| blob | 3af6b8eb2664235c21775ffec123da5e7fd47d6f |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
27 #ifdef XP_WIN
28 # include <windows.h>
29 # include <softpub.h>
30 # include <wintrust.h>
36 // MOZ_LOG=BackgroundFileSaver:5
38 #define LOG(args) MOZ_LOG(prlog, mozilla::LogLevel::Debug, args)
39 #define LOG_ENABLED() MOZ_LOG_TEST(prlog, mozilla::LogLevel::Debug)
41 ////////////////////////////////////////////////////////////////////////////////
42 //// Globals
44 /**
45 * Buffer size for writing to the output file or reading from the input file.
46 */
47 #define BUFFERED_IO_SIZE (1024 * 32)
49 /**
50 * When this upper limit is reached, the original request is suspended.
51 */
52 #define REQUEST_SUSPEND_AT (1024 * 1024 * 4)
54 /**
55 * When this lower limit is reached, the original request is resumed.
56 */
57 #define REQUEST_RESUME_AT (1024 * 1024 * 2)
59 ////////////////////////////////////////////////////////////////////////////////
60 //// NotifyTargetChangeRunnable
62 /**
63 * Runnable object used to notify the control thread that file contents will now
64 * be saved to the specified file.
65 */
78 };
80 ////////////////////////////////////////////////////////////////////////////////
81 //// BackgroundFileSaver
88 }
92 }
94 // Called on the control thread.
109 sThreadCount++;
112 }
115 }
117 // Called on the control thread.
118 NS_IMETHODIMP
123 }
125 // Called on the control thread.
126 NS_IMETHODIMP
130 }
132 // Called on the control thread.
133 NS_IMETHODIMP
141 }
143 // Called on the control thread.
144 NS_IMETHODIMP
147 {
155 }
156 }
158 // After the worker thread wakes up because attention is requested, it will
159 // rename or create the target file as requested, and start copying data.
161 }
163 // Called on the control thread.
164 NS_IMETHODIMP
166 nsresult rv;
168 // This will cause the NS_AsyncCopy operation, if it's in progress, to consume
169 // all the data that is still in the pipe, and then finish.
173 // Ensure that, when we get attention from the worker thread, if no pending
174 // rename operation is waiting, the operation will complete.
175 {
180 }
181 }
183 // After the worker thread wakes up because attention is requested, it will
184 // process the completion conditions, detect that completion is requested, and
185 // notify the main thread of the completion. If this function was called with
186 // a success code, we wait for the copy to finish before processing the
187 // completion conditions, otherwise we interrupt the copy immediately.
189 }
191 NS_IMETHODIMP
195 // Ensure Personal Security Manager is initialized. This is required for
196 // PK11_* operations to work.
197 nsresult rv;
203 }
205 NS_IMETHODIMP
208 // We acquire a lock because mSha256 is written on the worker thread.
212 }
215 }
217 NS_IMETHODIMP
221 // Ensure Personal Security Manager is initialized.
222 nsresult rv;
228 }
230 NS_IMETHODIMP
234 // We acquire a lock because mSignatureInfo is written on the worker thread.
238 }
242 }
244 }
246 // Called on the control thread.
249 nsresult rv;
253 // We only require attention one time. If this function is called two times
254 // before the worker thread wakes up, and the first has aShouldInterruptCopy
255 // false and the second true, we won't forcibly interrupt the copy from the
256 // control thread. However, that never happens, because calling Finish with a
257 // success code is the only case that may result in aShouldInterruptCopy being
258 // false. In that case, we won't call this function again, because consumers
259 // should not invoke other methods on the control thread after calling Finish.
260 // And in any case, Finish already closes one end of the pipe, causing the
261 // copy to finish properly on its own.
264 }
267 // Background event queues are not shutdown and could be called after
268 // the queue is reset to null. To match the behavior of nsIThread
269 // return NS_ERROR_UNEXPECTED
272 }
274 // Copy is not in progress, post an event to handle the change manually.
278 NS_DISPATCH_EVENT_MAY_BLOCK);
282 // Interrupt the copy. The copy will be resumed, if needed, by the
283 // ProcessAttention function, invoked by the AsyncCopyCallback function.
285 }
287 // Indicate that attention has been requested successfully, there is no need
288 // to post another event until the worker thread processes the current one.
292 }
294 // Called on the worker thread.
295 // static
297 // We called NS_ADDREF_THIS when NS_AsyncCopy started, to keep the object
298 // alive even if other references disappeared. At the end of this method,
299 // we've finished using the object and can safely release our reference.
302 {
305 // Now that the copy was interrupted or terminated, any notification from
306 // the control thread requires an event to be posted to the worker thread.
309 // When detecting failures, ignore the status code we use to interrupt.
313 }
314 }
317 }
319 // Called on the worker thread.
321 nsresult rv;
323 // This function is called whenever the attention of the worker thread has
324 // been requested. This may happen in these cases:
325 // * We are about to start the copy for the first time. In this case, we are
326 // called from an event posted on the worker thread from the control thread
327 // by GetWorkerThreadAttention, and mAsyncCopyContext is null.
328 // * We have interrupted the copy for some reason. In this case, we are
329 // called by AsyncCopyCallback, and mAsyncCopyContext is null.
330 // * We are currently executing ProcessStateChange, and attention is requested
331 // by the control thread, for example because SetTarget or Finish have been
332 // called. In this case, we are called from from an event posted through
333 // GetWorkerThreadAttention. While mAsyncCopyContext was always null when
334 // the event was posted, at this point mAsyncCopyContext may not be null
335 // anymore, because ProcessStateChange may have started the copy before the
336 // event that called this function was processed on the worker thread.
337 // If mAsyncCopyContext is not null, we interrupt the copy and re-enter
338 // through AsyncCopyCallback. This allows us to check if, for instance, we
339 // should rename the target file. We will then restart the copy if needed.
341 // mAsyncCopyContext is only written on the worker thread (which we are on)
343 {
344 // Even though we're the only thread that writes this, we have to take the
345 // lock
350 }
351 }
352 // Use the current shared state to determine the next operation to execute.
355 // If something failed while processing, terminate the operation now.
356 {
361 }
362 }
363 // Ensure we notify completion now that the operation failed.
365 }
368 }
370 // Called on the worker thread.
372 nsresult rv;
374 // We might have been notified because the operation is complete, verify.
377 }
379 // Get a copy of the current shared state for the worker thread.
386 {
396 // From now on, another attention event needs to be posted if state changes.
398 }
400 // The initial target can only be null if it has never been assigned. In this
401 // case, there is nothing to do since we never created any output file.
404 }
406 // Determine if we are processing the attention request for the first time.
409 // Assign the target file for the first time.
412 }
414 // Verify whether we have actually been instructed to use a different file.
415 // This may happen the first time this function is executed, if SetTarget was
416 // called two times before the worker thread processed the attention request.
422 // If we were asked to rename the file but the initial file did not exist,
423 // we simply create the file in the renamed location. We avoid this check
424 // if we have already started writing the output file ourselves.
429 }
431 // We are moving the previous target file to a different location.
436 nsAutoString renamedTargetName;
440 // We must delete any existing target file before moving the current
441 // one.
447 }
449 // Move the file. If this fails, we still reference the original file
450 // in mActualTarget, so that it is deleted if requested. If this
451 // succeeds, the nsIFile instance referenced by mActualTarget mutates
452 // and starts pointing to the new file, but we'll discard the reference.
455 }
457 // We should not only update the mActualTarget with renameTarget when
458 // they point to the different files.
459 // In this way, if mActualTarget and renamedTarget point to the same file
460 // with different addresses, "CheckCompletion()" will return false
461 // forever.
462 }
464 // Update mActualTarget with renameTarget,
465 // even if they point to the same file.
468 }
470 // Notify if the target file name actually changed.
472 // We must clone the nsIFile instance because mActualTarget is not
473 // immutable, it may change if the target is renamed later.
484 }
487 // The pending rename operation might be the last task before finishing. We
488 // may return here only if we have already created the target file.
491 }
493 // Even if the operation did not complete, the pipe input stream may be
494 // empty and may have been closed already. We detect this case using the
495 // Available property, because it never returns an error if there is more
496 // data to be consumed. If the pipe input stream is closed, we just exit
497 // and wait for more calls like SetTarget or Finish to be invoked on the
498 // control thread. However, we still truncate the file or create the
499 // initial digest context if we are expected to do that.
504 }
505 }
507 // Create the digest if requested and NSS hasn't been shut down.
511 }
513 // When we are requested to append to an existing file, we should read the
514 // existing data and ensure we include it as part of the final hash.
522 // Try to clean up the inputStream if an error occurs.
533 // We reached the end of the file.
535 }
540 // The pending resume operation may have been cancelled by the control
541 // thread while the worker thread was reading in the existing file.
542 // Abort reading in the original file in that case, as the digest will
543 // be discarded anyway.
547 }
548 }
550 // Close explicitly to handle any errors.
554 }
555 }
557 // We will append to the initial target file only if it was requested by the
558 // caller, but we'll always append on subsequent accesses to the target file.
564 }
566 // Create the target file, or append to it if we already started writing it.
567 // The 0600 permissions are used while the file is being downloaded, and for
568 // interrupted downloads. Those may be located in the system temporary
569 // directory, as well as the target directory, and generally have a ".part"
570 // extension. Those part files should never be group or world-writable even
571 // if the umask allows it.
583 // Wrap the output stream so that it feeds the digest if needed.
585 // Constructing the DigestOutputStream cannot fail. Passing mDigest
586 // to DigestOutputStream is safe, because BackgroundFileSaver always
587 // outlives the outputStream. BackgroundFileSaver is reference-counted
588 // before the call to AsyncCopy, and mDigest is never destroyed
589 // before AsyncCopyCallback.
591 }
593 // Start copying our input to the target file. No errors can be raised past
594 // this point if the copy starts, since they should be handled by the thread.
595 {
606 }
607 }
609 // If the operation succeeded, we must ensure that we keep this object alive
610 // for the entire duration of the copy, since only the raw pointer will be
611 // provided as the argument of the AsyncCopyCallback function. We can add the
612 // reference now, after NS_AsyncCopy returned, because it always starts
613 // processing asynchronously, and there is no risk that the callback is
614 // invoked before we reach this point. If the operation failed instead, then
615 // AsyncCopyCallback will never be called.
619 }
621 // Called on the worker thread.
623 nsresult rv;
626 {
633 }
635 // If an error occurred, we don't need to do the checks in this code block,
636 // and the operation can be completed immediately with a failure code.
640 // We did not incur in an error, so we must determine if we can stop now.
641 // If the Finish method has not been called, we can just continue now.
644 }
646 // We can only stop when all the operations requested by the control
647 // thread have been processed. First, we check whether we have processed
648 // the first SetTarget call, if any. Then, we check whether we have
649 // processed any rename requested by subsequent SetTarget calls.
653 }
655 // If we still have data to write to the output file, allow the copy
656 // operation to resume. The Available getter may return an error if one
657 // of the pipe's streams has been already closed.
662 }
663 }
666 }
668 // Ensure we notify completion now that the operation finished.
669 // Do a best-effort attempt to remove the file if required.
672 }
674 // Finish computing the hash
682 }
683 }
685 // Compute the signature of the binary. ExtractSignatureInfo doesn't do
686 // anything on non-Windows platforms except return an empty nsIArray.
688 nsString filePath;
695 }
696 }
698 // Post an event to notify that the operation completed.
702 NS_DISPATCH_NORMAL))) {
704 }
707 }
709 // Called on the control thread.
713 }
716 }
718 // Called on the control thread.
722 nsresult status;
723 {
726 }
730 // If mObserver keeps alive an enclosure that captures `this`, we'll have a
731 // cycle that won't be caught by the cycle-collector, so we need to break it
732 // when we're done here (see bug 1444265).
734 }
736 // At this point, the worker thread will not process any more events, and we
737 // can shut it down. Shutting down a thread may re-enter the event loop on
738 // this thread. This is not a problem in this case, since this function is
739 // called by a top-level event itself, and we have already invoked the
740 // completion observer callback. Re-entering the loop can only delay the
741 // final release and destruction of this saver object, since we are keeping a
742 // reference to it through the event object.
745 sThreadCount--;
747 // When there are no more active downloads, we consider the download session
748 // finished. We record the maximum number of concurrent downloads reached
749 // during the session in a telemetry histogram, and we reset the maximum
750 // thread counter for the next download session
753 sTelemetryMaxThreadCount);
755 }
758 }
762 {
766 }
767 }
768 #ifdef XP_WIN
769 // Setup the file to check.
776 // We want to check it is signed and trusted.
787 // Disallow revocation checks over the network
789 // no UI
793 // The WINTRUST_ACTION_GENERIC_VERIFY_V2 policy verifies that the certificate
794 // chains up to a trusted root CA and has appropriate permissions to sign
795 // code.
797 // Check if the file is signed by something that is trusted. If the file is
798 // not signed, this is a no-op.
801 // According to the Windows documentation, we should check against 0 instead
802 // of ERROR_SUCCESS, which is an HRESULT.
805 }
807 // Lock because signature information is read on the main thread.
810 // A binary may have multiple signers. Each signer may have multiple certs
811 // in the chain.
817 }
823 }
830 X509_ASN_ENCODING) {
832 }
837 }
840 }
841 }
842 }
843 // Free the provider data if cryptoProviderData is not null.
848 }
849 #endif
851 }
853 ////////////////////////////////////////////////////////////////////////////////
854 //// BackgroundFileSaverOutputStream
858 nsIOutputStreamCallback)
867 }
869 NS_IMETHODIMP
872 NS_IMETHODIMP
875 NS_IMETHODIMP
878 }
880 NS_IMETHODIMP
884 }
886 NS_IMETHODIMP
890 }
892 NS_IMETHODIMP
897 }
899 NS_IMETHODIMP
902 }
904 NS_IMETHODIMP
907 }
909 NS_IMETHODIMP
919 aEventTarget);
920 }
922 NS_IMETHODIMP
931 }
933 ////////////////////////////////////////////////////////////////////////////////
934 //// BackgroundFileSaverStreamListener
941 nsAsyncCopyProgressFun
944 }
946 NS_IMETHODIMP
951 }
953 NS_IMETHODIMP
955 nsresult aStatusCode) {
956 // If an error occurred, cancel the operation immediately. On success, wait
957 // until the caller has determined whether the file should be renamed.
960 }
963 }
965 NS_IMETHODIMP
970 nsresult rv;
974 // Read the requested data. Since the pipe has an infinite buffer, we don't
975 // expect any write error to occur here.
980 // If reading from the input stream fails for any reason, the pipe will return
981 // a success code, but without reading all the data. Since we should be able
982 // to read the requested data when OnDataAvailable is called, raise an error.
986 }
989 {
999 }
1000 }
1001 }
1005 }
1008 }
1010 // Called on the worker thread.
1011 // static
1017 // Wait if the control thread is in the process of suspending or resuming.
1020 // This function is called when some bytes are consumed by NS_AsyncCopy. Each
1021 // time this happens, verify if a suspended request should be resumed, because
1022 // we have now consumed enough data.
1029 // Post an event to verify if the request should be resumed.
1033 self,
1035 NS_DISPATCH_NORMAL))) {
1037 }
1038 }
1039 }
1040 }
1042 // Called on the control thread.
1044 // Prevent the worker thread from changing state while processing.
1049 // Try to suspend the request. If this fails, don't try to resume later.
1054 }
1055 }
1058 // Resume the request only if we succeeded in suspending it.
1063 }
1064 }
1065 }
1068 }
1070 ////////////////////////////////////////////////////////////////////////////////
1071 //// DigestOutputStream
1078 }
1080 NS_IMETHODIMP
1083 NS_IMETHODIMP
1086 NS_IMETHODIMP
1089 NS_IMETHODIMP
1096 }
1098 NS_IMETHODIMP
1101 // Not supported. We could read the stream to a buf, call DigestOp on the
1102 // result, seek back and pass the stream on, but it's not worth it since our
1103 // application (NS_AsyncCopy) doesn't invoke this on the sink.
1105 }
1107 NS_IMETHODIMP
1111 }
1113 NS_IMETHODIMP
1116 }
1118 #undef LOG_ENABLED