Protect private segment functions when called from the same node

[petermasking]

Currently, we only protect the access to segmented functions when called remote. This means that private functions from another segment can be called when both segments are placed on the same node. To assure a consistent behavior we need to add an additional level of protection.

For the implementation we need to change local repository. Module files are currently requested by client id that is bound to one or more segments. We need to change this to requesting module files per segments.

Before

GET http://repository/modules/{clientId}/file.js

After

GET http://repository/modules/{segmentName}/file.js

[petermasking]

We've been working on this issue for a while now and tried to implement the suggested setup. This failed quite early because workers can request the same module multiple times from multiple segments. In the current setup, there wasn't a way to figure out the requesting segment. So we had to go back to the drawing board.

To overcome this problem we refactored the requesting strategy to track where the request was coming from. For this we added a caller parameter.

GET http://repository/modules/file.js?caller=otherfile.js

With this addition information, the repository can check if both files share a segment. If they do the real implementation gets provided, otherwise the remote implementation. This strategy works very well, but introduces a change that has set us to think.

The ESM system caches modules based on their origin. Meaning that in the current setup modules are cached per client (id). No matter the segment, the same module is provided for any request. In the new setup this has changed to caching per
module/caller pair. Effectively this leads more overhead in the memory used. But this isn't something we're worried about yet. We've got another fish to fry first.

Every uniquely loaded module has it's own isolated scope. In this scope state can be kept. Since building distributed systems require stateless components, this new setup forces to keep everything stateless. Great right? For most case, absolutely. But as always, there are exceptions. For example, you might want to share a database connection (pool) with all components running on a worker. The new setup doesn't allow this, so we have to go back to the drawing board again...