/*	$OpenBSD: recover.c,v 1.26 2017/06/12 18:38:57 millert Exp $	*/

/*-

 * Copyright (c) 1993, 1994

 *	The Regents of the University of California.  All rights reserved.

 * Copyright (c) 1993, 1994, 1995, 1996

 *	Keith Bostic.  All rights reserved.

 *

 * See the LICENSE file for redistribution information.

 */

#include "config.h"

#include <sys/queue.h>

#include <sys/stat.h>

#include <sys/time.h>

/*

 * We include <sys/file.h>, because the open #defines were found there

 * on historical systems.  We also include <fcntl.h> because the open(2)

 * #defines are found there on newer systems.

 */

#include <sys/file.h>

#include <bitstring.h>

#include <dirent.h>

#include <errno.h>

#include <fcntl.h>

#include <limits.h>

#include <paths.h>

#include <pwd.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <time.h>

#include <unistd.h>

#include "common.h"

/*

 * Recovery code.

 *

 * The basic scheme is as follows.  In the EXF structure, we maintain full

 * paths of a b+tree file and a mail recovery file.  The former is the file

 * used as backing store by the DB package.  The latter is the file that

 * contains an email message to be sent to the user if we crash.  The two

 * simple states of recovery are:

 *

 *	+ first starting the edit session:

 *		the b+tree file exists and is mode 700, the mail recovery

 *		file doesn't exist.

 *	+ after the file has been modified:

 *		the b+tree file exists and is mode 600, the mail recovery

 *		file exists, and is exclusively locked.

 *

 * In the EXF structure we maintain a file descriptor that is the locked

 * file descriptor for the mail recovery file.  NOTE: we sometimes have to

 * do locking with fcntl(2).  This is a problem because if you close(2) any

 * file descriptor associated with the file, ALL of the locks go away.  Be

 * sure to remember that if you have to modify the recovery code.  (It has

 * been rhetorically asked of what the designers could have been thinking

 * when they did that interface.  The answer is simple: they weren't.)

 *

 * To find out if a recovery file/backing file pair are in use, try to get

 * a lock on the recovery file.

 *

 * To find out if a backing file can be deleted at boot time, check for an

 * owner execute bit.  (Yes, I know it's ugly, but it's either that or put

 * special stuff into the backing file itself, or correlate the files at

 * boot time, neither of which looks like fun.)  Note also that there's a

 * window between when the file is created and the X bit is set.  It's small,

 * but it's there.  To fix the window, check for 0 length files as well.

 *

 * To find out if a file can be recovered, check the F_RCV_ON bit.  Note,

 * this DOES NOT mean that any initialization has been done, only that we

 * haven't yet failed at setting up or doing recovery.

 *

 * To preserve a recovery file/backing file pair, set the F_RCV_NORM bit.

 * If that bit is not set when ending a file session:

 *	If the EXF structure paths (rcv_path and rcv_mpath) are not NULL,

 *	they are unlink(2)'d, and free(3)'d.

 *	If the EXF file descriptor (rcv_fd) is not -1, it is closed.

 *

 * The backing b+tree file is set up when a file is first edited, so that

 * the DB package can use it for on-disk caching and/or to snapshot the

 * file.  When the file is first modified, the mail recovery file is created,

 * the backing file permissions are updated, the file is sync(2)'d to disk,

 * and the timer is started.  Then, at RCV_PERIOD second intervals, the

 * b+tree file is synced to disk.  RCV_PERIOD is measured using SIGALRM, which

 * means that the data structures (SCR, EXF, the underlying tree structures)

 * must be consistent when the signal arrives.

 *

 * The recovery mail file contains normal mail headers, with two additions,

 * which occur in THIS order, as the FIRST TWO headers:

 *

 *	X-vi-recover-file: file_name

 *	X-vi-recover-path: recover_path

 *

 * Since newlines delimit the headers, this means that file names cannot have

 * newlines in them, but that's probably okay.  As these files aren't intended

 * to be long-lived, changing their format won't be too painful.

 *

 * Btree files are named "vi.XXXX" and recovery files are named "recover.XXXX".

 */

#define	VI_FHEADER	"X-vi-recover-file: "

#define	VI_PHEADER	"X-vi-recover-path: "

static int	 rcv_copy(SCR *, int, char *);

static void	 rcv_email(SCR *, char *);

static char	*rcv_gets(char *, size_t, int);

static int	 rcv_mailfile(SCR *, int, char *);

static int	 rcv_mktemp(SCR *, char *, char *, int);

/*

 * rcv_tmp --

 *	Build a file name that will be used as the recovery file.

 *

 * PUBLIC: int rcv_tmp(SCR *, EXF *, char *);

 */

int

rcv_tmp(SCR *sp, EXF *ep, char *name)

{

	static int warned = 0;

	int fd;

	/*

	 * !!!

	 * ep MAY NOT BE THE SAME AS sp->ep, DON'T USE THE LATTER.

	 */

		goto err;

		}

	}

	/* Newlines delimit the mail messages. */

		    "Files with newlines in the name are unrecoverable");

		}

		goto err;

		    "Modifications not recoverable if the session fails");

	}

	/* We believe the file is recoverable. */

}

/*

 * rcv_init --

 *	Force the file to be snapshotted for recovery.

 *

 * PUBLIC: int rcv_init(SCR *);

 */

int

rcv_init(SCR *sp)

{

	EXF *ep;

	/* Only do this once. */

	/* If we already know the file isn't recoverable, we're done. */

	/* Turn off recoverability until we figure out if this will work. */

	/* Test if we're recovering a file, not editing one. */

		/* Build a file to mail to the user. */

			goto err;

		/* Force a read of the entire file. */

			goto err;

		/* Turn on a busy message, and sync it to backing store. */

		    "Copying file for recovery...", BUSY_ON);

			    "Preservation failed: %s");

		}

	}

	/* Turn off the owner execute bit. */

	/* We believe the file is recoverable. */

	    "Modifications not recoverable if the session fails");

}

/*

 * rcv_sync --

 *	Sync the file, optionally:

 *		flagging the backup file to be preserved

 *		snapshotting the backup file and send email to the user

 *		sending email to the user if the file was modified

 *		ending the file session

 *

 * PUBLIC: int rcv_sync(SCR *, u_int);

 */

int

rcv_sync(SCR *sp, u_int flags)

{

	EXF *ep;

	int fd, rval;

	/* Make sure that there's something to recover/sync. */

	/* Sync the file if it's been modified. */

		}

		/* REQUEST: don't remove backing file on exit. */

		/* REQUEST: send email. */

	}

	/*

	 * !!!

	 * Each time the user exec's :preserve, we have to snapshot all of

	 * the recovery information, i.e. it's like the user re-edited the

	 * file.  We copy the DB(3) backing file, and then create a new mail

	 * recovery file, it's simpler than exiting and reopening all of the

	 * underlying files.

	 *

	 * REQUEST: snapshot the file.

	 */

	rval = 0;

			goto err;

			goto err;

		    "Copying file for recovery...", BUSY_ON);

			rval = 1;

		}

	}

	if (0) {

err:		rval = 1;

	}

	/* REQUEST: end the file session. */

}

/*

 * rcv_mailfile --

 *	Build the file to mail to the user.

 */

static int

rcv_mailfile(SCR *sp, int issync, char *cp_path)

{

	EXF *ep;

	GS *gp;

	struct passwd *pw;

	size_t len;

	uid_t uid;

	int fd;

	char *t1, *t2, *t3;

		    "Information on user id %u not found", uid);

	}

	/*

	 * XXX

	 * We keep an open lock on the file so that the recover option can

	 * distinguish between files that are live and those that need to

	 * be recovered.  There's an obvious window between the mkstemp call

	 * and the lock, but it's pretty small.

	 */

		/* Save the recover file descriptor, and mail path. */

		}

	}

	/*

	 * XXX

	 * We can't use stdio(3) here.  The problem is that we may be using

	 * fcntl(2), so if ANY file descriptor into the file is closed, the

	 * lock is lost.  So, we could never close the FILE *, even if we

	 * dup'd the fd first.

	 */

	else

	    "%s%s\n%s%s\n%s\n%s\n%s%s\n%s%s\n%s\n%s\n\n",

	    VI_FHEADER, t,			/* Non-standard. */

	    VI_PHEADER, cp_path,		/* Non-standard. */

	    "Reply-To: root",

	    "From: root (Nvi recovery program)",

	    "Subject: Nvi saved the file ", p,

	    "Precedence: bulk",			/* For vacation(1). */

	    "Auto-Submitted: auto-generated");

		goto lerr;

		goto werr;

	    "%s%.24s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n\n",

	    " was editing a file named ", t, " on the machine ",

	    host, ", when it was saved for recovery. ",

	    "You can recover most, if not all, of the changes ",

	}

	/*

	 * Format the message.  (Yes, I know it's silly.)

	 * Requires that the message end in a <newline>.

	 */

#define	FMTCOLS	60

		/* Check for a short length. */

		}

		/* Check for a required <newline>. */

			goto wout;

		/* Find the closest space, if any. */

					goto wout;

				t3 = t2;

			}

		/* t2 points to the last character to display. */

		/* t2 points one after the last character to display. */

			goto werr;

	}

		}

	}

}

/*

 *	people making love

 *	never exactly the same

 *	just like a snowflake

 *

 * rcv_list --

 *	List the files that can be recovered by this user.

 *

 * PUBLIC: int rcv_list(SCR *);

 */

int

rcv_list(SCR *sp)

{

	struct dirent *dp;

	DIR *dirp;

	int fd;

	FILE *fp;

	int found;

	/* Open the recovery directory for reading. */

	}

	/* Read the directory. */

			continue;

		/*

		 * If it's readable, it's recoverable.

		 */

			continue;

		case LOCK_FAILED:

			/*

			 * XXX

			 * Assume that a lock can't be acquired, but that we

			 * should permit recovery anyway.  If this is wrong,

			 * and someone else is using the file, we're going to

			 * die horribly.

			 */

			break;

		case LOCK_SUCCESS:

			break;

		case LOCK_UNAVAIL:

			/* If it's locked, it's live. */

		}

		/* Check the headers. */

		}

			    "%s: malformed recovery file");

		}

		/*

		 * If the file doesn't exist, it's an orphaned recovery file,

		 * toss it.

		 *

		 * XXX

		 * This can occur if the backup file was deleted and we crashed

		 * before deleting the email file.

		 */

		}

		/* Get the last modification time and display. */

		/* Close, discarding lock. */

	}

}

/*

 * rcv_read --

 *	Start a recovered file as the file to edit.

 *

 * PUBLIC: int rcv_read(SCR *, FREF *);

 */

int

rcv_read(SCR *sp, FREF *frp)

{

	struct dirent *dp;

	DIR *dirp;

	EXF *ep;

	struct timespec rec_mtim;

	int fd, found, locked, requested, sv_fd;

	char *name, *p, *t, *rp, *recp, *pathp;

	}

	sv_fd = -1;

	rec_mtim.tv_sec = rec_mtim.tv_nsec = 0;

	recp = pathp = NULL;

			continue;

		    sizeof(recpath), "%s/%s", rp, dp->d_name);

		/*

		 * If it's readable, it's recoverable.  It would be very

		 * nice to use stdio(3), but, we can't because that would

		 * require closing and then reopening the file so that we

		 * could have a lock and still close the FP.  Another tip

		 * of the hat to fcntl(2).

		 *

		 * XXX

		 * Should be O_RDONLY, we don't want to write it.  However,

		 * if we're using fcntl(2), there's no way to lock a file

		 * descriptor that's not open for writing.

		 */

			continue;

		case LOCK_FAILED:

			/*

			 * XXX

			 * Assume that a lock can't be acquired, but that we

			 * should permit recovery anyway.  If this is wrong,

			 * and someone else is using the file, we're going to

			 * die horribly.

			 */

			locked = 0;

		case LOCK_SUCCESS:

			locked = 1;

		case LOCK_UNAVAIL:

			/* If it's locked, it's live. */

		}

		/* Check the headers. */

			    "%s: malformed recovery file");

		}

		/*

		 * If the file doesn't exist, it's an orphaned recovery file,

		 * toss it.

		 *

		 * XXX

		 * This can occur if the backup file was deleted and we crashed

		 * before deleting the email file.

		 */

		}

		/* Check the file name. */

			goto next;

		/*

		 * If we've found more than one, take the most recent.

		 */

			p = recp;

			t = pathp;

				recp = p;

			}

				recp = p;

				pathp = t;

			}

			}

			sv_fd = fd;

	}

		    "No files named %s, readable by you, to recover");

	}

	    "There are older versions of this file for you to recover");

			    "There are other files for you to recover");

	}

	/*

	 * Create the FREF structure, start the btree file.

	 *

	 * XXX

	 * file_init() is going to set ep->rcv_path.

	 */

	}

	/*

	 * We keep an open lock on the file so that the recover option can

	 * distinguish between files that are live and those that need to

	 * be recovered.  The lock is already acquired, just copy it.

	 */

	/* We believe the file is recoverable. */

}

/*

 * rcv_copy --

 *	Copy a recovery file.

 */

static int

rcv_copy(SCR *sp, int wfd, char *fname)

{

	int nr, nw, off, rfd;

		goto err;

				goto err;

}

/*

 * rcv_gets --

 *	Fgets(3) for a file descriptor.

 */

static char *

rcv_gets(char *buf, size_t len, int fd)

{

	int nr;

	char *p;

}

/*

 * rcv_mktemp --

 *	Paranoid make temporary file routine.

 */

static int

rcv_mktemp(SCR *sp, char *path, char *dname, int perms)

{

	int fd;

	/*

	 * !!!

	 * We expect mkstemp(3) to set the permissions correctly.  On

	 * historic System V systems, mkstemp didn't.  Do it here, on

	 * GP's.  This also protects us from users with stupid umasks.

	 *

	 * XXX

	 * The variable perms should really be a mode_t.

	 */

			fd = -1;

		}

	}

}

/*

 * rcv_email --

 *	Send email.

 */

static void

rcv_email(SCR *sp, char *fname)

{

		    _PATH_SENDMAIL, "not sending email: %s");

	else {

		/*

		 * !!!

		 * If you need to port this to a system that doesn't have

		 * sendmail, the -t flag causes sendmail to read the message

		 * for the recipients instead of specifying them some other

		 * way.

		 */

		    "%s -t < %s", _PATH_SENDMAIL, fname);

	}

}