github.com/himawarisunflower/go-update@v0.0.0-20210917073417-3bee296db6a2/apply.go

github.com/himawarisunflower/go-update@v0.0.0-20210917073417-3bee296db6a2/apply.go (about)

     1  package update
     2  
     3  import (
     4  	"bytes"
     5  	"crypto"
     6  	"crypto/x509"
     7  	"encoding/pem"
     8  	"errors"
     9  	"fmt"
    10  	"io"
    11  	"io/ioutil"
    12  	"os"
    13  	"path/filepath"
    14  
    15  	"github.com/inconshreveable/go-update/internal/osext"
    16  )
    17  
    18  var (
    19  	openFile = os.OpenFile
    20  )
    21  
    22  // Apply performs an update of the current executable (or opts.TargetFile, if set) with the contents of the given io.Reader.
    23  //
    24  // Apply performs the following actions to ensure a safe cross-platform update:
    25  //
    26  // 1. If configured, applies the contents of the update io.Reader as a binary patch.
    27  //
    28  // 2. If configured, computes the checksum of the new executable and verifies it matches.
    29  //
    30  // 3. If configured, verifies the signature with a public key.
    31  //
    32  // 4. Creates a new file, /path/to/.target.new with the TargetMode with the contents of the updated file
    33  //
    34  // 5. Renames /path/to/target to /path/to/.target.old
    35  //
    36  // 6. Renames /path/to/.target.new to /path/to/target
    37  //
    38  // 7. If the final rename is successful, deletes /path/to/.target.old, returns no error. On Windows,
    39  // the removal of /path/to/target.old always fails, so instead Apply hides the old file instead.
    40  //
    41  // 8. If the final rename fails, attempts to roll back by renaming /path/to/.target.old
    42  // back to /path/to/target.
    43  //
    44  // If the roll back operation fails, the file system is left in an inconsistent state (betweet steps 5 and 6) where
    45  // there is no new executable file and the old executable file could not be be moved to its original location. In this
    46  // case you should notify the user of the bad news and ask them to recover manually. Applications can determine whether
    47  // the rollback failed by calling RollbackError, see the documentation on that function for additional detail.
    48  func Apply(update io.Reader, opts Options) error {
    49  	// validate
    50  	verify := false
    51  	switch {
    52  	case opts.Signature != nil && opts.PublicKey != nil:
    53  		// okay
    54  		verify = true
    55  	case opts.Signature != nil:
    56  		return errors.New("no public key to verify signature with")
    57  	case opts.PublicKey != nil:
    58  		return errors.New("No signature to verify with")
    59  	}
    60  
    61  	// set defaults
    62  	if opts.Hash == 0 {
    63  		opts.Hash = crypto.SHA256
    64  	}
    65  	if opts.Verifier == nil {
    66  		opts.Verifier = NewECDSAVerifier()
    67  	}
    68  	if opts.TargetMode == 0 {
    69  		opts.TargetMode = 0755
    70  	}
    71  
    72  	// get target path
    73  	var err error
    74  	opts.TargetPath, err = opts.getPath()
    75  	if err != nil {
    76  		return err
    77  	}
    78  
    79  	var newBytes []byte
    80  	if opts.Patcher != nil {
    81  		if newBytes, err = opts.applyPatch(update); err != nil {
    82  			return err
    83  		}
    84  	} else {
    85  		// no patch to apply, go on through
    86  		if newBytes, err = ioutil.ReadAll(update); err != nil {
    87  			return err
    88  		}
    89  	}
    90  
    91  	// verify checksum if requested
    92  	if opts.Checksum != nil {
    93  		if err = opts.verifyChecksum(newBytes); err != nil {
    94  			return err
    95  		}
    96  	}
    97  
    98  	if verify {
    99  		if err = opts.verifySignature(newBytes); err != nil {
   100  			return err
   101  		}
   102  	}
   103  
   104  	// get the directory the executable exists in
   105  	updateDir := filepath.Dir(opts.TargetPath)
   106  	filename := filepath.Base(opts.TargetPath)
   107  
   108  	// Copy the contents of newbinary to a new executable file
   109  	newPath := filepath.Join(updateDir, fmt.Sprintf(".%s.new", filename))
   110  	fp, err := openFile(newPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, opts.TargetMode)
   111  	if err != nil {
   112  		return err
   113  	}
   114  	defer fp.Close()
   115  
   116  	_, err = io.Copy(fp, bytes.NewReader(newBytes))
   117  	if err != nil {
   118  		return err
   119  	}
   120  
   121  	// if we don't call fp.Close(), windows won't let us move the new executable
   122  	// because the file will still be "in use"
   123  	fp.Close()
   124  
   125  	// this is where we'll move the executable to so that we can swap in the updated replacement
   126  	oldPath := opts.OldSavePath
   127  	removeOld := opts.OldSavePath == ""
   128  	if removeOld {
   129  		oldPath = filepath.Join(updateDir, fmt.Sprintf(".%s.old", filename))
   130  	}
   131  
   132  	// delete any existing old exec file - this is necessary on Windows for two reasons:
   133  	// 1. after a successful update, Windows can't remove the .old file because the process is still running
   134  	// 2. windows rename operations fail if the destination file already exists
   135  	_ = os.Remove(oldPath)
   136  
   137  	// move the existing executable to a new file in the same directory
   138  	err = os.Rename(opts.TargetPath, oldPath)
   139  	if err != nil {
   140  		return err
   141  	}
   142  
   143  	// move the new exectuable in to become the new program
   144  	err = os.Rename(newPath, opts.TargetPath)
   145  
   146  	if err != nil {
   147  		// move unsuccessful
   148  		//
   149  		// The filesystem is now in a bad state. We have successfully
   150  		// moved the existing binary to a new location, but we couldn't move the new
   151  		// binary to take its place. That means there is no file where the current executable binary
   152  		// used to be!
   153  		// Try to rollback by restoring the old binary to its original path.
   154  		rerr := os.Rename(oldPath, opts.TargetPath)
   155  		if rerr != nil {
   156  			return &rollbackErr{err, rerr}
   157  		}
   158  
   159  		return err
   160  	}
   161  
   162  	// move successful, remove the old binary if needed
   163  	if removeOld {
   164  		errRemove := os.Remove(oldPath)
   165  
   166  		// windows has trouble with removing old binaries, so hide it instead
   167  		if errRemove != nil {
   168  			err = hideFile(oldPath)
   169  		}
   170  		if err != nil {
   171  			return err
   172  		}
   173  	}
   174  
   175  	return nil
   176  }
   177  
   178  // RollbackError takes an error value returned by Apply and returns the error, if any,
   179  // that occurred when attempting to roll back from a failed update. Applications should
   180  // always call this function on any non-nil errors returned by Apply.
   181  //
   182  // If no rollback was needed or if the rollback was successful, RollbackError returns nil,
   183  // otherwise it returns the error encountered when trying to roll back.
   184  func RollbackError(err error) error {
   185  	if err == nil {
   186  		return nil
   187  	}
   188  	if rerr, ok := err.(*rollbackErr); ok {
   189  		return rerr.rollbackErr
   190  	}
   191  	return nil
   192  }
   193  
   194  type rollbackErr struct {
   195  	error             // original error
   196  	rollbackErr error // error encountered while rolling back
   197  }
   198  
   199  type Options struct {
   200  	// TargetPath defines the path to the file to update.
   201  	// The emptry string means 'the executable file of the running program'.
   202  	TargetPath string
   203  
   204  	// Create TargetPath replacement with this file mode. If zero, defaults to 0755.
   205  	TargetMode os.FileMode
   206  
   207  	// Checksum of the new binary to verify against. If nil, no checksum or signature verification is done.
   208  	Checksum []byte
   209  
   210  	// Public key to use for signature verification. If nil, no signature verification is done.
   211  	PublicKey crypto.PublicKey
   212  
   213  	// Signature to verify the updated file. If nil, no signature verification is done.
   214  	Signature []byte
   215  
   216  	// Pluggable signature verification algorithm. If nil, ECDSA is used.
   217  	Verifier Verifier
   218  
   219  	// Use this hash function to generate the checksum. If not set, SHA256 is used.
   220  	Hash crypto.Hash
   221  
   222  	// If nil, treat the update as a complete replacement for the contents of the file at TargetPath.
   223  	// If non-nil, treat the update contents as a patch and use this object to apply the patch.
   224  	Patcher Patcher
   225  
   226  	// Store the old executable file at this path after a successful update.
   227  	// The empty string means the old executable file will be removed after the update.
   228  	OldSavePath string
   229  }
   230  
   231  // CheckPermissions determines whether the process has the correct permissions to
   232  // perform the requested update. If the update can proceed, it returns nil, otherwise
   233  // it returns the error that would occur if an update were attempted.
   234  func (o *Options) CheckPermissions() error {
   235  	// get the directory the file exists in
   236  	path, err := o.getPath()
   237  	if err != nil {
   238  		return err
   239  	}
   240  
   241  	fileDir := filepath.Dir(path)
   242  	fileName := filepath.Base(path)
   243  
   244  	// attempt to open a file in the file's directory
   245  	newPath := filepath.Join(fileDir, fmt.Sprintf(".%s.new", fileName))
   246  	fp, err := openFile(newPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, o.TargetMode)
   247  	if err != nil {
   248  		return err
   249  	}
   250  	fp.Close()
   251  
   252  	_ = os.Remove(newPath)
   253  	return nil
   254  }
   255  
   256  // SetPublicKeyPEM is a convenience method to set the PublicKey property
   257  // used for checking a completed update's signature by parsing a
   258  // Public Key formatted as PEM data.
   259  func (o *Options) SetPublicKeyPEM(pembytes []byte) error {
   260  	block, _ := pem.Decode(pembytes)
   261  	if block == nil {
   262  		return errors.New("couldn't parse PEM data")
   263  	}
   264  
   265  	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
   266  	if err != nil {
   267  		return err
   268  	}
   269  	o.PublicKey = pub
   270  	return nil
   271  }
   272  
   273  func (o *Options) getPath() (string, error) {
   274  	if o.TargetPath == "" {
   275  		return osext.Executable()
   276  	} else {
   277  		return o.TargetPath, nil
   278  	}
   279  }
   280  
   281  func (o *Options) applyPatch(patch io.Reader) ([]byte, error) {
   282  	// open the file to patch
   283  	old, err := os.Open(o.TargetPath)
   284  	if err != nil {
   285  		return nil, err
   286  	}
   287  	defer old.Close()
   288  
   289  	// apply the patch
   290  	var applied bytes.Buffer
   291  	if err = o.Patcher.Patch(old, &applied, patch); err != nil {
   292  		return nil, err
   293  	}
   294  
   295  	return applied.Bytes(), nil
   296  }
   297  
   298  func (o *Options) verifyChecksum(updated []byte) error {
   299  	checksum, err := checksumFor(o.Hash, updated)
   300  	if err != nil {
   301  		return err
   302  	}
   303  
   304  	if !bytes.Equal(o.Checksum, checksum) {
   305  		return fmt.Errorf("Updated file has wrong checksum. Expected: %x, got: %x", o.Checksum, checksum)
   306  	}
   307  	return nil
   308  }
   309  
   310  func (o *Options) verifySignature(updated []byte) error {
   311  	checksum, err := checksumFor(o.Hash, updated)
   312  	if err != nil {
   313  		return err
   314  	}
   315  	return o.Verifier.VerifySignature(checksum, o.Signature, o.Hash, o.PublicKey)
   316  }
   317  
   318  func checksumFor(h crypto.Hash, payload []byte) ([]byte, error) {
   319  	if !h.Available() {
   320  		return nil, errors.New("requested hash function not available")
   321  	}
   322  	hash := h.New()
   323  	hash.Write(payload) // guaranteed not to error
   324  	return hash.Sum([]byte{}), nil
   325  }