ryra-core 0.9.5

Core library for ryra: config, registry, and service generation logic
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179

use std::fs::OpenOptions;
use std::io::Write;
use std::path::Path;

use crate::error::{Error, Result};

/// Write `contents` to `path` atomically with the given permission mode.
///
/// Guarantees:
/// - The file is created with `mode` from byte zero (no world-readable window
///   even for secret-bearing files written with 0o600).
/// - The file never appears half-written on disk — either the old contents or
///   the new contents exist after this call, never a torn state. Achieved by
///   writing to a sibling `.<name>.tmp.<pid>` file and `rename`-ing over the
///   target (atomic on a single POSIX filesystem).
///
/// The temporary file is written to the same directory as `path` so the
/// rename stays within one filesystem. `sync_all` is called before the
/// rename so the new content hits disk before the rename metadata op.
pub fn atomic_write(path: &Path, contents: &[u8], mode: u32) -> Result<()> {
    let parent = path.parent().ok_or_else(|| Error::FileWrite {
        path: path.to_path_buf(),
        source: std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "path has no parent directory",
        ),
    })?;

    // Ensure parent exists before we try to create the tempfile inside it.
    if !parent.as_os_str().is_empty() {
        std::fs::create_dir_all(parent).map_err(|source| Error::DirCreate {
            path: parent.to_path_buf(),
            source,
        })?;
    }

    let name = path.file_name().ok_or_else(|| Error::FileWrite {
        path: path.to_path_buf(),
        source: std::io::Error::new(std::io::ErrorKind::InvalidInput, "path has no file name"),
    })?;

    // Refuse to clobber a symlink at `path`. The final `rename` would replace
    // the link itself with our tempfile, silently destroying the user's link
    // target. We only manage regular files — if a user has intentionally
    // symlinked a ryra-managed config elsewhere, surface the conflict.
    if let Ok(meta) = std::fs::symlink_metadata(path)
        && meta.file_type().is_symlink()
    {
        return Err(Error::FileWrite {
            path: path.to_path_buf(),
            source: std::io::Error::new(
                std::io::ErrorKind::InvalidInput,
                "refusing to overwrite a symlink — resolve the symlink or remove it",
            ),
        });
    }

    // .<name>.tmp.<pid> — dot-prefixed so it's not mistaken for user content
    // if something interrupts us mid-write.
    let mut tmp_name = std::ffi::OsString::from(".");
    tmp_name.push(name);
    tmp_name.push(".tmp.");
    tmp_name.push(std::process::id().to_string());
    let tmp_path = parent.join(tmp_name);

    let write_result = (|| -> Result<()> {
        let mut opts = OpenOptions::new();
        opts.write(true).create(true).truncate(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            opts.mode(mode);
        }
        let mut f = opts.open(&tmp_path).map_err(|source| Error::FileWrite {
            path: tmp_path.clone(),
            source,
        })?;

        f.write_all(contents).map_err(|source| Error::FileWrite {
            path: tmp_path.clone(),
            source,
        })?;
        f.sync_all().map_err(|source| Error::FileWrite {
            path: tmp_path.clone(),
            source,
        })?;

        // On non-unix (none of our targets, but for completeness) the mode
        // argument has no effect at creation. Apply it after the fact so the
        // behavior is at least consistent.
        #[cfg(not(unix))]
        {
            let _ = mode;
        }

        std::fs::rename(&tmp_path, path).map_err(|source| Error::FileWrite {
            path: path.to_path_buf(),
            source,
        })?;

        Ok(())
    })();

    // Best-effort cleanup if anything failed before the rename. After a
    // successful rename the tmp path no longer exists, so this is a no-op.
    if write_result.is_err() {
        let _ = std::fs::remove_file(&tmp_path);
    }

    write_result
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn writes_file_with_mode() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let path = dir.path().join("secret.toml");
        atomic_write(&path, b"hello=world\n", 0o600)?;

        let contents = std::fs::read_to_string(&path)?;
        assert_eq!(contents, "hello=world\n");

        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mode = std::fs::metadata(&path)?.permissions().mode() & 0o777;
            assert_eq!(mode, 0o600);
        }
        Ok(())
    }

    #[test]
    fn overwrites_existing() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let path = dir.path().join("config.toml");
        atomic_write(&path, b"first\n", 0o644)?;
        atomic_write(&path, b"second\n", 0o644)?;

        let contents = std::fs::read_to_string(&path)?;
        assert_eq!(contents, "second\n");
        Ok(())
    }

    #[test]
    #[cfg(unix)]
    fn refuses_to_clobber_symlink() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let target = dir.path().join("real.toml");
        std::fs::write(&target, b"original")?;
        let link = dir.path().join("config.toml");
        std::os::unix::fs::symlink(&target, &link)?;

        let result = atomic_write(&link, b"new", 0o644);
        assert!(result.is_err(), "expected error, got {result:?}");

        // Target must be untouched — the whole point of the check.
        assert_eq!(std::fs::read_to_string(&target)?, "original");
        Ok(())
    }

    #[test]
    fn tightens_permissions_on_overwrite() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let path = dir.path().join("preferences.toml");
        atomic_write(&path, b"v1", 0o644)?;
        atomic_write(&path, b"v2", 0o600)?;

        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mode = std::fs::metadata(&path)?.permissions().mode() & 0o777;
            assert_eq!(mode, 0o600, "rename-over should install the new mode");
        }
        Ok(())
    }
}