running-process 4.5.7

Subprocess and PTY runtime for the running-process project
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276

//! Production-shaped orchestration of one Unix `SCM_RIGHTS` handle-passing
//! handoff (#354, slice 4).
//!
//! Mirrors the Windows sequence in [`super::orchestrate`] with the stages a
//! Unix handoff actually has. `SCM_RIGHTS` carries the duplicated file
//! descriptor *inside* the message, so there is no separate "duplicate"
//! step followed by a "deliver the handle value" step: one
//! `sendmsg(SCM_RIGHTS)` call both duplicates the descriptor into the
//! backend and tells the backend about it. The broker-side sequence is:
//!
//! 1. send the broker-held connection fd plus the one-time token to the
//!    backend handoff socket ([`super::try_send_scm_rights`]),
//! 2. wait for the backend acknowledgement observed by a
//!    [`UnixHandoffAckWait`] channel, and
//! 3. complete the pending entry in the [`HandoffAckRegistry`], consuming
//!    the one-time token exactly once.
//!
//! Any failure at any step abandons the handoff: the one-time token is
//! revoked, the pending ACK entry is removed, and the caller receives
//! [`UnixHandoffOutcome::FallbackToReconnect`]. The negotiated
//! `backend_pipe` reconnect path stays authoritative; orchestration
//! failures are silent optimization failures, never client errors, and
//! this function never panics on transport, delivery, or registry errors.
//!
//! # Descriptor ownership contract
//!
//! Unlike the Windows `DuplicateHandle` path there is no cross-process
//! leak the broker cannot clean up: the broker keeps ownership of its own
//! `request.fd` at every stage (`SCM_RIGHTS` sends a *duplicate*), so on
//! fallback the caller may simply close the broker-held descriptor. What
//! the broker *cannot* undo is a duplicate that already reached the
//! backend: once the send succeeded, the backend holds its own descriptor
//! until it closes it. [`UnixHandoffFallback::fd_reached_backend`] records
//! that honestly so callers can log it instead of pretending the duplicate
//! was reclaimed.

use std::time::Instant;

use super::ack::HandoffAckRegistry;
use super::fallback::{HandoffFallbackDecision, HandoffFallbackReason};
use super::handoff_token::{HandoffToken, HandoffTokenStore};
use super::orchestrate::HandoffDeliveryError;
use super::unix::{
    try_send_scm_rights, ScmRightsAttempt, ScmRightsResult, ScmRightsSuccess, UnixFileDescriptor,
    UnixHandoffSocket,
};
use super::AcknowledgedHandoff;

/// Inputs for one orchestrated Unix `SCM_RIGHTS` handle-passing handoff.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct UnixHandoffRequest {
    /// Broker-owned connection file descriptor to pass to the backend.
    pub fd: UnixFileDescriptor,
    /// Backend handoff socket that should receive the file descriptor.
    pub backend_socket: UnixHandoffSocket,
    /// One-time token issued at Hello time and registered for an ACK.
    pub token: HandoffToken,
}

impl UnixHandoffRequest {
    /// Build inputs for one orchestrated handoff.
    pub fn new(
        fd: UnixFileDescriptor,
        backend_socket: UnixHandoffSocket,
        token: HandoffToken,
    ) -> Self {
        Self {
            fd,
            backend_socket,
            token,
        }
    }
}

/// Acknowledgement channel observing the backend's adoption of a
/// handed-off connection.
///
/// `SCM_RIGHTS` already delivers the descriptor and token in one message,
/// so unlike the Windows [`super::HandoffDelivery`] trait there is no
/// separate deliver step to abstract — only the ACK wait. Production wire
/// delivery of the ACK does not exist yet (the v1 envelope reserves no
/// backend-to-broker control frame); the orchestration treats the wait as
/// a pluggable step so the sequencing and fallback contract are real
/// today.
pub trait UnixHandoffAckWait {
    /// Block until the backend acknowledges adopting the handed-off
    /// connection, or until `deadline`.
    ///
    /// Returns the instant the acknowledgement was observed. The
    /// orchestrator still validates that instant against the
    /// [`HandoffAckRegistry`] deadline registered at issuance, so an ACK
    /// channel that misjudges the deadline cannot complete an overdue
    /// handoff.
    fn await_backend_ack(
        &mut self,
        token: &HandoffToken,
        deadline: Instant,
    ) -> Result<Instant, HandoffDeliveryError>;
}

/// Step of the orchestration at which a Unix handoff was abandoned.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum UnixHandoffStage {
    /// `sendmsg(SCM_RIGHTS)` to the backend handoff socket failed.
    Send,
    /// The backend acknowledgement was not observed before the deadline.
    AwaitAck,
    /// The ACK registry rejected the acknowledgement (overdue or already
    /// expired by a sweep).
    Acknowledge,
}

/// A handoff completed end to end: descriptor sent with its token and
/// acknowledged before the registry deadline.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CompletedUnixHandoff {
    /// Successful `SCM_RIGHTS` send into the backend.
    pub sent: ScmRightsSuccess,
    /// Timely backend acknowledgement that consumed the one-time token.
    pub acknowledged: AcknowledgedHandoff,
}

/// A handoff abandoned at some orchestration stage.
///
/// The one-time token has been revoked and the pending ACK entry removed;
/// the caller must keep using the negotiated `backend_pipe` reconnect path.
/// The broker still owns `broker_fd` and may close it.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct UnixHandoffFallback {
    /// Stage at which the handoff was abandoned.
    pub stage: UnixHandoffStage,
    /// Silent reconnect fallback decision for the client-visible contract.
    pub decision: HandoffFallbackDecision,
    /// Broker-owned connection descriptor. `SCM_RIGHTS` only ever sends a
    /// duplicate, so unlike the Windows leak contract the broker retains
    /// ownership and may close this descriptor now that the handoff is
    /// abandoned.
    pub broker_fd: UnixFileDescriptor,
    /// True when the `SCM_RIGHTS` send already succeeded before the
    /// failure: the backend holds a duplicated descriptor the broker
    /// cannot reclaim; it lives until the backend closes it. The revoked
    /// token guarantees the backend can never *adopt* that connection.
    pub fd_reached_backend: bool,
    /// Human-readable failure detail for logs.
    pub detail: String,
}

/// Outcome of one orchestrated Unix `SCM_RIGHTS` handle-passing handoff.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum UnixHandoffOutcome {
    /// The backend adopted the connection before the ACK deadline.
    Completed(CompletedUnixHandoff),
    /// The handoff was abandoned; the client reconnects via `backend_pipe`.
    FallbackToReconnect(UnixHandoffFallback),
}

impl UnixHandoffOutcome {
    /// Return true when the handoff completed end to end.
    pub fn is_completed(&self) -> bool {
        matches!(self, Self::Completed(_))
    }

    /// Return the fallback details when the handoff was abandoned.
    pub fn fallback(&self) -> Option<&UnixHandoffFallback> {
        match self {
            Self::Completed(_) => None,
            Self::FallbackToReconnect(fallback) => Some(fallback),
        }
    }
}

/// Run one production-shaped Unix handoff with the real
/// `sendmsg(SCM_RIGHTS)` transport.
///
/// The token in `request` must have been issued from `tokens` and
/// registered pending in `acks` (the Hello path does both). On success the
/// token is consumed exactly once; on any failure it is revoked and the
/// outcome degrades to the `backend_pipe` reconnect fallback. On non-Unix
/// targets the transport reports `UnsupportedPlatform` and the outcome is
/// the same non-panicking fallback.
pub fn execute_unix_handoff<W>(
    tokens: &mut HandoffTokenStore,
    acks: &mut HandoffAckRegistry,
    request: &UnixHandoffRequest,
    ack_wait: &mut W,
) -> UnixHandoffOutcome
where
    W: UnixHandoffAckWait + ?Sized,
{
    execute_unix_handoff_with_transport(tokens, acks, request, try_send_scm_rights, ack_wait)
}

/// Run one orchestrated Unix handoff with an explicit send transport.
///
/// Platform-neutral tests inject a mock transport here; production callers
/// use [`execute_unix_handoff`].
pub fn execute_unix_handoff_with_transport<T, W>(
    tokens: &mut HandoffTokenStore,
    acks: &mut HandoffAckRegistry,
    request: &UnixHandoffRequest,
    transport: T,
    ack_wait: &mut W,
) -> UnixHandoffOutcome
where
    T: FnOnce(&ScmRightsAttempt) -> ScmRightsResult,
    W: UnixHandoffAckWait + ?Sized,
{
    let attempt = ScmRightsAttempt::new(request.fd, request.backend_socket.clone(), request.token);
    let sent = match transport(&attempt) {
        Ok(success) => success,
        Err(error) => {
            acks.abandon(tokens, &request.token);
            return abandoned(
                UnixHandoffStage::Send,
                error.fallback_decision(),
                request.fd,
                false,
                error.to_string(),
            );
        }
    };

    let deadline = ack_deadline_from(acks, Instant::now());
    let acknowledged_at = match ack_wait.await_backend_ack(&request.token, deadline) {
        Ok(at) => at,
        Err(error) => {
            acks.abandon(tokens, &request.token);
            return abandoned(
                UnixHandoffStage::AwaitAck,
                HandoffFallbackDecision::new(HandoffFallbackReason::BackendAckTimeout),
                request.fd,
                true,
                error.to_string(),
            );
        }
    };

    match acks.acknowledge(tokens, &request.token, acknowledged_at) {
        Ok(acknowledged) => {
            UnixHandoffOutcome::Completed(CompletedUnixHandoff { sent, acknowledged })
        }
        Err(error) => {
            // AckDeadlineExceeded already revoked the token; TokenNotPending
            // means a sweep expired it. Revoke defensively either way so no
            // error path can leave the one-time token presentable.
            tokens.revoke(&request.token);
            abandoned(
                UnixHandoffStage::Acknowledge,
                HandoffFallbackDecision::new(HandoffFallbackReason::BackendAckTimeout),
                request.fd,
                true,
                error.to_string(),
            )
        }
    }
}

fn abandoned(
    stage: UnixHandoffStage,
    decision: HandoffFallbackDecision,
    broker_fd: UnixFileDescriptor,
    fd_reached_backend: bool,
    detail: String,
) -> UnixHandoffOutcome {
    UnixHandoffOutcome::FallbackToReconnect(UnixHandoffFallback {
        stage,
        decision,
        broker_fd,
        fd_reached_backend,
        detail,
    })
}

fn ack_deadline_from(acks: &HandoffAckRegistry, now: Instant) -> Instant {
    now.checked_add(acks.ack_deadline()).unwrap_or(now)
}