feat: repair multiple permissions docs (fixes)

shepilov · shepilov · commit eb951fb7a8d0 · 2026-05-19T12:38:20.000+02:00
diff --git a/model/permission/permissions.go b/model/permission/permissions.go
@@ -7,11 +7,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"
 
 	build "github.com/cozy/cozy-stack/pkg/config"
-	stackconfig "github.com/cozy/cozy-stack/pkg/config/config"
+	"github.com/cozy/cozy-stack/pkg/config/config"
 	"github.com/cozy/cozy-stack/pkg/consts"
 	"github.com/cozy/cozy-stack/pkg/couchdb"
 	"github.com/cozy/cozy-stack/pkg/couchdb/mango"
@@ -250,12 +251,6 @@ func GetForSharePreview(db prefixer.Prefixer, sharingID string) (*Permission, er
 // docs as part of the read by creating/updating the canonical permission doc
 // and deleting duplicate legacy docs.
 func GetForShareInteract(db prefixer.Prefixer, sharingID string) (*Permission, error) {
-	mu := stackconfig.Lock().ReadWrite(db, shareInteractLockName(sharingID))
-	if err := mu.Lock(); err != nil {
-		return nil, err
-	}
-	defer mu.Unlock()
-
 	return getOrRepairShareInteractPermissions(db, sharingID)
 }
 
@@ -303,21 +298,35 @@ func getOrRepairShareInteractPermissions(db prefixer.Prefixer, sharingID string)
 			return canonical, err
 		}
 
-		perm, retry, err := repairShareInteractPermissions(db, sharingID, perms)
-		if err == nil && !retry {
-			return perm, nil
-		}
-		if retry && err == nil {
-			return nil, &couchdb.Error{
-				StatusCode: http.StatusConflict,
-				Name:       "conflict",
-				Reason:     "could not repair share-interact permissions after retries",
-			}
+		mu := config.Lock().ReadWrite(db, shareInteractLockName(sharingID))
+		if err := mu.Lock(); err != nil {
+			return nil, err
 		}
-		return nil, err
+		defer mu.Unlock()
+
+		return getOrRepairShareInteractPermissionsLocked(db, sharingID)
 	})
 }
 
+func getOrRepairShareInteractPermissionsLocked(db prefixer.Prefixer, sharingID string) (*Permission, error) {
+	perms, err := getShareInteractPermissions(db, sharingID)
+	if err != nil {
+		return nil, err
+	}
+	if canonical, needsRepair, err := shareInteractRepairState(perms, sharingID); err != nil || !needsRepair {
+		return canonical, err
+	}
+
+	perm, retry, err := repairShareInteractPermissions(db, sharingID, perms)
+	if err == nil && !retry {
+		return perm, nil
+	}
+	if retry && err == nil {
+		return nil, fmt.Errorf("could not repair share-interact permissions after retries")
+	}
+	return nil, err
+}
+
 func shareInteractRetryOptions() utils.RetryOptions {
 	return utils.RetryOptions{
 		Attempts:     5,
@@ -344,15 +353,17 @@ func shareInteractRepairState(perms []Permission, sharingID string) (*Permission
 	usable := 0
 	hasDuplicate := false
 	for i := range perms {
-		if perms[i].ID() != canonicalID {
+		p := &perms[i]
+		isCanonical := p.ID() == canonicalID
+		if !isCanonical {
 			hasDuplicate = true
 		}
-		if perms[i].Expired() {
+		if p.Expired() {
 			continue
 		}
 		usable++
-		if perms[i].ID() == canonicalID {
-			canonical = &perms[i]
+		if isCanonical {
+			canonical = p
 		}
 	}
 	if usable == 0 {
@@ -391,7 +402,7 @@ func repairShareInteractPermissions(db prefixer.Prefixer, sharingID string, perm
 		hasUsablePermission = true
 
 		if len(merged.Permissions) == 0 && len(p.Permissions) > 0 {
-			merged.Permissions = p.Clone().(*Permission).Permissions
+			merged.Permissions = slices.Clone(p.Permissions)
 		}
 		if merged.Metadata == nil && p.Metadata != nil {
 			merged.Metadata = p.Metadata.Clone()
@@ -820,14 +831,14 @@ func CreateShareInteractSet(db prefixer.Prefixer, sharingID string, codes map[st
 		doc.Codes = make(map[string]string)
 	}
 
-	mu := stackconfig.Lock().ReadWrite(db, shareInteractLockName(sharingID))
+	mu := config.Lock().ReadWrite(db, shareInteractLockName(sharingID))
 	if err := mu.Lock(); err != nil {
 		return nil, err
 	}
 	defer mu.Unlock()
 
 	return utils.RetryWithBackoffValue(context.Background(), shareInteractRetryOptions(), func() (*Permission, error) {
-		existing, err := getOrRepairShareInteractPermissions(db, sharingID)
+		existing, err := getOrRepairShareInteractPermissionsLocked(db, sharingID)
 		if err != nil && !couchdb.IsNotFoundError(err) {
 			return nil, err
 		}
diff --git a/model/permission/permissions_test.go b/model/permission/permissions_test.go
@@ -17,7 +17,10 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var testPrefix = prefixer.NewPrefixer(0, "test", "permission-tests")
+func testPrefix(t *testing.T) prefixer.Prefixer {
+	t.Helper()
+	return prefixer.NewPrefixer(0, "test", t.Name())
+}
 
 func TestCheckDoctypeName(t *testing.T) {
 	assert.NoError(t, CheckDoctypeName("io.cozy.files", false))
@@ -438,7 +441,8 @@ func TestGetForShareInteractRepairsDuplicateDocs(t *testing.T) {
 	}
 
 	config.UseTestFile(t)
-	require.NoError(t, couchdb.ResetDB(testPrefix, consts.Permissions))
+	db := testPrefix(t)
+	require.NoError(t, couchdb.ResetDB(db, consts.Permissions))
 
 	const sharingID = "sharing-duplicate-interact-permissions"
 	perms := Permission{
@@ -450,7 +454,7 @@ func TestGetForShareInteractRepairsDuplicateDocs(t *testing.T) {
 		}},
 	}
 
-	err := couchdb.CreateDoc(testPrefix, &Permission{
+	err := couchdb.CreateDoc(db, &Permission{
 		Type:        TypeShareInteract,
 		Permissions: perms.Permissions,
 		Codes: map[string]string{
@@ -459,7 +463,7 @@ func TestGetForShareInteractRepairsDuplicateDocs(t *testing.T) {
 		SourceID: consts.Sharings + "/" + sharingID,
 	})
 	require.NoError(t, err)
-	err = couchdb.CreateDoc(testPrefix, &Permission{
+	err = couchdb.CreateDoc(db, &Permission{
 		Type:        TypeShareInteract,
 		Permissions: perms.Permissions,
 		Codes: map[string]string{
@@ -469,27 +473,27 @@ func TestGetForShareInteractRepairsDuplicateDocs(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	repaired, err := GetForShareInteract(testPrefix, sharingID)
+	repaired, err := GetForShareInteract(db, sharingID)
 	require.NoError(t, err)
 	require.Equal(t, ShareInteractPermissionID(sharingID), repaired.ID())
 	require.Equal(t, map[string]string{
 		"alice@example.test": "alice-token",
 		"bob@example.test":   "bob-token",
 	}, repaired.Codes)
 
-	all, err := getShareInteractPermissions(testPrefix, sharingID)
+	all, err := getShareInteractPermissions(db, sharingID)
 	require.NoError(t, err)
 	require.Len(t, all, 1)
 	require.Equal(t, ShareInteractPermissionID(sharingID), all[0].ID())
 
-	repaired, err = GetForShareInteract(testPrefix, sharingID)
+	repaired, err = GetForShareInteract(db, sharingID)
 	require.NoError(t, err)
 	require.Equal(t, map[string]string{
 		"alice@example.test": "alice-token",
 		"bob@example.test":   "bob-token",
 	}, repaired.Codes)
 
-	all, err = getShareInteractPermissions(testPrefix, sharingID)
+	all, err = getShareInteractPermissions(db, sharingID)
 	require.NoError(t, err)
 	require.Len(t, all, 1)
 }
@@ -500,7 +504,8 @@ func TestGetForShareInteractRepairsExpiredDuplicateDocs(t *testing.T) {
 	}
 
 	config.UseTestFile(t)
-	require.NoError(t, couchdb.ResetDB(testPrefix, consts.Permissions))
+	db := testPrefix(t)
+	require.NoError(t, couchdb.ResetDB(db, consts.Permissions))
 
 	const sharingID = "sharing-expired-duplicate-interact-permissions"
 	rules := Set{{
@@ -511,7 +516,7 @@ func TestGetForShareInteractRepairsExpiredDuplicateDocs(t *testing.T) {
 	}}
 	expiredAt := time.Now().Add(-time.Hour).Format(time.RFC3339)
 
-	err := couchdb.CreateNamedDoc(testPrefix, &Permission{
+	err := couchdb.CreateNamedDoc(db, &Permission{
 		PID:         ShareInteractPermissionID(sharingID),
 		Type:        TypeShareInteract,
 		Permissions: rules,
@@ -521,7 +526,7 @@ func TestGetForShareInteractRepairsExpiredDuplicateDocs(t *testing.T) {
 		SourceID: consts.Sharings + "/" + sharingID,
 	})
 	require.NoError(t, err)
-	err = couchdb.CreateDoc(testPrefix, &Permission{
+	err = couchdb.CreateDoc(db, &Permission{
 		Type:        TypeShareInteract,
 		Permissions: rules,
 		Codes: map[string]string{
@@ -532,14 +537,14 @@ func TestGetForShareInteractRepairsExpiredDuplicateDocs(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	repaired, err := GetForShareInteract(testPrefix, sharingID)
+	repaired, err := GetForShareInteract(db, sharingID)
 	require.NoError(t, err)
 	require.Equal(t, ShareInteractPermissionID(sharingID), repaired.ID())
 	require.Equal(t, map[string]string{
 		"alice@example.test": "alice-token",
 	}, repaired.Codes)
 
-	all, err := getShareInteractPermissions(testPrefix, sharingID)
+	all, err := getShareInteractPermissions(db, sharingID)
 	require.NoError(t, err)
 	require.Len(t, all, 1)
 	require.Equal(t, ShareInteractPermissionID(sharingID), all[0].ID())
@@ -551,7 +556,8 @@ func TestCreateShareInteractSetUsesCanonicalDoc(t *testing.T) {
 	}
 
 	config.UseTestFile(t)
-	require.NoError(t, couchdb.ResetDB(testPrefix, consts.Permissions))
+	db := testPrefix(t)
+	require.NoError(t, couchdb.ResetDB(db, consts.Permissions))
 
 	const sharingID = "sharing-canonical-interact-permissions"
 	md := metadata.New()
@@ -566,13 +572,13 @@ func TestCreateShareInteractSetUsesCanonicalDoc(t *testing.T) {
 		Metadata: md,
 	}
 
-	first, err := CreateShareInteractSet(testPrefix, sharingID, map[string]string{
+	first, err := CreateShareInteractSet(db, sharingID, map[string]string{
 		"alice@example.test": "alice-token",
 	}, perms)
 	require.NoError(t, err)
 	require.Equal(t, ShareInteractPermissionID(sharingID), first.ID())
 
-	second, err := CreateShareInteractSet(testPrefix, sharingID, map[string]string{
+	second, err := CreateShareInteractSet(db, sharingID, map[string]string{
 		"bob@example.test": "bob-token",
 	}, perms)
 	require.NoError(t, err)
@@ -585,7 +591,7 @@ func TestCreateShareInteractSetUsesCanonicalDoc(t *testing.T) {
 	require.NotNil(t, second.Metadata)
 	require.True(t, second.Metadata.UpdatedAt.After(first.Metadata.UpdatedAt))
 
-	all, err := getShareInteractPermissions(testPrefix, sharingID)
+	all, err := getShareInteractPermissions(db, sharingID)
 	require.NoError(t, err)
 	require.Len(t, all, 1)
 	require.Equal(t, ShareInteractPermissionID(sharingID), all[0].ID())
diff --git a/model/sharing/sharing.go b/model/sharing/sharing.go
@@ -400,7 +400,7 @@ func (s *Sharing) GetInteractCode(inst *instance.Instance, member *Member, membe
 	if stored, ok := updated.Codes[key]; ok {
 		return stored, nil
 	}
-	return code, nil
+	return "", fmt.Errorf("share-interact code for %s was not stored in sharing %s", key, s.SID)
 }
 
 func (s *Sharing) createInteractPermissions(inst *instance.Instance, m *Member) (string, error) {
diff --git a/pkg/utils/retry.go b/pkg/utils/retry.go
@@ -2,7 +2,7 @@ package utils
 
 import (
 	"context"
-	"math/rand"
+	"math/rand/v2"
 	"time"
 )
 
@@ -19,7 +19,8 @@ type RetryOptions struct {
 	// MaxDelay caps the exponential backoff delay before jitter is applied.
 	MaxDelay time.Duration
 	// JitterFactor adds a random delay between 0 and the current backoff delay
-	// multiplied by JitterFactor. For example, 0.25 adds up to 25% jitter.
+	// multiplied by JitterFactor. This jitter is one-sided: it can only extend
+	// the delay, never shorten it. For example, 0.25 adds up to 25% jitter.
 	// Values lower than or equal to 0 disable jitter.
 	JitterFactor float64
 	// ShouldRetry can be used to retry only some errors. When nil, every
@@ -109,14 +110,14 @@ func backoffDelay(initial time.Duration, attempt int, maxDelay time.Duration) ti
 	delay := initial
 	for i := 0; i < attempt; i++ {
 		if delay > maxRetryDelay/2 {
-			delay = maxRetryDelay
-		} else {
-			delay *= 2
-		}
-		if maxDelay > 0 && delay > maxDelay {
-			return maxDelay
+			return cappedDelay(maxRetryDelay, maxDelay)
 		}
+		delay *= 2
 	}
+	return cappedDelay(delay, maxDelay)
+}
+
+func cappedDelay(delay time.Duration, maxDelay time.Duration) time.Duration {
 	if maxDelay > 0 && delay > maxDelay {
 		return maxDelay
 	}
@@ -141,7 +142,7 @@ func addJitter(delay time.Duration, jitterFactor float64) time.Duration {
 	if maxJitter <= 0 {
 		return delay
 	}
-	jitter := time.Duration(rand.Int63n(int64(maxJitter)))
+	jitter := time.Duration(rand.Int64N(int64(maxJitter)))
 	if maxRetryDelay-delay < jitter {
 		return maxRetryDelay
 	}
diff --git a/pkg/utils/retry_test.go b/pkg/utils/retry_test.go
@@ -92,6 +92,11 @@ func TestRetryWithBackoffCapsDelay(t *testing.T) {
 	}, delays)
 }
 
+func TestRetryDelaySaturatesOnOverflow(t *testing.T) {
+	assert.Equal(t, maxRetryDelay, backoffDelay(maxRetryDelay, 1, 0))
+	assert.Equal(t, time.Hour, backoffDelay(maxRetryDelay, 1, time.Hour))
+}
+
 func TestRetryWithBackoffStopsWhenContextIsCanceled(t *testing.T) {
 	errTemporary := errors.New("temporary")
 	ctx, cancel := context.WithCancel(context.Background())
@@ -114,13 +119,16 @@ func TestRetryWithBackoffStopsWhenContextIsCanceled(t *testing.T) {
 
 func TestRetryDelayWithJitter(t *testing.T) {
 	base := 4 * time.Second
+	hasJitter := false
 
-	for i := 0; i < 10; i++ {
+	for i := 0; i < 100; i++ {
 		delay := retryDelay(base, 0, 0, 0.25)
 
 		assert.GreaterOrEqual(t, delay, base)
 		assert.Less(t, delay, base+time.Second)
+		hasJitter = hasJitter || delay > base
 	}
+	assert.True(t, hasJitter)
 }
 
 func TestRetryWithExpBackoffRunsAtLeastOnce(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -400,7 +400,7 @@ func (s Sharing) GetInteractCode(inst instance.Instance, member *Member, membe`
`400`	`400`	`if stored, ok := updated.Codes[key]; ok {`
`401`	`401`	`return stored, nil`
`402`	`402`	`}`
`403`		`- return code, nil`
	`403`	`+ return "", fmt.Errorf("share-interact code for %s was not stored in sharing %s", key, s.SID)`
`404`	`404`	`}`
`405`	`405`
`406`	`406`	`func (s Sharing) createInteractPermissions(inst instance.Instance, m *Member) (string, error) {`