fix(cli): harden okdev cp downloads (#87)

acmore · web-flow · commit 561c502b7826 · 2026-04-19T18:48:17.000+08:00
diff --git a/internal/cli/cp.go b/internal/cli/cp.go
@@ -185,6 +185,20 @@ func multiPodDownloadPath(localPath, shortName, remotePath string, remoteIsDir b
 	return filepath.Join(podDir, filepath.Base(remotePath))
 }
 
+func downloadTargetPath(localPath, shortName, remotePath string, remoteIsDir bool, podCount int) string {
+	if podCount == 1 {
+		return localPath
+	}
+	return multiPodDownloadPath(localPath, shortName, remotePath, remoteIsDir)
+}
+
+func downloadSuccessDestination(localPath, shortName string, podCount int) string {
+	if podCount == 1 {
+		return localPath
+	}
+	return filepath.Join(localPath, shortName) + string(os.PathSeparator)
+}
+
 type cpResult struct {
 	pod string
 	err error
@@ -263,6 +277,7 @@ func runMultiPodCp(cmd *cobra.Command, cc *commandContext, localPath, remotePath
 	out := cmd.OutOrStdout()
 	results := make(chan cpResult, len(pods))
 	sem := make(chan struct{}, effectiveFanout)
+	podCount := len(pods)
 
 	var wg sync.WaitGroup
 	for _, pod := range pods {
@@ -277,17 +292,12 @@ func runMultiPodCp(cmd *cobra.Command, cc *commandContext, localPath, remotePath
 			if upload {
 				cpErr = runSinglePodCp(ctx, cc.kube, cc.namespace, pod.Name, targetContainer, localPath, remotePath, true, io.Discard)
 			} else {
-				podDir := filepath.Join(localPath, short)
-				if err := os.MkdirAll(podDir, 0o755); err != nil {
-					results <- cpResult{pod: pod.Name, err: err}
-					return
-				}
 				isRemoteDir, err := cc.kube.IsRemoteDir(ctx, cc.namespace, pod.Name, targetContainer, remotePath)
 				if err != nil {
 					results <- cpResult{pod: pod.Name, err: err}
 					return
 				}
-				podLocalPath := multiPodDownloadPath(localPath, short, remotePath, isRemoteDir)
+				podLocalPath := downloadTargetPath(localPath, short, remotePath, isRemoteDir, podCount)
 				cpErr = runSinglePodCp(ctx, cc.kube, cc.namespace, pod.Name, targetContainer, podLocalPath, remotePath, false, io.Discard)
 			}
 			results <- cpResult{pod: pod.Name, err: cpErr}
@@ -309,7 +319,7 @@ func runMultiPodCp(cmd *cobra.Command, cc *commandContext, localPath, remotePath
 			if upload {
 				fmt.Fprintf(out, "%s: copied %s -> :%s\n", short, localPath, remotePath)
 			} else {
-				fmt.Fprintf(out, "%s: copied :%s -> %s/%s/\n", short, remotePath, localPath, short)
+				fmt.Fprintf(out, "%s: copied :%s -> %s\n", short, remotePath, downloadSuccessDestination(localPath, short, podCount))
 			}
 		}
 	}
diff --git a/internal/cli/cp_test.go b/internal/cli/cp_test.go
@@ -2,6 +2,7 @@ package cli
 
 import (
 	"fmt"
+	"path/filepath"
 	"strings"
 	"testing"
 
@@ -99,6 +100,70 @@ func TestMultiPodDownloadPath(t *testing.T) {
 	}
 }
 
+func TestDownloadTargetPath(t *testing.T) {
+	tests := []struct {
+		name        string
+		localPath   string
+		shortName   string
+		remotePath  string
+		remoteIsDir bool
+		podCount    int
+		want        string
+	}{
+		{
+			name:       "single pod file stays flat",
+			localPath:  "/tmp/out.txt",
+			shortName:  "worker-0",
+			remotePath: "/workspace/result.txt",
+			podCount:   1,
+			want:       "/tmp/out.txt",
+		},
+		{
+			name:        "single pod directory stays flat",
+			localPath:   "/tmp/out",
+			shortName:   "worker-0",
+			remotePath:  "/workspace/results",
+			remoteIsDir: true,
+			podCount:    1,
+			want:        "/tmp/out",
+		},
+		{
+			name:       "multi pod file nests by pod",
+			localPath:  "/tmp/out",
+			shortName:  "worker-0",
+			remotePath: "/workspace/result.txt",
+			podCount:   2,
+			want:       filepath.Join("/tmp/out", "worker-0", "result.txt"),
+		},
+		{
+			name:        "multi pod directory nests by pod",
+			localPath:   "/tmp/out",
+			shortName:   "worker-0",
+			remotePath:  "/workspace/results",
+			remoteIsDir: true,
+			podCount:    2,
+			want:        filepath.Join("/tmp/out", "worker-0"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := downloadTargetPath(tt.localPath, tt.shortName, tt.remotePath, tt.remoteIsDir, tt.podCount); got != tt.want {
+				t.Fatalf("download target path = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestDownloadSuccessDestination(t *testing.T) {
+	if got := downloadSuccessDestination("/tmp/out.txt", "worker-0", 1); got != "/tmp/out.txt" {
+		t.Fatalf("single pod success destination = %q", got)
+	}
+	if got := downloadSuccessDestination("/tmp/out", "worker-0", 2); got != filepath.Join("/tmp/out", "worker-0")+string(filepath.Separator) {
+		t.Fatalf("multi pod success destination = %q", got)
+	}
+}
+
 func TestCpReadinessCheckErrorsWhenPodsNotRunning(t *testing.T) {
 	allPods := []kube.PodSummary{
 		{Name: "sess-master-0", Phase: "Running", Labels: map[string]string{"okdev.io/workload-role": "Master"}},
diff --git a/internal/kube/client.go b/internal/kube/client.go
@@ -1034,10 +1034,57 @@ func (c *Client) CopyFromPod(ctx context.Context, namespace, podName, remotePath
 }
 
 func (c *Client) CopyFromPodInContainer(ctx context.Context, namespace, podName, container, remotePath, localPath string) error {
+	var lastErr error
+	for attempt := 0; attempt < 3; attempt++ {
+		lastErr = c.copyFromPodInContainerOnce(ctx, namespace, podName, container, remotePath, localPath)
+		if lastErr == nil {
+			return nil
+		}
+		if !isRetryableCopyStreamError(lastErr) || attempt == 2 {
+			return lastErr
+		}
+		time.Sleep(time.Duration(attempt+1) * 500 * time.Millisecond)
+	}
+	return lastErr
+}
+
+func (c *Client) copyFromPodInContainerOnce(ctx context.Context, namespace, podName, container, remotePath, localPath string) error {
 	cs, cfg, err := c.clientset()
 	if err != nil {
 		return err
 	}
+	parent := filepath.Dir(remotePath)
+	base := filepath.Base(remotePath)
+	cmd := []string{"sh", "-lc", fmt.Sprintf("tar cf - -C %s %s", shellQuote(parent), shellQuote(base))}
+	tarFile, err := os.CreateTemp("", "okdev-copy-*.tar")
+	if err != nil {
+		return err
+	}
+	tarPath := tarFile.Name()
+	defer os.Remove(tarPath)
+	var errBuf bytes.Buffer
+	if err := c.execStream(ctx, cs, cfg, namespace, podName, container, cmd, nil, tarFile, &errBuf, false); err != nil {
+		_ = tarFile.Close()
+		return err
+	}
+	if _, err := tarFile.Seek(0, io.SeekStart); err != nil {
+		_ = tarFile.Close()
+		return err
+	}
+	if err := extractSingleFileFromTar(tarFile, localPath); err != nil {
+		_ = tarFile.Close()
+		return err
+	}
+	return tarFile.Close()
+}
+
+func createTempDownloadFile(localPath string) (*os.File, error) {
+	dir := filepath.Dir(localPath)
+	base := filepath.Base(localPath)
+	return os.CreateTemp(dir, base+".tmp-*")
+}
+
+func extractSingleFileFromTar(r io.Reader, localPath string) error {
 	if err := os.MkdirAll(filepath.Dir(localPath), 0o755); err != nil {
 		return err
 	}
@@ -1053,25 +1100,45 @@ func (c *Client) CopyFromPodInContainer(ctx context.Context, namespace, podName,
 		}
 		_ = os.Remove(tempPath)
 	}()
-	var errBuf bytes.Buffer
-	cmd := []string{"sh", "-lc", fmt.Sprintf("cat %s", shellQuote(remotePath))}
-	if err := c.execStream(ctx, cs, cfg, namespace, podName, container, cmd, nil, tempFile, &errBuf, false); err != nil {
+
+	tr := tar.NewReader(r)
+	foundFile := false
+	var fileMode os.FileMode = 0o644
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		switch hdr.Typeflag {
+		case tar.TypeDir, tar.TypeXHeader, tar.TypeXGlobalHeader, tar.TypeGNULongName, tar.TypeGNULongLink:
+			continue
+		case tar.TypeReg, tar.TypeRegA:
+			if foundFile {
+				return fmt.Errorf("tar archive contains multiple files")
+			}
+			if _, err := io.Copy(tempFile, tr); err != nil {
+				return err
+			}
+			fileMode = os.FileMode(hdr.Mode)
+			foundFile = true
+		default:
+			return fmt.Errorf("tar archive entry %q has unsupported type", hdr.Name)
+		}
+	}
+	if !foundFile {
+		return fmt.Errorf("tar archive contained no file")
+	}
+	if err := tempFile.Chmod(fileMode); err != nil {
 		return err
 	}
 	if err := tempFile.Close(); err != nil {
 		return err
 	}
 	closed = true
-	if err := os.Rename(tempPath, localPath); err != nil {
-		return err
-	}
-	return nil
-}
-
-func createTempDownloadFile(localPath string) (*os.File, error) {
-	dir := filepath.Dir(localPath)
-	base := filepath.Base(localPath)
-	return os.CreateTemp(dir, base+".tmp-*")
+	return os.Rename(tempPath, localPath)
 }
 
 func (c *Client) StreamFromPod(ctx context.Context, namespace, podName, script string, stdout io.Writer) error {
@@ -1185,6 +1252,21 @@ func (c *Client) CopyDirToPod(ctx context.Context, namespace, pod, container, lo
 
 // CopyDirFromPod streams a remote directory as a tar archive and extracts it locally.
 func (c *Client) CopyDirFromPod(ctx context.Context, namespace, pod, container, remoteDir, localDir string) error {
+	var lastErr error
+	for attempt := 0; attempt < 3; attempt++ {
+		lastErr = c.copyDirFromPodOnce(ctx, namespace, pod, container, remoteDir, localDir)
+		if lastErr == nil {
+			return nil
+		}
+		if !isRetryableCopyStreamError(lastErr) || attempt == 2 {
+			return lastErr
+		}
+		time.Sleep(time.Duration(attempt+1) * 500 * time.Millisecond)
+	}
+	return lastErr
+}
+
+func (c *Client) copyDirFromPodOnce(ctx context.Context, namespace, pod, container, remoteDir, localDir string) error {
 	cs, cfg, err := c.clientset()
 	if err != nil {
 		return err
@@ -1215,6 +1297,40 @@ func (c *Client) CopyDirFromPod(ctx context.Context, namespace, pod, container,
 	return tarFile.Close()
 }
 
+func isRetryableCopyStreamError(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := strings.ToLower(err.Error())
+	nonRetryable := []string{
+		"not found",
+		"no such file",
+		"permission denied",
+		"is a directory",
+		"tar archive contains multiple files",
+		"tar archive contained no file",
+		"unsupported type",
+	}
+	for _, s := range nonRetryable {
+		if strings.Contains(msg, s) {
+			return false
+		}
+	}
+	retryable := []string{
+		"unexpected eof",
+		"context deadline exceeded",
+		"unexpected error when reading response body",
+		"connection reset by peer",
+		"timeout",
+	}
+	for _, s := range retryable {
+		if strings.Contains(msg, s) {
+			return true
+		}
+	}
+	return false
+}
+
 // IsRemoteDir probes whether remotePath is a directory on the pod.
 func (c *Client) IsRemoteDir(ctx context.Context, namespace, pod, container, remotePath string) (bool, error) {
 	cs, cfg, err := c.clientset()
diff --git a/internal/kube/client_copy_test.go b/internal/kube/client_copy_test.go
@@ -76,3 +76,79 @@ func TestExtractTarToDir(t *testing.T) {
 		t.Fatalf("d/g.txt: %v %q", err, data)
 	}
 }
+
+func TestExtractSingleFileFromTar(t *testing.T) {
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+	if err := tw.WriteHeader(&tar.Header{Name: "f.txt", Mode: 0o640, Size: 3, Typeflag: tar.TypeReg}); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := tw.Write([]byte("abc")); err != nil {
+		t.Fatal(err)
+	}
+	if err := tw.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	outPath := filepath.Join(t.TempDir(), "out.txt")
+	if err := extractSingleFileFromTar(bytes.NewReader(buf.Bytes()), outPath); err != nil {
+		t.Fatal(err)
+	}
+
+	data, err := os.ReadFile(outPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(data) != "abc" {
+		t.Fatalf("unexpected file content %q", data)
+	}
+	info, err := os.Stat(outPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if info.Mode().Perm() != 0o640 {
+		t.Fatalf("unexpected file mode %o", info.Mode().Perm())
+	}
+}
+
+func TestExtractSingleFileFromTarRejectsMultipleFiles(t *testing.T) {
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+	for _, name := range []string{"a.txt", "b.txt"} {
+		if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 1, Typeflag: tar.TypeReg}); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := tw.Write([]byte("x")); err != nil {
+			t.Fatal(err)
+		}
+	}
+	if err := tw.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	err := extractSingleFileFromTar(bytes.NewReader(buf.Bytes()), filepath.Join(t.TempDir(), "out.txt"))
+	if err == nil || err.Error() != "tar archive contains multiple files" {
+		t.Fatalf("expected multiple files error, got %v", err)
+	}
+}
+
+func TestExtractSingleFileFromTarRejectsTruncatedArchive(t *testing.T) {
+	payload := bytes.Repeat([]byte("a"), 2048)
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+	if err := tw.WriteHeader(&tar.Header{Name: "f.txt", Mode: 0o644, Size: int64(len(payload)), Typeflag: tar.TypeReg}); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := tw.Write(payload); err != nil {
+		t.Fatal(err)
+	}
+	if err := tw.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	truncated := buf.Bytes()[:len(buf.Bytes())-1100]
+	err := extractSingleFileFromTar(bytes.NewReader(truncated), filepath.Join(t.TempDir(), "out.txt"))
+	if err == nil {
+		t.Fatal("expected truncated tar extraction to fail")
+	}
+}
diff --git a/internal/kube/client_test.go b/internal/kube/client_test.go
diff --git a/scripts/e2e_kind_job.sh b/scripts/e2e_kind_job.sh
