pakx-core 0.1.9

pakx core — manifest, lockfile, resolver, installer logic
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174

//! Crash-safe write helper used by `agents.lock`, `agents.yml`, and the
//! federated-registry response cache.
//!
//! The pattern is: write the body to `<path>.tmp` and `rename` it into
//! place. POSIX `rename(2)` is atomic within the same filesystem, and on
//! Windows `std::fs::rename` lowers to `MoveFileExW(MOVEFILE_REPLACE_EXISTING)`
//! which is also atomic for files. Either way: a crash mid-write leaves
//! the destination either untouched or fully written, never half.
//!
//! Why bother. The previous `fs::write(path, body)` path could leave a
//! corrupt `agents.lock` on disk if the process died after `open` but
//! before the last byte hit. A corrupt lockfile fails the *next* `pakx
//! install` / `pakx test` hard rather than self-healing — exactly the
//! scenario the user least wants to debug.
//!
//! Permission bits are NOT set here. The `~/.pakx/credentials.json`
//! writer needs `0600` and handles that itself via `OpenOptions::mode`
//! at the `open` call (see `credentials::Credentials::write_to`) —
//! mode-at-open is the only atomic way to get sensitive bits onto disk.
//! For everything else (lockfile, manifest, cache) the default umask is
//! the right call: cache entries are public registry responses, the
//! lockfile is meant to be committed to source control, and manifests
//! are user-authored config.

use std::path::{Path, PathBuf};

/// Write `bytes` to `path` atomically.
///
/// Implementation: write to `<path>.tmp`, then `rename` into place. If
/// the rename fails the orphan `.tmp` is unlinked so we don't leak temp
/// files across crashes. The caller is responsible for ensuring the
/// parent directory exists.
///
/// # Errors
///
/// Returns the underlying `std::io::Error` from either the temp-file
/// write or the final rename. On rename failure the temp file is removed
/// best-effort before returning — the original error is surfaced
/// regardless, since the cleanup outcome is rarely actionable.
pub fn atomic_write(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
    let tmp = tmp_path_for(path);

    // Write the body. On failure, leave the tmp file alone — `fs::write`
    // already removed any partial bytes on close, and the tmp path is
    // deterministic so the next successful run reuses it.
    std::fs::write(&tmp, bytes)?;

    // Rename into place. If the rename fails (cross-device, permission,
    // etc.), unlink the orphan tmp so we don't litter the filesystem
    // with stale `.tmp` files across failed runs. Ignore cleanup errors;
    // surfacing the original rename failure is more useful.
    if let Err(e) = std::fs::rename(&tmp, path) {
        let _ = std::fs::remove_file(&tmp);
        return Err(e);
    }
    Ok(())
}

/// Compute the temp path used by [`atomic_write`]. Splitting this out
/// lets callers reason about the rename target shape (and unit-test the
/// orphan-cleanup path) without going through the filesystem.
#[must_use]
pub fn tmp_path_for(path: &Path) -> PathBuf {
    // `path.with_extension("...tmp")` strips any existing extension,
    // which would collapse `agents.lock` → `agents.tmp` and collide
    // with `agents.yml`'s tmp. Appending `.tmp` to the OS string keeps
    // every original byte intact: `agents.lock` → `agents.lock.tmp`.
    let mut s = path.as_os_str().to_owned();
    s.push(".tmp");
    PathBuf::from(s)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn writes_bytes_to_path() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("data.bin");
        atomic_write(&path, b"hello").unwrap();
        assert_eq!(std::fs::read(&path).unwrap(), b"hello");
    }

    #[test]
    fn no_tmp_file_lingers_after_successful_write() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("data.bin");
        atomic_write(&path, b"hello").unwrap();

        let tmp = tmp_path_for(&path);
        assert!(
            !tmp.exists(),
            "tmp file {} should not exist after successful rename",
            tmp.display(),
        );
    }

    #[test]
    fn overwrites_existing_destination() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("data.bin");
        atomic_write(&path, b"first").unwrap();
        atomic_write(&path, b"second").unwrap();
        assert_eq!(std::fs::read(&path).unwrap(), b"second");
    }

    #[test]
    fn tmp_path_preserves_full_filename() {
        // `agents.lock` must become `agents.lock.tmp`, not `agents.tmp`
        // — collapsing extensions would let `agents.yml`'s tmp collide
        // with `agents.lock`'s tmp in the same directory.
        let p = Path::new("/some/dir/agents.lock");
        assert_eq!(tmp_path_for(p), Path::new("/some/dir/agents.lock.tmp"));
        let p = Path::new("/some/dir/agents.yml");
        assert_eq!(tmp_path_for(p), Path::new("/some/dir/agents.yml.tmp"));
    }

    #[test]
    fn tmp_path_handles_no_extension() {
        let p = Path::new("/some/dir/file");
        assert_eq!(tmp_path_for(p), Path::new("/some/dir/file.tmp"));
    }

    /// Unix-only: a read-only parent dir makes the temp-file create
    /// (and any subsequent rename) fail. Verify the orphan `.tmp` is
    /// cleaned up — or never created — after the failure so we don't
    /// leak temp files. Windows ACLs make this hard to set up the same
    /// way; skipping there keeps the test portable.
    ///
    /// The test silently passes through as a no-op when run as `root`
    /// (root bypasses unix DAC and would make the writes succeed). The
    /// `nix::geteuid` check would pull in another dep just for this
    /// path; we approximate by attempting the write and returning early
    /// if it unexpectedly succeeds — which only happens under root.
    #[cfg(unix)]
    #[test]
    fn cleans_up_tmp_on_failure() {
        use std::os::unix::fs::PermissionsExt;

        let dir = tempfile::tempdir().unwrap();
        let subdir = dir.path().join("ro");
        std::fs::create_dir(&subdir).unwrap();
        let path = subdir.join("data.bin");

        // Drop write perms on the parent dir → both the `fs::write` of
        // `<path>.tmp` and any subsequent `rename` fail with EACCES.
        let mut perms = std::fs::metadata(&subdir).unwrap().permissions();
        perms.set_mode(0o555);
        std::fs::set_permissions(&subdir, perms).unwrap();

        let outcome = atomic_write(&path, b"new");

        // Restore perms before any assertion so a failing assertion
        // doesn't leak a non-deletable tempdir.
        let mut perms = std::fs::metadata(&subdir).unwrap().permissions();
        perms.set_mode(0o755);
        std::fs::set_permissions(&subdir, perms).unwrap();

        // Running as root bypasses DAC; the write succeeds. Skip the
        // assertion in that case rather than failing CI in
        // root-containers.
        if outcome.is_ok() {
            return;
        }

        let tmp = tmp_path_for(&path);
        assert!(
            !tmp.exists(),
            "tmp file {} should not linger after failed write",
            tmp.display(),
        );
    }
}