[GR-60061] Handle VFS extracted files like symlinks.

tomasstupka · tomasstupka · commit 9b7da27635c8 · 2024-12-18T14:42:45.000Z
PullRequest: graalpython/3612
diff --git a/graalpython/com.oracle.graal.python.test/src/org/graalvm/python/embedding/utils/test/VirtualFileSystemTest.java b/graalpython/com.oracle.graal.python.test/src/org/graalvm/python/embedding/utils/test/VirtualFileSystemTest.java
@@ -55,12 +55,15 @@
 import java.lang.reflect.Modifier;
 import java.net.URI;
 import java.nio.ByteBuffer;
+import java.nio.channels.NonWritableChannelException;
 import java.nio.channels.SeekableByteChannel;
 import java.nio.file.AccessMode;
 import java.nio.file.DirectoryStream;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.NoSuchFileException;
 import java.nio.file.NotDirectoryException;
+import java.nio.file.NotLinkException;
 import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
@@ -85,6 +88,7 @@
 import static org.graalvm.python.embedding.utils.VirtualFileSystem.HostIO.READ_WRITE;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -175,8 +179,10 @@ public void toRealPath() throws Exception {
     private static void toRealPathVFS(FileSystem fs, String pathPrefix) throws IOException {
         assertEquals(Path.of(VFS_MOUNT_POINT, "dir1"), fs.toRealPath(Path.of(pathPrefix, "dir1")));
         assertEquals(Path.of(VFS_MOUNT_POINT, "SomeFile"), fs.toRealPath(Path.of(pathPrefix, "SomeFile")));
-        assertEquals(Path.of(VFS_MOUNT_POINT, "does-not-exist", "extractme"), fs.toRealPath(Path.of(pathPrefix, "does-not-exist", "extractme")));
+        assertEquals(Path.of(VFS_MOUNT_POINT, "does-not-exist"), fs.toRealPath(Path.of(pathPrefix, "does-not-exist")));
+        assertEquals(Path.of(VFS_MOUNT_POINT, "extractme"), fs.toRealPath(Path.of(pathPrefix, "extractme"), LinkOption.NOFOLLOW_LINKS));
         checkExtractedFile(fs.toRealPath(Path.of(pathPrefix, "extractme")), new String[]{"text1", "text2"});
+        checkException(NoSuchFileException.class, () -> fs.toRealPath(Path.of(pathPrefix, "does-not-exist", "extractme")));
     }
 
     @Test
@@ -383,10 +389,23 @@ private static void checkAccessVFS(FileSystem fs, String pathPrefix) throws IOEx
         fs.checkAccess(Path.of(pathPrefix, "dir1"), Set.of(AccessMode.READ));
         // check regular resource file
         fs.checkAccess(Path.of(pathPrefix, "SomeFile"), Set.of(AccessMode.READ));
+
         // check to be extracted file
+        fs.checkAccess(Path.of(pathPrefix, "extractme"), Set.of(AccessMode.READ), LinkOption.NOFOLLOW_LINKS);
+        checkException(SecurityException.class, () -> fs.checkAccess(Path.of(pathPrefix, "extractme"), Set.of(AccessMode.WRITE), LinkOption.NOFOLLOW_LINKS));
         fs.checkAccess(Path.of(pathPrefix, "extractme"), Set.of(AccessMode.READ));
+        // even though extracted -> FS is read-only and we are limiting the access to read-only also
+        // for extracted files
+        checkException(IOException.class, () -> fs.checkAccess(Path.of(pathPrefix, "extractme"), Set.of(AccessMode.WRITE)));
+
+        checkException(NoSuchFileException.class, () -> fs.checkAccess(Path.of(pathPrefix, "does-not-exits", "extractme"), Set.of(AccessMode.READ), LinkOption.NOFOLLOW_LINKS));
+        checkException(NoSuchFileException.class, () -> fs.checkAccess(Path.of(pathPrefix, "does-not-exits", "extractme"), Set.of(AccessMode.READ)));
 
         checkException(SecurityException.class, () -> fs.checkAccess(Path.of(pathPrefix, "SomeFile"), Set.of(AccessMode.WRITE)), "write access should not be possible with VFS");
+        checkException(SecurityException.class, () -> fs.checkAccess(Path.of(pathPrefix, "does-not-exist"), Set.of(AccessMode.WRITE)), "execute access should not be possible with VFS");
+        checkException(SecurityException.class, () -> fs.checkAccess(Path.of(pathPrefix, "SomeFile"), Set.of(AccessMode.EXECUTE)), "execute access should not be possible with VFS");
+        checkException(SecurityException.class, () -> fs.checkAccess(Path.of(pathPrefix, "does-not-exist"), Set.of(AccessMode.EXECUTE)), "execute access should not be possible with VFS");
+
         checkException(NoSuchFileException.class, () -> fs.checkAccess(Path.of(pathPrefix, "does-not-exits"), Set.of(AccessMode.READ)),
                         "should not be able to access a file which does not exist in VFS");
         checkException(NoSuchFileException.class, () -> fs.checkAccess(Path.of(pathPrefix, "does-not-exits", "extractme"), Set.of(AccessMode.READ)),
@@ -485,6 +504,11 @@ public void newByteChannel() throws Exception {
 
             newByteChannelVFS(fs, VFS_MOUNT_POINT);
             withCWD(fs, VFS_ROOT_PATH, (fst) -> newByteChannelVFS(fst, ""));
+
+            checkException(NullPointerException.class, () -> fs.newByteChannel(Path.of(VFS_MOUNT_POINT, "does-not-exist"), null));
+            withCWD(fs, VFS_ROOT_PATH, (fst) -> checkException(NullPointerException.class, () -> fst.newByteChannel(Path.of("does-not-exist"), null)));
+            checkException(NullPointerException.class, () -> fs.newByteChannel(Path.of(VFS_MOUNT_POINT, "does-not-exist", "extractme"), null));
+            withCWD(fs, VFS_ROOT_PATH, (fst) -> checkException(NullPointerException.class, () -> fst.newByteChannel(Path.of("does-not-exist", "extractme"), null)));
         }
 
         // from real FS
@@ -502,25 +526,34 @@ public void newByteChannel() throws Exception {
     }
 
     private static void newByteChannelVFS(FileSystem fs, String pathPrefix) throws IOException {
-        Path path = Path.of(pathPrefix, "file1");
-        for (StandardOpenOption o : StandardOpenOption.values()) {
+        Path file1 = Path.of(pathPrefix, "file1");
+        Path extractable = Path.of(pathPrefix, "extractme");
+        for (StandardOpenOption o : new StandardOpenOption[]{StandardOpenOption.WRITE, StandardOpenOption.READ}) {
             if (o == StandardOpenOption.READ) {
-                SeekableByteChannel bch = fs.newByteChannel(path, Set.of(o));
-                ByteBuffer buffer = ByteBuffer.allocate(1024);
-                bch.read(buffer);
-                String s = new String(buffer.array());
-                String[] ss = s.split(System.lineSeparator());
-                assertTrue(ss.length >= 2);
-                assertEquals("text1", ss[0]);
-                assertEquals("text2", ss[1]);
-
-                checkException(IOException.class, () -> bch.write(buffer), "should not be able to write to VFS");
-                checkException(IOException.class, () -> bch.truncate(0), "should not be able to write to VFS");
+                newByteChannelVFS(fs, file1, Set.of(o));
+                newByteChannelVFS(fs, file1, Set.of(o, LinkOption.NOFOLLOW_LINKS));
+                newByteChannelVFS(fs, extractable, Set.of(o));
+                checkException(IOException.class, () -> fs.newByteChannel(extractable, Set.of(o, LinkOption.NOFOLLOW_LINKS)));
             } else {
-                checkCanOnlyRead(fs, path, o);
+                checkCanOnlyRead(fs, file1, o);
+                checkCanOnlyRead(fs, extractable, o);
             }
         }
-        checkCanOnlyRead(fs, path, StandardOpenOption.READ, StandardOpenOption.WRITE);
+        checkCanOnlyRead(fs, file1, StandardOpenOption.READ, StandardOpenOption.WRITE);
+        checkCanOnlyRead(fs, extractable, StandardOpenOption.READ, StandardOpenOption.WRITE);
+    }
+
+    private static void newByteChannelVFS(FileSystem fs, Path path, Set<OpenOption> options) throws IOException {
+        SeekableByteChannel bch = fs.newByteChannel(path, options);
+        ByteBuffer buffer = ByteBuffer.allocate(1024);
+        bch.read(buffer);
+        String s = new String(buffer.array());
+        String[] ss = s.split(System.lineSeparator());
+        assertTrue(ss.length >= 2);
+        assertEquals("text1", ss[0]);
+        assertEquals("text2", ss[1]);
+        checkException(NonWritableChannelException.class, () -> bch.write(buffer), "should not be able to write to VFS");
+        checkException(NonWritableChannelException.class, () -> bch.truncate(0), "should not be able to write to VFS");
     }
 
     private static void newByteChannelRealFS(FileSystem fs, Path path, String expectedText) throws IOException {
@@ -622,6 +655,19 @@ private static void readAttributesVFS(FileSystem fs, String pathPrefix) throws I
         Map<String, Object> attrs = fs.readAttributes(Path.of(pathPrefix, "dir1"), "creationTime");
         assertEquals(FileTime.fromMillis(0), attrs.get("creationTime"));
 
+        attrs = fs.readAttributes(Path.of(pathPrefix, "extractme"), "creationTime,isSymbolicLink,isRegularFile", LinkOption.NOFOLLOW_LINKS);
+        assertEquals(FileTime.fromMillis(0), attrs.get("creationTime"));
+        assertTrue((Boolean) attrs.get("isSymbolicLink"));
+        assertFalse((Boolean) attrs.get("isRegularFile")); //
+
+        attrs = fs.readAttributes(Path.of(pathPrefix, "extractme"), "creationTime,isSymbolicLink,isRegularFile");
+        assertNotEquals(FileTime.fromMillis(0), attrs.get("creationTime"));
+        assertFalse((Boolean) attrs.get("isSymbolicLink"));
+        assertTrue((Boolean) attrs.get("isRegularFile"));
+
+        checkException(NoSuchFileException.class, () -> fs.readAttributes(Path.of(pathPrefix, "does-not-exist", "extractme"), "creationTime", LinkOption.NOFOLLOW_LINKS));
+        checkException(NoSuchFileException.class, () -> fs.readAttributes(Path.of(pathPrefix, "does-not-exist", "extractme"), "creationTime"));
+
         checkException(NoSuchFileException.class, () -> fs.readAttributes(Path.of(pathPrefix, "does-not-exist"), "creationTime"), "");
         checkException(UnsupportedOperationException.class, () -> fs.readAttributes(Path.of(pathPrefix, "file1"), "unix:creationTime"), "");
     }
@@ -876,7 +922,6 @@ public void createAndReadSymbolicLink() throws Exception {
             checkException(IOException.class, () -> fs.createSymbolicLink(VFS_ROOT_PATH.resolve("link1"), realFSLinkTarget));
 
             checkException(SecurityException.class, () -> fs.createSymbolicLink(VFS_ROOT_PATH, VFS_ROOT_PATH.resolve("link")));
-            checkException(SecurityException.class, () -> fs.readSymbolicLink(VFS_ROOT_PATH.resolve("link1")));
         }
         checkException(SecurityException.class, () -> rHostIOVFS.createSymbolicLink(realFSDir.resolve("link2"), realFSLinkTarget));
         checkException(SecurityException.class, () -> noHostIOVFS.createSymbolicLink(realFSDir.resolve("link3"), realFSLinkTarget));
@@ -902,6 +947,20 @@ private void checkSymlink(Path dir, Path target, Path symlink) throws Exception
         }
     }
 
+    @Test
+    public void readSymbolicLink() throws Exception {
+        for (FileSystem fs : new FileSystem[]{rwHostIOVFS, rHostIOVFS, noHostIOVFS}) {
+            readSymbolicLink(fs, VFS_MOUNT_POINT);
+            withCWD(fs, VFS_ROOT_PATH, (fst) -> readSymbolicLink(fst, ""));
+        }
+    }
+
+    private static void readSymbolicLink(FileSystem fs, String vfsPrefix) throws IOException {
+        checkException(NotLinkException.class, () -> fs.readSymbolicLink(Path.of(vfsPrefix, "file1")));
+        checkException(NoSuchFileException.class, () -> fs.readSymbolicLink(Path.of(vfsPrefix, "does-not-exist")));
+        checkExtractedFile(fs.readSymbolicLink(Path.of(vfsPrefix, "extractme")), new String[]{"text1", "text2"});
+    }
+
     @Test
     public void move() throws Exception {
         Path realFSDir = Files.createTempDirectory("graalpy.vfs.test");
diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/CApiContext.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/capi/CApiContext.java
@@ -53,7 +53,6 @@
 import java.io.PrintStream;
 import java.lang.invoke.VarHandle;
 import java.lang.ref.WeakReference;
-import java.nio.file.LinkOption;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -819,7 +818,7 @@ public static CApiContext ensureCapiWasLoaded(Node node, PythonContext context,
             TruffleFile homePath = env.getInternalTruffleFile(context.getCAPIHome().toJavaStringUncached());
             // e.g. "libpython-native.so"
             String libName = context.getLLVMSupportExt("python");
-            TruffleFile capiFile = homePath.resolve(libName).getCanonicalFile(LinkOption.NOFOLLOW_LINKS);
+            TruffleFile capiFile = homePath.resolve(libName).getCanonicalFile();
             try {
                 SourceBuilder capiSrcBuilder;
                 final boolean useNative = PythonOptions.NativeModules.getValue(env.getOptions());
diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/common/CExtContext.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/common/CExtContext.java
@@ -52,7 +52,6 @@
 import static com.oracle.graal.python.util.PythonUtils.tsLiteral;
 
 import java.io.IOException;
-import java.nio.file.LinkOption;
 import java.util.Set;
 import java.util.logging.Level;
 
@@ -320,7 +319,7 @@ public static Object loadCExtModule(Node location, PythonContext context, Module
         InteropLibrary interopLib;
 
         if (cApiContext.useNativeBackend) {
-            TruffleFile realPath = context.getPublicTruffleFileRelaxed(spec.path, context.getSoAbi()).getCanonicalFile(LinkOption.NOFOLLOW_LINKS);
+            TruffleFile realPath = context.getPublicTruffleFileRelaxed(spec.path, context.getSoAbi()).getCanonicalFile();
             getLogger().config(String.format("loading module %s (real path: %s) as native", spec.path, realPath));
             String loadExpr = String.format("load(%s) \"%s\"", dlopenFlagsToString(context.getDlopenFlags()), realPath);
             if (PythonOptions.UsePanama.getValue(context.getEnv().getOptions())) {
@@ -366,7 +365,7 @@ public static Object loadLLVMLibrary(Node location, PythonContext context, Truff
         Env env = context.getEnv();
         try {
             TruffleString extSuffix = context.getSoAbi();
-            TruffleFile realPath = context.getPublicTruffleFileRelaxed(path, extSuffix).getCanonicalFile(LinkOption.NOFOLLOW_LINKS);
+            TruffleFile realPath = context.getPublicTruffleFileRelaxed(path, extSuffix).getCanonicalFile();
             CallTarget callTarget = env.parseInternal(Source.newBuilder(J_LLVM_LANGUAGE, realPath).build());
             return callTarget.call();
         } catch (SecurityException e) {
diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/hpy/jni/GraalHPyJNIContext.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/cext/hpy/jni/GraalHPyJNIContext.java
@@ -57,7 +57,6 @@
 import static com.oracle.graal.python.util.PythonUtils.tsLiteral;
 
 import java.io.IOException;
-import java.nio.file.LinkOption;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
@@ -461,7 +460,7 @@ public static String getJNILibrary() {
         PythonContext context = PythonContext.get(null);
         TruffleFile libPath = context.getPublicTruffleFileRelaxed(context.getJNIHome()).resolve(PythonContext.J_PYTHON_JNI_LIBRARY_NAME).getAbsoluteFile();
         try {
-            return libPath.getCanonicalFile(LinkOption.NOFOLLOW_LINKS).toString();
+            return libPath.getCanonicalFile().toString();
         } catch (IOException e) {
             LOGGER.severe(String.format("Cannot determine canonical path for %s: %s", libPath, e));
             throw new IllegalStateException(e);
diff --git a/graalpython/org.graalvm.python.embedding/src/org/graalvm/python/embedding/utils/VirtualFileSystemImpl.java b/graalpython/org.graalvm.python.embedding/src/org/graalvm/python/embedding/utils/VirtualFileSystemImpl.java
