HPCC-29246 Check Plane scope in DFU server when spraying/despraying

[wangkx]

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

[github-actions]

https://track.hpccsystems.com/browse/HPCC-29246
Jira updated

[jakesmith]

@wangkx - please see feedback.

I think needs reworking to explicitly handle the passed plane name in the dfu workunit., common the code if poss. that has to do very similar in the service, and avoid adding new methods to DFS + avoid use of IFileDescriptor's for scope checking, and go directly to CDfsLogicalFileName or methods that build them like queryDistributedFileDirectory().getDropZoneScopePermissions

[wangkx]

@jakesmith please review last 2 commits.

[jakesmith]

@wangkx - please see feedback.

[jakesmith]

I think the above is a little clearer if:

if (write)
{
    if (!HASREADPERMISSION(perm))
        throw MakeStringException(DFSERR_CreateAccessDenied,"Create permission denied for physical file(s)");
}
else if (!HASWRITEPERMISSION(perm))
    throw MakeStringException(DFSERR_LookupAccessDenied,"Lookup permission denied for physical file(s)");

[jakesmith]

also, not new, but worth changing to makeStringExceptionV and including the name of the file in the error.
I think fd->getTraceName will provide what you need

[jakesmith]

not new, but unused/should be removed.

[jakesmith]

why is this linking? looks like it will leak.

[wangkx]

The code is copied from dadfs.cpp. I guess the LINK should be removed since a query function should return a pointer.

[jakesmith]

right, yes should link like this unless it's passing ownership to something else.

[jakesmith]

formatting: there's inconsistency in this cpp file in general, but when modifying a method or a class, the preferred formatting is with the start block on a new line.

[jakesmith]

This looks very similar to some of the functionality in the TpCommon.cpp, in : getDropZoneScopePermissions(IEspContext& context, const IPropertyTree* dropZone, const char* dropZonePath)

I think it should call a common function for relative path extraction.

[jakesmith]

see comments re. adding a jfile getRelativePath and using directly here (and in TpCommon.cpp)

[jakesmith]

you may want a version that takes a IPropertyTree *dropZone too,
see comment re. duplication with functionality in TpCommon.cpp's getDropZoneScopePermissions.

[jakesmith]

but .. see other comments, re. using getRelativePath

[jakesmith]

if there were multiple separators, that would be an invalid path, not sure this is the place to try to cope with invalid paths, there would be many places that would need to if they were invalid like this.

[jakesmith]

There's an existing generalized jfile function called 'splitRelativePath', which is almost suitable, but not quite.
I think you should add a genaralized function (to jfile) that returns the relative path from a path, given a leading path:

const char *getRelativePath(const char *path, const char *leadingPath)
{
    size_t len = strlen(leadingPath);
    if (0 == strncmp(path, leadingPath, len))
    {
        const char *rel = path + len;
        if ('\0' == *rel)
            return rel;
        if (isPathSepChar(*rel))
            return rel+1;
    }
    return nullptr;
}

and then I'm not sure much value in having getDropZoneRelativePath functions.
The dfurun code that uses getRelativePath becomes:

            Owned<IPropertyTree> dropZonePlane = getDropZonePlane(planeName);
            if (!dropZonePlane)
                throw makeStringExceptionV(-1, "DropZone %s not found.", planeName);
            const char *relativePath = getRelativePath(dir, dropZonePlane->queryProp("@prefix"));
            if (nullptr == relPath)
                throw makeStringExceptionV(-1, "Invalid DropZone directory %s.", dir);

[wangkx]

@jakesmith is it possible that the last char of the prefix is a PathSepChar and the last char of the dir is not? For example: the prefix is '/var/lib/HPCCSystems/mydropzone/' and the dir is '/var/lib/HPCCSystems/mydropzone'.

[jakesmith]

Maybe. We should ensure the helper function handles that case.
You could change the function to see if pathLen == leadingLen+1 && isPathSepChar(path[pathLen-1])) ...
then --leadingLen ...

[jakesmith]

you can put this code in the #ifndef above, since there is no intention for it to apply to containerized setups,
if plane is blank in containerized then it's an unexpected error:

#ifndef _CONTAINERIZED
            Owned<IEnvironmentFactory> factory = getEnvironmentFactory(true);
            Owned<IConstEnvironment> env = factory->openEnvironment();
            if (env->isDropZoneRestrictionEnabled() || !checkLegacyPhysicalPerms)
                throw makeStringException(-1, "Empty plane name.");
            perm = queryDistributedFileDirectory().getFDescPermissions(fd,user,auditflags);
#else
            throw makeStringException(-1, "Unexpected empty plane name."); // should never be the case in containerized setups
#endif

[jakesmith]

formatting: start block on newline

[jakesmith]

minor: the else case should be the normal case, eventually we should aim to delete the paths that look in the environment and check isDropZoneRestrictionEnabled..
So it is better/clearer to put the normal case 1st, and the edge case in the else blocks.

[jakesmith]

Can we reword as :

This function checks the scope permissions for a file or files that reside in a single directory on a single plane.
The IFileDescriptor is used to discover the plane and directory.
If the plane is not present, it implies that it is a bare-metal system and useDropZoneRestriction is off, and there is no matching dropzone in the environment.
If this is the case, or the plane permissions are not found and @failOverToLegacyPhysicalPerms is configured, then the legacy physical file permissions will be checked.

[wangkx]

@jakesmith please review my changes. I also add/remove many spaces (trying to match the formatting in the same cpp files).

[jakesmith]

@wangkx - looks good, a couple of minor comments

[jakesmith]

Better to only use the above block if needed (if denied).
I'd go with:

if ((write && !HASWRITEPERMISSION(perm)) || (!write && !HASREADPERMISSION(perm)))
{
    StringBuffer traceName;
    fd->getTraceName(traceName);
    if (traceName.length() > 255)
    {
        traceName.setLength(255);
        traceName.append("...");
    }
    if (write)
        throw makeStringExceptionV(DFSERR_CreateAccessDenied, "Create permission denied for physical file(s): %s", traceName.str());
    else
        throw makeStringExceptionV(DFSERR_LookupAccessDenied, "Lookup permission denied for physical file(s): %s", traceName.str());
}

[wangkx]

This function may be used by the checkForeignFilePermissions() in #17563. I may change it to:

void ensureFilePermissions(const char * fileName, IFileDescriptor * fd, SecAccessFlags perm, bool write)
    {
        if ((write && !HASWRITEPERMISSION(perm)) || (!write && !HASREADPERMISSION(perm)))
        {
            StringBuffer traceName;
            if (isEmptyString(fileName))
            {
                fd->getTraceName(traceName);
                elideString(traceName, 255);
                fileName = traceName.str();
            }
            if (write)
                throw makeStringExceptionV(DFSERR_CreateAccessDenied, "Create permission denied for physical file(s): %s", fileName);
            else
                throw makeStringExceptionV(DFSERR_LookupAccessDenied, "Lookup permission denied for physical file(s): %s", fileName);
        }
    }

[wangkx]

Also add the ensureFilePermissions() into #17563.

[jakesmith]

trivial: block start on newline prefered formatting style

[jakesmith]

trivial: not sure about the 'A', I think "ensureFilePermissions" would be better.

[jakesmith]

in fact, there's an existing function for this kind of truncation, see jstring's elideString function.

[jakesmith]

I'm not keen on the function passing 2 parameters one or both being able to serve up what's required.
I think better to simplify and,pass fileName only, and if seems worth it, put the code to get the tracename and truncate in a separate utility function - used in contexts that require it:

StringBuffer &getFDescName(const IFileDescriptor *fd, StringBuffer &result)
{
    fd->getTraceName(result);
    elideString(result, 255);
}

...
..
ensureFilePermissions(getFDescName(name), perm, write);

given u can express this in a couple of lines, not sure it's worth the extra helper function though..

[wangkx]

ok

[wangkx]

Should we check 'if ((write && !HASWRITEPERMISSION(perm)) || (!write && !HASREADPERMISSION(perm)))' before ensureFilePermissions(getFDescName(name), perm, write); ?

[wangkx]

If yes, the name ensureFilePermissions should be changed to throwFilePermissionException? If no, the getFDescName() will be called even if not denied.

[jakesmith]

If yes, the name ensureFilePermissions should be changed to throwFilePermissionException? If no, the getFDescName() will be called even if not denied.

I can live with it being called unconditionally, readability is more important than 100% efficiency here.
i.e. leave it as ensureFilePermissions and call getFDescName before hand (or the 2 lines of equivalent code)

Leave this PR for now though, let's get #17563 agreed on and merged 1st.

[wangkx]

Now, I am not sure that it is worth to change the IFileDescriptor * fd to const char * fileName in the ensureFilePermissions(). Maybe leave the checkForeignFilePermissions() as it is (not call the ensureFilePermissions())?

[jakesmith]

I suspect it is worth changing and calling from checkForeignFilePermissions, so still exercising common code.

[wangkx]

ok

[jakesmith]

Please rebase onto latest candidate-9.2.x, now that #17563 is merged.

[jakesmith]

looks the code below breaks this rule ?
Doesn't it need to conditionally call getRelativePath ? (if isAbsolute..)

[wangkx]

Will check if isAbsolute ...

[jakesmith]

@wangkx - looks good, but 1 issue I think.

[jakesmith]

@wangkx - looks good, please squash.

[wangkx]

@jakesmith the commits are squashed.

[jakesmith]

@wangkx - looks good.

[wangkx]

@ghalliday please merge