Add script isolation enforcement

Pass isolation options as parameters

Add unit tests for script isolation

Update test to pass options

Author: rhysparry

source/Calamari.Common/CalamariFlavourProgram.cs

@@ -12,6 +12,7 @@
 using Calamari.Common.Features.FunctionScriptContributions;
 using Calamari.Common.Features.Packages;
 using Calamari.Common.Features.Processes;
+using Calamari.Common.Features.Processes.ScriptIsolation;
 using Calamari.Common.Features.Scripting;
 using Calamari.Common.Features.Scripting.DotnetScript;
 using Calamari.Common.Features.StructuredVariables;
@@ -78,6 +79,7 @@ protected virtual int Run(string[] args)
                 }
 #endif
 
+                using var _ = Isolation.Enforce(options.ScriptIsolation);
                 return ResolveAndExecuteCommand(container, options);
             }
             catch (Exception ex)

source/Calamari.Common/CalamariFlavourProgramAsync.cs

@@ -3,6 +3,7 @@
 using System.Diagnostics;
 using System.Linq;
 using System.Reflection;
+using System.Threading;
 using System.Threading.Tasks;
 using Autofac;
 using Autofac.Core;
@@ -14,6 +15,7 @@
 using Calamari.Common.Features.FunctionScriptContributions;
 using Calamari.Common.Features.Packages;
 using Calamari.Common.Features.Processes;
+using Calamari.Common.Features.Processes.ScriptIsolation;
 using Calamari.Common.Features.Scripting;
 using Calamari.Common.Features.Scripting.DotnetScript;
 using Calamari.Common.Features.StructuredVariables;
@@ -143,6 +145,7 @@ protected async Task<int> Run(string[] args)
                 }
 #endif
 
+                await using var _ = await Isolation.EnforceAsync(options.ScriptIsolation, CancellationToken.None);
                 await ResolveAndExecuteCommand(container, options);
                 return 0;
             }

source/Calamari.Common/Features/Processes/ScriptIsolation/FileLock.cs

@@ -0,0 +1,45 @@
+using System;
+using System.IO;
+using System.Threading.Tasks;
+
+namespace Calamari.Common.Features.Processes.ScriptIsolation;
+
+public static class FileLock
+{
+    public static ILockHandle Acquire(LockOptions lockOptions)
+    {
+        var fileShareMode = GetFileShareMode(lockOptions.Type);
+        try
+        {
+            var fileStream = File.Open(lockOptions.LockFile, FileMode.OpenOrCreate, FileAccess.ReadWrite, fileShareMode);
+            return new LockHandle(fileStream);
+        }
+        catch (IOException e)
+        {
+            throw new LockRejectedException(e);
+        }
+    }
+
+    static FileShare GetFileShareMode(LockType isolationLevel)
+    {
+        return isolationLevel switch
+        {
+            LockType.Exclusive => FileShare.None,
+            LockType.Shared => FileShare.ReadWrite,
+            _ => throw new ArgumentOutOfRangeException(nameof(isolationLevel), isolationLevel, null)
+        };
+    }
+
+    sealed class LockHandle(FileStream fileStream) : ILockHandle
+    {
+        public void Dispose()
+        {
+            fileStream.Dispose();
+        }
+
+        public async ValueTask DisposeAsync()
+        {
+            await fileStream.DisposeAsync();
+        }
+    }
+}

source/Calamari.Common/Features/Processes/ScriptIsolation/ILockHandle.cs

@@ -0,0 +1,5 @@
+using System;
+
+namespace Calamari.Common.Features.Processes.ScriptIsolation;
+
+public interface ILockHandle : IAsyncDisposable, IDisposable;

source/Calamari.Common/Features/Processes/ScriptIsolation/Isolation.cs

@@ -0,0 +1,102 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Calamari.Common.Plumbing.Commands;
+using Calamari.Common.Plumbing.Logging;
+using Polly;
+
+namespace Calamari.Common.Features.Processes.ScriptIsolation;
+
+public static class Isolation
+{
+    // Compare these values with the standard script isolation mutex strategy
+    static readonly TimeSpan RetryInitialDelay = TimeSpan.FromMilliseconds(10);
+    static readonly TimeSpan RetryMaxDelay = TimeSpan.FromMilliseconds(500);
+
+    public static ILockHandle Enforce(CommonOptions.ScriptIsolationOptions scriptIsolationOptions)
+    {
+        var lockOptions = LockOptions.FromScriptIsolationOptionsOrNull(scriptIsolationOptions);
+        if (lockOptions is null)
+        {
+            return new NoLock();
+        }
+
+        var pipeline = BuildLockAcquisitionPipeline(lockOptions);
+        LogIsolation(lockOptions);
+        try
+        {
+            return pipeline.Execute(FileLock.Acquire, lockOptions);
+        }
+        catch (Exception exception)
+        {
+            LockRejectedException.Throw(exception);
+            throw; // Satisfy the compiler
+        }
+    }
+
+    public static async Task<ILockHandle> EnforceAsync(
+        CommonOptions.ScriptIsolationOptions scriptIsolationOptions,
+        CancellationToken cancellationToken
+    )
+    {
+        var lockOptions = LockOptions.FromScriptIsolationOptionsOrNull(scriptIsolationOptions);
+        if (lockOptions is null)
+        {
+            return new NoLock();
+        }
+
+        var pipeline = BuildLockAcquisitionPipeline(lockOptions);
+        LogIsolation(lockOptions);
+        try
+        {
+            return await pipeline.ExecuteAsync(static (o, _) => ValueTask.FromResult(FileLock.Acquire(o)), lockOptions, cancellationToken);
+        }
+        catch (Exception exception)
+        {
+            LockRejectedException.Throw(exception);
+            throw; // Satisfy the compiler
+        }
+    }
+
+    static void LogIsolation(LockOptions lockOptions)
+    {
+        Log.Verbose($"Acquiring script isolation mutex {lockOptions.Name} with {lockOptions.Type} lock");
+    }
+
+    static ResiliencePipeline<ILockHandle> BuildLockAcquisitionPipeline(LockOptions lockOptions)
+    {
+        var builder = new ResiliencePipelineBuilder<ILockHandle>();
+        // Timeout must be between 10ms and 1 day. (Polly)
+        // If it's 10ms or less, we'll skip timeout and limit retries
+        // If it's more than 1 day, we'll assume indefinite retries with no timeout
+        var retryAttempts = lockOptions.Timeout <= TimeSpan.FromMilliseconds(10)
+            ? 1
+            : int.MaxValue;
+        if (lockOptions.Timeout < TimeSpan.FromDays(1) && lockOptions.Timeout > TimeSpan.FromMilliseconds(10))
+        {
+            builder.AddTimeout(lockOptions.Timeout);
+        }
+
+        builder.AddRetry(
+                         new()
+                         {
+                             BackoffType = DelayBackoffType.Exponential,
+                             Delay = RetryInitialDelay,
+                             MaxDelay = RetryMaxDelay,
+                             MaxRetryAttempts = retryAttempts,
+                             ShouldHandle = new PredicateBuilder<ILockHandle>().Handle<LockRejectedException>(),
+                             UseJitter = true
+                         }
+                        );
+        return builder.Build();
+    }
+
+    class NoLock : ILockHandle
+    {
+        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+
+        public void Dispose()
+        {
+        }
+    }
+}

source/Calamari.Common/Features/Processes/ScriptIsolation/LockOptions.cs

@@ -0,0 +1,49 @@
+using System;
+using Calamari.Common.Plumbing.Commands;
+using Calamari.Common.Plumbing.Logging;
+
+namespace Calamari.Common.Features.Processes.ScriptIsolation;
+
+public sealed record LockOptions(
+    LockType Type,
+    string Name,
+    string LockFile,
+    TimeSpan Timeout
+)
+{
+    public static LockOptions? FromScriptIsolationOptionsOrNull(CommonOptions.ScriptIsolationOptions options)
+    {
+        if (string.IsNullOrWhiteSpace(options.Level) || string.IsNullOrWhiteSpace(options.MutexName) || string.IsNullOrWhiteSpace(options.TentacleHome))
+        {
+            return null;
+        }
+
+        var lockType = MapScriptIsolationLevelToLockTypeOrNull(options.Level);
+        if (lockType == null)
+        {
+            Log.Verbose($"Failed to map script isolation level '{options.Level}' to a valid LockType. Expected 'FullIsolation' or 'NoIsolation' (case-insensitive).");
+            return null;
+        }
+
+        if (!TimeSpan.TryParse(options.Timeout, out var timeout))
+        {
+            Log.Verbose($"Failed to parse mutex timeout value '{options.Timeout}' as TimeSpan. Defaulting to TimeSpan.MaxValue.");
+            // What should we do if the timeout is invalid? Default to max value?
+            timeout = TimeSpan.MaxValue;
+        }
+
+        var lockFilePath = GetLockFilePath(options.TentacleHome, options.MutexName);
+        return new LockOptions(lockType.Value, options.MutexName, lockFilePath, timeout);
+    }
+
+    static string GetLockFilePath(string tentacleHome, string mutexName) =>
+        System.IO.Path.Combine(tentacleHome, $"ScriptIsolation.{mutexName}.lock"); // Should we sanitize the mutex name or just allow it to be invalid?
+
+    static LockType? MapScriptIsolationLevelToLockTypeOrNull(string isolationLevel) =>
+        isolationLevel.ToLowerInvariant() switch
+        {
+            "fullisolation" => LockType.Exclusive,
+            "noisolation" => LockType.Shared,
+            _ => null
+        };
+}

source/Calamari.Common/Features/Processes/ScriptIsolation/LockRejectedException.cs

@@ -0,0 +1,30 @@
+using System;
+using System.Diagnostics.CodeAnalysis;
+using Polly.Timeout;
+
+namespace Calamari.Common.Features.Processes.ScriptIsolation;
+
+public sealed class LockRejectedException(string message, Exception? innerException)
+    : Exception(message, innerException)
+{
+    public LockRejectedException(Exception innerException) : this("Lock acquisition failed", innerException)
+    {
+    }
+
+    [DoesNotReturn]
+    public static void Throw(Exception innerException)
+    {
+        if (innerException is LockRejectedException lockRejectedException)
+        {
+            throw lockRejectedException;
+        }
+
+        if (innerException is TimeoutRejectedException timeoutRejectedException)
+        {
+            var message = $"Lock acquisition failed after {timeoutRejectedException.Timeout}";
+            throw new LockRejectedException(message, timeoutRejectedException);
+        }
+
+        throw new LockRejectedException("Lock acquisition failed", innerException);
+    }
+}

source/Calamari.Common/Features/Processes/ScriptIsolation/LockType.cs

@@ -0,0 +1,7 @@
+namespace Calamari.Common.Features.Processes.ScriptIsolation;
+
+public enum LockType
+{
+    Shared,
+    Exclusive
+}

source/Calamari.Common/Plumbing/Commands/CommonOptions.cs

@@ -16,6 +16,7 @@ internal CommonOptions(string command)
         public string Command { get; }
         public List<string> RemainingArguments { get; private set; } = new List<string>();
         public Variables InputVariables { get; } = new Variables();
+        public ScriptIsolationOptions ScriptIsolation { get; } = new ScriptIsolationOptions();
 
         public static CommonOptions Parse(string[] args)
         {
@@ -32,7 +33,10 @@ public static CommonOptions Parse(string[] args)
                       .Add("variables=", "Path to a encrypted JSON file containing variables.", v => options.InputVariables.VariableFiles.Add(v))
                       .Add("variablesPassword=", "Password used to decrypt variables.", v => options.InputVariables.VariablesPassword = v)
                       .Add("outputVariables=", "Path to a encrypted JSON file containing output variables from previous executions.", v => options.InputVariables.OutputVariablesFile = v)
-                      .Add("outputVariablesPassword=", "Password used to decrypt output variables", v => options.InputVariables.OutputVariablesPassword = v);
+                      .Add("outputVariablesPassword=", "Password used to decrypt output variables", v => options.InputVariables.OutputVariablesPassword = v)
+                      .Add("scriptIsolationLevel=", "The level of isolation to run scripts at. Valid values are: NoIsolation or FullIsolation.", v => options.ScriptIsolation.Level = v)
+                      .Add("scriptIsolationMutexName=", "The name of the mutex to use when running scripts with Calamari isolation.", v => options.ScriptIsolation.MutexName = v)
+                      .Add("scriptIsolationTimeout=", "The timeout to use when running scripts with Calamari isolation. In .NET TimeSpan format.", v => options.ScriptIsolation.Timeout = v);
 
             //these are legacy options to support the V2 pipeline
             set.Add("sensitiveVariables=", "(DEPRECATED) Path to a encrypted JSON file containing sensitive variables. This file format is deprecated.", v => options.InputVariables.DeprecatedFormatVariableFiles.Add(v))
@@ -54,5 +58,13 @@ public class Variables
             public List<string> DeprecatedFormatVariableFiles { get; internal set; } = new List<string>();
             public string? DeprecatedVariablesPassword { get; internal set; }
         }
+
+        public class ScriptIsolationOptions
+        {
+            public string? Level { get; internal set; }
+            public string? MutexName { get; internal set; }
+            public string? Timeout { get; internal set; }
+            public string? TentacleHome { get; internal set; } = Environment.GetEnvironmentVariable("TentacleHome");
+        }
     }
 }