Fix config access due to race condition

[JoshuaSBrown]

PR Description

See issue for what triggered this PR #1241. The PR pulls out the Config structure a C struct with no safety mechanisms to prevent race conditions and memory corruption. The global config file is placed behind thread locks, in addition a switch is placed in front of initializing the Config structure to prevent excessive reads from the config file once the global state has been loaded into memory.

Tasks

• - A description of the PR has been provided, and a diagram included if it is a new feature.
• - Formatter has been run
• - CHANGELOG comment has been added
• - Labels have been assigned to the pr
• - A reviwer has been added
• - A user has been assigned to work on the pr
• - If new feature a unit test has been added

Summary by Sourcery

Refactor config loading and access to prevent race conditions and improve thread safety.

Bug Fixes:

• Fixed a race condition when accessing configuration values.

Enhancements:

• Improved thread safety for configuration access.
• Refactored logging to use a dedicated logging module.
• Introduced utility functions for UUID decoding and formatting.

Tests:

• Added unit tests for the new config module and utility functions.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request addresses a race condition in the configuration access by using a read-write lock to protect the global configuration. It also refactors the configuration loading and access logic into a separate file, and removes the logging macros from the main source file.

Sequence diagram showing thread-safe configuration access

sequenceDiagram
    participant T1 as Thread 1
    participant T2 as Thread 2
    participant CM as ConfigManager
    participant C as Config

    Note over CM: Using read-write lock for thread safety

    T1->>CM: getConfigVal()
    activate CM
    CM->>CM: pthread_rwlock_rdlock()
    CM->>C: Read config value
    CM->>CM: pthread_rwlock_unlock()
    CM-->>T1: Return value
    deactivate CM

    T2->>CM: setConfigVal()
    activate CM
    CM->>CM: pthread_rwlock_wrlock()
    CM->>C: Write config value
    CM->>CM: pthread_rwlock_unlock()
    CM-->>T2: Return status
    deactivate CM

Loading

Class diagram showing the new configuration and utility structure

classDiagram
    class Config {
      +char repo_id[MAX_ID_LEN]
      +char server_addr[MAX_ADDR_LEN]
      +char pub_key[MAX_KEY_LEN]
      +char priv_key[MAX_KEY_LEN]
      +char server_key[MAX_KEY_LEN]
      +char user[MAX_ID_LEN]
      +char test_path[MAX_PATH_LEN]
      +char log_path[MAX_PATH_LEN]
      +char globus_collection_path[MAX_PATH_LEN]
      +size_t timeout
    }

    class ConfigManager {
      -Config g_config
      -bool config_loaded
      -pthread_rwlock_t config_rwlock
      +bool initializeGlobalConfig()
      +void allowConfigReinitialization()
      +bool getConfigVal(char* label, char* dest, size_t max_len)
      +bool setConfigVal(char* label, char* src)
      +Config createLocalConfigCopy()
    }

    class Util {
      +void uuidToStr(unsigned char* uuid, char* out)
      +bool decodeUUID(char* input, char* uuid)
    }

    class AuthzLog {
      +FILE* log_file
      +bool write_to_file
      +void AUTHZ_LOG_DEBUG()
      +void AUTHZ_LOG_INFO()
      +void AUTHZ_LOG_ERROR()
      +void AUTHZ_LOG_INIT()
      +void AUTHZ_LOG_CLOSE()
    }

    ConfigManager --> Config : manages
    note for ConfigManager "Thread-safe configuration management"

Loading

File-Level Changes

Change	Details	Files
Refactor configuration loading and access logic.	Introduce a new Config.h and Config.c file to encapsulate configuration logic. Implement functions to load, validate, and access configuration values. Use a read-write lock to protect the global configuration from race conditions. Move the configuration loading logic from libauthz.c to Config.c. Add functions to get and set config values.	repository/gridftp/globus5/authz/source/Config.h repository/gridftp/globus5/authz/source/Config.c
Remove logging macros from libauthz.c.	Remove the logging macros from libauthz.c. Include AuthzLog.h for logging functionality.	repository/gridftp/globus5/authz/source/libauthz.c
Add utility functions for UUID encoding and decoding.	Introduce a new Util.h and Util.c file to encapsulate UUID encoding and decoding logic. Implement functions to convert a UUID to a string and decode a string to a UUID.	repository/gridftp/globus5/authz/source/Util.h repository/gridftp/globus5/authz/source/Util.c
Update AuthzWorker to use the new config structure.	Update the AuthzWorker class to use the new Config struct instead of a pointer. Update the AuthzWorker class to use the new getConfigVal function.	repository/gridftp/globus5/authz/source/AuthzWorker.cpp repository/gridftp/globus5/authz/source/AuthzWorker.hpp
Update tests to use the new config structure.	Update the tests to use the new Config struct instead of a pointer. Add new tests for the config and util files. Update the CMakeLists.txt to include the new tests.	repository/gridftp/globus5/authz/tests/unit/test_AuthzWorker.cpp repository/gridftp/globus5/authz/tests/unit/CMakeLists.txt repository/gridftp/globus5/authz/tests/unit/test_Config.cpp repository/gridftp/globus5/authz/tests/unit/test_Util.cpp

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[JoshuaSBrown]

@par-hermes format

[sourcery-ai]

Hey @JoshuaSBrown - I've reviewed your changes and they look great!

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[t-ramz]

I have a few comments about Config.c

[t-ramz]

Should this copy the max length or size_t len? I'm not sure how safe the operation is, but if you provide a larger size than the string is, you could have a memory access issue.

[AronPerez]

#1252 (comment)

Will get stopped by this as far as I can tell.

len > a_max_len

[t-ramz]

That will prevent copying larger data into a smaller string, I am worried about the copy function trying to copy more than the source string has to offer.
e.g.

size_t max = 15;
char* source = "hi";
char destination[max];
strncpy(destination, source, max);

where the first two characters of source are valid, but what about the next 13 in this case? It could try to copy that arbitrary memory, I'm not sure

[JoshuaSBrown]

When you use "" C auto appends the null terminator. So "hi" is actualy 'h' 'i' '\0'.

If you have a char array of just 'h', 'i' yes you will copy in whatever is after that until max is reached.

[t-ramz]

I had found incorrect documentation on strncpy, GeeksForGeeks had said the final parameter was the number of characters copied, not the maximum characters copied.

C++ Ref, on the other hand says it's max characters.

Which leads me to another question:
Where are some good online docs for the C standard library?

[t-ramz]

Is there any way we could pick up or process non-C strings?

[JoshuaSBrown]

This is partly why I have the C++ code mixed in as soon as possible. I am not aware of standard string support in the C language. The string.h file only provides utility functions i.e. strlen.

[t-ramz]

I'm a little confused by the format string, but it certainly seems to work.

[t-ramz]

My C is rusty (ha!) and I've been looking at too much JS and Python is assignment like this Copy by default?

[JoshuaSBrown]

Correct C is copy by default. You have to use & or a pointer for referneces.

[t-ramz]

Nice!!!

[t-ramz]

Looks like we're set up for a single return, and this else can skip the unlock, write to dest and set err=true;

[t-ramz]

The else should likely set err to true

[JoshuaSBrown]

Good catch.

[AronPerez]

Questions about:

1. Needing to use pthread_rwlock_unlock after aquiring the read lock with pthread_rwlock_rdlock.
2. General C practices.

[AronPerez]

Do we need to release the lock here with pthread_rwlock_unlock?

I'm reading if the lock is still held, the thread can become deadlocked.

[t-ramz]

Good catch! Yes, early return will need to be unlocked.

[t-ramz]

I think this function can, and should, be refactored to a single return for this reason. Maybe along the lines of

bool err = false;
if (!config_loaded) {
    if (config_file) {
        while () ...
    } else {
        err = true;
    }
}
...
unlock();
return err;

Will also need to set config_loaded accordingly

[JoshuaSBrown]

Good catches @AronPerez

[AronPerez]

Question about deadlock here.

[AronPerez]

Question about deadlock here

[AronPerez]

Question about deadlock here

[JoshuaSBrown]

Looks to be missing an unlock good catch.

[AronPerez]

Do we need the else? Seems like we'd release the write lock and return error anyhow.

[JoshuaSBrown]

If err is initialized as true, you are correct we can get rid of the else good point.

[AronPerez]

Does 1024 refer to some data size?

[AronPerez]

256 corresponds to the max id length correct? Seems like a magic number that could benefit from an explicit constant name for readability purposes.

Same applies to value value.

[AronPerez]

General C question from this.

 * This function copies a source string (`a_src`) to a destination buffer
 * (`a_dest`) while ensuring the length of the source string does not exceed the
 * maximum allowed length

Is it bad practice to ensure null termination when using strncpy, even if we know we don't exactly need it? There's no scenario where a_src is longer than a_max_len cause

if (len > a_max_len)

So no buffer overruns or memory leaks.

I was reading this https://cboard.cprogramming.com/c-programming/117061-null-termination-str-n-cpy-strlen.html#post872229

[JoshuaSBrown]

This is a really good catch, and demonstrates your attention to detail. You are correct, strlen only returns the number of chars excluding the null pointer. This should raise an error if len + 1 > a_max_len. strncpy will auto append \0 as long as there is room.

[t-ramz]

Yeah this is a great catch, I didn't think about the possibility of running out of space for the null terminator during copy.
I'm not sure if it's more clear to write len + 1 > a_max_len or len >= a_max_len or size_t len = strlen(a_src) + 1; but whichever way I feel like it should be noted somewhere nearby the reason for a change.

[t-ramz]

I like having retries. Is there something that prompted this?

[t-ramz]

Adding a comment so this Debug code doesn't get left in PR, or gets better naming.