feat: Support for external libraries in JS sandbox (#47)

Author: cdata

Cargo.lock

@@ -1,7 +1,8 @@
 [workspace]
 members = [
   "rust/usuba",
-  "rust/usuba-compat"
+  "rust/usuba-compat",
+  "rust/usuba-bundle"
 ]
 
 # See: https://github.com/rust-lang/rust/issues/90148#issuecomment-949194352
@@ -13,11 +14,16 @@ async-trait = { version = "0.1" }
 axum = { version = "0.7" }
 blake3 = { version = "1.5" }
 bytes = { version = "1" }
+deno_emit = { version = "0.42" }
+deno_graph = { version = "0.78" }
+http = { version = "1.1" }
+http-body-util = { version = "0.1" }
 hyper-util = { version = "0.1", features = ["client", "client-legacy"] }
 js-component-bindgen = { version = "1", features = ["transpile-bindgen"] }
 js-sys = { version = "0.3" }
 mime_guess = { version = "2" }
 redb = { version = "2" }
+reqwest = { version = "0.12", default-features = false  }
 rust-embed = { version = "8.4" }
 serde = { version = "1" }
 serde_json = { version = "1" }
@@ -28,6 +34,8 @@ tower-http = { version = "0.5" }
 tracing = { version = "0.1" }
 tracing-subscriber = { version = "0.3", features = ["env-filter", "tracing-log", "json"] }
 tracing-web = { version = "0.1" }
+url = { version = "2" }
+usuba-bundle = { path = "./rust/usuba-bundle" }
 utoipa = { version = "4" }
 utoipa-swagger-ui = { version = "7" }
 wasm-bindgen = { version = "0.2" }

Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "usuba-bundle"
+description = "Code preparation steps for Common modules"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = { workspace = true }
+bytes = { workspace = true }
+deno_emit = { workspace = true }
+deno_graph = { workspace = true }
+reqwest = { workspace = true, default-features = false, features = ["rustls-tls", "charset", "http2", "macos-system-configuration"] }
+tokio = { workspace = true, features = ["rt-multi-thread", "io-util", "process", "fs"] }
+tracing = { workspace = true }
+url = { workspace = true }
+
+[dev-dependencies]
+tracing-subscriber = { workspace = true }

rust/usuba-bundle/Cargo.toml

@@ -0,0 +1,191 @@
+#[macro_use]
+extern crate tracing;
+
+use anyhow::{anyhow, Result};
+use bytes::Bytes;
+use deno_emit::{
+    bundle, BundleOptions, BundleType, EmitOptions, LoadFuture, LoadOptions, Loader,
+    ModuleSpecifier, SourceMapOption, TranspileOptions,
+};
+use deno_graph::source::LoadResponse;
+use url::Url;
+
+pub struct JavaScriptLoader {
+    root: Option<Bytes>,
+}
+
+impl JavaScriptLoader {
+    pub fn new(root: Option<Bytes>) -> Self {
+        Self { root }
+    }
+}
+
+impl Loader for JavaScriptLoader {
+    fn load(&self, specifier: &ModuleSpecifier, _options: LoadOptions) -> LoadFuture {
+        let root = self.root.clone();
+        let specifier = specifier.clone();
+
+        debug!("Attempting to load '{}'", specifier);
+
+        Box::pin(async move {
+            match specifier.scheme() {
+                "usuba" => {
+                    debug!("Usuba!");
+                    Ok(Some(LoadResponse::Module {
+                        content: root
+                            .ok_or_else(|| {
+                                anyhow!("Attempted to load root module, but no root was specified!")
+                            })?
+                            .to_vec()
+                            .into(),
+                        specifier,
+                        maybe_headers: None,
+                    }))
+                }
+                "common" => {
+                    debug!("Common!");
+                    Ok(Some(LoadResponse::External {
+                        specifier: specifier.clone(),
+                    }))
+                }
+                "https" => {
+                    debug!("Https!");
+                    let response = reqwest::get(specifier.clone()).await?;
+                    let headers = response.headers().to_owned();
+                    let bytes = response.bytes().await?;
+                    let content = bytes.to_vec().into();
+
+                    trace!("Loaded remote module: {}", String::from_utf8_lossy(&bytes));
+                    Ok(Some(LoadResponse::Module {
+                        content,
+                        specifier,
+                        maybe_headers: Some(
+                            headers
+                                .into_iter()
+                                .filter_map(|(h, v)| {
+                                    h.map(|header| {
+                                        (
+                                            header.to_string(),
+                                            v.to_str().unwrap_or_default().to_string(),
+                                        )
+                                    })
+                                })
+                                .collect(),
+                        ),
+                    }))
+                }
+                "node" | "npm" => Err(anyhow!(
+                    "Could not import '{specifier}'. Node.js and NPM modules are not supported."
+                )),
+                _ => Err(anyhow!(
+                    "Could not import '{specifier}'. Unrecognize specifier format.'"
+                )),
+            }
+        })
+    }
+}
+
+pub struct JavaScriptBundler {}
+
+impl JavaScriptBundler {
+    fn bundle_options() -> BundleOptions {
+        BundleOptions {
+            bundle_type: BundleType::Module,
+            transpile_options: TranspileOptions::default(),
+            emit_options: EmitOptions {
+                source_map: SourceMapOption::None,
+                source_map_file: None,
+                inline_sources: false,
+                remove_comments: true,
+            },
+            emit_ignore_directives: false,
+            minify: false,
+        }
+    }
+
+    pub async fn bundle_url(url: Url) -> Result<String> {
+        let mut loader = JavaScriptLoader::new(None);
+        let emit = bundle(url, &mut loader, None, Self::bundle_options()).await?;
+        Ok(emit.code)
+    }
+
+    pub async fn bundle_module(module: Bytes) -> Result<String> {
+        let mut loader = JavaScriptLoader::new(Some(module));
+        let emit = bundle(
+            Url::parse("usuba:root")?,
+            &mut loader,
+            None,
+            Self::bundle_options(),
+        )
+        .await?;
+        Ok(emit.code)
+    }
+}
+
+#[cfg(test)]
+pub mod tests {
+    use anyhow::Result;
+    use url::Url;
+
+    use crate::JavaScriptBundler;
+
+    #[tokio::test]
+    async fn it_loads_a_module_from_esm_sh() -> Result<()> {
+        let candidate = Url::parse("https://esm.sh/canvas-confetti@1.6.0")?;
+        let bundle = JavaScriptBundler::bundle_url(candidate).await?;
+
+        assert!(bundle.len() > 0);
+
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn it_loads_a_module_from_deno_land() -> Result<()> {
+        let candidate = Url::parse("https://deno.land/x/zod@v3.16.1/mod.ts")?;
+        let bundle = JavaScriptBundler::bundle_url(candidate).await?;
+
+        assert!(bundle.len() > 0);
+
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn it_can_bundle_a_module_file() -> Result<()> {
+        let candidate = format!(
+            r#"export * from "https://esm.sh/canvas-confetti@1.6.0";
+"#
+        );
+        let bundle = JavaScriptBundler::bundle_module(candidate.into()).await?;
+
+        assert!(bundle.len() > 0);
+
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn it_skips_common_modules_when_bundling() -> Result<()> {
+        let candidate = format!(
+            r#"
+import {{ read, write }} from "common:io/state@0.0.1";
+
+// Note: must use imports else they are tree-shaken
+// Caveat: cannot re-export built-ins as it provokes bundling
+console.log(read, write);
+"#
+        );
+
+        let bundle = JavaScriptBundler::bundle_module(candidate.into())
+            .await
+            .map_err(|error| {
+                error!("{}", error);
+                error
+            })
+            .unwrap();
+
+        debug!("{bundle}");
+
+        assert!(bundle.contains("import { read, write } from \"common:io/state@0.0.1\""));
+
+        Ok(())
+    }
+}

rust/usuba-bundle/src/lib.rs

@@ -1,6 +1,6 @@
 [package]
 name = "usuba"
-description = "An anything-to-Common-Wasm build server"
+description = "A Common server"
 version = "0.1.0"
 edition = "2021"
 
@@ -24,6 +24,7 @@ tokio = { workspace = true, features = ["rt-multi-thread", "io-util", "process",
 tower-http = { workspace = true, features = ["cors"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
+usuba-bundle = { workspace = true }
 utoipa = { workspace = true, features = ["axum_extras"] }
 utoipa-swagger-ui = { workspace = true, features = ["axum"] }
 wit-parser = { workspace = true }

rust/usuba/Cargo.toml

@@ -7,6 +7,7 @@ use tempfile::TempDir;
 
 use tokio::process::Command;
 use tokio::task::JoinSet;
+use usuba_bundle::JavaScriptBundler;
 
 use crate::write_file;
 
@@ -18,7 +19,7 @@ impl Bake for JavaScriptBaker {
     #[instrument]
     async fn bake(
         &self,
-        world: &str,
+        _world: &str,
         wit: Vec<Bytes>,
         source_code: Bytes,
         library: Vec<Bytes>,
@@ -29,6 +30,12 @@ impl Bake for JavaScriptBaker {
             workspace.path().display()
         );
 
+        let bundled_source_code = tokio::task::spawn_blocking(move || {
+            tokio::runtime::Handle::current()
+                .block_on(JavaScriptBundler::bundle_module(source_code))
+        })
+        .await??;
+
         let wasm_path = workspace.path().join("module.wasm");
         let js_path = workspace.path().join("module.js");
 
@@ -44,7 +51,10 @@ impl Bake for JavaScriptBaker {
         wit.into_iter()
             .enumerate()
             .map(|(i, wit)| write_file(wit_path.join(format!("module{}.wit", i)), wit))
-            .chain([write_file(js_path.clone(), source_code)])
+            .chain([write_file(
+                js_path.clone(),
+                Bytes::from(bundled_source_code),
+            )])
             .chain(
                 library.into_iter().enumerate().map(|(i, wit)| {
                     write_file(wit_deps_path.join(format!("library{}.wit", i)), wit)

rust/usuba/src/bake/javascript.rs

@@ -3,14 +3,13 @@ extern crate tracing;
 
 use std::net::SocketAddr;
 
-use tracing::Level;
-use tracing_subscriber::{fmt::Layer, layer::SubscriberExt, FmtSubscriber};
+use tracing_subscriber::{fmt::Layer, layer::SubscriberExt, EnvFilter, FmtSubscriber};
 use usuba::{serve, UsubaError};
 
 #[tokio::main]
 pub async fn main() -> Result<(), UsubaError> {
     let subscriber = FmtSubscriber::builder()
-        .with_max_level(Level::TRACE)
+        .with_env_filter(EnvFilter::from_default_env())
         .finish();
     tracing::subscriber::set_global_default(subscriber.with(Layer::default().pretty()))?;
 

rust/usuba/src/bin/usuba.rs

@@ -1,17 +1,22 @@
 use utoipa::OpenApi;
 
 use crate::{
-    routes::{BuildModuleRequest, BuildModuleResponse},
+    routes::{BuildModuleRequest, BuildModuleResponse, BundleRequest},
     ErrorResponse,
 };
 
 #[derive(OpenApi)]
 #[openapi(
-    paths(crate::routes::build_module, crate::routes::retrieve_module),
+    paths(
+        crate::routes::build_module,
+        crate::routes::retrieve_module,
+        crate::routes::bundle_javascript
+    ),
     components(
         schemas(BuildModuleResponse),
         schemas(ErrorResponse),
-        schemas(BuildModuleRequest)
+        schemas(BuildModuleRequest),
+        schemas(BundleRequest)
     )
 )]
 pub struct OpenApiDocs;

rust/usuba/src/openapi.rs

@@ -0,0 +1,45 @@
+use axum::extract::Multipart;
+use usuba_bundle::JavaScriptBundler;
+use utoipa::ToSchema;
+
+use crate::UsubaError;
+
+#[derive(ToSchema)]
+pub struct BundleRequest {
+    pub source: Vec<Vec<u8>>,
+}
+
+#[utoipa::path(
+  post,
+  path = "/api/v0/bundle",
+  request_body(content = BundleRequest, content_type = "multipart/form-data"),
+  responses(
+    (status = 200, description = "Successfully built the module", body = String, content_type = "text/javascript"),
+    (status = 400, description = "Bad request body", body = ErrorResponse),
+    (status = 500, description = "Internal error", body = ErrorResponse)
+  )
+)]
+pub async fn bundle_javascript(mut form_data: Multipart) -> Result<String, UsubaError> {
+    let first_field = if let Some(field) = form_data.next_field().await? {
+        field
+    } else {
+        return Err(UsubaError::BadRequest);
+    };
+
+    match first_field.name() {
+        Some("source") => match first_field.file_name() {
+            Some(name) if name.ends_with(".js") => {
+                let source_code = first_field.bytes().await?;
+                return Ok(tokio::task::spawn_blocking(move || {
+                    tokio::runtime::Handle::current()
+                        .block_on(JavaScriptBundler::bundle_module(source_code))
+                })
+                .await??);
+            }
+            _ => warn!("Skipping unexpected content type"),
+        },
+        _ => warn!("Skipping unexpected multipart content"),
+    }
+
+    Err(UsubaError::BadRequest)
+}

rust/usuba/src/routes/bundle/javascript.rs

@@ -0,0 +1,3 @@
+mod javascript;
+
+pub use javascript::*;