Implement Tar APIs

[carlossanlop]

Fixes #65951

Approved proposal in this comment: #65951 (comment)

It's ready to review but I still have some small TODOs to address.

• Some tests depend on the runtime-assets that need to be merged first: Add System.Formats.Tar test assets runtime-assets#238
• Need to implement the latest stream-based TarFile methods.
• Async methods (might submit them in a separate PR if that's ok).
• Some Unix-specific syscall issues. @eerhardt @tmds I would appreciate if you could help me with those. I'll tag you.

cc @baronfel

[ghost]

Tagging subscribers to this area: @dotnet/area-system-io
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Fixes #65951

It's ready to review but I still have some small TODOs to address.

• Some tests depend on the runtime-assets that need to be merged first: Add System.Formats.Tar test assets runtime-assets#238
• Need to implement the latest stream-based TarFile methods.
• Async methods (might submit them in a separate PR if that's ok).
• Some Unix-specific syscall issues. @eerhardt @tmds I would appreciate if you could help me with those. I'll tag you.

cc @baronfel

Author:	carlossanlop
Assignees:	carlossanlop
Labels:	area-System.IO
Milestone:	7.0.0

[dotnet-issue-labeler]

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

[danmoseley]

can we share the existing WrappedStream.cs by moving it into Common?

[carlossanlop]

We actually have one already being shared, but I needed to slightly modify it for my own purposes and didn't want to break the other tests depending on it. So that's why I had to copy it here.

[danmoseley]

It's very similar. I wonder if there's a way to parameterize a single copy.

[danmoseley]

I didn't review properly - someone else will need to 😃

[stephentoub]

In general what's the plan for all these TODOs?

[carlossanlop]

Address them before merging.

[jeffhandley]

If we start getting close to the Preview 4 snap such that the merge is at-risk, I'd also be open to filing a follow-up issue for any of the TODOs that aren't blocking, for them to be addressed in Preview 5.

[carlossanlop]

I can collect a list of the pending TODOs into a comment so we can document them in this preview as features that won't yet be fully working.

[stephentoub]

It'd be much more efficient to parse this with IndexOf rather than Split

[stephentoub]

Can these be spans instead? e.g.

private static ReadOnlySpan<byte> PaxMagic => new byte[] { ... };

?

[carlossanlop]

I noticed the suggestion is a property. Is this smart enough to cache the array, instead of returning new byte[] every time it is called?

[carlossanlop]

I changed this, but I'm still curious. I suspect the answer is that it gets cached.

[gfoidl]

Roslyn has an optimization to refer to the static data segment of the assembly. So no allocation happens here.
See sharplab.

[stephentoub]

I'll stop commenting on these, too, but there are more efficient ways to do this rather than allocating new byte[]s each time.

[carlossanlop]

Fixed with ArrayPool.

[carlossanlop]

I seem to have generated the tar and tar.gz files from runtime-testdata with the wrong uid and gid, so some tests will fail due to that. I'll have to generate them again with the script and update the package here.

Edit: Fixed.

[tmds]

Unlike tar this doesn't respect umask while extracting.

[tmds]

See my elaborate comment here: #67883 (comment).

I think we want to respect the umask since that is something that protects the user for unintentionally opening up permissions.

To do that, you can call the internal SafeHandle.Open on Unix that accepts Interop.Sys.Permissions:

runtime/src/libraries/System.Private.CoreLib/src/Microsoft/Win32/SafeHandles/SafeFileHandle.Unix.cs

Lines 185 to 190 in dbf5c58

	internal static SafeFileHandle Open(string fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, long preallocationSize,
	Interop.Sys.Permissions openPermissions = DefaultOpenPermissions,
	Func<Interop.ErrorInfo, Interop.Sys.OpenFlags, string, Exception?>? createOpenException = null)
	{
	return Open(fullPath, mode, access, share, options, preallocationSize, openPermissions, out _, out _, createOpenException);
	}

Per that comment, at some point we'll also want to support applying all permissions (including sticky, setgroup, setuser), and setting ownership (uid, gid). The API will need to be extended to support that use-case.

cc @eerhardt

[tmds]

// If the permissions weren't set at all

Why are we ignoring permissions when none are set?

[carlossanlop]

I saw your other comment. This is probably wrong so I'll fix it.

[tmds]

tar files have permissions and ownership information.
The tar command has flags that controls these.

By default:

• For a regular user, tar will not set the owner, and filter out priviledged bits from the permissions (because the user can't set them). The process umask is respected.
• For root, tar will set the owner, and set all permission bits. The process umask is ignored.

The implementation isn't considering ownership at the moment, and the permission bits get filtered for priviledged bits but the umask gets ignored.

I think we should default to the regular user tar behavior.

To be able to opt into the other mode, the API will need to be extended. This doesn't need to happen now if only the default mode should be supported. Though maybe you want to take it into account already, and for example introduce ExtractOptions and add Overwrite to it instead of making it an argument.

[adamsitnik]

would it be possible to use inheritdoc and avoid the need of having dedicated docs for methods that just call base class implementation?

[adamsitnik]

I assume it's on the TODO list?

[carlossanlop]

Yes, async will have to be implemented later.

[stephentoub]

If we're not going to implement these as part of this PR, I'd prefer they be removed, at least from the ref, until they're implemented. It's otherwise a bad experience to add new APIs that aren't yet implemented.

[carlossanlop]

No problem. Removing them from the ref.

[adamsitnik]

this struct seems to be very large and I would not expect it to get us some perf. What are we getting by keeping it a struct?

[carlossanlop]

Would you prefer if I use class? And maybe split it into internal class TarHeaderRead and internal class TarHeaderWrite?

[adamsitnik]

I expect us to get no perf benefits from keeping it struct, while we can run into issues like modifying a copy instead:

TarHeader header = new();
header._mode = 1;

SetMode(header);

Console.WriteLine(header._mode); // prints 1 as we have passed struct copy to SetMode and modified a copy

static void SetMode(TarHeader h) => h._mode = 2;

[adamsitnik]

Checking current time is expensive. IMO the current implementation (having only the UnixEpoch check) is all we need.

[adamsitnik]

Can we call these something other than "sub" and "super"? I find the terminology confusing.

@stephentoub SuperSubmarineStream? ;)

[adamsitnik]

Fixed. Now I lazy-initialize this field.

@carlossanlop have you pushed these changes? I can still see _header._extendedAttributes = new Dictionary<string, string>();

[adamsitnik]

Should we re-propose this as uint instead of int?

That would be my preference, but get ready for a lot of pushback at the review :)

[adamsitnik]

perf: since Path.GetFileName returns only a substring of the provided path, we could use the overload that returns ReadOnlySpan<char> here and make SanitizeEntryFilePath accept ROS and avoid additional string allocation

[adamsitnik]

just for my education: for what input this could be true?

[adamsitnik]

why would we like to remove the file now, if the method can still throw few checks later?

If we want to overwrite a file we can use FileMode.Create when creating a FileStream:

Specifies that the operating system should create a new file. If the file already exists, it will be overwritten.

[adamsitnik]

if you create FileStream with FileMode.CreateNew it's going to throw if the file already exists.

Suggested change

	if (Path.Exists(destinationFileName))
	{
	throw new IOException(string.Format(SR.IO_FileExists_Name, destinationFileName));
	}
	using FileStream fs = File.Create(destinationFileName, bufferSize: 0x1000, FileOptions.None);
	using FileStream fs = new (destinationFileName, FileMode.CreateNew, FileAccess.Write);

[adamsitnik]

not related to your PR: I find it unintuitive that a buffer rented from array pool is passed by reference to a helper method. I needed to verify that the helper method returns the buffer to the pool in case it's too small.

[carlossanlop]

Is there anything I should do on my code to help improve its readability? Or maybe should we open an issue to discuss it separately?

[danmoseley]

You can just do the rent/return inside EntryFromPath as an implementation detail.

[adamsitnik]

I expect us to get no perf benefits from keeping it struct, while we can run into issues like modifying a copy instead:

TarHeader header = new();
header._mode = 1;

SetMode(header);

Console.WriteLine(header._mode); // prints 1 as we have passed struct copy to SetMode and modified a copy

static void SetMode(TarHeader h) => h._mode = 2;

[carlossanlop]

The 3 test failures are unrelated to my changes.

[adamsitnik]

As discussed, offline, let's merge it now, include in Preview4 and address remaining feedback later (#68230).

Big thanks for you work @carlossanlop !

[carlossanlop]

Thanks Adam! I'll add your latest feedback to the follow-up issue checklist.

[carlossanlop]

/backport to release/7.0-preview4

[github-actions]

Started backporting to release/7.0-preview4: /~https://github.com/dotnet/runtime/actions/runs/2203040454

[github-actions]

@carlossanlop backporting to release/7.0-preview4 failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: Implement Tar APIs
Applying: Address some comment suggestions.
Applying: Add SystemFormatsTarTestData package dependency entries and versions.
Applying: Merge the major and minor p/invokes into a single one.
Applying: Address exception and nullability suggestions.
Applying: Adjust tests for the latest suggestions.
Applying: Document elevation requirement to extract device files on Unix.
Applying: Add tests to verify extraction without elevation throws for device files. Rename file for TarFile Extraction to filesystem.
Applying: Add separate expected mode for special files from assets (644).
Applying: Bump assets version to one with the fix
error: sha1 information is lacking or useless (eng/Versions.props).
error: could not build fake ancestor
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0010 Bump assets version to one with the fix
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!