Commit Graph

5264 Commits

Author SHA1 Message Date
Zooko O'Whielacronx
b15bd674c3 merge NEWS about the mutable file bounds fixes with NEWS about work-in-progress 2011-09-13 13:55:21 -07:00
Zooko O'Whielacronx
eb26075da0 doc: add NEWS item about fixes to potential palimpsest issues in mutable files
ref. #1528
2011-09-12 15:33:29 -07:00
Zooko O'Whielacronx
401d0e7f69 merge the NEWS about the security fix (#1528) with the work-in-progress NEWS 2011-09-13 13:51:53 -07:00
Zooko O'Whielacronx
7a98abeb3a doc: add NEWS entry about the issue which allows unauthorized deletion of shares
ref. #1528
2011-09-12 15:32:46 -07:00
Zooko O'Whielacronx
48f56dab6f doc: add entry in known_issues.rst about the issue which allows unauthorized deletion of shares
ref. #1528
2011-09-12 15:31:35 -07:00
Zooko O'Whielacronx
32f80625c9 storage: more paranoid handling of bounds and palimpsests in mutable share files
* storage server ignores requests to extend shares by sending a new_length
* storage server fills exposed holes (created by sending a write vector whose offset begins after the end of the current data) with 0 to avoid "palimpsest" exposure of previous contents
* storage server zeroes out lease info at the old location when moving it to a new location
ref. #1528
2011-09-12 15:26:55 -07:00
Zooko O'Whielacronx
942c5e5162 storage: test that the storage server ignores requests to extend shares by sending a new_length, and that the storage server fills exposed holes with 0 to avoid "palimpsest" exposure of previous contents
ref. #1528
2011-09-12 15:25:54 -07:00
Zooko O'Whielacronx
20e2910c61 immutable: prevent clients from reading past the end of share data, which would allow them to learn the cancellation secret
Declare explicitly that we prevent this problem in the server's version dict.
fixes #1528 (there are two patches that are each a sufficient fix to #1528 and this is one of them)
2011-09-12 15:24:58 -07:00
Zooko O'Whielacronx
5476f67dc1 storage: remove the storage server's "remote_cancel_lease" function
We're removing this function because it is currently unused, because it is dangerous, and because the bug described in #1528 leaks the cancellation secret, which allows anyone who knows a file's storage index to abuse this function to delete shares of that file.
fixes #1528 (there are two patches that are each a sufficient fix to #1528 and this is one of them)
2011-09-12 15:23:31 -07:00
Zooko O'Whielacronx
65de17245d storage: test that the storage server does *not* have a "remote_cancel_lease" function
We're removing this function because it is currently unused, because it is dangerous, and because the bug described in #1528 leaks the cancellation secret, which allows anyone who knows a file's storage index to abuse this function to delete shares of that file.
ref. #1528
2011-09-12 15:23:24 -07:00
Zooko O'Whielacronx
cffc987804 immutable: test whether the server allows clients to read past the end of share data, which would allow them to learn the cancellation secret
Also test whether the server explicitly declares that it prevents this problem.
ref #1528
2011-09-12 15:12:01 -07:00
Brian Warner
bd709c4833 Retrieve._activate_enough_peers: rewrite Verify logic 2011-09-09 11:11:50 -07:00
Brian Warner
a15ce96846 Retrieve: implement/test stopProducing 2011-09-09 11:11:50 -07:00
Brian Warner
748e419a9b move DownloadStopped from download.common to interfaces 2011-09-09 11:11:50 -07:00
Brian Warner
425152c34e retrieve.py: remove vestigial self._validated_readers 2011-09-09 11:11:50 -07:00
Brian Warner
df07060f93 Retrieve: rewrite flow-control: use a top-level loop() to catch all errors
This ought to close the potential for dropped errors and hanging downloads.
Verify needs to be examined, I may have broken it, although all tests pass.
2011-09-09 11:11:50 -07:00
Brian Warner
53bbc1d06a Retrieve: merge _validate_active_prefixes into _add_active_peers 2011-09-09 11:11:50 -07:00
Brian Warner
2edfb1a334 Retrieve: remove the initial prefix-is-still-good check
This check needs to be done with each fetch from the storage server, to
detect when someone has changed the share (i.e. our servermap goes stale).
Doing it just once at the beginning of retrieve isn't enough: a write might
occur after the first segment but before the second, etc.

_try_to_validate_prefix() was not removed: it will be used by the future
check-with-each-fetch code.

test_mutable.Roundtrip.test_corrupt_all_seqnum_late was disabled, since it
fails until this check is brought back. (the corruption it applies only
touches the prefix, not the block data, so the check-less retrieve actually
tolerates it). Don't forget to re-enable it once the check is brought back.
2011-09-09 11:11:50 -07:00
Brian Warner
2b4f2b7fa3 MDMFSlotReadProxy: remove the queue
This is a neat trick to reduce Foolscap overhead, but the need for an
explicit flush() complicates the Retrieve path and makes it prone to
lost-progress bugs.

Also change test_mutable.FakeStorageServer to tolerate multiple reads of the
same share in a row, a limitation exposed by turning off the queue.
2011-09-09 11:11:50 -07:00
Brian Warner
1597aafea1 rearrange Retrieve: first step, shouldn't change order of execution 2011-09-09 11:11:49 -07:00
david-sarah
6b97e6f407 CLI: test_cli.py -- remove an unnecessary call in test_mkdir_mutable_type. refs #1527 2011-09-06 11:37:30 -07:00
david-sarah
1e59930fda CLI: improve test for 'tahoe mkdir --mutable-type='. refs #1527 2011-09-06 11:30:20 -07:00
david-sarah
23f46b758e CLI: make the --mutable-type option value for 'tahoe put' and 'tahoe mkdir' case-insensitive, and change --help for these commands accordingly. fixes #1527 2011-09-04 19:09:22 -07:00
Kevan Carstensen
64996a913d cli: make --mutable-type imply --mutable in 'tahoe put' 2011-09-03 12:09:20 -07:00
david-sarah
1b7b3bd0d4 SFTP: add a comment about a subtle interaction between OverwriteableFileConsumer and GeneralSFTPFile, and test the case it is commenting on. 2011-09-03 15:23:04 -07:00
Brian Warner
01b5124d0a improve the storage/mutable.py asserts even more 2011-09-01 09:05:43 -07:00
wilcoxjg
d2e5de3b69 storage/mutable.py: special characters in struct.foo arguments indicate standard as opposed to native sizes, we should be using these characters in these asserts 2011-09-01 01:41:44 -07:00
david-sarah
08ea3dc512 docs/write_coordination.rst: fix formatting and add more specific warning about access via sshfs. 2011-08-31 16:21:48 -07:00
Brian Warner
7191b0b32e test_mutable.Version: consolidate some tests, reduce runtime from 19s to 15s 2011-08-30 22:04:51 -07:00
Kevan Carstensen
32e30c9023 mutable/retrieve: handle the case where self._read_length is 0.
Note that the downloader will still fetch a segment for a zero-length
read, which is wasteful. Fixing that isn't specifically required to fix
#1512, but it should probably be fixed before 1.9.
2011-08-30 14:01:41 -07:00
Brian Warner
1dcfec7ff3 NEWS: added summary of all changes since 1.8.2. Needs editing. 2011-08-30 09:32:05 -07:00
Brian Warner
980eb778c1 test_mutable.Update: only upload the files needed for each test. refs #1500
This first step shaves 15% off the runtime: from 139s to 119s on my laptop.
It also fixes a couple of places where a Deferred was being dropped, which
would cause two tests to run in parallel and also confuse error reporting.
2011-08-29 00:27:17 -07:00
Brian Warner
fd676a5846 Let Uploader retain History instead of passing it into upload(). Fixes #1079.
This consistently records all immutable uploads in the Recent Uploads And
Downloads page, regardless of code path. Previously, certain webapi upload
operations (like PUT /uri/$DIRCAP/newchildname) failed to pass the History
object and were left out.
2011-08-28 23:32:46 -07:00
Brian Warner
9756146d61 Fix mutable publish/retrieve timing status displays. Fixes #1505.
publish:
* encrypt and encode times are cumulative, not just current-segment

retrieve:
* same for decrypt and decode times
* update "current status" to include segment number
* set status to Finished/Failed when download is complete
* set progress to 1.0 when complete

More improvements to consider:
* progress is currently 0% or 100%: should calculate how many segments are
  involved (remembering retrieve can be less than the whole file) and set it
  to a fraction
* "fetch" time is fuzzy: what we want is to know how much of the delay is not
  our own fault, but since we do decode/decrypt work while waiting for more
  shares, it's not straightforward
2011-08-28 16:22:21 -07:00
Brian Warner
d575ccba28 Teach 'tahoe debug catalog-shares' about MDMF. Closes #1507. 2011-08-28 01:09:31 -07:00
Brian Warner
97b601f75a debug.py: remove some dead comments 2011-08-28 00:45:56 -07:00
Brian Warner
9f827ffa7b hush pyflakes 2011-08-28 00:42:54 -07:00
Brian Warner
0f1d674d76 MutableFileNode.set_downloader_hints: never depend upon order of dict.values()
The old code was calculating the "extension parameters" (a list) from the
downloader hints (a dictionary) with hints.values(), which is not stable, and
would result in corrupted filecaps (with the 'k' and 'segsize' hints
occasionally swapped). The new code always uses [k,segsize].
2011-08-28 00:41:03 -07:00
Brian Warner
4b0078dc49 layout.py: fix MDMF share layout documentation 2011-08-28 00:39:21 -07:00
Brian Warner
a3d6fd4992 teach 'tahoe debug dump-share' about MDMF and offsets. refs #1507 2011-08-28 00:38:34 -07:00
Brian Warner
101ca8dfe4 test_mutable.Version.test_debug: use splitlines() to fix buildslaves
Any slave running in a directory with spaces in the name was miscounting
shares, causing the test to fail.
2011-08-27 23:47:28 -07:00
Brian Warner
7d48f902fc test_mutable.Version: exercise 'tahoe debug find-shares' on MDMF. refs #1507
Also changes NoNetworkGrid to put shares in storage/shares/ .
2011-08-27 17:55:42 -07:00
Brian Warner
80bdc0f5b7 test_mutable.py: oops, missed a .todo 2011-08-27 17:21:18 -07:00
Brian Warner
e0eaeff7f5 test_mutable: merge davidsarah's patch with my Version refactorings 2011-08-27 16:57:07 -07:00
david-sarah
3c92b832f2 Make the immutable/read-only constraint checking for MDMF URIs identical to that for SSK URIs. refs #393 2011-08-22 18:27:20 -07:00
david-sarah
88989a4ea2 Additional tests for MDMF URIs and for zero-length files. refs #393 2011-08-22 18:15:32 -07:00
david-sarah
ac7b8400d4 Additional tests for zero-length partial reads and updates to mutable versions. refs #393 2011-08-21 18:41:11 -07:00
Brian Warner
03ba8065ce test_mutable.Version: factor out some expensive uploads, save 25% runtime 2011-08-27 16:27:37 -07:00
Brian Warner
370e6f271e SDMF: update filenode with correct k/N after Retrieve. Fixes #1510.
Without this, we get a regression when modifying a mutable file that was
created with more shares (larger N) than our current tahoe.cfg . The
modification attempt creates new versions of the (0,1,..,newN-1) shares, but
leaves the old versions of the (newN,..,oldN-1) shares alone (and throws an
assertion error in SDMFSlotWriteProxy.finish_publishing in the process).

The mixed versions that result (some shares with e.g. N=10, some with N=20,
such that both versions are recoverable) cause problems for the Publish code,
even before MDMF landed. Might be related to refs #1390 and refs #1042.
2011-08-27 15:50:31 -07:00
Brian Warner
b8c90d24fc layout.py: annotate assertion to figure out 'tahoe backup' failure 2011-08-27 12:52:53 -07:00