tor-browser

BackgroundFileSaver.cpp (39968B)

---

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "BackgroundFileSaver.h"

#include "ScopedNSSTypes.h"
#include "mozilla/ArrayAlgorithm.h"
#include "mozilla/Components.h"
#include "mozilla/Casting.h"
#include "mozilla/Logging.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/glean/NetwerkMetrics.h"
#include "nsCOMArray.h"
#include "nsComponentManagerUtils.h"
#include "nsDependentSubstring.h"
#include "nsIAsyncInputStream.h"
#include "nsIFile.h"
#include "nsIMutableArray.h"
#include "nsIPipe.h"
#include "nsNetUtil.h"
#include "nsThreadUtils.h"
#include "pk11pub.h"
#include "secoidt.h"

#ifdef XP_WIN
#  include <windows.h>
#  include <softpub.h>
#  include <wintrust.h>
#endif  // XP_WIN

namespace mozilla {
namespace net {

// MOZ_LOG=BackgroundFileSaver:5
static LazyLogModule prlog("BackgroundFileSaver");
#define LOG(args) MOZ_LOG(prlog, mozilla::LogLevel::Debug, args)
#define LOG_ENABLED() MOZ_LOG_TEST(prlog, mozilla::LogLevel::Debug)

////////////////////////////////////////////////////////////////////////////////
//// Globals

/**
* Buffer size for writing to the output file or reading from the input file.
*/
#define BUFFERED_IO_SIZE (1024 * 32)

/**
* When this upper limit is reached, the original request is suspended.
*/
#define REQUEST_SUSPEND_AT (1024 * 1024 * 4)

/**
* When this lower limit is reached, the original request is resumed.
*/
#define REQUEST_RESUME_AT (1024 * 1024 * 2)

////////////////////////////////////////////////////////////////////////////////
//// NotifyTargetChangeRunnable

/**
* Runnable object used to notify the control thread that file contents will now
* be saved to the specified file.
*/
class NotifyTargetChangeRunnable final : public Runnable {
public:
 NotifyTargetChangeRunnable(BackgroundFileSaver* aSaver, nsIFile* aTarget)
     : Runnable("net::NotifyTargetChangeRunnable"),
       mSaver(aSaver),
       mTarget(aTarget) {}

 NS_IMETHOD Run() override { return mSaver->NotifyTargetChange(mTarget); }

private:
 RefPtr<BackgroundFileSaver> mSaver;
 nsCOMPtr<nsIFile> mTarget;
};

////////////////////////////////////////////////////////////////////////////////
//// BackgroundFileSaver

uint32_t BackgroundFileSaver::sThreadCount = 0;
uint32_t BackgroundFileSaver::sTelemetryMaxThreadCount = 0;

BackgroundFileSaver::BackgroundFileSaver() {
 LOG(("Created BackgroundFileSaver [this = %p]", this));
}

BackgroundFileSaver::~BackgroundFileSaver() {
 LOG(("Destroying BackgroundFileSaver [this = %p]", this));
}

// Called on the control thread.
nsresult BackgroundFileSaver::Init() {
 MOZ_ASSERT(NS_IsMainThread(), "This should be called on the main thread");

 NS_NewPipe2(getter_AddRefs(mPipeInputStream),
             getter_AddRefs(mPipeOutputStream), true, true, 0,
             HasInfiniteBuffer() ? UINT32_MAX : 0);

 mControlEventTarget = GetCurrentSerialEventTarget();
 NS_ENSURE_TRUE(mControlEventTarget, NS_ERROR_NOT_INITIALIZED);

 nsresult rv = NS_CreateBackgroundTaskQueue("BgFileSaver",
                                            getter_AddRefs(mBackgroundET));
 NS_ENSURE_SUCCESS(rv, rv);

 sThreadCount++;
 if (sThreadCount > sTelemetryMaxThreadCount) {
   sTelemetryMaxThreadCount = sThreadCount;
 }

 return NS_OK;
}

// Called on the control thread.
NS_IMETHODIMP
BackgroundFileSaver::GetObserver(nsIBackgroundFileSaverObserver** aObserver) {
 NS_ENSURE_ARG_POINTER(aObserver);
 *aObserver = do_AddRef(mObserver).take();
 return NS_OK;
}

// Called on the control thread.
NS_IMETHODIMP
BackgroundFileSaver::SetObserver(nsIBackgroundFileSaverObserver* aObserver) {
 mObserver = aObserver;
 return NS_OK;
}

// Called on the control thread.
NS_IMETHODIMP
BackgroundFileSaver::EnableAppend() {
 MOZ_ASSERT(NS_IsMainThread(), "This should be called on the main thread");

 MutexAutoLock lock(mLock);
 mAppend = true;

 return NS_OK;
}

// Called on the control thread.
NS_IMETHODIMP
BackgroundFileSaver::SetTarget(nsIFile* aTarget, bool aKeepPartial) {
 NS_ENSURE_ARG(aTarget);
 {
   MutexAutoLock lock(mLock);
   if (!mInitialTarget) {
     aTarget->Clone(getter_AddRefs(mInitialTarget));
     mInitialTargetKeepPartial = aKeepPartial;
   } else {
     aTarget->Clone(getter_AddRefs(mRenamedTarget));
     mRenamedTargetKeepPartial = aKeepPartial;
   }
 }

 // After the worker thread wakes up because attention is requested, it will
 // rename or create the target file as requested, and start copying data.
 return GetWorkerThreadAttention(true);
}

// Called on the control thread.
NS_IMETHODIMP
BackgroundFileSaver::Finish(nsresult aStatus) {
 nsresult rv;

 // This will cause the NS_AsyncCopy operation, if it's in progress, to consume
 // all the data that is still in the pipe, and then finish.
 rv = mPipeOutputStream->Close();
 NS_ENSURE_SUCCESS(rv, rv);

 // Ensure that, when we get attention from the worker thread, if no pending
 // rename operation is waiting, the operation will complete.
 {
   MutexAutoLock lock(mLock);
   mFinishRequested = true;
   if (NS_SUCCEEDED(mStatus)) {
     mStatus = aStatus;
   }
 }

 // After the worker thread wakes up because attention is requested, it will
 // process the completion conditions, detect that completion is requested, and
 // notify the main thread of the completion.  If this function was called with
 // a success code, we wait for the copy to finish before processing the
 // completion conditions, otherwise we interrupt the copy immediately.
 return GetWorkerThreadAttention(NS_FAILED(aStatus));
}

NS_IMETHODIMP
BackgroundFileSaver::EnableSha256() {
 MOZ_ASSERT(NS_IsMainThread(),
            "Can't enable sha256 or initialize NSS off the main thread");
 // Ensure Personal Security Manager is initialized. This is required for
 // PK11_* operations to work.
 nsresult rv = NS_OK;
 mozilla::components::NSSComponent::Service(&rv);
 NS_ENSURE_SUCCESS(rv, rv);
 MutexAutoLock lock(mLock);
 mSha256Enabled = true;  // this will be read by the worker thread
 return NS_OK;
}

NS_IMETHODIMP
BackgroundFileSaver::GetSha256Hash(nsACString& aHash) {
 MOZ_ASSERT(NS_IsMainThread(), "Can't inspect sha256 off the main thread");
 // We acquire a lock because mSha256 is written on the worker thread.
 MutexAutoLock lock(mLock);
 if (mSha256.IsEmpty()) {
   return NS_ERROR_NOT_AVAILABLE;
 }
 aHash = mSha256;
 return NS_OK;
}

NS_IMETHODIMP
BackgroundFileSaver::EnableSignatureInfo() {
 MOZ_ASSERT(NS_IsMainThread(),
            "Can't enable signature extraction off the main thread");
 // Ensure Personal Security Manager is initialized.
 nsresult rv = NS_OK;
 mozilla::components::NSSComponent::Service(&rv);
 NS_ENSURE_SUCCESS(rv, rv);
 MutexAutoLock lock(mLock);
 mSignatureInfoEnabled = true;
 return NS_OK;
}

NS_IMETHODIMP
BackgroundFileSaver::GetSignatureInfo(
   nsTArray<nsTArray<nsTArray<uint8_t>>>& aSignatureInfo) {
 MOZ_ASSERT(NS_IsMainThread(), "Can't inspect signature off the main thread");
 // We acquire a lock because mSignatureInfo is written on the worker thread.
 MutexAutoLock lock(mLock);
 if (!mComplete || !mSignatureInfoEnabled) {
   return NS_ERROR_NOT_AVAILABLE;
 }
 for (const auto& signatureChain : mSignatureInfo) {
   aSignatureInfo.AppendElement(TransformIntoNewArray(
       signatureChain, [](const auto& element) { return element.Clone(); }));
 }
 return NS_OK;
}

// Called on the control thread.
nsresult BackgroundFileSaver::GetWorkerThreadAttention(
   bool aShouldInterruptCopy) {
 nsresult rv;

 MutexAutoLock lock(mLock);

 // We only require attention one time.  If this function is called two times
 // before the worker thread wakes up, and the first has aShouldInterruptCopy
 // false and the second true, we won't forcibly interrupt the copy from the
 // control thread.  However, that never happens, because calling Finish with a
 // success code is the only case that may result in aShouldInterruptCopy being
 // false.  In that case, we won't call this function again, because consumers
 // should not invoke other methods on the control thread after calling Finish.
 // And in any case, Finish already closes one end of the pipe, causing the
 // copy to finish properly on its own.
 if (mWorkerThreadAttentionRequested) {
   return NS_OK;
 }

 if (!mAsyncCopyContext) {
   // Background event queues are not shutdown and could be called after
   // the queue is reset to null.  To match the behavior of nsIThread
   // return NS_ERROR_UNEXPECTED
   if (!mBackgroundET) {
     return NS_ERROR_UNEXPECTED;
   }

   // Copy is not in progress, post an event to handle the change manually.
   rv = mBackgroundET->Dispatch(
       NewRunnableMethod("net::BackgroundFileSaver::ProcessAttention", this,
                         &BackgroundFileSaver::ProcessAttention),
       NS_DISPATCH_EVENT_MAY_BLOCK);
   NS_ENSURE_SUCCESS(rv, rv);

 } else if (aShouldInterruptCopy) {
   // Interrupt the copy.  The copy will be resumed, if needed, by the
   // ProcessAttention function, invoked by the AsyncCopyCallback function.
   NS_CancelAsyncCopy(mAsyncCopyContext, NS_ERROR_ABORT);
 }

 // Indicate that attention has been requested successfully, there is no need
 // to post another event until the worker thread processes the current one.
 mWorkerThreadAttentionRequested = true;

 return NS_OK;
}

// Called on the worker thread.
// static
void BackgroundFileSaver::AsyncCopyCallback(void* aClosure, nsresult aStatus) {
 // We called NS_ADDREF_THIS when NS_AsyncCopy started, to keep the object
 // alive even if other references disappeared.  At the end of this method,
 // we've finished using the object and can safely release our reference.
 RefPtr<BackgroundFileSaver> self =
     dont_AddRef((BackgroundFileSaver*)aClosure);
 {
   MutexAutoLock lock(self->mLock);

   // Now that the copy was interrupted or terminated, any notification from
   // the control thread requires an event to be posted to the worker thread.
   self->mAsyncCopyContext = nullptr;

   // When detecting failures, ignore the status code we use to interrupt.
   if (NS_FAILED(aStatus) && aStatus != NS_ERROR_ABORT &&
       NS_SUCCEEDED(self->mStatus)) {
     self->mStatus = aStatus;
   }
 }

 (void)self->ProcessAttention();
}

// Called on the worker thread.
nsresult BackgroundFileSaver::ProcessAttention() {
 nsresult rv;

 // This function is called whenever the attention of the worker thread has
 // been requested.  This may happen in these cases:
 // * We are about to start the copy for the first time.  In this case, we are
 //   called from an event posted on the worker thread from the control thread
 //   by GetWorkerThreadAttention, and mAsyncCopyContext is null.
 // * We have interrupted the copy for some reason.  In this case, we are
 //   called by AsyncCopyCallback, and mAsyncCopyContext is null.
 // * We are currently executing ProcessStateChange, and attention is requested
 //   by the control thread, for example because SetTarget or Finish have been
 //   called.  In this case, we are called from from an event posted through
 //   GetWorkerThreadAttention.  While mAsyncCopyContext was always null when
 //   the event was posted, at this point mAsyncCopyContext may not be null
 //   anymore, because ProcessStateChange may have started the copy before the
 //   event that called this function was processed on the worker thread.
 // If mAsyncCopyContext is not null, we interrupt the copy and re-enter
 // through AsyncCopyCallback.  This allows us to check if, for instance, we
 // should rename the target file.  We will then restart the copy if needed.

 // mAsyncCopyContext is only written on the worker thread (which we are on)
 MOZ_ASSERT(!NS_IsMainThread());
 {
   // Even though we're the only thread that writes this, we have to take the
   // lock
   MutexAutoLock lock(mLock);
   if (mAsyncCopyContext) {
     NS_CancelAsyncCopy(mAsyncCopyContext, NS_ERROR_ABORT);
     return NS_OK;
   }
 }
 // Use the current shared state to determine the next operation to execute.
 rv = ProcessStateChange();
 if (NS_FAILED(rv)) {
   // If something failed while processing, terminate the operation now.
   {
     MutexAutoLock lock(mLock);

     if (NS_SUCCEEDED(mStatus)) {
       mStatus = rv;
     }
   }
   // Ensure we notify completion now that the operation failed.
   CheckCompletion();
 }

 return NS_OK;
}

// Called on the worker thread.
nsresult BackgroundFileSaver::ProcessStateChange() {
 nsresult rv;

 // We might have been notified because the operation is complete, verify.
 if (CheckCompletion()) {
   return NS_OK;
 }

 // Get a copy of the current shared state for the worker thread.
 nsCOMPtr<nsIFile> initialTarget;
 bool initialTargetKeepPartial;
 nsCOMPtr<nsIFile> renamedTarget;
 bool renamedTargetKeepPartial;
 bool sha256Enabled;
 bool append;
 {
   MutexAutoLock lock(mLock);

   initialTarget = mInitialTarget;
   initialTargetKeepPartial = mInitialTargetKeepPartial;
   renamedTarget = mRenamedTarget;
   renamedTargetKeepPartial = mRenamedTargetKeepPartial;
   sha256Enabled = mSha256Enabled;
   append = mAppend;

   // From now on, another attention event needs to be posted if state changes.
   mWorkerThreadAttentionRequested = false;
 }

 // The initial target can only be null if it has never been assigned.  In this
 // case, there is nothing to do since we never created any output file.
 if (!initialTarget) {
   return NS_OK;
 }

 // Determine if we are processing the attention request for the first time.
 bool isContinuation = !!mActualTarget;
 if (!isContinuation) {
   // Assign the target file for the first time.
   mActualTarget = initialTarget;
   mActualTargetKeepPartial = initialTargetKeepPartial;
 }

 // Verify whether we have actually been instructed to use a different file.
 // This may happen the first time this function is executed, if SetTarget was
 // called two times before the worker thread processed the attention request.
 bool equalToCurrent = false;
 if (renamedTarget) {
   rv = mActualTarget->Equals(renamedTarget, &equalToCurrent);
   NS_ENSURE_SUCCESS(rv, rv);
   if (!equalToCurrent) {
     // If we were asked to rename the file but the initial file did not exist,
     // we simply create the file in the renamed location.  We avoid this check
     // if we have already started writing the output file ourselves.
     bool exists = true;
     if (!isContinuation) {
       rv = mActualTarget->Exists(&exists);
       NS_ENSURE_SUCCESS(rv, rv);
     }
     if (exists) {
       // We are moving the previous target file to a different location.
       nsCOMPtr<nsIFile> renamedTargetParentDir;
       rv = renamedTarget->GetParent(getter_AddRefs(renamedTargetParentDir));
       NS_ENSURE_SUCCESS(rv, rv);

       nsAutoString renamedTargetName;
       rv = renamedTarget->GetLeafName(renamedTargetName);
       NS_ENSURE_SUCCESS(rv, rv);

       // We must delete any existing target file before moving the current
       // one.
       rv = renamedTarget->Exists(&exists);
       NS_ENSURE_SUCCESS(rv, rv);
       if (exists) {
         rv = renamedTarget->Remove(false);
         NS_ENSURE_SUCCESS(rv, rv);
       }

       // Move the file.  If this fails, we still reference the original file
       // in mActualTarget, so that it is deleted if requested.  If this
       // succeeds, the nsIFile instance referenced by mActualTarget mutates
       // and starts pointing to the new file, but we'll discard the reference.
       rv = mActualTarget->MoveTo(renamedTargetParentDir, renamedTargetName);
       NS_ENSURE_SUCCESS(rv, rv);
     }

     // We should not only update the mActualTarget with renameTarget when
     // they point to the different files.
     // In this way, if mActualTarget and renamedTarget point to the same file
     // with different addresses, "CheckCompletion()" will return false
     // forever.
   }

   // Update mActualTarget with renameTarget,
   // even if they point to the same file.
   mActualTarget = renamedTarget;
   mActualTargetKeepPartial = renamedTargetKeepPartial;
 }

 // Notify if the target file name actually changed.
 if (!equalToCurrent) {
   // We must clone the nsIFile instance because mActualTarget is not
   // immutable, it may change if the target is renamed later.
   nsCOMPtr<nsIFile> actualTargetToNotify;
   rv = mActualTarget->Clone(getter_AddRefs(actualTargetToNotify));
   NS_ENSURE_SUCCESS(rv, rv);

   RefPtr<NotifyTargetChangeRunnable> event =
       new NotifyTargetChangeRunnable(this, actualTargetToNotify);
   NS_ENSURE_TRUE(event, NS_ERROR_FAILURE);

   rv = mControlEventTarget->Dispatch(event, NS_DISPATCH_NORMAL);
   NS_ENSURE_SUCCESS(rv, rv);
 }

 if (isContinuation) {
   // The pending rename operation might be the last task before finishing. We
   // may return here only if we have already created the target file.
   if (CheckCompletion()) {
     return NS_OK;
   }

   // Even if the operation did not complete, the pipe input stream may be
   // empty and may have been closed already.  We detect this case using the
   // Available property, because it never returns an error if there is more
   // data to be consumed.  If the pipe input stream is closed, we just exit
   // and wait for more calls like SetTarget or Finish to be invoked on the
   // control thread.  However, we still truncate the file or create the
   // initial digest context if we are expected to do that.
   uint64_t available;
   rv = mPipeInputStream->Available(&available);
   if (NS_FAILED(rv)) {
     return NS_OK;
   }
 }

 // Create the digest if requested and NSS hasn't been shut down.
 if (sha256Enabled && mDigest.isNothing()) {
   mDigest.emplace(Digest());
   mDigest->Begin(SEC_OID_SHA256);
 }

 // When we are requested to append to an existing file, we should read the
 // existing data and ensure we include it as part of the final hash.
 if (mDigest.isSome() && append && !isContinuation) {
   nsCOMPtr<nsIInputStream> inputStream;
   rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), mActualTarget,
                                   PR_RDONLY | nsIFile::OS_READAHEAD);
   if (rv != NS_ERROR_FILE_NOT_FOUND) {
     NS_ENSURE_SUCCESS(rv, rv);

     // Try to clean up the inputStream if an error occurs.
     auto closeGuard =
         mozilla::MakeScopeExit([&] { (void)inputStream->Close(); });

     char buffer[BUFFERED_IO_SIZE];
     while (true) {
       uint32_t count;
       rv = inputStream->Read(buffer, BUFFERED_IO_SIZE, &count);
       NS_ENSURE_SUCCESS(rv, rv);

       if (count == 0) {
         // We reached the end of the file.
         break;
       }

       rv = mDigest->Update(BitwiseCast<unsigned char*, char*>(buffer), count);
       NS_ENSURE_SUCCESS(rv, rv);

       // The pending resume operation may have been cancelled by the control
       // thread while the worker thread was reading in the existing file.
       // Abort reading in the original file in that case, as the digest will
       // be discarded anyway.
       MutexAutoLock lock(mLock);
       if (NS_FAILED(mStatus)) {
         return NS_ERROR_ABORT;
       }
     }

     // Close explicitly to handle any errors.
     closeGuard.release();
     rv = inputStream->Close();
     NS_ENSURE_SUCCESS(rv, rv);
   }
 }

 // We will append to the initial target file only if it was requested by the
 // caller, but we'll always append on subsequent accesses to the target file.
 int32_t creationIoFlags;
 if (isContinuation) {
   creationIoFlags = PR_APPEND;
 } else {
   creationIoFlags = (append ? PR_APPEND : PR_TRUNCATE) | PR_CREATE_FILE;
 }

 // Create the target file, or append to it if we already started writing it.
 // The 0600 permissions are used while the file is being downloaded, and for
 // interrupted downloads. Those may be located in the system temporary
 // directory, as well as the target directory, and generally have a ".part"
 // extension. Those part files should never be group or world-writable even
 // if the umask allows it.
 nsCOMPtr<nsIOutputStream> outputStream;
 rv = NS_NewLocalFileOutputStream(getter_AddRefs(outputStream), mActualTarget,
                                  PR_WRONLY | creationIoFlags, 0600);
 NS_ENSURE_SUCCESS(rv, rv);

 nsCOMPtr<nsIOutputStream> bufferedStream;
 rv = NS_NewBufferedOutputStream(getter_AddRefs(bufferedStream),
                                 outputStream.forget(), BUFFERED_IO_SIZE);
 NS_ENSURE_SUCCESS(rv, rv);
 outputStream = bufferedStream;

 // Wrap the output stream so that it feeds the digest if needed.
 if (mDigest.isSome()) {
   // Constructing the DigestOutputStream cannot fail. Passing mDigest
   // to DigestOutputStream is safe, because BackgroundFileSaver always
   // outlives the outputStream. BackgroundFileSaver is reference-counted
   // before the call to AsyncCopy, and mDigest is never destroyed
   // before AsyncCopyCallback.
   outputStream = new DigestOutputStream(outputStream, mDigest.ref());
 }

 // Start copying our input to the target file.  No errors can be raised past
 // this point if the copy starts, since they should be handled by the thread.
 {
   MutexAutoLock lock(mLock);

   rv = NS_AsyncCopy(mPipeInputStream, outputStream, mBackgroundET,
                     NS_ASYNCCOPY_VIA_READSEGMENTS, 4096, AsyncCopyCallback,
                     this, false, true, getter_AddRefs(mAsyncCopyContext),
                     GetProgressCallback());
   if (NS_FAILED(rv)) {
     NS_WARNING("NS_AsyncCopy failed.");
     mAsyncCopyContext = nullptr;
     return rv;
   }
 }

 // If the operation succeeded, we must ensure that we keep this object alive
 // for the entire duration of the copy, since only the raw pointer will be
 // provided as the argument of the AsyncCopyCallback function.  We can add the
 // reference now, after NS_AsyncCopy returned, because it always starts
 // processing asynchronously, and there is no risk that the callback is
 // invoked before we reach this point.  If the operation failed instead, then
 // AsyncCopyCallback will never be called.
 NS_ADDREF_THIS();

 return NS_OK;
}

// Called on the worker thread.
bool BackgroundFileSaver::CheckCompletion() {
 nsresult rv;

 bool failed = true;
 {
   MutexAutoLock lock(mLock);
   MOZ_ASSERT(!mAsyncCopyContext,
              "Should not be copying when checking completion conditions.");

   if (mComplete) {
     return true;
   }

   // If an error occurred, we don't need to do the checks in this code block,
   // and the operation can be completed immediately with a failure code.
   if (NS_SUCCEEDED(mStatus)) {
     failed = false;

     // We did not incur in an error, so we must determine if we can stop now.
     // If the Finish method has not been called, we can just continue now.
     if (!mFinishRequested) {
       return false;
     }

     // We can only stop when all the operations requested by the control
     // thread have been processed.  First, we check whether we have processed
     // the first SetTarget call, if any.  Then, we check whether we have
     // processed any rename requested by subsequent SetTarget calls.
     if ((mInitialTarget && !mActualTarget) ||
         (mRenamedTarget && mRenamedTarget != mActualTarget)) {
       return false;
     }

     // If we still have data to write to the output file, allow the copy
     // operation to resume.  The Available getter may return an error if one
     // of the pipe's streams has been already closed.
     uint64_t available;
     rv = mPipeInputStream->Available(&available);
     if (NS_SUCCEEDED(rv) && available != 0) {
       return false;
     }
   }

   mComplete = true;
 }

 // Ensure we notify completion now that the operation finished.
 // Do a best-effort attempt to remove the file if required.
 if (failed && mActualTarget && !mActualTargetKeepPartial) {
   (void)mActualTarget->Remove(false);
 }

 // Finish computing the hash
 if (!failed && mDigest.isSome()) {
   nsTArray<uint8_t> outArray;
   rv = mDigest->End(outArray);
   if (NS_SUCCEEDED(rv)) {
     MutexAutoLock lock(mLock);
     mSha256 = nsDependentCSubstring(
         BitwiseCast<char*, uint8_t*>(outArray.Elements()), outArray.Length());
   }
 }

 // Compute the signature of the binary. ExtractSignatureInfo doesn't do
 // anything on non-Windows platforms except return an empty nsIArray.
 if (!failed && mActualTarget) {
   nsString filePath;
   mActualTarget->GetTarget(filePath);
   nsresult rv = ExtractSignatureInfo(filePath);
   if (NS_FAILED(rv)) {
     LOG(("Unable to extract signature information [this = %p].", this));
   } else {
     LOG(("Signature extraction success! [this = %p]", this));
   }
 }

 // Post an event to notify that the operation completed.
 if (NS_FAILED(mControlEventTarget->Dispatch(
         NewRunnableMethod("BackgroundFileSaver::NotifySaveComplete", this,
                           &BackgroundFileSaver::NotifySaveComplete),
         NS_DISPATCH_NORMAL))) {
   NS_WARNING("Unable to post completion event to the control thread.");
 }

 return true;
}

// Called on the control thread.
nsresult BackgroundFileSaver::NotifyTargetChange(nsIFile* aTarget) {
 if (mObserver) {
   (void)mObserver->OnTargetChange(this, aTarget);
 }

 return NS_OK;
}

// Called on the control thread.
nsresult BackgroundFileSaver::NotifySaveComplete() {
 MOZ_ASSERT(NS_IsMainThread(), "This should be called on the main thread");

 nsresult status;
 {
   MutexAutoLock lock(mLock);
   status = mStatus;
 }

 if (mObserver) {
   (void)mObserver->OnSaveComplete(this, status);
   // If mObserver keeps alive an enclosure that captures `this`, we'll have a
   // cycle that won't be caught by the cycle-collector, so we need to break it
   // when we're done here (see bug 1444265).
   mObserver = nullptr;
 }

 // At this point, the worker thread will not process any more events, and we
 // can shut it down.  Shutting down a thread may re-enter the event loop on
 // this thread.  This is not a problem in this case, since this function is
 // called by a top-level event itself, and we have already invoked the
 // completion observer callback.  Re-entering the loop can only delay the
 // final release and destruction of this saver object, since we are keeping a
 // reference to it through the event object.
 mBackgroundET = nullptr;

 sThreadCount--;

 // When there are no more active downloads, we consider the download session
 // finished. We record the maximum number of concurrent downloads reached
 // during the session in a telemetry histogram, and we reset the maximum
 // thread counter for the next download session
 if (sThreadCount == 0) {
   glean::network::backgroundfilesaver_thread_count.AccumulateSingleSample(
       sTelemetryMaxThreadCount);
   sTelemetryMaxThreadCount = 0;
 }

 return NS_OK;
}

nsresult BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath) {
 MOZ_ASSERT(!NS_IsMainThread(), "Cannot extract signature on main thread");
 {
   MutexAutoLock lock(mLock);
   if (!mSignatureInfoEnabled) {
     return NS_OK;
   }
 }
#ifdef XP_WIN
 // Setup the file to check.
 WINTRUST_FILE_INFO fileToCheck = {0};
 fileToCheck.cbStruct = sizeof(WINTRUST_FILE_INFO);
 fileToCheck.pcwszFilePath = filePath.Data();
 fileToCheck.hFile = nullptr;
 fileToCheck.pgKnownSubject = nullptr;

 // We want to check it is signed and trusted.
 WINTRUST_DATA trustData = {0};
 trustData.cbStruct = sizeof(trustData);
 trustData.pPolicyCallbackData = nullptr;
 trustData.pSIPClientData = nullptr;
 trustData.dwUIChoice = WTD_UI_NONE;
 trustData.fdwRevocationChecks = WTD_REVOKE_NONE;
 trustData.dwUnionChoice = WTD_CHOICE_FILE;
 trustData.dwStateAction = WTD_STATEACTION_VERIFY;
 trustData.hWVTStateData = nullptr;
 trustData.pwszURLReference = nullptr;
 // Disallow revocation checks over the network
 trustData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL;
 // no UI
 trustData.dwUIContext = 0;
 trustData.pFile = &fileToCheck;

 // The WINTRUST_ACTION_GENERIC_VERIFY_V2 policy verifies that the certificate
 // chains up to a trusted root CA and has appropriate permissions to sign
 // code.
 GUID policyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
 // Check if the file is signed by something that is trusted. If the file is
 // not signed, this is a no-op.
 LONG ret = WinVerifyTrust(nullptr, &policyGUID, &trustData);
 CRYPT_PROVIDER_DATA* cryptoProviderData = nullptr;
 // According to the Windows documentation, we should check against 0 instead
 // of ERROR_SUCCESS, which is an HRESULT.
 if (ret == 0) {
   cryptoProviderData = WTHelperProvDataFromStateData(trustData.hWVTStateData);
 }
 if (cryptoProviderData) {
   // Lock because signature information is read on the main thread.
   MutexAutoLock lock(mLock);
   LOG(("Downloaded trusted and signed file [this = %p].", this));
   // A binary may have multiple signers. Each signer may have multiple certs
   // in the chain.
   for (DWORD i = 0; i < cryptoProviderData->csSigners; ++i) {
     const CERT_CHAIN_CONTEXT* certChainContext =
         cryptoProviderData->pasSigners[i].pChainContext;
     if (!certChainContext) {
       break;
     }
     for (DWORD j = 0; j < certChainContext->cChain; ++j) {
       const CERT_SIMPLE_CHAIN* certSimpleChain =
           certChainContext->rgpChain[j];
       if (!certSimpleChain) {
         break;
       }

       nsTArray<nsTArray<uint8_t>> certList;
       bool extractionSuccess = true;
       for (DWORD k = 0; k < certSimpleChain->cElement; ++k) {
         CERT_CHAIN_ELEMENT* certChainElement = certSimpleChain->rgpElement[k];
         if (certChainElement->pCertContext->dwCertEncodingType !=
             X509_ASN_ENCODING) {
           continue;
         }
         nsTArray<uint8_t> cert;
         cert.AppendElements(certChainElement->pCertContext->pbCertEncoded,
                             certChainElement->pCertContext->cbCertEncoded);
         certList.AppendElement(std::move(cert));
       }
       if (extractionSuccess) {
         mSignatureInfo.AppendElement(std::move(certList));
       }
     }
   }
   // Free the provider data if cryptoProviderData is not null.
   trustData.dwStateAction = WTD_STATEACTION_CLOSE;
   WinVerifyTrust(nullptr, &policyGUID, &trustData);
 } else {
   LOG(("Downloaded unsigned or untrusted file [this = %p].", this));
 }
#endif
 return NS_OK;
}

////////////////////////////////////////////////////////////////////////////////
//// BackgroundFileSaverOutputStream

NS_IMPL_ISUPPORTS(BackgroundFileSaverOutputStream, nsIBackgroundFileSaver,
                 nsIOutputStream, nsIAsyncOutputStream,
                 nsIOutputStreamCallback)

BackgroundFileSaverOutputStream::BackgroundFileSaverOutputStream()
   : mAsyncWaitCallback(nullptr) {}

bool BackgroundFileSaverOutputStream::HasInfiniteBuffer() { return false; }

nsAsyncCopyProgressFun BackgroundFileSaverOutputStream::GetProgressCallback() {
 return nullptr;
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::Close() { return mPipeOutputStream->Close(); }

NS_IMETHODIMP
BackgroundFileSaverOutputStream::Flush() { return mPipeOutputStream->Flush(); }

NS_IMETHODIMP
BackgroundFileSaverOutputStream::StreamStatus() {
 return mPipeOutputStream->StreamStatus();
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::Write(const char* aBuf, uint32_t aCount,
                                      uint32_t* _retval) {
 return mPipeOutputStream->Write(aBuf, aCount, _retval);
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::WriteFrom(nsIInputStream* aFromStream,
                                          uint32_t aCount, uint32_t* _retval) {
 return mPipeOutputStream->WriteFrom(aFromStream, aCount, _retval);
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::WriteSegments(nsReadSegmentFun aReader,
                                              void* aClosure, uint32_t aCount,
                                              uint32_t* _retval) {
 return mPipeOutputStream->WriteSegments(aReader, aClosure, aCount, _retval);
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::IsNonBlocking(bool* _retval) {
 return mPipeOutputStream->IsNonBlocking(_retval);
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::CloseWithStatus(nsresult reason) {
 return mPipeOutputStream->CloseWithStatus(reason);
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::AsyncWait(nsIOutputStreamCallback* aCallback,
                                          uint32_t aFlags,
                                          uint32_t aRequestedCount,
                                          nsIEventTarget* aEventTarget) {
 NS_ENSURE_STATE(!mAsyncWaitCallback);

 mAsyncWaitCallback = aCallback;

 return mPipeOutputStream->AsyncWait(this, aFlags, aRequestedCount,
                                     aEventTarget);
}

NS_IMETHODIMP
BackgroundFileSaverOutputStream::OnOutputStreamReady(
   nsIAsyncOutputStream* aStream) {
 NS_ENSURE_STATE(mAsyncWaitCallback);

 nsCOMPtr<nsIOutputStreamCallback> asyncWaitCallback = nullptr;
 asyncWaitCallback.swap(mAsyncWaitCallback);

 return asyncWaitCallback->OnOutputStreamReady(this);
}

////////////////////////////////////////////////////////////////////////////////
//// BackgroundFileSaverStreamListener

NS_IMPL_ISUPPORTS(BackgroundFileSaverStreamListener, nsIBackgroundFileSaver,
                 nsIRequestObserver, nsIStreamListener)

bool BackgroundFileSaverStreamListener::HasInfiniteBuffer() { return true; }

nsAsyncCopyProgressFun
BackgroundFileSaverStreamListener::GetProgressCallback() {
 return AsyncCopyProgressCallback;
}

NS_IMETHODIMP
BackgroundFileSaverStreamListener::OnStartRequest(nsIRequest* aRequest) {
 NS_ENSURE_ARG(aRequest);

 return NS_OK;
}

NS_IMETHODIMP
BackgroundFileSaverStreamListener::OnStopRequest(nsIRequest* aRequest,
                                                nsresult aStatusCode) {
 // If an error occurred, cancel the operation immediately.  On success, wait
 // until the caller has determined whether the file should be renamed.
 if (NS_FAILED(aStatusCode)) {
   Finish(aStatusCode);
 }

 return NS_OK;
}

NS_IMETHODIMP
BackgroundFileSaverStreamListener::OnDataAvailable(nsIRequest* aRequest,
                                                  nsIInputStream* aInputStream,
                                                  uint64_t aOffset,
                                                  uint32_t aCount) {
 nsresult rv;

 NS_ENSURE_ARG(aRequest);

 // Read the requested data.  Since the pipe has an infinite buffer, we don't
 // expect any write error to occur here.
 uint32_t writeCount;
 rv = mPipeOutputStream->WriteFrom(aInputStream, aCount, &writeCount);
 NS_ENSURE_SUCCESS(rv, rv);

 // If reading from the input stream fails for any reason, the pipe will return
 // a success code, but without reading all the data.  Since we should be able
 // to read the requested data when OnDataAvailable is called, raise an error.
 if (writeCount < aCount) {
   NS_WARNING("Reading from the input stream should not have failed.");
   return NS_ERROR_UNEXPECTED;
 }

 bool stateChanged = false;
 {
   MutexAutoLock lock(mSuspensionLock);

   if (!mReceivedTooMuchData) {
     uint64_t available;
     nsresult rv = mPipeInputStream->Available(&available);
     if (NS_SUCCEEDED(rv) && available > REQUEST_SUSPEND_AT) {
       mReceivedTooMuchData = true;
       mRequest = aRequest;
       stateChanged = true;
     }
   }
 }

 if (stateChanged) {
   NotifySuspendOrResume();
 }

 return NS_OK;
}

// Called on the worker thread.
// static
void BackgroundFileSaverStreamListener::AsyncCopyProgressCallback(
   void* aClosure, uint32_t aCount) {
 BackgroundFileSaverStreamListener* self =
     (BackgroundFileSaverStreamListener*)aClosure;

 // Wait if the control thread is in the process of suspending or resuming.
 MutexAutoLock lock(self->mSuspensionLock);

 // This function is called when some bytes are consumed by NS_AsyncCopy.  Each
 // time this happens, verify if a suspended request should be resumed, because
 // we have now consumed enough data.
 if (self->mReceivedTooMuchData) {
   uint64_t available;
   nsresult rv = self->mPipeInputStream->Available(&available);
   if (NS_FAILED(rv) || available < REQUEST_RESUME_AT) {
     self->mReceivedTooMuchData = false;

     // Post an event to verify if the request should be resumed.
     if (NS_FAILED(self->mControlEventTarget->Dispatch(
             NewRunnableMethod(
                 "BackgroundFileSaverStreamListener::NotifySuspendOrResume",
                 self,
                 &BackgroundFileSaverStreamListener::NotifySuspendOrResume),
             NS_DISPATCH_NORMAL))) {
       NS_WARNING("Unable to post resume event to the control thread.");
     }
   }
 }
}

// Called on the control thread.
nsresult BackgroundFileSaverStreamListener::NotifySuspendOrResume() {
 // Prevent the worker thread from changing state while processing.
 MutexAutoLock lock(mSuspensionLock);

 if (mReceivedTooMuchData) {
   if (!mRequestSuspended) {
     // Try to suspend the request.  If this fails, don't try to resume later.
     if (NS_SUCCEEDED(mRequest->Suspend())) {
       mRequestSuspended = true;
     } else {
       NS_WARNING("Unable to suspend the request.");
     }
   }
 } else {
   if (mRequestSuspended) {
     // Resume the request only if we succeeded in suspending it.
     if (NS_SUCCEEDED(mRequest->Resume())) {
       mRequestSuspended = false;
     } else {
       NS_WARNING("Unable to resume the request.");
     }
   }
 }

 return NS_OK;
}

////////////////////////////////////////////////////////////////////////////////
//// DigestOutputStream
NS_IMPL_ISUPPORTS(DigestOutputStream, nsIOutputStream)

DigestOutputStream::DigestOutputStream(nsIOutputStream* aStream,
                                      Digest& aDigest)
   : mOutputStream(aStream), mDigest(aDigest) {
 MOZ_ASSERT(mOutputStream, "Can't have null output stream");
}

NS_IMETHODIMP
DigestOutputStream::Close() { return mOutputStream->Close(); }

NS_IMETHODIMP
DigestOutputStream::Flush() { return mOutputStream->Flush(); }

NS_IMETHODIMP
DigestOutputStream::StreamStatus() { return mOutputStream->StreamStatus(); }

NS_IMETHODIMP
DigestOutputStream::Write(const char* aBuf, uint32_t aCount, uint32_t* retval) {
 nsresult rv = mDigest.Update(
     BitwiseCast<const unsigned char*, const char*>(aBuf), aCount);
 NS_ENSURE_SUCCESS(rv, rv);

 return mOutputStream->Write(aBuf, aCount, retval);
}

NS_IMETHODIMP
DigestOutputStream::WriteFrom(nsIInputStream* aFromStream, uint32_t aCount,
                             uint32_t* retval) {
 // Not supported. We could read the stream to a buf, call DigestOp on the
 // result, seek back and pass the stream on, but it's not worth it since our
 // application (NS_AsyncCopy) doesn't invoke this on the sink.
 MOZ_CRASH("DigestOutputStream::WriteFrom not implemented");
}

NS_IMETHODIMP
DigestOutputStream::WriteSegments(nsReadSegmentFun aReader, void* aClosure,
                                 uint32_t aCount, uint32_t* retval) {
 MOZ_CRASH("DigestOutputStream::WriteSegments not implemented");
}

NS_IMETHODIMP
DigestOutputStream::IsNonBlocking(bool* retval) {
 return mOutputStream->IsNonBlocking(retval);
}

#undef LOG_ENABLED

}  // namespace net
}  // namespace mozilla