Runtime: Support initial HTTP-based bundle sources (#17)

This commit implements support for the following HTTP-based
bundle sources:

 - No auth HTTP/HTTPS (default)
 - Bearer auth

Several config parsing bugs were also fixed.

Signed-off-by: Philip Conrad <philip_conrad@apple.com>

Author: philipaconrad

Package.swift

@@ -16,6 +16,8 @@ let package = Package(
     ],
     dependencies: [
         .package(url: "https://github.com/open-policy-agent/swift-opa", branch: "main"),
+        .package(url: "https://github.com/apple/swift-nio.git", from: "2.81.0"),
+        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.30.0"),
         .package(url: "https://github.com/swift-server/async-http-client", from: "1.21.0"),
         // TODO: Swap for whatever our solution ends up being. This is not the most recent commit,
         // but it is the last one that supports macOS 13 as a target.
@@ -65,7 +67,12 @@ let package = Package(
         ),
         .testTarget(
             name: "RuntimeTests",
-            dependencies: ["Runtime"]
+            dependencies: [
+                "Runtime",
+                .product(name: "NIOCore", package: "swift-nio"),
+                .product(name: "NIOPosix", package: "swift-nio"),
+                .product(name: "NIOHTTP1", package: "swift-nio"),
+            ]
         ),
     ]
 )

Sources/Config/BundleConfig.swift

@@ -168,7 +168,7 @@ extension OPA {
         /// in separate top-level config sections and aren't available at decode
         /// time. The parent config calls this method during its resolution phase
         /// to produce a fully-populated instance.
-        public func resolved(withKeys keys: [String: KeyConfig]) throws -> BundleSourceConfig {
+        public func resolved(withKeys keys: [String: KeyConfig], name: String) throws -> BundleSourceConfig {
             var resolvedSigning = try self.signing?.resolved(withKeys: keys)
             if !keys.isEmpty && resolvedSigning == nil {
                 resolvedSigning = BundleVerificationConfig(publicKeys: keys, keyID: "", scope: "", exclude: [])
@@ -177,7 +177,7 @@ extension OPA {
             return try BundleSourceConfig(
                 downloaderConfig: downloaderConfig,
                 service: service,
-                resource: resource,
+                resource: resource ?? "/bundle/\(name)",
                 signing: resolvedSigning,
                 persist: persist,
                 sizeLimitBytes: sizeLimitBytes

Sources/Config/Config.swift

@@ -63,7 +63,9 @@ extension OPA {
 
             // Some nested structures require cross-config context, so we resolve those parts out here.
             self.discovery = try discovery?.resolved(withKeys: keys)
-            self.bundles = try bundles.mapValues({ try $0.resolved(withKeys: keys) })
+            self.bundles = Dictionary(
+                uniqueKeysWithValues: try bundles.map({ try ($0.key, $0.value.resolved(withKeys: keys, name: $0.key)) })
+            )
             self.keys = keys
 
             try self.validate()
@@ -80,7 +82,7 @@ extension OPA {
                 self.services = services
             } catch {
                 let servicesArray = try container.decodeIfPresent([ServiceConfig].self, forKey: .services) ?? []
-                var services = [String: ServiceConfig]()
+                var services = [String: ServiceConfig](minimumCapacity: servicesArray.count)
                 for (idx, service) in servicesArray.enumerated() {
                     guard let name = service.name else {
                         throw OPA.ConfigError(
@@ -111,7 +113,9 @@ extension OPA {
 
             // Some nested structures require cross-config context, so we resolve those parts out here.
             self.discovery = try discovery?.resolved(withKeys: keys)
-            self.bundles = try bundles.mapValues({ try $0.resolved(withKeys: keys) })
+            self.bundles = Dictionary(
+                uniqueKeysWithValues: try bundles.map({ try ($0.key, $0.value.resolved(withKeys: keys, name: $0.key)) })
+            )
             self.keys = keys
 
             try self.validate()

Sources/Config/ServiceConfig.swift

@@ -46,7 +46,7 @@ extension OPA {
             self.allowInsecureTLS = allowInsecureTLS
             self.responseHeaderTimeoutSeconds = responseHeaderTimeoutSeconds
             self.tls = tls
-            let credentials = credentials
+            let credentials = credentials ?? .defaultNoAuth
             self.type = type
 
             if case .bearer(let plugin) = credentials {
@@ -67,7 +67,7 @@ extension OPA {
             self.responseHeaderTimeoutSeconds = try container.decodeIfPresent(
                 Int64.self, forKey: .responseHeaderTimeoutSeconds)
             self.tls = try container.decodeIfPresent(ServerTLSConfig.self, forKey: .tls)
-            let credentials = try container.decodeIfPresent(Credentials.self, forKey: .credentials)
+            let credentials = try container.decodeIfPresent(Credentials.self, forKey: .credentials) ?? .defaultNoAuth
             self.type = try container.decodeIfPresent(String.self, forKey: .type)
 
             if case .bearer(let plugin) = credentials {
@@ -88,6 +88,7 @@ extension OPA {
         /// config keys in this section-- any configuration will appear under the
         /// `plugins` section.
         public enum Credentials: Codable, Sendable, Equatable {
+            case defaultNoAuth
             case bearer(BearerAuthPlugin)
             case oauth2([String: AnyCodable])
             case clientTLS(ClientTLSAuthPlugin)
@@ -112,49 +113,62 @@ extension OPA {
                 // Check if plugin field is present.
                 if let pluginName = try container.decodeIfPresent(String.self, forKey: .custom) {
                     self = .custom(pluginName)
-                } else {
-                    // Fall back to trying each credential type.
-                    let attemptedCredentialTypes: [Credentials?] = [
-                        try? container.decodeIfPresent(BearerAuthPlugin.self, forKey: .bearer).map { .bearer($0) },
-                        try? container.decodeIfPresent([String: AnyCodable].self, forKey: .oauth2).map { .oauth2($0) },
-                        try? container.decodeIfPresent(ClientTLSAuthPlugin.self, forKey: .clientTLS).map {
-                            .clientTLS($0)
-                        },
-                        try? container.decodeIfPresent([String: AnyCodable].self, forKey: .s3Signing).map {
-                            .s3Signing($0)
-                        },
-                        try? container.decodeIfPresent(GCPMetadataAuthPlugin.self, forKey: .gcpMetadata).map {
-                            .gcpMetadata($0)
-                        },
-                        try? container.decodeIfPresent(
-                            AzureManagedIdentitiesAuthPlugin.self, forKey: .azureManagedIdentity
-                        )
-                        .map {
-                            .azureManagedIdentity($0)
-                        },
-                    ]
-
-                    let foundCredentials = attemptedCredentialTypes.compactMap { $0 }
-
-                    guard foundCredentials.count == 1 else {
-                        throw DecodingError.dataCorrupted(
-                            DecodingError.Context(
-                                codingPath: container.codingPath,
-                                debugDescription: foundCredentials.isEmpty
-                                    ? "No valid credential type found"
-                                    : "Expected exactly one credential type, but found \(foundCredentials.count)"
-                            )
+                    return
+                }
+
+                // Determine which credential keys are actually present in the payload.
+                let credentialKeys: [CodingKeys] = [
+                    .bearer, .oauth2, .clientTLS, .s3Signing, .gcpMetadata, .azureManagedIdentity,
+                ]
+                let presentKeys = credentialKeys.filter { container.contains($0) }
+
+                guard presentKeys.count <= 1 else {
+                    throw DecodingError.dataCorrupted(
+                        DecodingError.Context(
+                            codingPath: container.codingPath,
+                            debugDescription:
+                                "Expected at most one credential type, but found \(presentKeys.count)"
                         )
-                    }
+                    )
+                }
 
-                    self = foundCredentials[0]
+                // No credential keys present (e.g. empty `{}`): default to no auth.
+                guard let key = presentKeys.first else {
+                    self = .defaultNoAuth
+                    return
+                }
+
+                // Exactly one key present — decode it strictly so misconfigurations propagate.
+                switch key {
+                case .bearer:
+                    self = .bearer(try container.decode(BearerAuthPlugin.self, forKey: .bearer))
+                case .oauth2:
+                    self = .oauth2(try container.decode([String: AnyCodable].self, forKey: .oauth2))
+                case .clientTLS:
+                    self = .clientTLS(try container.decode(ClientTLSAuthPlugin.self, forKey: .clientTLS))
+                case .s3Signing:
+                    self = .s3Signing(try container.decode([String: AnyCodable].self, forKey: .s3Signing))
+                case .gcpMetadata:
+                    self = .gcpMetadata(try container.decode(GCPMetadataAuthPlugin.self, forKey: .gcpMetadata))
+                case .azureManagedIdentity:
+                    self = .azureManagedIdentity(
+                        try container.decode(AzureManagedIdentitiesAuthPlugin.self, forKey: .azureManagedIdentity))
+                default:
+                    throw DecodingError.dataCorrupted(
+                        DecodingError.Context(
+                            codingPath: container.codingPath,
+                            debugDescription: "Unexpected credential key: \(key.stringValue)"
+                        )
+                    )
                 }
             }
 
             public func encode(to encoder: Encoder) throws {
                 var container = encoder.container(keyedBy: CodingKeys.self)
 
                 switch self {
+                case .defaultNoAuth:
+                    break
                 case .bearer(let plugin):
                     try container.encode(plugin, forKey: .bearer)
                 case .oauth2(let config):
@@ -175,6 +189,16 @@ extension OPA {
 
         // Validates struct-local constraints.
         public func validate() throws {
+            // Ensure URL is a valid HTTP/HTTPS URL.
+            guard let scheme = self.url.scheme?.lowercased(),
+                scheme == "http" || scheme == "https",
+                self.url.host != nil
+            else {
+                throw OPA.ConfigError(
+                    code: .internalError, message: "Expected a valid http/https URL, got: \(self.url)")
+            }
+
+            // For credentials types that need extra context, we validate those here.
             switch self.credentials {
             case .clientTLS(let plugin):
                 try plugin.validateWithContext(serviceTLS: self.tls)

Sources/Runtime/BundleProvider.swift

@@ -1,5 +1,4 @@
 import AST
-import Config
 import Foundation
 import Rego
 
@@ -8,73 +7,6 @@ extension OPA {
     /// It is expected that implementations each have to be created
     /// from an OPA config's service / resource definitions.
     public protocol BundleLoader {
-        func load() -> Result<Bundle, any Swift.Error>
-    }
-
-    /// DiskBasedBundleSource abstracts over folder and tarball bundles.
-    public struct DiskBasedBundleLoader: BundleLoader {
-        public let name: String
-        public let fetchURL: URL
-
-        public init(services: [String: ServiceConfig], name: String, resource: BundleSourceConfig) throws {
-            self.name = name
-            guard let url = URL(string: resource.resource ?? "") else {
-                throw RuntimeError(
-                    code: .internalError,
-                    message: "Invalid URL for bundle config \(name): \(resource.resource ?? "")"
-                )
-            }
-            // If no bundle service specified to fetch from, make sure we have a file URL to load from disk.
-            guard !(resource.service.isEmpty && url.scheme != "file") else {
-                throw RuntimeError(
-                    code: .internalError,
-                    message: "No service config or file:// URL was provided for bundle config \(name)."
-                )
-            }
-            self.fetchURL = url
-        }
-
-        public func load() -> Result<Bundle, any Swift.Error> {
-            var isDirectory: ObjCBool = false
-            if FileManager.default.fileExists(atPath: self.fetchURL.path, isDirectory: &isDirectory) {
-                if isDirectory.boolValue {
-                    // Assert directory not empty before attempting to load it as a bundle.
-                    do {
-                        guard !(try FileManager.default.contentsOfDirectory(atPath: self.fetchURL.path).isEmpty)
-                        else {
-                            throw OPA.Bundle.LoadError.unsupported("Directory was empty")
-                        }
-                    } catch {
-                        return .failure(
-                            RuntimeError(
-                                code: .internalError,
-                                message:
-                                    "bundle \(name) failed to load with error: \(error)"
-                            ))
-                    }
-                    // Directory not empty.
-                    do {
-                        let bundle = try Bundle.decodeFromDirectory(fromDir: self.fetchURL)
-                        return .success(bundle)
-                    } catch {
-                        return .failure(error)
-                    }
-                } else {
-                    do {
-                        let bundleData = try Data(contentsOf: self.fetchURL)
-                        let bundle = try Bundle.decodeFromTarball(from: bundleData)
-                        return .success(bundle)
-                    } catch {
-                        return .failure(error)
-                    }
-                }
-            }
-            return .failure(
-                RuntimeError(
-                    code: .internalError,
-                    message:
-                        "bundle \(name) failed to load. No file or directory found."
-                ))
-        }
+        func load() async -> Result<Bundle, any Swift.Error>
     }
 }

Sources/Runtime/DiskBasedBundleProvider.swift

@@ -0,0 +1,77 @@
+import Config
+import Foundation
+import Rego
+
+extension OPA {
+    /// DiskBasedBundleLoader abstracts over folder and tarball bundles.
+    public struct DiskBasedBundleLoader: BundleLoader {
+        public let name: String
+        public let fetchURL: URL
+
+        public init(services: [String: ServiceConfig], name: String, resource: BundleSourceConfig) throws {
+            self.name = name
+            guard let url = URL(string: resource.resource ?? "") else {
+                throw RuntimeError(
+                    code: .internalError,
+                    message: "Invalid URL for bundle config \(name): \(resource.resource ?? "")"
+                )
+            }
+            // If no bundle service specified to fetch from, make sure we have a file URL to load from disk.
+            guard !(resource.service.isEmpty && url.scheme != "file") else {
+                throw RuntimeError(
+                    code: .internalError,
+                    message: "No service config or file:// URL was provided for bundle config \(name)."
+                )
+            }
+            self.fetchURL = url
+        }
+
+        // If the resource is a file URL, we can load it.
+        public static func compatibleWithConfig(resource: BundleSourceConfig) -> Bool {
+            return (URL(string: resource.resource ?? "")?.scheme == "file")
+        }
+
+        public func load() async -> Result<Bundle, any Swift.Error> {
+            var isDirectory: ObjCBool = false
+            if FileManager.default.fileExists(atPath: self.fetchURL.path, isDirectory: &isDirectory) {
+                if isDirectory.boolValue {
+                    // Assert directory not empty before attempting to load it as a bundle.
+                    do {
+                        guard !(try FileManager.default.contentsOfDirectory(atPath: self.fetchURL.path).isEmpty)
+                        else {
+                            throw OPA.Bundle.LoadError.unsupported("Directory was empty")
+                        }
+                    } catch {
+                        return .failure(
+                            RuntimeError(
+                                code: .internalError,
+                                message:
+                                    "bundle \(name) failed to load with error: \(error)"
+                            ))
+                    }
+                    // Directory not empty.
+                    do {
+                        let bundle = try Bundle.decodeFromDirectory(fromDir: self.fetchURL)
+                        return .success(bundle)
+                    } catch {
+                        return .failure(error)
+                    }
+                } else {
+                    do {
+                        let bundleData = try Data(contentsOf: self.fetchURL)
+                        let bundle = try Bundle.decodeFromTarball(from: bundleData)
+                        return .success(bundle)
+                    } catch {
+                        return .failure(error)
+                    }
+                }
+            }
+            return .failure(
+                RuntimeError(
+                    code: .internalError,
+                    message:
+                        "bundle \(name) failed to load. No file or directory found."
+                ))
+        }
+    }
+}