Updated rawInput() / rawOutput() to throw error, instead of returning null on error
v1.1 - 2014-10-11
Dropped INFO_COOKIES and INFO_USER_AGENT (were not used)
Added concept of ChannelContext/INFO_CHANNEL_CONTEXT
HTTPChannelContext is defined in scope of FTN5: HTTP Integration
Added INFO_HAVE_RAW_RESULT
Dropped ignoreInvokerAbort() and replaced with ChannelContext.onInvokerAbort()
(would be broken backward compatibility, if used somewhere)
Changed context() to executor() to avoid ambiguity
(would be broken backward compatibility, if used somewhere)
v1.0 - 2014-10-03
Warning
This specification IS NOT mandatory. It is just a reference model.
Any implementation IS ALLOWED to provide own architecture with
drawback of breaking easy migration from one to another.
1. Concept
There must be a generic object type, which can represent both
request and response message data and/or communication channels.
There must be a wrapper, which holds current request-response info
and potentially a set of standard utilities.
There must be a generic request Executor, which knows all registered
interfaces and their implementations.
Executor implementation is not limited in internal behavior, but should
have standardized interface even for helper tools, like FutoIn interface
compilers and/or converters.
Executor is responsible for (actions are done in AsyncSteps):
converting request from transport-level representation to internal message format
gathering basic request-response info
checking interface constraints
checking message authentication code (MAC) or authenticating user by credentials
passing control to implementation of specific interfaces with required major version
catching exceptions or normal result
converting response to transport-level representation
maintaining persistent communication channel, if needed
Executor should be tighly integrated with MasterService implementation, if supported.
General FutoIn message verification should be based on MAC checking.
Executor should also integrate with AuthService as consumer, if real human users expected to use the service.
Note: Executor is allowed to pass control to implementation only if requested major version of
interfaces exactly matches implemented version and minor version is greater than or equal
to requested minor version.
All actions are implemented through AsyncSteps interface (FTN12: Async API).
For backward compatibility with pre-FutoIn code and/or complex logic, it is possible to make blocking
implementation. Such implementations run in dedicated worker threads/processes and receive only RequestInfo
object reference.
All true asynchronous implementations must implement special FutoIn AsyncImplementation interface to
clearly distinguish more advanced one.
Note: if BlockingMethod or AsyncMethod returns result then its fields are added to already existing
result fields in reqinfo object.
1.1. FutoIn interfaces
Interfaces must get converted according to language/platform-specific
convention into native interfaces, which can depend only on
standard runtime and native language/platform-specific interfaces
of Executor and related objects.
1.2. Executor security
Besides standard authentication and authorization mechanisms, peer with executor capabilities
must create separate Executor objects to minimize risk of security flaws in such mechanisms.
Example:
A single process implements:
public services with Master/Slave key exchange authentication
private services with Basic login/password authentication
internal services like Logger DB access
The correct way would be:
Create a single CCM object
Create bare Executor for internal service implementation
Create HTTP/WS Executor for public services
Create Executor for private services
Either local-transport Executor in scope of single operating system
Or HTTP/WS Executor, but accessible from private network only
The "sec" field is normally used for Basic Auth in "{user}:{password}" format.
However, a special "-hmac" user name is reserved for HMAC message signature.
The HMAC signature has the following format:
"-hmac:{user}:{algo}:{signature}"
Where:
{user} - user name
{algo} - on of pre-defined algorithms identifiers or custom extension
{signature} - Base64 encoded hash
1.3.3. Predefined HMAC algorithms
Note: deprecated, use FTN8 MAC format
"MD5" - MD5 128-bit (acceptably secure, even though MD5 itself is weak)
"SHA224" - SHA v2 224-bit (acceptably secure)
"SHA256" - SHA v2 256-bit (acceptably secure)
"SHA384" - SHA v2 384-bit (acceptably secure)
"SHA512" - SHA v2 512-bit (acceptably secure)
"SHA3-*" - SHA v3 224/256/384/512-bit (high secure at the moment)
Note: MD5 and SHA2 are mandatory to be implemented on server, SHA3 - if supported by runtime.
However, server may reject unsupported algorithms through configuration
1.3.4. Response "sec" field with HMAC
Note: deprecated, use FTN8 MAC format
If request comes signed with HMAC then response must also be signed
with HMAC using exactly the same secret key and hashing algorithm.
Only Base64-encoded signature in sent back in the "sec" field.
1.4. Internal system calls security
If internal communication channel is used, a special "-internal" user
name can be passed in "sec" field.
Such internal calls must bypass Auth Service processing and trust
on-behalf-of data in request message. Otherwise, user info must
"-internal" for both local and global user ID, SL_SYSTEM must be set
as security level.
Normally, internal channel can exist only with the same process.
1.5. External call limits
For general service stability and fair use, it is required to limit both
concurrent requests and requests per period from single client. Such
limits should apply as soon as possible before any other processing. As a
consequence, all requested are treated as anonymous.
However, authorized users may need much higher resource quota. It should
be possible to apply specialized limits based on the following strategies:
assign custom limit to stateful channel after first successful request
select custom limit based on static list of client's network addresses
select custom limit based on dynamic list of client's network addresses
can be populated after first successful request
entries should have meaningful time-to-live (60-3600 seconds)
There must be the "default" limit which should match FTN7 Invoker defaults.
All limits must apply process-wide, but can its statistics can be aggregated and
processed by defense system asynchronously.
2. Native Executor interface requirements
Language/platform should support runtime introspection and
exceptions. For other cases, platform/language-specific workarounds
are assumed.
2.1. FutoIn interface
Each FutoIn interfaces is represented as simple native
interface type with only abstract methods for each
FutoIn interface function
Each abstract method should return no value and take exactly one
Request Info object as argument for blocking implementation. Or
AsyncSteps and RequestInfo objects as arguments for asynchronous
implementation.
Implementation method can assume that all request parameters defined
in spec can be accessed from request data
Access to unexpected request and/or response parameters
should raise InternalError
Throw of unexpected error should raise InternalError
Each implementation method should have public access
There must be no public method which is not part of the
specific FutoIn interface definition
All native interfaces should inherit from single
native interface with no public abstract methods
2.2. Request Info
constants:
SL_ANONYMOUS = "Anonymous"
SL_INFO = "Info"
SL_SAFE_OPS = "SafeOps"
SL_PRIVILEGED_OPS = "PrivilegedOps"
SL_EXCEPTIONAL_OPS = "ExceptionalOps"
SL_SYSTEM = "System"
INFO_X509_CN - validated x509 certificate CN field
INFO_PUBKEY - public key, if present
INFO_CLIENT_ADDR - SourceAddress object of request external to current system
(e.g. without trusted reverse proxies, gateways, etc.)
INFO_SECURE_CHANNEL - boolean - is request coming through secure channel?
INFO_REQUEST_TIME_FLOAT - platform-specific timestamp of request processing start
INFO_SECURITY_LEVEL - one of pre-defined security levels of current processing
INFO_USER_INFO - user information object
INFO_RAW_REQUEST - raw request object
INFO_RAW_RESPONSE - raw response object
INFO_DERIVED_KEY - derived key object
INFO_HAVE_RAW_UPLOAD - boolean - have raw upload (e.g. can open rawInput())
INFO_HAVE_RAW_RESULT - boolean - have raw result (e.g. should open rawOutput())
map params() - return reference to request parameter map
map result([replace]) - return reference to response parameter map
NOTE: replaced result may be of any type expected by interface definition
map info() - return reference to info parameter map, keys (defined as const with INFO_ prefix):
Note: info() is not merged to AsyncSteps only for minor security reasons
stream rawInput() - return raw input stream or throws error
stream rawOutput() - return raw output stream (no result variables are expected) or throws error
Executor executor() - get reference to Executor
CCM ccm() - shortcut for executor().ccm()
ChannelContext channel() - get reference to ChannelContext
void cancelAfter( timeout_ms ) - set to abort request after specified timeout_ms from the
moment of call. It must override any previous cancelAfter() call.
Note: it is different from as.setTimeout() as inner step timeout does not override outer step
timeout.
timeout_ms - timeout in miliseconds to cancel after. 0 - disable timeout
UserInfo userInfo() - shortcut for info()[INFO_USER_INFO]
Language-specic get accessor for info properties
2.3. User info
string localID() - get user ID as seen by trusted AuthService
There is little use of extended AsyncSteps to provide additional API.
Instead, by convention, "reqinfo" AsyncSteps state field must point to
associated RequestInfo instance.
2.8. Executor
AdvancedCCM ccm() - get reference to Invoker CCM, if any