Improve handling of disk cache errors (#3625)

* Improve handling of disk cache errors

* better exception message

* tst

* log

* tst

* log

* debug

* assert

* tst

* why

* tst

* chown

* buildspec

* Update toolkit-test-log.properties

* Update CredentialWriter.kt

* Update DiskCache.kt

* perms

* tst

* log

* perms

* faster perms

* more creds

Author: rli

.changes/next-release/bugfix-d0f3ffcc-004e-49f9-9d91-e910d4e6303e.json

@@ -0,0 +1,4 @@
+{
+  "type" : "bugfix",
+  "description" : "Improve handling of disk errors related to SSO and align folder permissions with AWS CLI"
+}

buildspec/linuxTests.yml

@@ -13,8 +13,10 @@ env:
 phases:
   install:
     commands:
-      - export PATH="$PATH:$HOME/.dotnet/tools"
-      - dotnet codeartifact-creds install
+      - useradd codebuild-user
+      - dnf install -y acl
+      - chown -R codebuild-user:codebuild-user /codebuild/output
+      - setfacl -m d:o::rwx,o::rwx /root
 
   build:
     commands:
@@ -23,10 +25,11 @@ phases:
           CODEARTIFACT_URL=$(aws codeartifact get-repository-endpoint --domain $CODEARTIFACT_DOMAIN_NAME --repository $CODEARTIFACT_REPO_NAME --format maven --query repositoryEndpoint --output text)
           CODEARTIFACT_NUGET_URL=$(aws codeartifact get-repository-endpoint --domain $CODEARTIFACT_DOMAIN_NAME --repository $CODEARTIFACT_REPO_NAME --format nuget --query repositoryEndpoint --output text)
           CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain $CODEARTIFACT_DOMAIN_NAME --query authorizationToken --output text --duration-seconds 3600)
+          su codebuild-user -c "dotnet codeartifact-creds install"
         fi
 
       - chmod +x gradlew
-      - ./gradlew -PideProfileName=$ALTERNATIVE_IDE_PROFILE_NAME check coverageReport --info --console plain --continue
+      - su codebuild-user -c "./gradlew -PideProfileName=$ALTERNATIVE_IDE_PROFILE_NAME check coverageReport --info --console plain --continue"
       - ./gradlew -PideProfileName=$ALTERNATIVE_IDE_PROFILE_NAME buildPlugin
       - VCS_COMMIT_ID="${CODEBUILD_RESOLVED_SOURCE_VERSION}"
       - CI_BUILD_URL=$(echo $CODEBUILD_BUILD_URL | sed 's/#/%23/g') # Encode `#` in the URL because otherwise the url is clipped in the Codecov.io site
@@ -44,7 +47,7 @@ phases:
       - rsync -rmq --include='*/' --include '**/build/idea-sandbox/system*/log/**' --exclude='*' . $TEST_ARTIFACTS/ || true
       - rsync -rmq --include='*/' --include '**/build/reports/**' --exclude='*' . $TEST_ARTIFACTS/ || true
       - rsync -rmq --include='*/' --include '**/test-results/**/*.xml' --exclude='*' . $TEST_ARTIFACTS/test-reports || true
-      - cp -r ./intellij/build/distributions/*.zip $BUILD_ARTIFACTS/ || true
+      - cp -r ./intellij/build/distributions/*.zip $BUILD_ARTIFACTS/ || touch $BUILD_ARTIFACTS/build_failed
 
 reports:
   unit-test:

core/src/software/aws/toolkits/core/utils/PathUtils.kt

@@ -3,15 +3,26 @@
 
 package software.aws.toolkits.core.utils
 
+import org.slf4j.Logger
 import java.io.InputStream
 import java.io.OutputStream
 import java.nio.charset.Charset
+import java.nio.file.AccessMode
 import java.nio.file.FileAlreadyExistsException
 import java.nio.file.Files
 import java.nio.file.NoSuchFileException
 import java.nio.file.Path
+import java.nio.file.attribute.AclEntry
+import java.nio.file.attribute.AclFileAttributeView
 import java.nio.file.attribute.FileTime
 import java.nio.file.attribute.PosixFilePermission
+import java.nio.file.attribute.PosixFilePermissions
+import java.nio.file.attribute.UserPrincipal
+import kotlin.io.path.getPosixFilePermissions
+import kotlin.io.path.isRegularFile
+
+val POSIX_OWNER_ONLY_FILE = setOf(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)
+val POSIX_OWNER_ONLY_DIR = setOf(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE)
 
 fun Path.inputStream(): InputStream = Files.newInputStream(this)
 fun Path.inputStreamIfExists(): InputStream? = try {
@@ -20,26 +31,183 @@ fun Path.inputStreamIfExists(): InputStream? = try {
     null
 }
 
-fun Path.touch() {
-    this.createParentDirectories()
+fun Path.touch(restrictToOwner: Boolean = false) {
     try {
-        Files.createFile(this)
-    } catch (_: FileAlreadyExistsException) { }
+        if (!restrictToOwner || !hasPosixFilePermissions()) {
+            Files.createFile(this)
+        } else {
+            Files.createFile(this, PosixFilePermissions.asFileAttribute(POSIX_OWNER_ONLY_FILE))
+        }
+    } catch (_: FileAlreadyExistsException) {}
 }
 
 fun Path.outputStream(): OutputStream {
     this.createParentDirectories()
     return Files.newOutputStream(this)
 }
-fun Path.createParentDirectories() = Files.createDirectories(this.parent)
+
+fun Path.createParentDirectories(restrictToOwner: Boolean = false) = if (!restrictToOwner || !hasPosixFilePermissions()) {
+    Files.createDirectories(this.parent)
+} else {
+    Files.createDirectories(this.parent, PosixFilePermissions.asFileAttribute(POSIX_OWNER_ONLY_DIR))
+}
+
 fun Path.exists() = Files.exists(this)
 fun Path.deleteIfExists() = Files.deleteIfExists(this)
 fun Path.lastModified(): FileTime = Files.getLastModifiedTime(this)
 fun Path.readText(charset: Charset = Charsets.UTF_8) = toFile().readText(charset)
 fun Path.writeText(text: String, charset: Charset = Charsets.UTF_8) = toFile().writeText(text, charset)
+
+// Comes from PosixFileAttributeView#name()
+fun Path.hasPosixFilePermissions() = "posix" in this.fileSystem.supportedFileAttributeViews()
 fun Path.filePermissions(permissions: Set<PosixFilePermission>) {
-    // Comes from PosixFileAttributeView#name()
-    if ("posix" in this.fileSystem.supportedFileAttributeViews()) {
+    if (hasPosixFilePermissions()) {
         Files.setPosixFilePermissions(this, permissions)
     }
 }
+
+fun Path.tryDirOp(log: Logger, block: Path.() -> Unit) {
+    try {
+        log.debug { "dir op on $this" }
+        block(this)
+    } catch (e: Exception) {
+        if (e !is java.nio.file.AccessDeniedException && e !is kotlin.io.AccessDeniedException) {
+            throw e
+        }
+
+        if (!hasPosixFilePermissions()) {
+            throw tryAugmentExceptionMessage(e, this)
+        }
+
+        log.info(e) { "Attempting to handle ADE for directory operation" }
+        try {
+            var parent = if (this.isRegularFile()) { parent } else { this }
+
+            while (parent != null) {
+                if (!parent.exists()) {
+                    log.info { "${parent.toAbsolutePath()}: does not exist yet" }
+                } else {
+                    if (tryOrNull { parent.fileSystem.provider().checkAccess(parent, AccessMode.READ, AccessMode.WRITE, AccessMode.EXECUTE) } != null) {
+                        log.debug { "$parent has rwx, exiting" }
+                        // can assume parent permissions are correct
+                        break
+                    }
+
+                    log.debug { "fixing perms for $parent" }
+                    parent.tryFixPerms(log, POSIX_OWNER_ONLY_DIR)
+                }
+
+                parent = parent.parent
+            }
+        } catch (e2: Exception) {
+            log.warn(e2) { "Encountered error while handling ADE for ${e.message}" }
+
+            throw tryAugmentExceptionMessage(e, this)
+        }
+
+        log.info { "Done attempting to handle ADE for directory operation" }
+        block(this)
+    }
+}
+
+fun<T> Path.tryFileOp(log: Logger, block: Path.() -> T) =
+    try {
+        log.debug { "file op on $this" }
+        block(this)
+    } catch (e: Exception) {
+        if (e !is java.nio.file.AccessDeniedException && e !is kotlin.io.AccessDeniedException) {
+            throw e
+        }
+
+        if (!hasPosixFilePermissions()) {
+            throw tryAugmentExceptionMessage(e, this)
+        }
+
+        log.info(e) { "Attempting to handle ADE for file operation" }
+        try {
+            log.debug { "fixing perms for $this" }
+            tryFixPerms(log, POSIX_OWNER_ONLY_FILE)
+        } catch (e2: Exception) {
+            log.warn(e2) { "Encountered error while handling ADE for ${e.message}" }
+
+            throw tryAugmentExceptionMessage(e, this)
+        }
+
+        log.info { "Done attempting to handle ADE for file operation" }
+        block(this)
+    }
+
+private fun Path.tryFixPerms(log: Logger, desiredPermissions: Set<PosixFilePermission>) {
+    // TODO: consider handling linux ACLs
+    // only try ops if we own the file
+    // (ab)use invariant that chmod only works if you are root or the file owner
+    val perms = tryOrLogShortException(log) { Files.getPosixFilePermissions(this) }
+    val ownership = tryOrLogShortException(log) { Files.getOwner(this) }
+
+    log.info { "Permissions for ${toAbsolutePath()}: $ownership, $perms" }
+    if (perms != null && ownership != null) {
+        if (ownership.name != "root" && tryOrNull { filePermissions(perms) } != null) {
+            val permissions = perms + desiredPermissions
+            log.info { "Setting perms for ${toAbsolutePath()}: $permissions" }
+            filePermissions(permissions)
+        }
+    }
+}
+
+private fun tryAugmentExceptionMessage(e: Exception, path: Path): Exception {
+    if (e !is java.nio.file.AccessDeniedException && e !is kotlin.io.AccessDeniedException) {
+        return e
+    }
+
+    var potentialProblem = if (path.exists()) { path } else { path.parent }
+    var acls: List<AclEntry>? = null
+    var ownership: UserPrincipal? = null
+    while (potentialProblem != null) {
+        acls = tryOrNull { Files.getFileAttributeView(potentialProblem, AclFileAttributeView::class.java).acl }
+        ownership = tryOrNull { Files.getOwner(potentialProblem) }
+
+        if (acls != null || ownership != null) {
+            break
+        }
+
+        potentialProblem = potentialProblem.parent
+    }
+
+    val message = buildString {
+        // $path is automatically added to the front of the exception message
+        appendLine("Exception trying to perform operation")
+
+        if (potentialProblem != null) {
+            append("Potential issue is with $potentialProblem")
+
+            if (ownership != null) {
+                append(", which has owner: $ownership")
+            }
+
+            if (acls != null) {
+                append(", and ACL entries for: ${acls.map { it.principal() }}")
+            }
+
+            val posixPermissions = tryOrNull { PosixFilePermissions.toString(potentialProblem.getPosixFilePermissions()) }
+            if (posixPermissions != null) {
+                append(", and POSIX permissions: $posixPermissions")
+            }
+        }
+    }
+
+    return when (e) {
+        is kotlin.io.AccessDeniedException -> kotlin.io.AccessDeniedException(e.file, e.other, message)
+        is java.nio.file.AccessDeniedException -> java.nio.file.AccessDeniedException(e.file, e.otherFile, message)
+        // should never happen
+        else -> e
+    }.also {
+        it.stackTrace = e.stackTrace
+    }
+}
+
+private fun<T> tryOrLogShortException(log: Logger, block: () -> T) = try {
+    block()
+} catch (e: Exception) {
+    log.warn { "${e::class.simpleName}: ${e.message}" }
+    null
+}

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/CredentialWriter.kt

@@ -18,6 +18,12 @@ import com.intellij.openapi.ui.Messages
 import com.intellij.openapi.vfs.LocalFileSystem
 import org.jetbrains.annotations.TestOnly
 import software.amazon.awssdk.profiles.ProfileFileLocation
+import software.aws.toolkits.core.utils.createParentDirectories
+import software.aws.toolkits.core.utils.getLogger
+import software.aws.toolkits.core.utils.touch
+import software.aws.toolkits.core.utils.tryDirOp
+import software.aws.toolkits.core.utils.tryFileOp
+import software.aws.toolkits.core.utils.writeText
 import software.aws.toolkits.resources.message
 import software.aws.toolkits.telemetry.AwsTelemetry
 import java.io.File
@@ -128,23 +134,14 @@ object DefaultConfigFileWriter : ConfigFileWriter {
         """.trimIndent()
 
     override fun createFile(file: File) {
-        val parent = file.parentFile
-        if (parent.mkdirs()) {
-            parent.setReadable(false, false)
-            parent.setReadable(true)
-            parent.setWritable(false, false)
-            parent.setWritable(true)
-            parent.setExecutable(false, false)
-            parent.setExecutable(true)
-        }
-
-        file.writeText(TEMPLATE)
+        val path = file.toPath()
+        path.tryDirOp(LOG) { createParentDirectories() }
 
-        file.setReadable(false, false)
-        file.setReadable(true)
-        file.setWritable(false, false)
-        file.setWritable(true)
-        file.setExecutable(false, false)
-        file.setExecutable(false)
+        path.tryFileOp(LOG) {
+            touch(restrictToOwner = true)
+            writeText(TEMPLATE)
+        }
     }
+
+    private val LOG = getLogger<DefaultConfigFileWriter>()
 }