Skip to content

Commit

Permalink
Write buildpack directories to builder layer
Browse files Browse the repository at this point in the history
When a custom buildpack is provided for image building, the contents
of the buildpack directory, tgz file, or image are copied as tar
entries to a new layer in the ephemeral builder image. Prior to this
commit, only file entries from the buildpack source were copied as
builder layer tar entries; intermediate directory entries from the
source were not copied. This results in directories being created in
the builder container using default permissions. This worked on most
Linux-like OSs where the default permissions allow others-read
access. On some OSs like Arch Linux where the default directory
permissions do not allow others-read, this prevented the lifecycle
processes from reading the buildpack files.

This commit explicitly creates all intermediate directory tar entries
in the builder image layer to ensure that the buildpack directories
and files can be read by the lifecycle processes.

Fixes gh-26658
  • Loading branch information
scottfrederick committed Jun 2, 2021
1 parent e2cba40 commit f560e86
Show file tree
Hide file tree
Showing 11 changed files with 171 additions and 35 deletions.
Expand Up @@ -24,7 +24,6 @@
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.PosixFileAttributeView;

import org.springframework.boot.buildpack.platform.docker.type.Layer;
import org.springframework.boot.buildpack.platform.io.Content;
Expand Down Expand Up @@ -82,9 +81,18 @@ public void apply(IOConsumer<Layer> layers) throws IOException {
private void addLayerContent(Layout layout) throws IOException {
String id = this.coordinates.getSanitizedId();
Path cnbPath = Paths.get("/cnb/buildpacks/", id, this.coordinates.getVersion());
writeBasePathEntries(layout, cnbPath);
Files.walkFileTree(this.path, new LayoutFileVisitor(this.path, cnbPath, layout));
}

private void writeBasePathEntries(Layout layout, Path basePath) throws IOException {
int pathCount = basePath.getNameCount();
for (int pathIndex = 1; pathIndex < pathCount + 1; pathIndex++) {
String name = "/" + basePath.subpath(0, pathIndex) + "/";
layout.directory(name, Owner.ROOT);
}
}

/**
* A {@link BuildpackResolver} compatible method to resolve directory buildpacks.
* @param context the resolver context
Expand Down Expand Up @@ -116,16 +124,30 @@ private static class LayoutFileVisitor extends SimpleFileVisitor<Path> {
this.layout = layout;
}

@Override
public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException {
if (!dir.equals(this.basePath)) {
this.layout.directory(relocate(dir), Owner.ROOT, getMode(dir));
}
return FileVisitResult.CONTINUE;
}

@Override
public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
PosixFileAttributeView attributeView = Files.getFileAttributeView(file, PosixFileAttributeView.class);
Assert.state(attributeView != null,
"Buildpack content in a directory is not supported on this operating system");
int mode = FilePermissions.posixPermissionsToUmask(attributeView.readAttributes().permissions());
this.layout.file(relocate(file), Owner.ROOT, mode, Content.of(file.toFile()));
this.layout.file(relocate(file), Owner.ROOT, getMode(file), Content.of(file.toFile()));
return FileVisitResult.CONTINUE;
}

private int getMode(Path path) throws IOException {
try {
return FilePermissions.umaskForPath(path);
}
catch (IllegalStateException ex) {
throw new IllegalStateException(
"Buildpack content in a directory is not supported on this operating system");
}
}

private String relocate(Path path) {
Path node = path.subpath(this.basePath.getNameCount(), path.getNameCount());
return Paths.get(this.layerPath.toString(), node.toString()).toString();
Expand Down
Expand Up @@ -127,11 +127,9 @@ private void copyLayerTar(Path path, OutputStream out) throws IOException {
tarOut.setLongFileMode(TarArchiveOutputStream.LONGFILE_POSIX);
TarArchiveEntry entry = tarIn.getNextTarEntry();
while (entry != null) {
if (entry.isFile()) {
tarOut.putArchiveEntry(entry);
StreamUtils.copy(tarIn, tarOut);
tarOut.closeArchiveEntry();
}
tarOut.putArchiveEntry(entry);
StreamUtils.copy(tarIn, tarOut);
tarOut.closeArchiveEntry();
entry = tarIn.getNextTarEntry();
}
tarOut.finish();
Expand Down
Expand Up @@ -89,6 +89,7 @@ private void copyAndRebaseEntries(OutputStream outputStream) throws IOException
try (TarArchiveInputStream tar = new TarArchiveInputStream(
new GzipCompressorInputStream(Files.newInputStream(this.path)));
TarArchiveOutputStream output = new TarArchiveOutputStream(outputStream)) {
writeBasePathEntries(output, basePath);
TarArchiveEntry entry = tar.getNextTarEntry();
while (entry != null) {
entry.setName(basePath + "/" + entry.getName());
Expand All @@ -101,6 +102,16 @@ private void copyAndRebaseEntries(OutputStream outputStream) throws IOException
}
}

private void writeBasePathEntries(TarArchiveOutputStream output, Path basePath) throws IOException {
int pathCount = basePath.getNameCount();
for (int pathIndex = 1; pathIndex < pathCount + 1; pathIndex++) {
String name = "/" + basePath.subpath(0, pathIndex) + "/";
TarArchiveEntry entry = new TarArchiveEntry(name);
output.putArchiveEntry(entry);
output.closeArchiveEntry();
}
}

/**
* A {@link BuildpackResolver} compatible method to resolve tar-gzip buildpacks.
* @param context the resolver context
Expand Down
Expand Up @@ -16,6 +16,10 @@

package org.springframework.boot.buildpack.platform.io;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collection;

Expand All @@ -32,6 +36,21 @@ public final class FilePermissions {
private FilePermissions() {
}

/**
* Return the integer representation of the file permissions for a path, where the
* integer value conforms to the
* <a href="https://en.wikipedia.org/wiki/Umask">umask</a> octal notation.
* @param path the file path
* @return the integer representation
* @throws IOException if path permissions cannot be read
*/
public static int umaskForPath(Path path) throws IOException {
Assert.notNull(path, "Path must not be null");
PosixFileAttributeView attributeView = Files.getFileAttributeView(path, PosixFileAttributeView.class);
Assert.state(attributeView != null, "Unsupported file type for retrieving Posix attributes");
return posixPermissionsToUmask(attributeView.readAttributes().permissions());
}

/**
* Return the integer representation of a set of Posix file permissions, where the
* integer value conforms to the
Expand Down
Expand Up @@ -33,7 +33,18 @@ public interface Layout {
* @param owner the owner of the directory
* @throws IOException on IO error
*/
void directory(String name, Owner owner) throws IOException;
default void directory(String name, Owner owner) throws IOException {
directory(name, owner, 0755);
}

/**
* Add a directory to the content.
* @param name the full name of the directory to add
* @param owner the owner of the directory
* @param mode the permissions for the file
* @throws IOException on IO error
*/
void directory(String name, Owner owner, int mode) throws IOException;

/**
* Write a file to the content.
Expand Down
Expand Up @@ -44,8 +44,8 @@ class TarLayoutWriter implements Layout, Closeable {
}

@Override
public void directory(String name, Owner owner) throws IOException {
this.outputStream.putArchiveEntry(createDirectoryEntry(name, owner));
public void directory(String name, Owner owner, int mode) throws IOException {
this.outputStream.putArchiveEntry(createDirectoryEntry(name, owner, mode));
this.outputStream.closeArchiveEntry();
}

Expand All @@ -56,8 +56,8 @@ public void file(String name, Owner owner, int mode, Content content) throws IOE
this.outputStream.closeArchiveEntry();
}

private TarArchiveEntry createDirectoryEntry(String name, Owner owner) {
return createEntry(name, owner, TarConstants.LF_DIR, 0755, 0);
private TarArchiveEntry createDirectoryEntry(String name, Owner owner, int mode) {
return createEntry(name, owner, TarConstants.LF_DIR, mode, 0);
}

private TarArchiveEntry createFileEntry(String name, Owner owner, int mode, int size) {
Expand Down
Expand Up @@ -133,8 +133,11 @@ private void assertHasExpectedLayers(Buildpack buildpack) throws IOException {
entries.add(entry);
entry = tar.getNextTarEntry();
}
assertThat(entries).extracting("name", "mode").containsExactlyInAnyOrder(
assertThat(entries).extracting("name", "mode").containsExactlyInAnyOrder(tuple("/cnb/", 0755),
tuple("/cnb/buildpacks/", 0755), tuple("/cnb/buildpacks/example_buildpack1/", 0755),
tuple("/cnb/buildpacks/example_buildpack1/0.0.1/", 0755),
tuple("/cnb/buildpacks/example_buildpack1/0.0.1/buildpack.toml", 0644),
tuple("/cnb/buildpacks/example_buildpack1/0.0.1/bin/", 0755),
tuple("/cnb/buildpacks/example_buildpack1/0.0.1/bin/detect", 0744),
tuple("/cnb/buildpacks/example_buildpack1/0.0.1/bin/build", 0744));
}
Expand Down
Expand Up @@ -38,6 +38,7 @@
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.fail;
import static org.assertj.core.api.Assertions.tuple;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.BDDMockito.willAnswer;
Expand Down Expand Up @@ -126,6 +127,10 @@ private Object withMockLayers(InvocationOnMock invocation) {
TarArchive archive = (out) -> {
try (TarArchiveOutputStream tarOut = new TarArchiveOutputStream(out)) {
tarOut.setLongFileMode(TarArchiveOutputStream.LONGFILE_POSIX);
writeTarEntry(tarOut, "/cnb/");
writeTarEntry(tarOut, "/cnb/buildpacks/");
writeTarEntry(tarOut, "/cnb/buildpacks/example_buildpack/");
writeTarEntry(tarOut, "/cnb/buildpacks/example_buildpack/0.0.1/");
writeTarEntry(tarOut, "/cnb/buildpacks/example_buildpack/0.0.1/buildpack.toml");
writeTarEntry(tarOut, "/cnb/buildpacks/example_buildpack/0.0.1/" + this.longFilePath);
tarOut.finish();
Expand Down Expand Up @@ -154,16 +159,22 @@ private void assertHasExpectedLayers(Buildpack buildpack) throws IOException {
});
assertThat(layers).hasSize(1);
byte[] content = layers.get(0).toByteArray();
List<String> names = new ArrayList<>();
List<TarArchiveEntry> entries = new ArrayList<>();
try (TarArchiveInputStream tar = new TarArchiveInputStream(new ByteArrayInputStream(content))) {
TarArchiveEntry entry = tar.getNextTarEntry();
while (entry != null) {
names.add(entry.getName());
entries.add(entry);
entry = tar.getNextTarEntry();
}
}
assertThat(names).containsExactlyInAnyOrder("cnb/buildpacks/example_buildpack/0.0.1/buildpack.toml",
"cnb/buildpacks/example_buildpack/0.0.1/" + this.longFilePath);
assertThat(entries).extracting("name", "mode").containsExactlyInAnyOrder(
tuple("cnb/", TarArchiveEntry.DEFAULT_DIR_MODE),
tuple("cnb/buildpacks/", TarArchiveEntry.DEFAULT_DIR_MODE),
tuple("cnb/buildpacks/example_buildpack/", TarArchiveEntry.DEFAULT_DIR_MODE),
tuple("cnb/buildpacks/example_buildpack/0.0.1/", TarArchiveEntry.DEFAULT_DIR_MODE),
tuple("cnb/buildpacks/example_buildpack/0.0.1/buildpack.toml", TarArchiveEntry.DEFAULT_FILE_MODE),
tuple("cnb/buildpacks/example_buildpack/0.0.1/" + this.longFilePath,
TarArchiveEntry.DEFAULT_FILE_MODE));
}

}
Expand Up @@ -87,12 +87,19 @@ private void writeBuildpackContentToArchive(Path archive) throws Exception {
String buildScript = "#!/usr/bin/env bash\n" + "echo \"---> build\"\n";
try (TarArchiveOutputStream tar = new TarArchiveOutputStream(Files.newOutputStream(archive))) {
writeEntry(tar, "buildpack.toml", buildpackToml.toString());
writeEntry(tar, "bin/");
writeEntry(tar, "bin/detect", detectScript);
writeEntry(tar, "bin/build", buildScript);
tar.finish();
}
}

private void writeEntry(TarArchiveOutputStream tar, String entryName) throws IOException {
TarArchiveEntry entry = new TarArchiveEntry(entryName);
tar.putArchiveEntry(entry);
tar.closeArchiveEntry();
}

private void writeEntry(TarArchiveOutputStream tar, String entryName, String content) throws IOException {
TarArchiveEntry entry = new TarArchiveEntry(entryName);
entry.setSize(content.length());
Expand All @@ -111,8 +118,13 @@ void assertHasExpectedLayers(Buildpack buildpack) throws IOException {
assertThat(layers).hasSize(1);
byte[] content = layers.get(0).toByteArray();
try (TarArchiveInputStream tar = new TarArchiveInputStream(new ByteArrayInputStream(content))) {
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/");
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/buildpacks/");
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/buildpacks/example_buildpack1/");
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/buildpacks/example_buildpack1/0.0.1/");
assertThat(tar.getNextEntry().getName())
.isEqualTo("cnb/buildpacks/example_buildpack1/0.0.1/buildpack.toml");
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/buildpacks/example_buildpack1/0.0.1/bin/");
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/buildpacks/example_buildpack1/0.0.1/bin/detect");
assertThat(tar.getNextEntry().getName()).isEqualTo("cnb/buildpacks/example_buildpack1/0.0.1/bin/build");
assertThat(tar.getNextEntry()).isNull();
Expand Down
Expand Up @@ -16,14 +16,21 @@

package org.springframework.boot.buildpack.platform.io;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.Set;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIOException;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;

/**
Expand All @@ -33,6 +40,28 @@
*/
class FilePermissionsTests {

@TempDir
Path tempDir;

@Test
void umaskForPath() throws IOException {
FileAttribute<Set<PosixFilePermission>> fileAttribute = PosixFilePermissions
.asFileAttribute(PosixFilePermissions.fromString("rw-r-----"));
Path tempFile = Files.createTempFile(this.tempDir, "umask", null, fileAttribute);
assertThat(FilePermissions.umaskForPath(tempFile)).isEqualTo(0640);
}

@Test
void umaskForPathWithNonExistentFile() throws IOException {
assertThatIOException()
.isThrownBy(() -> FilePermissions.umaskForPath(Paths.get(this.tempDir.toString(), "does-not-exist")));
}

@Test
void umaskForPathWithNullPath() throws IOException {
assertThatIllegalArgumentException().isThrownBy(() -> FilePermissions.umaskForPath(null));
}

@Test
void posixPermissionsToUmask() {
Set<PosixFilePermission> permissions = PosixFilePermissions.fromString("rwxrw-r--");
Expand Down

0 comments on commit f560e86

Please sign in to comment.