Cleanup history more

.bazelrc-docker

@@ -0,0 +1,36 @@
+try-import %workspace%/gcb/rbe/remote.bazelrc
+
+# TODO(#167): Remove `-Wno-deprecated-declarations` when glog is updated.
+
+build --cxxopt='-std=c++17'
+build --cxxopt='-Wall'
+build --cxxopt='-Wno-deprecated-declarations'
+# Why are we doing this when Souffle-generated C++ clearly uses exceptions?
+# Well, Google famously does not like C++ exceptions in its internal codebase,
+# so we will need to explicitly override that in Raksha files everywhere we
+# build Souffle C++ code to have Raksha build when imported into Google. This
+# default acts as a simulation of that property of Google's internal codebase.
+#build --cxxopt='-fno-exceptions'
+build --host_cxxopt='-std=c++17'
+# Note: We usually try to keep the cxxopt and host_cxxopt consistent. That is
+# not a good idea for this line. It appears that adding -Werror to host_cxxopt
+# causes the compiler to use this flag when building dependencies that we build
+# from source. This causes the build to fail if our source dependencies are not
+# warning-clean. We also comment out -Wall so that we do not receive extra
+# warnings from our third party packages.
+# build --host_cxxopt='-Werror' --host_cxxopt='-Wall'
+build --host_cxxopt='-Wno-deprecated-declarations'
+# Similarly, we should not set this flag that we're using as a debugging
+# assistant when compiling third party libraries.
+# build --host_cxxopt='-fno-exceptions'
+
+# ASAN config for exposing memory errors.
+build:asan --strip=never
+build:asan --copt -fsanitize=address
+build:asan --copt -DADDRESS_SANITIZER
+build:asan --copt -O1
+build:asan --copt -g
+build:asan --copt -fno-omit-frame-pointer
+build:asan --linkopt -fsanitize=address
+startup --output_base=/workspace/.bazel
+

.dockerignore

@@ -0,0 +1,5 @@
+.git
+node_modules
+npm-debug.log
+raksha
+Dockerfile

Dockerfile

@@ -0,0 +1,22 @@
+FROM gcr.io/gcp-runtimes/ubuntu_20_0_4
+
+RUN apt-get update && apt-get install -y curl
+RUN curl -s https://deb.nodesource.com/setup_16.x | bash
+RUN apt-get install nodejs -y
+
+# Create app directory
+WORKDIR /usr/src/app
+
+# Install app dependencies
+# A wildcard is used to ensure both package.json AND package-lock.json are copied
+# where available (npm@5+)
+COPY package*.json ./
+RUN npm install
+
+# Bundle app source
+COPY . .
+
+
+EXPOSE 3000
+CMD [ "node", "index.js" ]
+

cloudbuild.yaml

@@ -0,0 +1,57 @@
+steps:
+  - name: gcr.io/cloud-builders/git
+    args:
+      - clone
+      - 'https://github.com/google-research/raksha.git'
+  - name: ubuntu
+    script: cp .bazelrc-docker raksha/.bazelrc
+  - name: gcr.io/cloud-builders/bazel
+    args:
+      - build
+      - '--remote_cache=https://storage.googleapis.com/arcsjs-bazel-cache'
+      - '--google_default_credentials'
+      - '//src/backends/policy_engine/souffle:check_policy_compliance'
+    dir: raksha
+  - name: ubuntu
+    script: >-
+      cp -pr
+      raksha/bazel-bin/src/backends/policy_engine/souffle/check_policy_compliance
+      raksha/
+  # Pull most recent Docker image.   
+  - id: 'pull-image'
+    name: 'gcr.io/cloud-builders/docker'
+    args: ['pull', '${_DOCKER_IMAGE}']
+
+  - name: gcr.io/cloud-builders/docker
+    args:
+      - build
+      - '--network=cloudbuild'
+      - '--cache-from=${_DOCKER_IMAGE}'
+      - '--tag=${_DOCKER_IMAGE}'
+      - .
+    id: build-image
+  - name: gcr.io/cloud-builders/docker
+    args:
+      - push
+      - '${_DOCKER_IMAGE}'
+    id: push-image
+    waitFor:
+      - build-image
+  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
+    args:
+      - run
+      - deploy
+      - arcsjs-chromium
+      - '--project'
+      - arcsjs
+      - '--image'
+      - '${_DOCKER_IMAGE}'
+      - '--region'
+      - us-central1
+      - '--platform'
+      - managed
+    entrypoint: gcloud
+images:
+  - '${_DOCKER_IMAGE}'
+substitutions:
+  _DOCKER_IMAGE: 'gcr.io/arcsjs/arcsjs-chromium:latest'

index.js

@@ -0,0 +1,40 @@
+import express from "express";
+import bodyParser from "body-parser";
+import fs from "fs";
+import tmp from "tmp";
+import { exec } from "child_process";
+
+const app = express();
+
+app.use(express.static("pkg"));
+app.use(bodyParser.text({ type: 'text/plain' }));
+
+app.get("/", function (req, res) {
+  res.redirect("/demo/quill/index.html");
+});
+
+const RAKSHA_BINARY = '/usr/src/app/raksha/check_policy_compliance';
+const RAKSHA_POLICY = '/usr/src/app/raksha/src/backends/policy_engine/souffle/testdata/arcsjs_policy_rules.txt';
+
+app.post("/raksha", async function (req, res) {
+    const data = req.body;
+    tmp.file(function (err, path, fd, cleanup) {
+      if (err) throw err;
+      fs.appendFile(path, new Buffer(data), function (err) {
+        if (err) {
+          res.send("2");
+        }
+      });
+      exec(`${RAKSHA_BINARY} --ir ${path} --sql_policy_rules=${RAKSHA_POLICY} --policy_engine=`,
+          async (err, stdout, stderr) => {
+        if (err) { console.error(err); res.send("1"); } else {
+          res.send("0");
+        }
+        console.log(stdout);
+      });
+  });
+});
+
+app.listen(3000, function () {
+  console.log("Starting server at port 3000...");
+});

package.json

@@ -1,10 +1,10 @@
 {
   "name": "chromium-arcsjs",
   "author": "[email protected]",
-  "type": "module",
   "license": "ISC",
   "version": "0.0.0",
   "description": "",
+  "type": "module",
   "main": "server.js",
   "engines": {
     "node": ">=14.0.0"
@@ -13,6 +13,9 @@
     "local-web-server": "^4.2.1"
   },
   "dependencies": {
+    "body-parser": "^1.20.0",
+    "express": "^4.18.1",
+    "tmp": "^0.2.1",
     "fastify": "^3.27.4",
     "fastify-static": "^4.6.1"
   },

pkg/Chooser/ChooserApp.js

@@ -22,13 +22,25 @@ export const ChooserApp = class extends App {
     await App.Arcs.addAssembly(assembly, 'user');
   }
 
-  onservice(user, host, {msg, data}) {
+  async onservice(user, host, {msg, data}) {
     switch (msg) {
       case 'currentPolicy':
         return new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToPolicy();
-      case 'currentPolicyIr':
-        return new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToIr();
+      case 'currentPolicyIr': {
+        const ir = new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToIr();
+        const result = await fetch('/raksha', {
+          method: "POST",
+          headers: {
+            "Content-Type": "text/plain"
+          },
+          body: ir
+        });
+        const code = await result.text();
+        return {
+          ir: ir,
+          valid: code.trim() == "0"
+        }
+      }
     }
-    ;
   }
 }

pkg/Library/DevToolsEx/PolicyRenderer.js

@@ -13,15 +13,23 @@
   },
 
   render(inputs, state) {
+    log("Invalid " + !state.policy.valid + " valid " + state.policy.valid);
     return {
-      policy: state.policy,
-      jsonPolicy: {foo: 42, bar: 20}
+      policy: state.policy.ir,
+      jsonPolicy: {foo: 42, bar: 20},
+      invalid: ""+!state.policy.valid,
+      valid: ""+state.policy.valid
     }
   },
 
   get template() {
     return html`
+      <style>
+        [display="false"] { display: none }
+      </style>
 <div>
+  <div style="background-color: red;width: 100%;color:black" display$="{{invalid}}">Policy is Invalid</div>
+  <div style="background-color: green;width: 100%;color:black" display$="{{valid}}">Policy is Valid</div>
   <pre>{{policy}}</pre>
 </div>`;
   }

pkg/demo/policy/Library/SimplePassingRecipe.js

@@ -20,17 +20,22 @@ export const SimplePassingRecipe = {
     },
     public: {
       $tags: ['public'],
+      $type: 'String',
       $value: 'PublicData'
     },
     output: {
       $type: 'String',
+    },
+    intent: {
+      $type: 'String'
     }
   },
   main: {
     $kind: '$local/SimplePassingParticle',
     $inputs: ['private', 'public'],
-    $outputs: ['output'],
+    $outputs: ['output', 'intent'],
     // handler_name -> [tag -> downgraded-tag]
+    // arcsjs.user_consent_to_downgrade[from: 'private', to: 'public']
     $events: {'onClick': ['private', 'public']}
   }
 };

pkg/demo/policy/index.js

@@ -44,8 +44,16 @@ class SimplePassingApp extends App {
 
   onservice(user, host, {msg, data}) {
     switch (msg) {
-      case 'currentPolicy':
-        return new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToPolicy();
+      case 'currentPolicyIr':
+        const ir = new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToIr();
+        fetch('/raksha', {
+          method: "POST",
+          headers: {
+            "Content-Type": "text/plain"
+          },
+          body: ir
+        });
+        return ir;
     }
     ;
   }

pkg/demo/quill/Library/QuillFontPicker.js

@@ -15,7 +15,12 @@
     });
   },
 
-  render({fonts, suggested}) {
+  async update({show}, state, {service}) {
+    const policy = await service({msg: 'currentPolicyIr'});
+    assign(state, {policy});
+  },
+
+  render({fonts, suggested}, {policy}) {
     return {
       styles: {
         models: fonts,
@@ -26,6 +31,7 @@
         models: fonts,
         decorator: 'decorator',
         suggested,
+        policy,
         filter: 'suggestedfilter',
       },
       families: {
@@ -34,6 +40,7 @@
         fonts: {
           collateBy: 'family'
         },
+        policy,
         filter: 'filter'
       }
     };
@@ -47,7 +54,7 @@
     return suggested?.indexOf(name) != -1 && name?.toLowerCase().includes(myFilter?.toLowerCase());
   },
 
-  decorator({family, fullName, weight, style, postscriptName}, {suggested}, {searchFilter}) {
+  decorator({family, fullName, weight, style, postscriptName}, {suggested}, {searchFilter, policy}) {
     const fweight = style.includes('Bold') ? 'bold' : weight;
     const fstyle = style.includes('Italic') ? 'italic' : style.includes('Oblique') ? 'oblique' : '';
     const fontFace =  `@font-face {
@@ -63,12 +70,15 @@
       suggested,
       postscriptName,
       fontFace,
-      displayStyle: `font-family: "${family}"; font-weight: ${fweight}; font-style: ${fstyle};`
+      displayStyle: `font-family: "${family}"; font-weight: ${fweight}; font-style: ${fstyle};`,
+      valid: policy?.valid || false
     };
   },
 
-  onFontClick({eventlet: {key}}) {
-    return {pickedFont: key};
+  onFontClick({eventlet: {key, value}}) {
+    if (value) {
+      return {pickedFont: key};
+    }
   },
 
   onBadFontClick({eventlet: {key}}) {
@@ -153,7 +163,7 @@
 
 <template font_t>
   <div font toolbar>
-    <span flex name xen:style="{{displayStyle}}" on-click="onFontClick" key="{{key}}">{{fullName}}</span>
+    <span flex name xen:style="{{displayStyle}}" on-click="onFontClick" key="{{key}}" value="{{valid}}">{{fullName}}</span>
     <span sample xen:style="{{displayStyle}}" on-click="onBadFontClick" key="{{key}}">Sample</span>
   </div>
 </template>

pkg/demo/quill/Library/QuillFontPickerRecipe.js

@@ -16,23 +16,27 @@ export const QuillFontPickerRecipe = {
   $stores: {
     fonts: {
       $type: `[Key]`,
-      $tags: ['simple']
+      $tags: ['private']
     },
     pickedFont: {
-      $type: `FontKey`
+      $type: `FontKey`,
+      $tags: ['public']
     },
     suggested: {
       $type: `[Key]`,
+      $tags: ['public']
     },
-    baz: {
-      $type: '[String]',
-      value: 10
+    downgrade_intent: {
+      $type: 'Intent',
+      $tags: [],
+      $value: [],
     }
   },
 
   main: {
     $kind: "$local/../../quill/Library/QuillFontPicker",
     $inputs: ['fonts', 'suggested'],
-    $outputs: ['pickedFont'],
+    $outputs: ['pickedFont', 'downgrade_intent'],
+    $events: {'onFontClick': ['private', 'public']}
   },
  };

pkg/policy/ir_test.js

@@ -13,5 +13,6 @@ import {SimpleRecipe} from './simple_recipe.js';
 
 const policyGen = new PolicyGenerator(SimpleRecipe, "SimpleRecipe");
 const ir = policyGen.recipeToIr();
+console.log(ir);
 console.assert(ir.trim() == SimpleRecipeIr.trim(),
     "IR don't match");