/** * arcrun auth_service_account Worker * * POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output * * 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory, * 確保 AES-GCM 解密 / RS256 sign 邏輯只存在於一個檔案(rule 02 §2.2)。 * * 這個 Worker 比 auth_static_key 多一個 host function:http_request(token exchange 用)。 * http_request 不是 crypto,不受 rule 02 §2.2 約束;在此檔內聚合提供即可。 * * 安全邊界: * - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查 * - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體 * - private key 只以 PKCS8 bytes 傳給 crypto_sign_rs256 host function,decrypt 後 plaintext 不離開 WASM */ import componentWasm from '../component.wasm' assert { type: 'webassembly' }; import { Hono } from 'hono'; import { cors } from 'hono/cors'; import { createWasiShim, createArcrunHostFunctions, type ArcrunHostEnv, type WasiHostFunctions, } from '../../../cypher-executor/src/lib/wasi-shim'; type Env = ArcrunHostEnv; const app = new Hono<{ Bindings: Env }>(); app.use('*', cors()); app.get('/', (c) => c.json({ ok: true, component: 'auth_service_account' })); app.post('/', async (c) => { let input: Record; try { input = await c.req.json(); } catch { return c.json({ success: false, error: 'request body must be JSON' }, 400); } const apiKey = typeof input.api_key === 'string' ? input.api_key : ''; if (!apiKey) { return c.json({ success: false, error: 'api_key 必填' }, 400); } try { const result = await runWasm(c.env, apiKey, input); return c.json(result); } catch (e) { return c.json( { success: false, error: e instanceof Error ? e.message : String(e) }, 500, ); } }); export default app; // ── WASM runner ────────────────────────────────────────────────────────────── async function runWasm(env: Env, apiKey: string, input: unknown): Promise { const stdinData = JSON.stringify(input); const baseHost = createArcrunHostFunctions(env, apiKey); const hostFunctions: WasiHostFunctions = { ...baseHost, http_request: async (url, method, headersJson, body) => { const headers: Record = {}; if (headersJson) { try { const parsed = JSON.parse(headersJson); if (parsed && typeof parsed === 'object') { for (const [k, v] of Object.entries(parsed as Record)) { if (typeof v === 'string') headers[k] = v; } } } catch { // 忽略 header parse 錯誤,當作沒 header } } const init: RequestInit = { method, headers }; if (body && method.toUpperCase() !== 'GET' && method.toUpperCase() !== 'HEAD') { init.body = body; } const res = await fetch(url, init); // WASM 端(main.go)直接 json.Unmarshal 回傳內容找 access_token, // 因此只回傳 response body 原文。非 2xx 也回原文,讓 WASM 從 {error, error_description} 判斷 return await res.text(); }, }; const shim = createWasiShim(stdinData, hostFunctions); const instance = await WebAssembly.instantiate( componentWasm as WebAssembly.Module, shim.imports, ); shim.setMemory(instance.exports.memory as WebAssembly.Memory); await shim.run(instance); const stdout = shim.getStdout().trim(); if (!stdout) throw new Error('WASM component produced no output'); return JSON.parse(stdout); }