fix: uwirtefile with lock invoid conficts from different reqs

Author: AlbeeSo

pkg/mounter/proxy/server/ossfs/driver.go

@@ -90,6 +90,9 @@ func (h *Driver) Mount(ctx context.Context, req *proxy.MountRequest) error {
 			klog.InfoS("ossfs exited", "mountpoint", target, "pid", pid)
 		}
 		ossfsExited <- err
+		// Note: No need to clean up credential files since after rotation support,
+		// files are stored in fixed paths and won't generate multiple copies that
+		// could lead to files leakage.
 		close(ossfsExited)
 	}()
 
@@ -98,16 +101,6 @@ func (h *Driver) Mount(ctx context.Context, req *proxy.MountRequest) error {
 		case err := <-ossfsExited:
 			// TODO: collect ossfs outputs to return in error message
 			if err != nil {
-				if passwdFile != "" {
-					if errRemove := os.Remove(passwdFile); errRemove != nil {
-						klog.ErrorS(err, "Remove passwd file", "mountpoint", target, "path", passwdFile)
-					}
-				}
-				if tokenDir != "" {
-					if errRemove := os.RemoveAll(tokenDir); errRemove != nil {
-						klog.ErrorS(err, "Remove token directory", "mountpoint", target, "dir", tokenDir)
-					}
-				}
 				return false, fmt.Errorf("ossfs exited: %w", err)
 			}
 			return false, fmt.Errorf("ossfs exited")

pkg/mounter/proxy/server/ossfs/utils.go

@@ -11,13 +11,13 @@ import (
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
 )
 
-
 // rotateTokenFiles rotates (or initializes) token files
 func rotateTokenFiles(dir string, secrets map[string]string) (rotated bool, err error) {
 	if secrets == nil {
 		return false, nil
 	}
 	// token
+	var fileUpdate bool
 	tokenKey := []string{oss.KeyAccessKeyId, oss.KeyAccessKeySecret, oss.KeySecurityToken, oss.KeyExpiration}
 	for _, key := range tokenKey {
 		val := secrets[filepath.Join(utils.GetPasswdFileName("ossfs"), key)]
@@ -26,12 +26,12 @@ func rotateTokenFiles(dir string, secrets map[string]string) (rotated bool, err
 			klog.Error(err)
 			return
 		}
-		err = os.WriteFile(filepath.Join(dir, key), []byte(val), 0o600)
+		fileUpdate, err = utils.WriteFileWithLock(filepath.Join(dir, key), []byte(val), 0o600)
 		if err != nil {
-			klog.Errorf("writeFile %s failed %v", key, err)
+			klog.Errorf("WriteFileWithLock %s failed %v", key, err)
 			return
 		}
-		rotated = true
+		rotated = fileUpdate || rotated
 	}
 	return
 }
@@ -51,7 +51,7 @@ func prepareCredentialFiles(target string, secrets map[string]string) (file, dir
 	}
 
 	if passwd := secrets[utils.GetPasswdFileName("ossfs")]; passwd != "" {
-		err = os.WriteFile(filepath.Join(hashDir, utils.GetPasswdFileName("ossfs")), []byte(passwd), 0o600)
+		_, err = utils.WriteFileWithLock(filepath.Join(hashDir, utils.GetPasswdFileName("ossfs")), []byte(passwd), 0o600)
 		if err != nil {
 			return
 		}

pkg/mounter/proxy/server/ossfs2/driver.go

@@ -97,6 +97,9 @@ func (h *Driver) Mount(ctx context.Context, req *proxy.MountRequest) error {
 			klog.InfoS("ossfs2 exited", "mountpoint", target, "pid", pid)
 		}
 		ossfsExited <- err
+		// Note: No need to clean up credential files since after rotation support,
+		// files are stored in fixed paths and won't generate multiple copies that
+		// could lead to files leakage.
 		close(ossfsExited)
 	}()
 
@@ -105,9 +108,6 @@ func (h *Driver) Mount(ctx context.Context, req *proxy.MountRequest) error {
 		case err := <-ossfsExited:
 			// TODO: collect ossfs outputs to return in error message
 			if err != nil {
-				if errRemove := os.Remove(passwdFile); errRemove != nil {
-					klog.ErrorS(err, "Remove configuration file", "mountpoint", target, "path", passwdFile)
-				}
 				return false, fmt.Errorf("ossfs2 exited: %w", err)
 			}
 			return false, fmt.Errorf("ossfs2 exited")
@@ -150,11 +150,11 @@ func (h *Driver) Mount(ctx context.Context, req *proxy.MountRequest) error {
 func (h *Driver) RotateToken(ctx context.Context, req *proxy.RotateTokenRequest) error {
 	// prepare passwd file
 	hashDir := utils.GetPasswdHashDir(req.Target)
-	tokenFiles, err := rotateTokenFiles(hashDir, req.Secrets)
+	rotated, err := rotateTokenFiles(hashDir, req.Secrets)
 	if err != nil {
 		return fmt.Errorf("rotate token files failed: %w", err)
 	}
-	if len(tokenFiles) != 0 {
+	if rotated {
 		klog.V(4).InfoS("rotate ossfs2 token files")
 	}
 	return nil

pkg/mounter/proxy/server/ossfs2/utils.go

@@ -12,12 +12,12 @@ import (
 )
 
 // rotateTokenFiles rotates (or initializes) token files
-func rotateTokenFiles(dir string, secrets map[string]string) (rotatedFiles map[string]string, err error) {
+func rotateTokenFiles(dir string, secrets map[string]string) (rotated bool, err error) {
 	if secrets == nil {
-		return nil, nil
+		return false, nil
 	}
-	// token
-	rotatedFiles = make(map[string]string)
+	// tokem
+	var fileUpdate bool
 	tokenKey := []string{oss.KeyAccessKeyId, oss.KeyAccessKeySecret, oss.KeySecurityToken}
 	for _, key := range tokenKey {
 		val := secrets[filepath.Join(utils.GetPasswdFileName("ossfs2"), key)]
@@ -26,12 +26,12 @@ func rotateTokenFiles(dir string, secrets map[string]string) (rotatedFiles map[s
 			klog.Error(err)
 			return
 		}
-		err = os.WriteFile(filepath.Join(dir, key), []byte(val), 0o600)
+		fileUpdate, err = utils.WriteFileWithLock(filepath.Join(dir, key), []byte(val), 0o600)
 		if err != nil {
-			klog.Errorf("writeFile %s failed %v", key, err)
+			klog.Errorf("WriteFileWithLock %s failed %v", key, err)
 			return
 		}
-		rotatedFiles[key] = filepath.Join(dir, key)
+		rotated = rotated || fileUpdate
 	}
 	return
 }
@@ -51,7 +51,7 @@ func prepareCredentialFiles(target string, secrets map[string]string) (file, dir
 	}
 
 	if passwd := secrets[utils.GetPasswdFileName("ossfs2")]; passwd != "" {
-		err = os.WriteFile(filepath.Join(hashDir, utils.GetPasswdFileName("ossfs2")), []byte(passwd), 0o600)
+		_, err = utils.WriteFileWithLock(filepath.Join(hashDir, utils.GetPasswdFileName("ossfs2")), []byte(passwd), 0o600)
 		if err != nil {
 			return
 		}
@@ -60,13 +60,16 @@ func prepareCredentialFiles(target string, secrets map[string]string) (file, dir
 	}
 
 	// token
-	tokenFiles, err := rotateTokenFiles(hashDir, secrets)
-	if len(tokenFiles) != 0 {
+	token, err := rotateTokenFiles(hashDir, secrets)
+	if err != nil {
+		return
+	}
+	if token {
 		dir = hashDir
 		options = append(options,
-			fmt.Sprintf("oss_sts_multi_conf_ak_file=%s", tokenFiles[oss.KeyAccessKeyId]),
-			fmt.Sprintf("oss_sts_multi_conf_sk_file=%s", tokenFiles[oss.KeyAccessKeySecret]),
-			fmt.Sprintf("oss_sts_multi_conf_token_file=%s", tokenFiles[oss.KeySecurityToken]),
+			fmt.Sprintf("oss_sts_multi_conf_ak_file=%s", filepath.Join(hashDir, oss.KeyAccessKeyId)),
+			fmt.Sprintf("oss_sts_multi_conf_sk_file=%s", filepath.Join(hashDir, oss.KeyAccessKeySecret)),
+			fmt.Sprintf("oss_sts_multi_conf_token_file=%s", filepath.Join(hashDir, oss.KeySecurityToken)),
 		)
 		return
 	}

pkg/mounter/proxy/server/ossfs2/utils_test.go

@@ -68,7 +68,7 @@ func TestRotateTokenFiles(t *testing.T) {
 	// case 1: initialize fiexd AKSK
 	secrets := map[string]string{OssfsPasswdFile: "testPasswd"}
 	rotated, err := rotateTokenFiles("/tmp/token-files", secrets)
-	assert.Len(t, rotated, 0)
+	assert.False(t, rotated)
 	assert.NoError(t, err)
 	err = os.RemoveAll("/tmp/token-files")
 	klog.ErrorS(err, "Remove token directory", "dir", "/tmp/token-files")
@@ -81,7 +81,7 @@ func TestRotateTokenFiles(t *testing.T) {
 		filepath.Join(OssfsPasswdFile, oss.KeySecurityToken):   "testSecurityToken",
 	}
 	rotated, err = rotateTokenFiles("/tmp/token-files", secrets)
-	assert.Len(t, rotated, 3)
+	assert.True(t, true)
 	assert.NoError(t, err)
 	ak, _ := os.ReadFile(filepath.Join("/tmp/token-files", oss.KeyAccessKeyId))
 	assert.Equal(t, "testAKID", string(ak))
@@ -100,7 +100,7 @@ func TestRotateTokenFiles(t *testing.T) {
 		filepath.Join(OssfsPasswdFile, oss.KeySecurityToken):   "newSecurityToken",
 	}
 	rotated, err = rotateTokenFiles("/tmp/token-files", secrets)
-	assert.Len(t, rotated, 3)
+	assert.True(t, rotated)
 	assert.NoError(t, err)
 	ak, _ = os.ReadFile(filepath.Join("/tmp/token-files", oss.KeyAccessKeyId))
 	assert.Equal(t, "newAKID", string(ak))

pkg/mounter/utils/filelock.go

@@ -0,0 +1,51 @@
+package utils
+
+import (
+	"os"
+	"sync"
+)
+
+var (
+	// Store the read-write lock corresponding to each file path
+	fileLocks = sync.Map{}
+)
+
+func getFileLock(path string) *sync.RWMutex {
+	lock, _ := fileLocks.LoadOrStore(path, &sync.RWMutex{})
+	return lock.(*sync.RWMutex)
+}
+
+// WriteFileWithLock safely writes data to file with locking
+func WriteFileWithLock(path string, data []byte, perm os.FileMode) (done bool, err error) {
+	lock := getFileLock(path)
+
+	// First try to acquire read lock to check if content is consistent
+	lock.RLock()
+	if existingData, err := os.ReadFile(path); err == nil {
+		// If file exists and content is the same, return directly to avoid redundant write
+		if string(existingData) == string(data) {
+			lock.RUnlock()
+			return false, nil
+		}
+	}
+	lock.RUnlock()
+
+	// Content is different or file does not exist, need to write new content
+	// Acquire write lock
+	lock.Lock()
+	defer lock.Unlock()
+
+	// Check content again (double-checked locking pattern)
+	if existingData, err := os.ReadFile(path); err == nil {
+		if string(existingData) == string(data) {
+			return false, nil
+		}
+	}
+
+	// Perform write operation
+	err = os.WriteFile(path, data, perm)
+	if err == nil {
+		done = true
+	}
+	return
+}