| blob | dab314307c3e55e6431de3d41ea2364fda5d9f25 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
27 #ifdef XP_WIN
28 # include <windows.h>
29 # include <softpub.h>
30 # include <wintrust.h>
36 // MOZ_LOG=BackgroundFileSaver:5
38 #define LOG(args) MOZ_LOG(prlog, mozilla::LogLevel::Debug, args)
39 #define LOG_ENABLED() MOZ_LOG_TEST(prlog, mozilla::LogLevel::Debug)
41 ////////////////////////////////////////////////////////////////////////////////
42 //// Globals
44 /**
45 * Buffer size for writing to the output file or reading from the input file.
46 */
47 #define BUFFERED_IO_SIZE (1024 * 32)
49 /**
50 * When this upper limit is reached, the original request is suspended.
51 */
52 #define REQUEST_SUSPEND_AT (1024 * 1024 * 4)
54 /**
55 * When this lower limit is reached, the original request is resumed.
56 */
57 #define REQUEST_RESUME_AT (1024 * 1024 * 2)
59 ////////////////////////////////////////////////////////////////////////////////
60 //// NotifyTargetChangeRunnable
62 /**
63 * Runnable object used to notify the control thread that file contents will now
64 * be saved to the specified file.
65 */
78 };
80 ////////////////////////////////////////////////////////////////////////////////
81 //// BackgroundFileSaver
88 }
92 }
94 // Called on the control thread.
98 nsresult rv;
112 sThreadCount++;
115 }
118 }
120 // Called on the control thread.
121 NS_IMETHODIMP
127 }
129 // Called on the control thread.
130 NS_IMETHODIMP
134 }
136 // Called on the control thread.
137 NS_IMETHODIMP
145 }
147 // Called on the control thread.
148 NS_IMETHODIMP
151 {
159 }
160 }
162 // After the worker thread wakes up because attention is requested, it will
163 // rename or create the target file as requested, and start copying data.
165 }
167 // Called on the control thread.
168 NS_IMETHODIMP
170 nsresult rv;
172 // This will cause the NS_AsyncCopy operation, if it's in progress, to consume
173 // all the data that is still in the pipe, and then finish.
177 // Ensure that, when we get attention from the worker thread, if no pending
178 // rename operation is waiting, the operation will complete.
179 {
184 }
185 }
187 // After the worker thread wakes up because attention is requested, it will
188 // process the completion conditions, detect that completion is requested, and
189 // notify the main thread of the completion. If this function was called with
190 // a success code, we wait for the copy to finish before processing the
191 // completion conditions, otherwise we interrupt the copy immediately.
193 }
195 NS_IMETHODIMP
199 // Ensure Personal Security Manager is initialized. This is required for
200 // PK11_* operations to work.
201 nsresult rv;
206 }
208 NS_IMETHODIMP
211 // We acquire a lock because mSha256 is written on the worker thread.
215 }
218 }
220 NS_IMETHODIMP
224 // Ensure Personal Security Manager is initialized.
225 nsresult rv;
230 }
232 NS_IMETHODIMP
236 // We acquire a lock because mSignatureInfo is written on the worker thread.
240 }
244 }
246 }
248 // Called on the control thread.
251 nsresult rv;
255 // We only require attention one time. If this function is called two times
256 // before the worker thread wakes up, and the first has aShouldInterruptCopy
257 // false and the second true, we won't forcibly interrupt the copy from the
258 // control thread. However, that never happens, because calling Finish with a
259 // success code is the only case that may result in aShouldInterruptCopy being
260 // false. In that case, we won't call this function again, because consumers
261 // should not invoke other methods on the control thread after calling Finish.
262 // And in any case, Finish already closes one end of the pipe, causing the
263 // copy to finish properly on its own.
266 }
269 // Background event queues are not shutdown and could be called after
270 // the queue is reset to null. To match the behavior of nsIThread
271 // return NS_ERROR_UNEXPECTED
274 }
276 // Copy is not in progress, post an event to handle the change manually.
280 NS_DISPATCH_EVENT_MAY_BLOCK);
284 // Interrupt the copy. The copy will be resumed, if needed, by the
285 // ProcessAttention function, invoked by the AsyncCopyCallback function.
287 }
289 // Indicate that attention has been requested successfully, there is no need
290 // to post another event until the worker thread processes the current one.
294 }
296 // Called on the worker thread.
297 // static
299 // We called NS_ADDREF_THIS when NS_AsyncCopy started, to keep the object
300 // alive even if other references disappeared. At the end of this method,
301 // we've finished using the object and can safely release our reference.
304 {
307 // Now that the copy was interrupted or terminated, any notification from
308 // the control thread requires an event to be posted to the worker thread.
311 // When detecting failures, ignore the status code we use to interrupt.
315 }
316 }
319 }
321 // Called on the worker thread.
323 nsresult rv;
325 // This function is called whenever the attention of the worker thread has
326 // been requested. This may happen in these cases:
327 // * We are about to start the copy for the first time. In this case, we are
328 // called from an event posted on the worker thread from the control thread
329 // by GetWorkerThreadAttention, and mAsyncCopyContext is null.
330 // * We have interrupted the copy for some reason. In this case, we are
331 // called by AsyncCopyCallback, and mAsyncCopyContext is null.
332 // * We are currently executing ProcessStateChange, and attention is requested
333 // by the control thread, for example because SetTarget or Finish have been
334 // called. In this case, we are called from from an event posted through
335 // GetWorkerThreadAttention. While mAsyncCopyContext was always null when
336 // the event was posted, at this point mAsyncCopyContext may not be null
337 // anymore, because ProcessStateChange may have started the copy before the
338 // event that called this function was processed on the worker thread.
339 // If mAsyncCopyContext is not null, we interrupt the copy and re-enter
340 // through AsyncCopyCallback. This allows us to check if, for instance, we
341 // should rename the target file. We will then restart the copy if needed.
345 }
346 // Use the current shared state to determine the next operation to execute.
349 // If something failed while processing, terminate the operation now.
350 {
355 }
356 }
357 // Ensure we notify completion now that the operation failed.
359 }
362 }
364 // Called on the worker thread.
366 nsresult rv;
368 // We might have been notified because the operation is complete, verify.
371 }
373 // Get a copy of the current shared state for the worker thread.
380 {
390 // From now on, another attention event needs to be posted if state changes.
392 }
394 // The initial target can only be null if it has never been assigned. In this
395 // case, there is nothing to do since we never created any output file.
398 }
400 // Determine if we are processing the attention request for the first time.
403 // Assign the target file for the first time.
406 }
408 // Verify whether we have actually been instructed to use a different file.
409 // This may happen the first time this function is executed, if SetTarget was
410 // called two times before the worker thread processed the attention request.
416 // If we were asked to rename the file but the initial file did not exist,
417 // we simply create the file in the renamed location. We avoid this check
418 // if we have already started writing the output file ourselves.
423 }
425 // We are moving the previous target file to a different location.
430 nsAutoString renamedTargetName;
434 // We must delete any existing target file before moving the current
435 // one.
441 }
443 // Move the file. If this fails, we still reference the original file
444 // in mActualTarget, so that it is deleted if requested. If this
445 // succeeds, the nsIFile instance referenced by mActualTarget mutates
446 // and starts pointing to the new file, but we'll discard the reference.
449 }
451 // We should not only update the mActualTarget with renameTarget when
452 // they point to the different files.
453 // In this way, if mActualTarget and renamedTarget point to the same file
454 // with different addresses, "CheckCompletion()" will return false
455 // forever.
456 }
458 // Update mActualTarget with renameTarget,
459 // even if they point to the same file.
462 }
464 // Notify if the target file name actually changed.
466 // We must clone the nsIFile instance because mActualTarget is not
467 // immutable, it may change if the target is renamed later.
478 }
481 // The pending rename operation might be the last task before finishing. We
482 // may return here only if we have already created the target file.
485 }
487 // Even if the operation did not complete, the pipe input stream may be
488 // empty and may have been closed already. We detect this case using the
489 // Available property, because it never returns an error if there is more
490 // data to be consumed. If the pipe input stream is closed, we just exit
491 // and wait for more calls like SetTarget or Finish to be invoked on the
492 // control thread. However, we still truncate the file or create the
493 // initial digest context if we are expected to do that.
498 }
499 }
501 // Create the digest if requested and NSS hasn't been shut down.
505 }
507 // When we are requested to append to an existing file, we should read the
508 // existing data and ensure we include it as part of the final hash.
516 // Try to clean up the inputStream if an error occurs.
527 // We reached the end of the file.
529 }
534 // The pending resume operation may have been cancelled by the control
535 // thread while the worker thread was reading in the existing file.
536 // Abort reading in the original file in that case, as the digest will
537 // be discarded anyway.
541 }
542 }
544 // Close explicitly to handle any errors.
548 }
549 }
551 // We will append to the initial target file only if it was requested by the
552 // caller, but we'll always append on subsequent accesses to the target file.
558 }
560 // Create the target file, or append to it if we already started writing it.
561 // The 0600 permissions are used while the file is being downloaded, and for
562 // interrupted downloads. Those may be located in the system temporary
563 // directory, as well as the target directory, and generally have a ".part"
564 // extension. Those part files should never be group or world-writable even
565 // if the umask allows it.
577 // Wrap the output stream so that it feeds the digest if needed.
579 // Constructing the DigestOutputStream cannot fail. Passing mDigest
580 // to DigestOutputStream is safe, because BackgroundFileSaver always
581 // outlives the outputStream. BackgroundFileSaver is reference-counted
582 // before the call to AsyncCopy, and mDigest is never destroyed
583 // before AsyncCopyCallback.
585 }
587 // Start copying our input to the target file. No errors can be raised past
588 // this point if the copy starts, since they should be handled by the thread.
589 {
600 }
601 }
603 // If the operation succeeded, we must ensure that we keep this object alive
604 // for the entire duration of the copy, since only the raw pointer will be
605 // provided as the argument of the AsyncCopyCallback function. We can add the
606 // reference now, after NS_AsyncCopy returned, because it always starts
607 // processing asynchronously, and there is no risk that the callback is
608 // invoked before we reach this point. If the operation failed instead, then
609 // AsyncCopyCallback will never be called.
613 }
615 // Called on the worker thread.
617 nsresult rv;
623 {
628 }
630 // If an error occurred, we don't need to do the checks in this code block,
631 // and the operation can be completed immediately with a failure code.
635 // We did not incur in an error, so we must determine if we can stop now.
636 // If the Finish method has not been called, we can just continue now.
639 }
641 // We can only stop when all the operations requested by the control
642 // thread have been processed. First, we check whether we have processed
643 // the first SetTarget call, if any. Then, we check whether we have
644 // processed any rename requested by subsequent SetTarget calls.
648 }
650 // If we still have data to write to the output file, allow the copy
651 // operation to resume. The Available getter may return an error if one
652 // of the pipe's streams has been already closed.
657 }
658 }
661 }
663 // Ensure we notify completion now that the operation finished.
664 // Do a best-effort attempt to remove the file if required.
667 }
669 // Finish computing the hash
677 }
678 }
680 // Compute the signature of the binary. ExtractSignatureInfo doesn't do
681 // anything on non-Windows platforms except return an empty nsIArray.
683 nsString filePath;
690 }
691 }
693 // Post an event to notify that the operation completed.
697 NS_DISPATCH_NORMAL))) {
699 }
702 }
704 // Called on the control thread.
708 }
711 }
713 // Called on the control thread.
717 nsresult status;
718 {
721 }
725 // If mObserver keeps alive an enclosure that captures `this`, we'll have a
726 // cycle that won't be caught by the cycle-collector, so we need to break it
727 // when we're done here (see bug 1444265).
729 }
731 // At this point, the worker thread will not process any more events, and we
732 // can shut it down. Shutting down a thread may re-enter the event loop on
733 // this thread. This is not a problem in this case, since this function is
734 // called by a top-level event itself, and we have already invoked the
735 // completion observer callback. Re-entering the loop can only delay the
736 // final release and destruction of this saver object, since we are keeping a
737 // reference to it through the event object.
740 sThreadCount--;
742 // When there are no more active downloads, we consider the download session
743 // finished. We record the maximum number of concurrent downloads reached
744 // during the session in a telemetry histogram, and we reset the maximum
745 // thread counter for the next download session
748 sTelemetryMaxThreadCount);
750 }
753 }
757 {
761 }
762 }
763 #ifdef XP_WIN
764 // Setup the file to check.
771 // We want to check it is signed and trusted.
782 // Disallow revocation checks over the network
784 // no UI
788 // The WINTRUST_ACTION_GENERIC_VERIFY_V2 policy verifies that the certificate
789 // chains up to a trusted root CA and has appropriate permissions to sign
790 // code.
792 // Check if the file is signed by something that is trusted. If the file is
793 // not signed, this is a no-op.
796 // According to the Windows documentation, we should check against 0 instead
797 // of ERROR_SUCCESS, which is an HRESULT.
800 }
802 // Lock because signature information is read on the main thread.
805 // A binary may have multiple signers. Each signer may have multiple certs
806 // in the chain.
812 }
818 }
825 X509_ASN_ENCODING) {
827 }
832 }
835 }
836 }
837 }
838 // Free the provider data if cryptoProviderData is not null.
843 }
844 #endif
846 }
848 ////////////////////////////////////////////////////////////////////////////////
849 //// BackgroundFileSaverOutputStream
853 nsIOutputStreamCallback)
862 }
864 NS_IMETHODIMP
867 NS_IMETHODIMP
870 NS_IMETHODIMP
874 }
876 NS_IMETHODIMP
880 }
882 NS_IMETHODIMP
887 }
889 NS_IMETHODIMP
892 }
894 NS_IMETHODIMP
897 }
899 NS_IMETHODIMP
909 aEventTarget);
910 }
912 NS_IMETHODIMP
921 }
923 ////////////////////////////////////////////////////////////////////////////////
924 //// BackgroundFileSaverStreamListener
931 nsAsyncCopyProgressFun
934 }
936 NS_IMETHODIMP
941 }
943 NS_IMETHODIMP
945 nsresult aStatusCode) {
946 // If an error occurred, cancel the operation immediately. On success, wait
947 // until the caller has determined whether the file should be renamed.
950 }
953 }
955 NS_IMETHODIMP
960 nsresult rv;
964 // Read the requested data. Since the pipe has an infinite buffer, we don't
965 // expect any write error to occur here.
970 // If reading from the input stream fails for any reason, the pipe will return
971 // a success code, but without reading all the data. Since we should be able
972 // to read the requested data when OnDataAvailable is called, raise an error.
976 }
979 {
989 }
990 }
991 }
995 }
998 }
1000 // Called on the worker thread.
1001 // static
1007 // Wait if the control thread is in the process of suspending or resuming.
1010 // This function is called when some bytes are consumed by NS_AsyncCopy. Each
1011 // time this happens, verify if a suspended request should be resumed, because
1012 // we have now consumed enough data.
1019 // Post an event to verify if the request should be resumed.
1023 self,
1025 NS_DISPATCH_NORMAL))) {
1027 }
1028 }
1029 }
1030 }
1032 // Called on the control thread.
1034 // Prevent the worker thread from changing state while processing.
1039 // Try to suspend the request. If this fails, don't try to resume later.
1044 }
1045 }
1048 // Resume the request only if we succeeded in suspending it.
1053 }
1054 }
1055 }
1058 }
1060 ////////////////////////////////////////////////////////////////////////////////
1061 //// DigestOutputStream
1068 }
1070 NS_IMETHODIMP
1073 NS_IMETHODIMP
1076 NS_IMETHODIMP
1083 }
1085 NS_IMETHODIMP
1088 // Not supported. We could read the stream to a buf, call DigestOp on the
1089 // result, seek back and pass the stream on, but it's not worth it since our
1090 // application (NS_AsyncCopy) doesn't invoke this on the sink.
1092 }
1094 NS_IMETHODIMP
1098 }
1100 NS_IMETHODIMP
1103 }
1105 #undef LOG_ENABLED