Merge pull request #1 from unisoncomputing/architecture-docs

Add architecture and security docs

Author: ceedubs

docs/architecture/README.md

@@ -0,0 +1,142 @@
+# Unison Cloud architecture
+
+At a high level, the system architecture for Unison Cloud looks like this:
+
+```mermaid
+flowchart LR
+    dev("🧑‍💻 Developer<br/>ucm, @unison/cloud library")
+    browser("🌐 Client <br/>browser, curl, external service, etc")
+    internet("🌐 Public internet")
+    subgraph data-plane["☁️ Data plane (your infra)"]
+        reverse-proxy("Reverse proxy<br/>(optional)<br>Nginx, Caddy, etc")
+        subgraph nimbus["Nimbus instance"]
+            nimbus-public@{ shape: comment, label: "Public HTTP port" }
+            nimbus-gossip@{ shape: brace-r, label: "Gossip port" }
+        end
+        other-nimbus-instances@{ shape: processes, label: "Other nimbus instances" }
+        storage[("Storage (DynamoDB)")]
+        blobstore[("Blobs (S3)")]
+        secrets[("Secret store (Vault)")]
+        outbound-proxy["Outbound proxy<br/>(optional)"]
+    end
+    control-plane("☁️ Control plane<br/>(Unison Computing infra)")
+    dev -->|Cloud.run auth| control-plane
+    dev -->|Cloud.run| reverse-proxy
+    reverse-proxy --> nimbus-public
+    browser -->|HTTP request to user-deployed service| reverse-proxy
+    nimbus --> storage
+    nimbus --> blobstore
+    nimbus --> secrets
+    nimbus --->|Persistent WebSocket| control-plane
+    nimbus --> outbound-proxy --> internet
+    nimbus-gossip <--> other-nimbus-instances
+```
+
+The server side of Unison Cloud is divided between the [control plane](#control-plane) and the [data plane](#data-plane). The **control plane** is in charge of authentication/authorization and coordination, while the **data plane** runs user jobs/services and houses user data.
+
+To understand the connections between these components it may be helpful to see a diagram of the sequence of events when a developer deploys a Unison Cloud web service and then another user accesses it:
+
+```mermaid
+sequenceDiagram
+    box rgba(128,128,128, 0.1) Control Plane<br/>#40;Unison Computing infra#41;
+        participant cloud-api as cloud-api
+    end
+    actor dev as developer (via cloud client lib)
+    box rgba(128,128,128, 0.1) Data Plane #40;your infra#41;
+        participant nimbus
+    end
+    actor consumer as service consumer (browser, external service, etc)
+    dev->>+cloud-api: deploy service to env `task-app-prod` (auth token)
+    cloud-api->>dev: `task-app-prod` access confirmed (scoped token)
+    dev->>+nimbus: Deploy service (scoped token, code)
+    nimbus->>dev: Service deployed! (service URL)
+    consumer->>nimbus: GET /s/task-app/tasks
+    nimbus->>consumer: ["dishes", "laundry"]
+```
+
+## Control plane
+
+The control plane is in charge of authentication/authorization and coordination of Unison Cloud clusters. It typically runs on centralized Unison Computing infrastructure (but contact us if you have other needs) and does not have access to the user/application secrets, code, or data that are housed in the data plane.
+
+Interactions with the control plane go through an HTTP API that you may see referred to as `cloud-api`.
+
+### Authentication and authorization
+
+The control plane manages two separate types of **authentication**:
+
+- Nimbus nodes requesting to join a cluster
+- Developers or CI/CD servers submitting jobs, deploying services, creating databases, etc. These requests typically come from the [cloud client][cloud-client].
+
+While **authentication** uses long-lived credentials, **authorization** for job submissions, service deployments, etc is enabled via narrowly-scoped per-request tokens.
+
+See [the security guide][auth] for details about authentication and authorization.
+
+### Cluster membership and orchestration
+
+One of the primary functions of the control plane is to keep track of cluster membership. As each Nimbus node starts up, it establishes a persistent connection to the control plane, registering with a location ID and address (URI). The control plane then broadcasts a message to other connected Nimbus nodes to inform them about the new cluster member. It sends periodic health checks to each Nimbus instance and will alert other nodes if one disconnects or fails health checks.
+
+As the source of truth on cluster membership, the control plane also orchestrates cluster operations. For example it informs each node which [daemons][daemons] it should run.
+
+### Cluster events
+
+The control plane broadcasts messages to each connected Nimbus node to keep it updated on cluster events. In many cases these events are used to optimize/invalidate local caches. Events include:
+
+- members joining, leaving, or failing health checks (mentioned above)
+- [Environment][Environment] changes, such as a [Config][env-config] value changing
+- user service changes, such as a new implementation being assigned to a [service name][ServiceName]
+
+## Data plane
+
+### Nimbus
+
+Nimbus instances are the primary workers of a Unison Cloud cluster. They run user-submitted jobs (via [Cloud.submit][Cloud.submit]) and services (via [Cloud.deploy][Cloud.deploy]), supporting the [Remote ability][Remote] for distributed programs.
+
+Nimbus is itself implemented in Unison and greatly benefits from the Unison programming language's support for distributed computation:
+
+- Values and entire programs/services can be serialized and sent to another node to distribute computation.
+- Thanks to content-addressed code there are never runtime dependency conflicts or name collisions, even in a shared cluster.
+- User code is sandboxed with fine-grained control of which operations are permitted.
+
+Nimbus serves a few different types of requests:
+
+- Authenticated developer requests to run jobs, deploy services, and other functionality provided by the [cloud client][cloud-client]. These arrive via the public HTTP port.
+- Unauthorized requests to user-deployed services that arrive via the public HTTP port under dedicated `/s/` (service name) and `/h/` (service hash) endpoints. The underlying user-defined web service may implement its own authentication, but Nimbus itself considers these endpoints to be public.
+- Nimbus cluster peer requests that arrive via the gossip port. These are requests supporting distributed computation such as "run this program in a new thread", "cancel this thread", "atomically modify this mutable reference", and "read this promise and send me the result when it is available".
+
+For more details on Nimbus authentication and ports see the [security documentation][security].
+
+### Transactional Storage
+
+The transactional storage provider of the data plane supports the [Storage][Storage] ability. Currently the only supported backend is [DynamoDB][DynamoDB].
+
+### Blob store
+
+The blob store provider of the data plane supports the [Blobs][Blobs] ability. Currently blob stores with an [s3][s3]-compatible API are supported.
+
+### Secrets
+
+The secrets provider of the data plane supports the [Environment][Environment] and [Environment.Config][Environment.Config] abilities. Currently [Vault][vault] is supported, but we plan to support other secrets providers as requested.
+
+### Outbound proxy
+
+The data plane can optionally configure an outbound network proxy that will be used for all user [{Http}][Http] and [{Tcp}][Tcp] requests. This may be your existing corporate proxy or could be a custom [squid][squid] proxy that only lets user code connect to vetted domains/ports/IPs/etc.
+
+[auth]: security.md
+[Blobs]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Blobs
+[cloud-client]: https://share.unison-lang.org/@unison/cloud
+[Cloud.deploy]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/terms/Cloud/deploy
+[Cloud.submit]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/terms/Cloud/submit
+[daemons]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Daemon
+[DynamoDb]: https://docs.aws.amazon.com/dynamodb/
+[Environment]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Environment
+[Environment.Config]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Environment/Config
+[env-config]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Environment/Config
+[Http]: https://share.unison-lang.org/@unison/http/code/releases/5.0.2/latest/types/client/Http
+[Remote]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Remote
+[security]: security.md
+[ServiceName]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/ServiceName
+[s3]: https://aws.amazon.com/s3/
+[squid]: https://www.squid-cache.org/
+[Storage]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/Storage
+[Tcp]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/types/provisional/Remote/Tcp
+[vault]: https://www.hashicorp.com/en/products/vault

docs/architecture/security.md

@@ -0,0 +1,106 @@
+# Unison Cloud security
+
+This document provides a security overview of Unison Cloud. It will be helpful to first familiarize yourself with the [Unison Cloud architecture][architecture].
+
+## User (developer) authentication
+
+Before allowing a developer (or a CI/CD job) to create an environment, submit a job, deploy a service, we must validate their identity.
+
+[Unison Share][Share] acts as the authentication server for Unison Cloud. It implements [OAuth2](https://datatracker.ietf.org/doc/html/rfc6749) with
+the [PKCE extension](https://www.oauth.com/oauth2-servers/pkce/), and a subset of the [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html) and [OpenID Discovery specifications](https://openid.net/specs/openid-connect-discovery-1_0.html). Its open-source auth implementation can be found [here][share-auth]. Its current JSON Web Key Set can be found at its [.well-known/jwks.json endpoint](https://api.unison-lang.org/.well-known/jwks.json).
+
+## User (developer) authorization
+
+While **authentication** uses long-lived OAuth credentials, **authorization** for job submissions, service deployments, etc is enabled via narrowly-scoped per-request JWT. The developer first requests a request token from the control plane, which verifies that they have authorization to act on the requested environment/service/etc. It then provides the developer a narrowly-scoped request token along with a redirect to the data plane. The data plane verifies the request token and then performs the requested token.
+
+An example sequence of requests and responses when a developer deploys a Unison Cloud web service and then another user sends the service a request might look like this:
+
+```mermaid
+sequenceDiagram
+    box rgba(128,128,128, 0.1) Control Plane<br/>#40;Unison Computing infra#41;
+        participant cloud-api as cloud-api
+    end
+    actor dev as developer (via cloud client lib)
+    box rgba(128,128,128, 0.1) Data Plane #40;your infra#41;
+        participant nimbus
+    end
+    actor consumer as service consumer (browser, external service, etc)
+    dev->>+cloud-api: deploy service to env `task-app-prod` (auth token)
+    cloud-api->>dev: `task-app-prod` access confirmed (scoped token)
+    dev->>+nimbus: Deploy service (scoped token, code)
+    nimbus->>dev: Service deployed! (service URL)
+    consumer->>nimbus: GET /s/task-app/tasks
+    nimbus->>consumer: ["dishes", "laundry"]
+```
+
+## Cluster member authentication
+
+When a Nimbus member connects to the control plane to join the cluster, it authenticates using a random token generated by the control plane at cluster creation time. At any time a cluster administrator can make an authenticated request to the control plane to generate new tokens and revoke old tokens.
+
+## Service authentication and authorization
+
+When a developer deploys a Unison Cloud service via [Cloud.deploy], by the default the service is public and does _not_ perform any authentication. If developers want to secure the service they can do so in their Unison code, such as by utilizing the [@unison/auth library][unison-auth].
+
+## Network security
+
+### VPC/firewall
+
+It's best practice to run Nimbus nodes (and as much of the data plane as practical) within a VPC or limited-access network. Nimbus nodes initiate requests to the control plane and establish a persistent WebSocket connection on startup, so there is no need for them to allow incoming connections from the control plane or anyone else.
+
+### Nimbus gossip port
+
+The most important security consideration when deploying nimbus is:
+
+✋ **The Nimbus gossip port is trusted and should remain private** ✋
+
+Nimbus assumes that requests coming in through its gossip port are from Nimbus peers and trusts them. Nimbus instances need to be able to talk to their peers' gossip ports, but nobody else should need to. You may want to deploy a small sidecar proxy (such as [Envoy][envoy]) next to each Nimbus instance to gate access to its gossip port.
+
+If this is a concern for you and you aren't in a good position to secure the gossip port via other means, reach out to Unison Cloud support to discuss options.
+
+### Nimbus public HTTP port
+
+The Nimbus public HTTP port is considered safe to expose publicly. It handles:
+
+- HTTP requests to user-deployed Unison Cloud services. These are public or implement their own auth. See [service auth][service-auth].
+- Developer requests from the [cloud client][cloud-client] to run a job, deploy a service, etc. These validate narrowly-scoped tokens generated by the control plane. See [User (developer) authorization][developer-authorization].
+
+You'll likely want to deploy a reverse proxy/load balancer in front of Nimbus's public port to distribute service requests across nodes and to terminate TLS.
+
+While it's referred to as the "public" HTTP port, there is no _need_ to make it publicly accessible. If your requests should only come from other services within a VPC or from clients connected to your VPN, then there's no reason to expose your instances beyond that network.
+
+## User-provided code execution
+
+Like Hadoop/Spark clusters, Kubernetes/Nomad clusters, and many other cloud offerings, nimbus nodes run user-provided code in submitted jobs and deployed services. Let's be real: at some level this is remote code execution as a service. However, Nimbus is able to lean on the strengths of the Unison programming language to mitigate the risks of running arbitrary code.
+
+### Content-addressed code
+
+All code in Unison (and by extension user code submitted to Nimbus) is content-addressed. When a user (or cluster peer) sends a computation to a Nimbus node, they don't say that they want to run `Environment.Config.expect`; they specify that they want to run the function with the hash `01bga3jq5u8ev85lsatbqip9hkrgr4jtr4li520b0r5gpvmi9el30`. If the receiving node already has a definition for `01bga3jq5u8ev85lsatbqip9hkrgr4jtr4li520b0r5gpvmi9el30` then it can proceed with the computation. If it does _not_ know the definition that hashes to `01bga3jq5u8ev85lsatbqip9hkrgr4jtr4li520b0r5gpvmi9el30`, then it will ask for a definition. Upon receiving the requested definition it verifies that the provided code matches the specified hash.
+
+This unique approach provides significant benefits:
+
+- Two versions of `Environment.Config.expect` never collide. They aren't identified by the string `Environment.Config.expect` in a mutable bag of strings known as a classpath. User code specifies the _exact_ version of `Environment.Config.expect` via hash and the runtime is never aware that the two distinct definitions happened to both be named `Environment.Config.expect` at different points in time or in different codebases.
+- A malicious user cannot pollute the runtime code namespace with hijacked implementations of terms. Imagine that a malicious user wanted to override `Environment.Config.expect` to send the key/value to a remote server before returning them. They may succeed in finding a Nimbus node without a definition for `Environment.Config.expect`, and they could even get that node to request the definition! But then their efforts will fall apart. If they provide anything other than the actual implementation then the definition will no longer hash to `01bga3jq5u8ev85lsatbqip9hkrgr4jtr4li520b0r5gpvmi9el30` and code from other users that calls `Environment.Config.expect` will be blissfully ignorant of any definition with a different hash.
+
+### Code sandboxing
+
+Addressing code by its content isn't enough to make it safe to run arbitrary user code. For example you wouldn't want a malicious user to be able to submit a Unison Cloud job that looked like:
+
+```
+Cloud.submit Environment.default() do
+  doBadStuff = coerceAbilities do
+    getEnv "AWS_SECRET_ACCESS_KEY"
+  doBadStuff()
+```
+
+Luckily, the Unison programming language supports fine-grained code sandboxing. Before Nimbus runs any user-provided code (via job submission, service deployment, etc), it runs the code through [reflection.Value.validateSandboxed][Value.validateSandboxed]. By default it disallows all code that performs IO or uses reflection to dynamically load code/values. By default it does allow a small number of builtins that are tracked as being potential sandbox candidates such as `toDebugText` which returns a textual representation of an arbitrary value (in practice this one is harmless albeit not particularly useful since the Nimbus runtime doesn't have user-provided names for definitions). If you'd like a different set of sandbox rules for your cluster, contact Unison Cloud support, and we can make the sandbox rules configurable.
+
+[architecture]: README.md
+[cloud-client]: https://share.unison-lang.org/@unison/cloud
+[Cloud.deploy]: https://share.unison-lang.org/@unison/cloud/code/releases/21.2.0/latest/terms/Cloud/deploy
+[developer-authorization]: #user-developer-authorization
+[envoy]: https://www.envoyproxy.io/
+[Value.validateSandboxed]: https://share.unison-lang.org/@unison/base/code/releases/6.5.0/latest/terms/reflection/Value/validateSandboxed
+[service-auth]: #service-authentication-and-authorization
+[Share]: https://share.unison-lang.org/
+[share-auth]: https://github.com/unisoncomputing/share-api/tree/main/share-auth
+[unison-auth]: https://share.unison-lang.org/@unison/auth