mono/mcs/class/referencesource/System.Core/System/IO/LogStream.cs

// ==++==
// 
//   Copyright (c) Microsoft Corporation.  All rights reserved.
// 
// ==--==
/*============================================================
**
** Class:  LogStream
**
===========================================================*/
using System;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
using System.Security;
using System.Security.Permissions;
using System.Threading;
using System.Runtime.InteropServices;
using System.Runtime.Remoting.Messaging;
using System.Runtime.CompilerServices;
using System.Globalization;
using System.Runtime.Versioning;

using System.Diagnostics;
using System.Diagnostics.Contracts;

namespace System.IO {

// This stream has very limited support to enable EventSchemaTraceListener
// Eventually we might want to add more functionality and expose this type 
internal class LogStream : BufferedStream2
{
    internal const long DefaultFileSize = 10*1000*1024;
    internal const int DefaultNumberOfFiles = 2;
    internal const LogRetentionOption DefaultRetention = LogRetentionOption.SingleFileUnboundedSize;

    // Retention policy
    private const int _retentionRetryThreshold = 2;
    private LogRetentionOption _retention;
    private long _maxFileSize = DefaultFileSize;
    private int _maxNumberOfFiles = DefaultNumberOfFiles; 
    private int _currentFileNum = 1;
    bool _disableLogging;
    int _retentionRetryCount;

    private bool _canRead;
    private bool _canWrite;
    private bool _canSeek;
    [SecurityCritical]
    private SafeFileHandle _handle;
    
    private String _fileName;       // Fully qualified file name.
    string _fileNameWithoutExt;
    string _fileExt;
    
    // Save input for retention 
    string _pathSav;
    int _fAccessSav;
    FileShare _shareSav; 
    UnsafeNativeMethods.SECURITY_ATTRIBUTES _secAttrsSav; 
    FileIOPermissionAccess _secAccessSav;
    FileMode _modeSav; 
    int _flagsAndAttributesSav;
    bool _seekToEndSav;

    private readonly object m_lockObject = new Object();

    //Limited to immediate internal need from EventSchemaTraceListener
    //Not param validation done!!
    [ResourceExposure(ResourceScope.Machine)]
    [ResourceConsumption(ResourceScope.Machine)]
    [System.Security.SecurityCritical]
    internal LogStream(String path, int bufferSize, LogRetentionOption retention, long maxFileSize, int maxNumOfFiles) 
    {
        Debug.Assert(!String.IsNullOrEmpty(path));

        // Get absolute path - Security needs this to prevent something
        // like trying to create a file in c:\tmp with the name 
        // "..\WinNT\System32\ntoskrnl.exe".  Store it for user convenience.
        //String filePath = Path.GetFullPathInternal(path);
        String filePath = Path.GetFullPath(path);
        _fileName = filePath;

        // Prevent access to your disk drives as raw block devices.
        if (filePath.StartsWith("\\\\.\\", StringComparison.Ordinal))
            throw new NotSupportedException(SR.GetString(SR.NotSupported_IONonFileDevices));

        UnsafeNativeMethods.SECURITY_ATTRIBUTES secAttrs = GetSecAttrs(FileShare.Read);
        
        // For mitigating local elevation of privilege attack through named pipes
        // make sure we always call CreateFile with SECURITY_ANONYMOUS so that the
        // named pipe server can't impersonate a high privileged client security context
        int flagsAndAttributes = (int)FileOptions.None | (UnsafeNativeMethods.SECURITY_SQOS_PRESENT | UnsafeNativeMethods.SECURITY_ANONYMOUS);
        
        // Only write is enabled
        //_canRead = false;
        //_canSeek = false;
        _canWrite = true;

        _pathSav = filePath;
        _fAccessSav = UnsafeNativeMethods.GENERIC_WRITE;
        _shareSav = FileShare.Read;
        _secAttrsSav = secAttrs;
        _secAccessSav = FileIOPermissionAccess.Write;
        _modeSav = (retention != LogRetentionOption.SingleFileUnboundedSize)? FileMode.Create : FileMode.OpenOrCreate;
        _flagsAndAttributesSav = flagsAndAttributes;
        _seekToEndSav = (retention != LogRetentionOption.SingleFileUnboundedSize)? false : true;
        
        this.bufferSize = bufferSize;
        _retention = retention;
        _maxFileSize = maxFileSize;
        _maxNumberOfFiles = maxNumOfFiles;

        _Init(filePath, _fAccessSav, _shareSav, _secAttrsSav, _secAccessSav, _modeSav, _flagsAndAttributesSav, _seekToEndSav);
    }

    [System.Security.SecurityCritical]
    internal void _Init(String path, int fAccess, FileShare share, UnsafeNativeMethods.SECURITY_ATTRIBUTES secAttrs, FileIOPermissionAccess secAccess, 
                        FileMode mode, int flagsAndAttributes, bool seekToEnd)
    {
        String filePath = Path.GetFullPath(path);
        _fileName = filePath;

        new FileIOPermission(secAccess, new String[] { filePath }).Demand();

        // Don't pop up a dialog for reading from an emtpy floppy drive
        int oldMode = UnsafeNativeMethods.SetErrorMode(UnsafeNativeMethods.SEM_FAILCRITICALERRORS);
        try {
            _handle = UnsafeNativeMethods.SafeCreateFile(filePath, fAccess, share, secAttrs, mode, flagsAndAttributes, UnsafeNativeMethods.NULL);
            int errorCode = Marshal.GetLastWin32Error();

            if (_handle.IsInvalid) {
                // Return a meaningful exception, using the RELATIVE path to
                // the file to avoid returning extra information to the caller
                // unless they have path discovery permission, in which case
                // the full path is fine & useful.

                // We need to give an exception, and preferably it would include
                // the fully qualified path name.  Do security check here.  If
                // we fail, give back the msgPath, which should not reveal much.
                // While this logic is largely duplicated in 
                // __Error.WinIOError, we need this for 
                // IsolatedStorageLogFileStream.
                bool canGiveFullPath = false;

                try {
                    new FileIOPermission(FileIOPermissionAccess.PathDiscovery, new String[] { _fileName }).Demand();
                    canGiveFullPath = true;
                }
                catch(SecurityException) {}

                if (canGiveFullPath)
                    __Error.WinIOError(errorCode, _fileName);
                else
                    __Error.WinIOError(errorCode, Path.GetFileName(_fileName));
            }
        }
        finally {
            UnsafeNativeMethods.SetErrorMode(oldMode);
        }
        Debug.Assert(UnsafeNativeMethods.GetFileType(_handle) == UnsafeNativeMethods.FILE_TYPE_DISK, "did someone accidentally removed the device type check from SafeCreateFile P/Invoke wrapper?"); 

        pos = 0;

        // For Append mode...
        if (seekToEnd) {
            SeekCore(0, SeekOrigin.End);
        }
    }

    public override bool CanRead {
        [Pure]
        get { return _canRead; }
    }

    public override bool CanWrite {
        [Pure]
        get { return _canWrite; }
    }

    public override bool CanSeek {
        [Pure]
        get { return _canSeek; }
    }

    public override long Length {
        get {
            throw new NotSupportedException();
        }
    }

    public override long Position {
        get {
            throw new NotSupportedException();
        }
        set {
            throw new NotSupportedException();
        }
    }

    public override void SetLength(long value)
    {
        throw new NotSupportedException();
    }

    public override long Seek(long offset, SeekOrigin origin) 
    {
        throw new NotSupportedException();
    }

    public override int Read(byte[] array, int offset, int count) 
    {
        throw new NotSupportedException();
    }

    [System.Security.SecurityCritical]
    protected override unsafe void WriteCore(byte[] buffer, int offset, int count, bool blockForWrite, out long streamPos) {
        Debug.Assert(CanWrite, "CanWrite");
        Debug.Assert(buffer != null, "buffer != null");
        Debug.Assert(offset >= 0, "offset is negative");
        Debug.Assert(count >= 0, "count is negative");
        
        int hr = 0;
        int r = WriteFileNative(buffer, offset, count, null, out hr);
        if (r == -1) {
            // For pipes, ERROR_NO_DATA is not an error, but the pipe is closing.
            if (hr == UnsafeNativeMethods.ERROR_NO_DATA) {
                r = 0;
            }
            else {
                // ERROR_INVALID_PARAMETER may be returned for writes
                // where the position is too large (ie, writing at Int64.MaxValue 
                // on Win9x) OR for synchronous writes to a handle opened 
                // asynchronously.
                if (hr == UnsafeNativeMethods.ERROR_INVALID_PARAMETER)
                    throw new IOException(SR.GetString(SR.IO_FileTooLongOrHandleNotSync));
                __Error.WinIOError(hr, String.Empty);
            }
        }
        Debug.Assert(r >= 0, "WriteCore is likely broken.");
        // update cached position 
        streamPos = AddUnderlyingStreamPosition((long)r);
        EnforceRetentionPolicy(_handle, streamPos);
        streamPos = pos;
        return;
    }

    [System.Security.SecurityCritical]
    unsafe private int WriteFileNative(byte[] bytes, int offset, int count, NativeOverlapped* overlapped, out int hr) {
        if (_handle.IsClosed) __Error.FileNotOpen();
        
        if (_disableLogging) { 
            hr = 0;
            return 0;
        }

        Debug.Assert(offset >= 0, "offset >= 0");
        Debug.Assert(count >= 0, "count >= 0");
        Debug.Assert(bytes != null, "bytes != null");

        // Don't corrupt memory when multiple threads are erroneously writing
        // to this stream simultaneously.  (the OS is reading from
        // the array we pass to WriteFile, but if we read beyond the end and
        // that memory isn't allocated, we could get an AV.)
        if (bytes.Length - offset < count)
            throw new IndexOutOfRangeException(SR.GetString(SR.IndexOutOfRange_IORaceCondition));

        // You can't use the fixed statement on an array of length 0.
        if (bytes.Length==0) {
            hr = 0;
            return 0;
        }

        int numBytesWritten = 0;
        int r = 0;
        
        fixed(byte* p = bytes) {
            r = UnsafeNativeMethods.WriteFile(_handle, p + offset, count, out numBytesWritten, overlapped);
        }

        if (r == 0) {
            // We should never silently ---- an error here without some
            // extra work.  We must make sure that BeginWriteCore won't return an 
            // IAsyncResult that will cause EndWrite to block, since the OS won't
            // call AsyncFSCallback for us.  
            hr = Marshal.GetLastWin32Error();

            // For invalid handles, detect the error and mark our handle
            // as closed to give slightly better error messages.  Also
            // help ensure we avoid handle recycling bugs.
            if (hr == UnsafeNativeMethods.ERROR_INVALID_HANDLE)
                _handle.SetHandleAsInvalid();

            return -1;
        }
        else
            hr = 0;
        return numBytesWritten;          
    }

    // This doesn't do argument checking.  Necessary for SetLength, which must
    // set the file pointer beyond the end of the file. This will update the 
    // internal position
    [System.Security.SecurityCritical]
    private long SeekCore(long offset, SeekOrigin origin) 
    {
        Debug.Assert(!_handle.IsClosed, "!_handle.IsClosed");
        Debug.Assert(origin>=SeekOrigin.Begin && origin<=SeekOrigin.End, "origin>=SeekOrigin.Begin && origin<=SeekOrigin.End");
        int hr = 0;
        long ret = 0;
        
        ret = UnsafeNativeMethods.SetFilePointer(_handle, offset, origin, out hr);
        if (ret == -1) {
            // For invalid handles, detect the error and mark our handle
            // as closed to give slightly better error messages.  Also
            // help ensure we avoid handle recycling bugs.
            if (hr == UnsafeNativeMethods.ERROR_INVALID_HANDLE)
                _handle.SetHandleAsInvalid();
            __Error.WinIOError(hr, String.Empty);
        }
        
        UnderlyingStreamPosition = ret;
        return ret;
    }

    [System.Security.SecurityCritical]
    protected override void Dispose(bool disposing)
    {
        // Nothing will be done differently based on whether we are 
        // disposing vs. finalizing.  This is taking advantage of the
        // weak ordering between normal finalizable objects & critical
        // finalizable objects, which I included in the SafeHandle 
        // design for LogStream, which would often "just work" when 
        // finalized.
        try {
            if (_handle == null || _handle.IsClosed) {
                // Make sure BufferedStream doesn't try to flush data on a closed handle
                DiscardBuffer();
            }
        }
        finally {
            try {
                // Cleanup base streams
                base.Dispose(disposing);
            }
            finally {
                if (_handle != null && !_handle.IsClosed)
                    _handle.Dispose();

                _handle = null;
                _canRead = false;
                _canWrite = false;
                _canSeek = false;
            }
        }
    }

    [System.Security.SecurityCritical]
    ~LogStream()
    {
        if (_handle != null) {
            Dispose(false);
        }
    }

    [System.Security.SecurityCritical]
    private void EnforceRetentionPolicy(SafeFileHandle handle, long lastPos) 
    {
        switch (_retention) {
        case LogRetentionOption.LimitedSequentialFiles:
        case LogRetentionOption.UnlimitedSequentialFiles:
        case LogRetentionOption.LimitedCircularFiles:
            if ((lastPos >= _maxFileSize) && (handle == _handle)){
                lock (m_lockObject) {
                    if ((handle != _handle) || (lastPos < _maxFileSize))
                        return;
                    
                    _currentFileNum++;
                    if ((_retention == LogRetentionOption.LimitedCircularFiles) && (_currentFileNum > _maxNumberOfFiles)) { 
                        _currentFileNum = 1;
                    }
                    else if ((_retention == LogRetentionOption.LimitedSequentialFiles) && (_currentFileNum > _maxNumberOfFiles)) {
                        _DisableLogging();
                        return;
                    }

                    if (_fileNameWithoutExt == null) {
                        _fileNameWithoutExt = Path.Combine(Path.GetDirectoryName(_pathSav), Path.GetFileNameWithoutExtension(_pathSav));
                        _fileExt = Path.GetExtension(_pathSav);
                    }

                    string path = (_currentFileNum == 1)?_pathSav: _fileNameWithoutExt + _currentFileNum.ToString(CultureInfo.InvariantCulture) + _fileExt;
                    try {
                        _Init(path, _fAccessSav, _shareSav, _secAttrsSav, _secAccessSav, _modeSav, _flagsAndAttributesSav, _seekToEndSav);
                        
                        // Dispose the old handle and release the file write lock
                        // No need to flush the buffer as we just came off a write
                        if (handle != null && !handle.IsClosed) {
                            handle.Dispose();
                        }
                    }
                    catch (IOException ) { 
                        // Should we do this only for ERROR_SHARING_VIOLATION?
                        //if (UnsafeNativeMethods.MakeErrorCodeFromHR(Marshal.GetHRForException(ioexc)) != InternalResources.ERROR_SHARING_VIOLATION) break;
                        
                        // Possible sharing violation - ----? Let the next iteration try again
                        // For now revert the handle to the original one
                        _handle = handle;
                        
                        _retentionRetryCount++;
                        if (_retentionRetryCount >= _retentionRetryThreshold) {
                            _DisableLogging();
                        }
#if DEBUG
                        throw; 
#endif  
                    }
                    catch (UnauthorizedAccessException ) { 
                        // Indicative of ACL issues
                        _DisableLogging();
#if DEBUG
                        throw; 
#endif  
                    }
                    catch (Exception ) {
                        _DisableLogging();
#if DEBUG
                        throw; 
#endif  
                    }
                }
            }
            break;
        
        case LogRetentionOption.SingleFileBoundedSize:
            if (lastPos >= _maxFileSize) 
                _DisableLogging();
            break;

        case LogRetentionOption.SingleFileUnboundedSize:
            break;
        }
    }

    // When we enable this class widely, we need to raise an 
    // event when we disable logging due to rention policy or
    // error such as ACL that is preventing retention
    [MethodImplAttribute(MethodImplOptions.Synchronized)]
    private void _DisableLogging() 
    {
        // Discard write buffer?
        _disableLogging = true;
    }

    [System.Security.SecurityCritical]
    private static UnsafeNativeMethods.SECURITY_ATTRIBUTES GetSecAttrs(FileShare share)
    {
        UnsafeNativeMethods.SECURITY_ATTRIBUTES secAttrs = null;
        if ((share & FileShare.Inheritable) != 0) {
            secAttrs = new UnsafeNativeMethods.SECURITY_ATTRIBUTES();
            secAttrs.nLength = (int)Marshal.SizeOf(secAttrs);

            secAttrs.bInheritHandle = 1;
        }
        return secAttrs;
    }
}
}