ds/nonstd.h"
+#include "ccf/http_configuration.h"
 
 #include <string>
 
@@ -60,6 +61,9 @@ namespace ccf
       std::optional<size_t> max_open_sessions_soft = std::nullopt;
       std::optional<size_t> max_open_sessions_hard = std::nullopt;
 
+      std::optional<http::ParserConfiguration> http_configuration =
+        std::nullopt;
+
       std::optional<Endorsement> endorsement = std::nullopt;
 
       bool operator==(const NetInterface& other) const
@@ -69,7 +73,8 @@ namespace ccf
           protocol == other.protocol &&
           max_open_sessions_soft == other.max_open_sessions_soft &&
           max_open_sessions_hard == other.max_open_sessions_hard &&
-          endorsement == other.endorsement;
+          endorsement == other.endorsement &&
+          http_configuration == other.http_configuration;
       }
     };
 
@@ -78,6 +83,7 @@ namespace ccf
     NetInterface node_to_node_interface;
     RpcInterfaces rpc_interfaces;
   };
+
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(NodeInfoNetwork_v2::NetInterface);
   DECLARE_JSON_REQUIRED_FIELDS(NodeInfoNetwork_v2::NetInterface, bind_address);
   DECLARE_JSON_OPTIONAL_FIELDS(
@@ -86,7 +92,8 @@ namespace ccf
     max_open_sessions_soft,
     max_open_sessions_hard,
     published_address,
-    protocol);
+    protocol,
+    http_configuration);
   DECLARE_JSON_TYPE(NodeInfoNetwork_v2);
   DECLARE_JSON_REQUIRED_FIELDS(
     NodeInfoNetwork_v2, node_to_node_interface, rpc_interfaces);
@@ -168,8 +175,7 @@ namespace ccf
   }
 }
 
-FMT_BEGIN_NAMESPACE
-template <>
+FMT_BEGIN_NAMESPACE template <>
 struct formatter<ccf::Authority>
 {
   template <typename ParseContext>

@@ -6,12 +6,12 @@
 #include "ccf/crypto/curve.h"
 #include "ccf/crypto/pem.h"
 #include "ccf/ds/logger.h"
+#include "ccf/ds/unit_strings.h"
 #include "ccf/service/node_info_network.h"
 #include "ccf/service/tables/members.h"
 #include "common/enclave_interface_types.h"
 #include "consensus/consensus_types.h"
 #include "ds/oversized.h"
-#include "ds/unit_strings.h"
 #include "enclave/consensus_type.h"
 #include "enclave/reconfiguration_type.h"
 #include "service/tables/config.h"

@@ -2,9 +2,9 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
+#include "ccf/ds/unit_strings.h"
 #include "ccf/service/tables/nodes.h"
 #include "ccf/tx_id.h"
-#include "ds/unit_strings.h"
 #include "enclave/consensus_type.h"
 
 #include <stdint.h>

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the Apache 2.0 License.
 
-#include "ds/unit_strings.h"
+#include "ccf/ds/unit_strings.h"
 
 #include <cmath>
 #include <doctest/doctest.h>

@@ -44,6 +44,7 @@ namespace ccf
       size_t max_open_sessions_soft;
       size_t max_open_sessions_hard;
       ccf::Endorsement endorsement;
+      http::ParserConfiguration http_configuration;
       ccf::SessionMetrics::Errors errors;
     };
     std::map<ListenInterfaceID, ListenInterface> listening_interfaces;
@@ -146,6 +147,23 @@ namespace ccf
       return id;
     }
 
+    ListenInterface& get_interface_from_session_id(tls::ConnID id)
+    {
+      // Lock must be first acquired and held while accessing returned interface
+      auto search = sessions.find(id);
+      if (search != sessions.end())
+      {
+        auto it = listening_interfaces.find(search->second.first);
+        if (it != listening_interfaces.end())
+        {
+          return it->second;
+        }
+      }
+
+      throw std::logic_error(
+        fmt::format("No RPC interface for session ID {}", id));
+    }
+
   public:
     RPCSessions(
       ringbuffer::AbstractWriterFactory& writer_factory,
@@ -159,16 +177,19 @@ namespace ccf
     void report_parsing_error(tls::ConnID id) override
     {
       std::lock_guard<std::mutex> guard(lock);
+      get_interface_from_session_id(id).errors.parsing++;
+    }
 
-      auto search = sessions.find(id);
-      if (search != sessions.end())
-      {
-        auto it = listening_interfaces.find(search->second.first);
-        if (it != listening_interfaces.end())
-        {
-          it->second.errors.parsing++;
-        }
-      }
+    void report_request_payload_too_large_error(tls::ConnID id) override
+    {
+      std::lock_guard<std::mutex> guard(lock);
+      get_interface_from_session_id(id).errors.request_payload_too_large++;
+    }
+
+    void report_request_header_too_large_error(tls::ConnID id) override
+    {
+      std::lock_guard<std::mutex> guard(lock);
+      get_interface_from_session_id(id).errors.request_header_too_large++;
     }
 
     void update_listening_interface_options(
@@ -188,6 +209,14 @@ namespace ccf
 
         li.endorsement = interface.endorsement.value_or(endorsement_default);
 
+        if (!interface.http_configuration.has_value())
+        {
+          throw std::logic_error(
+            fmt::format("RPC Interface {} has no HTTP configuration", name));
+        }
+
+        li.http_configuration = interface.http_configuration.value();
+
         LOG_INFO_FMT(
           "Setting max open sessions on interface \"{}\" ({}) to [{}, "
           "{}] and endorsement authority to {}",
@@ -353,6 +382,7 @@ namespace ccf
             listen_interface_id,
             writer_factory,
             std::move(ctx),
+            per_listen_interface.http_configuration,
             shared_from_this());
           sessions.insert(std::make_pair(
             id, std::make_pair(listen_interface_id, std::move(session))));

diff --git a/src/enclave/tls_endpoint.h b/src/enclave/tls_endpoint.h
@@ -26,6 +26,7 @@ namespace ccf
     {
       handshake,
       ready,
+      closing,
       closed,
       authfail,
       error
@@ -57,6 +58,13 @@ namespace ccf
     std::unique_ptr<tls::Context> ctx;
     Status status;
 
+    bool can_send()
+    {
+      // Closing endpoint should still be able to respond to clients (e.g. to
+      // report errors)
+      return status == ready || status == closing;
+    }
+
   public:
     TLSEndpoint(
       int64_t session_id_,
@@ -104,17 +112,18 @@ namespace ccf
     // used by caller.
     size_t read(uint8_t* data, size_t size, bool exact = false)
     {
-      LOG_TRACE_FMT("Requesting up to {} bytes", size);
-
       // This will return empty if the connection isn't
       // ready, but it will not block on the handshake.
       do_handshake();
 
       if (status != ready)
       {
+        LOG_TRACE_FMT("Not ready to read {} bytes", size);
         return 0;
       }
 
+      LOG_TRACE_FMT("Requesting up to {} bytes", size);
+
       // Send pending writes.
       flush();
 
@@ -255,8 +264,10 @@ namespace ccf
         return;
       }
 
-      if (status != ready)
+      if (!can_send())
+      {
         return;
+      }
 
       pending_write.insert(pending_write.end(), data.begin(), data.end());
 
@@ -282,8 +293,10 @@ namespace ccf
 
       do_handshake();
 
-      if (status != ready)
+      if (!can_send())
+      {
         return;
+      }
 
       while (pending_write.size() > 0)
       {
@@ -318,6 +331,7 @@ namespace ccf
 
     void close()
     {
+      status = closing;
       auto msg = std::make_unique<threading::Tmsg<EmptyMsg>>(&close_cb);
       msg->data.self = this->shared_from_this();
 
@@ -342,6 +356,7 @@ namespace ccf
         }
 
         case ready:
+        case closing:
         {
           int r = ctx->close();
 
@@ -478,6 +493,7 @@ namespace ccf
 
       switch (status)
       {
+        case closing:
         case closed:
         {
           RINGBUFFER_WRITE_MESSAGE(

@@ -3,8 +3,8 @@
 
 #pragma once
 
+#include "ccf/ds/unit_strings.h"
 #include "common/configuration.h"
-#include "ds/unit_strings.h"
 
 #include <optional>
 #include <string>