8350880: (zipfs) Add support for read-only zip file systems

Reviewed-by: lancea, alanb, jpai

Author: david-beaumont

src/jdk.zipfs/share/classes/jdk/nio/zipfs/ZipFileSystem.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -81,18 +81,24 @@ class ZipFileSystem extends FileSystem {
     private static final boolean isWindows = System.getProperty("os.name")
                                              .startsWith("Windows");
     private static final byte[] ROOTPATH = new byte[] { '/' };
+
+    // Global access mode for "mounted" file system ("readOnly" or "readWrite").
+    private static final String PROPERTY_ACCESS_MODE = "accessMode";
+
+    // Posix file permissions allow per-file access control in a posix-like fashion.
+    // Using a "readOnly" access mode will change the posix permissions of any
+    // underlying entries (they may still show as "writable", but will not be).
     private static final String PROPERTY_POSIX = "enablePosixFileAttributes";
     private static final String PROPERTY_DEFAULT_OWNER = "defaultOwner";
     private static final String PROPERTY_DEFAULT_GROUP = "defaultGroup";
     private static final String PROPERTY_DEFAULT_PERMISSIONS = "defaultPermissions";
     // Property used to specify the entry version to use for a multi-release JAR
     private static final String PROPERTY_RELEASE_VERSION = "releaseVersion";
+
     // Original property used to specify the entry version to use for a
     // multi-release JAR which is kept for backwards compatibility.
     private static final String PROPERTY_MULTI_RELEASE = "multi-release";
 
-    private static final Set<PosixFilePermission> DEFAULT_PERMISSIONS =
-        PosixFilePermissions.fromString("rwxrwxrwx");
     // Property used to specify the compression mode to use
     private static final String PROPERTY_COMPRESSION_METHOD = "compressionMethod";
     // Value specified for compressionMethod property to compress Zip entries
@@ -104,7 +110,8 @@ class ZipFileSystem extends FileSystem {
     private final Path zfpath;
     final ZipCoder zc;
     private final ZipPath rootdir;
-    private boolean readOnly; // readonly file system, false by default
+    // Starts in readOnly (safe mode), but might be reset at the end of initialization.
+    private boolean readOnly = true;
 
     // default time stamp for pseudo entries
     private final long zfsDefaultTimeStamp = System.currentTimeMillis();
@@ -129,10 +136,37 @@ class ZipFileSystem extends FileSystem {
     final boolean supportPosix;
     private final UserPrincipal defaultOwner;
     private final GroupPrincipal defaultGroup;
+    // Unmodifiable set.
     private final Set<PosixFilePermission> defaultPermissions;
 
     private final Set<String> supportedFileAttributeViews;
 
+    private enum ZipAccessMode {
+        // Creates a file system for read-write access.
+        READ_WRITE("readWrite"),
+        // Creates a file system for read-only access.
+        READ_ONLY("readOnly");
+
+        private final String label;
+
+        ZipAccessMode(String label) {
+            this.label = label;
+        }
+
+        // Parses the access mode from an environmental parameter.
+        // Returns null for missing value to indicate default behavior.
+        static ZipAccessMode from(Object value) {
+            if (value == null) {
+                return null;
+            } else if (READ_WRITE.label.equals(value)) {
+                return ZipAccessMode.READ_WRITE;
+            } else if (READ_ONLY.label.equals(value)) {
+                return ZipAccessMode.READ_ONLY;
+            }
+            throw new IllegalArgumentException("Unknown file system access mode: " + value);
+        }
+    }
+
     ZipFileSystem(ZipFileSystemProvider provider,
                   Path zfpath,
                   Map<String, ?> env) throws IOException
@@ -144,28 +178,38 @@ class ZipFileSystem extends FileSystem {
         this.useTempFile  = isTrue(env, "useTempFile");
         this.forceEnd64 = isTrue(env, "forceZIP64End");
         this.defaultCompressionMethod = getDefaultCompressionMethod(env);
+
+        ZipAccessMode accessMode = ZipAccessMode.from(env.get(PROPERTY_ACCESS_MODE));
+        boolean forceReadOnly = (accessMode == ZipAccessMode.READ_ONLY);
+
         this.supportPosix = isTrue(env, PROPERTY_POSIX);
         this.defaultOwner = supportPosix ? initOwner(zfpath, env) : null;
         this.defaultGroup = supportPosix ? initGroup(zfpath, env) : null;
-        this.defaultPermissions = supportPosix ? initPermissions(env) : null;
+        this.defaultPermissions = supportPosix ? Collections.unmodifiableSet(initPermissions(env)) : null;
         this.supportedFileAttributeViews = supportPosix ?
-            Set.of("basic", "posix", "zip") : Set.of("basic", "zip");
+                Set.of("basic", "posix", "zip") : Set.of("basic", "zip");
+
+        // 'create=true' is semantically the same as StandardOpenOption.CREATE,
+        // and can only be used to create a writable file system (whether the
+        // underlying ZIP file exists or not), and is always incompatible with
+        // 'accessMode=readOnly').
+        boolean shouldCreate = isTrue(env, "create");
+        if (shouldCreate && forceReadOnly) {
+            throw new IllegalArgumentException(
+                    "Specifying 'accessMode=readOnly' is incompatible with 'create=true'");
+        }
         if (Files.notExists(zfpath)) {
-            // create a new zip if it doesn't exist
-            if (isTrue(env, "create")) {
+            if (shouldCreate) {
                 try (OutputStream os = Files.newOutputStream(zfpath, CREATE_NEW, WRITE)) {
                     new END().write(os, 0, forceEnd64);
                 }
             } else {
                 throw new NoSuchFileException(zfpath.toString());
             }
         }
-        // sm and existence check
+        // Existence check
         zfpath.getFileSystem().provider().checkAccess(zfpath, AccessMode.READ);
-        boolean writeable = Files.isWritable(zfpath);
-        this.readOnly = !writeable;
         this.zc = ZipCoder.get(nameEncoding);
-        this.rootdir = new ZipPath(this, new byte[]{'/'});
         this.ch = Files.newByteChannel(zfpath, READ);
         try {
             this.cen = initCEN();
@@ -179,13 +223,29 @@ class ZipFileSystem extends FileSystem {
         }
         this.provider = provider;
         this.zfpath = zfpath;
+        this.rootdir = new ZipPath(this, new byte[]{'/'});
+
+        // Determining a release version uses 'this' instance to read paths etc.
+        Optional<Integer> multiReleaseVersion = determineReleaseVersion(env);
+
+        // Set the version-based lookup function for multi-release JARs.
+        this.entryLookup =
+                multiReleaseVersion.map(this::createVersionedLinks).orElse(Function.identity());
 
-        initializeReleaseVersion(env);
+        // We only allow read-write zip/jar files if they are not multi-release
+        // JARs and the underlying file is writable.
+        this.readOnly = forceReadOnly || multiReleaseVersion.isPresent() || !Files.isWritable(zfpath);
+        if (readOnly && accessMode == ZipAccessMode.READ_WRITE) {
+            String reason = multiReleaseVersion.isPresent()
+                    ? "the multi-release JAR file is not writable"
+                    : "the ZIP file is not writable";
+            throw new IOException(reason);
+        }
     }
 
     /**
      * Return the compression method to use (STORED or DEFLATED).  If the
-     * property {@code commpressionMethod} is set use its value to determine
+     * property {@code compressionMethod} is set use its value to determine
      * the compression method to use.  If the property is not set, then the
      * default compression is DEFLATED unless the property {@code noCompression}
      * is set which is supported for backwards compatibility.
@@ -293,12 +353,12 @@ private GroupPrincipal initGroup(Path zfpath, Map<String, ?> env) throws IOExcep
             " or " + GroupPrincipal.class);
     }
 
-    // Initialize the default permissions for files inside the zip archive.
+    // Return the default permissions for files inside the zip archive.
     // If not specified in env, it will return 777.
     private Set<PosixFilePermission> initPermissions(Map<String, ?> env) {
         Object o = env.get(PROPERTY_DEFAULT_PERMISSIONS);
         if (o == null) {
-            return DEFAULT_PERMISSIONS;
+            return PosixFilePermissions.fromString("rwxrwxrwx");
         }
         if (o instanceof String) {
             return PosixFilePermissions.fromString((String)o);
@@ -346,10 +406,6 @@ private void checkWritable() {
         }
     }
 
-    void setReadOnly() {
-        this.readOnly = true;
-    }
-
     @Override
     public Iterable<Path> getRootDirectories() {
         return List.of(rootdir);
@@ -1383,33 +1439,24 @@ private void removeFromTree(IndexNode inode) {
      * Checks if the Zip File System property "releaseVersion" has been specified. If it has,
      * use its value to determine the requested version. If not use the value of the "multi-release" property.
      */
-    private void initializeReleaseVersion(Map<String, ?> env) throws IOException {
+    private Optional<Integer> determineReleaseVersion(Map<String, ?> env) throws IOException {
         Object o = env.containsKey(PROPERTY_RELEASE_VERSION) ?
             env.get(PROPERTY_RELEASE_VERSION) :
             env.get(PROPERTY_MULTI_RELEASE);
 
-        if (o != null && isMultiReleaseJar()) {
-            int version;
-            if (o instanceof String) {
-                String s = (String)o;
-                if (s.equals("runtime")) {
-                    version = Runtime.version().feature();
-                } else if (s.matches("^[1-9][0-9]*$")) {
-                    version = Version.parse(s).feature();
-                } else {
-                    throw new IllegalArgumentException("Invalid runtime version");
-                }
-            } else if (o instanceof Integer) {
-                version = Version.parse(((Integer)o).toString()).feature();
-            } else if (o instanceof Version) {
-                version = ((Version)o).feature();
-            } else {
-                throw new IllegalArgumentException("env parameter must be String, " +
-                    "Integer, or Version");
-            }
-            createVersionedLinks(version < 0 ? 0 : version);
-            setReadOnly();
+        if (o == null || !isMultiReleaseJar()) {
+            return Optional.empty();
         }
+        int version = switch (o) {
+            case String s when s.equals("runtime") -> Runtime.version().feature();
+            case String s when s.matches("^[1-9][0-9]*$") -> Version.parse(s).feature();
+            case Integer i -> Version.parse(i.toString()).feature();
+            case Version v -> v.feature();
+            case String s -> throw new IllegalArgumentException("Invalid runtime version: " + s);
+            default -> throw new IllegalArgumentException("env parameter must be String, " +
+                    "Integer, or Version");
+        };
+        return Optional.of(Math.max(version, 0));
     }
 
     /**
@@ -1435,11 +1482,11 @@ private boolean isMultiReleaseJar() throws IOException {
      * Then wrap the map in a function that getEntry can use to override root
      * entry lookup for entries that have corresponding versioned entries.
      */
-    private void createVersionedLinks(int version) {
+    private Function<byte[], byte[]> createVersionedLinks(int version) {
         IndexNode verdir = getInode(getBytes("/META-INF/versions"));
         // nothing to do, if no /META-INF/versions
         if (verdir == null) {
-            return;
+            return Function.identity();
         }
         // otherwise, create a map and for each META-INF/versions/{n} directory
         // put all the leaf inodes, i.e. entries, into the alias map
@@ -1451,10 +1498,7 @@ private void createVersionedLinks(int version) {
                     getOrCreateInode(getRootName(entryNode, versionNode), entryNode.isdir),
                     entryNode.name))
         );
-        entryLookup = path -> {
-            byte[] entry = aliasMap.get(IndexNode.keyOf(path));
-            return entry == null ? path : entry;
-        };
+        return path -> aliasMap.getOrDefault(IndexNode.keyOf(path), path);
     }
 
     /**
@@ -3551,7 +3595,8 @@ public GroupPrincipal group() {
 
         @Override
         public Set<PosixFilePermission> permissions() {
-            return storedPermissions().orElse(Set.copyOf(defaultPermissions));
+            // supportPosix ==> (defaultPermissions != null)
+            return storedPermissions().orElse(defaultPermissions);
         }
     }
 

src/jdk.zipfs/share/classes/module-info.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -153,8 +153,8 @@
  *   <td>{@link java.lang.String} or {@link java.lang.Boolean}</td>
  *   <td>false</td>
  *   <td>
- *       If the value is {@code true}, the ZIP file system provider
- *       creates a new ZIP or JAR file if it does not exist.
+ *       If the value is {@code true}, the ZIP file system provider creates a
+ *       new ZIP or JAR file if it does not exist.
  *   </td>
  * </tr>
  * <tr>
@@ -225,8 +225,8 @@
  *           </li>
  *           <li>
  *               If the value is not {@code "STORED"} or {@code "DEFLATED"}, an
- *               {@code IllegalArgumentException} will be thrown when the Zip
- *               filesystem is created.
+ *               {@code IllegalArgumentException} will be thrown when creating the
+ *               ZIP file system.
  *           </li>
  *       </ul>
  *   </td>
@@ -260,12 +260,54 @@
  *           <li>
  *               If the value does not represent a valid
  *               {@linkplain Runtime.Version Java SE Platform version number},
- *               an {@code IllegalArgumentException} will be thrown.
+ *               an {@code IllegalArgumentException} will be thrown when creating
+ *               the ZIP file system.
  *           </li>
  *       </ul>
  *   </td>
  * </tr>
- *  </tbody>
+ * <tr>
+ *   <th scope="row">accessMode</th>
+ *   <td>{@link java.lang.String}</td>
+ *   <td>null/unset</td>
+ *   <td>
+ *       A value defining the desired access mode of the file system.
+ *       ZIP file systems can be created to allow for <em>read-write</em> or
+ *       <em>read-only</em> access.
+ *       <ul>
+ *           <li>
+ *               If no value is set, the file system is created as <em>read-write</em>
+ *               if possible. Use {@link java.nio.file.FileSystem#isReadOnly()
+ *               isReadOnly()} to determine the actual access mode.
+ *           </li>
+ *           <li>
+ *               If the value is {@code "readOnly"}, the file system is created
+ *               <em>read-only</em>, and {@link java.nio.file.FileSystem#isReadOnly()
+ *               isReadOnly()} will always return {@code true}. Creating a
+ *               <em>read-only</em> file system requires the underlying ZIP file to
+ *               already exist.
+ *               Specifying the {@code create} property as {@code true} with the
+ *               {@code accessMode} as {@code readOnly} will cause an {@code
+ *               IllegalArgumentException} to be thrown when creating the ZIP file
+ *               system.
+ *           </li>
+ *           <li>
+ *               If the value is {@code "readWrite"}, the file system is created
+ *               <em>read-write</em>, and {@link java.nio.file.FileSystem#isReadOnly()
+ *               isReadOnly()} will always return {@code false}. If a writable file
+ *               system cannot be created, an {@code IOException} will be thrown
+ *               when creating the ZIP file system.
+ *           </li>
+ *           <li>
+ *               Any other values will cause an {@code IllegalArgumentException}
+ *               to be thrown when creating the ZIP file system.
+ *           </li>
+ *       </ul>
+ *       The {@code accessMode} property has no effect on reported POSIX file
+ *       permissions (in cases where POSIX support is enabled).
+ *   </td>
+ * </tr>
+ * </tbody>
  * </table>
  *
  * <h2>Examples:</h2>