Implement close method for containers (fox-it#100)

[Kafow]

#100

[DissectBot]

@Kafow thank you for your contribution! As this is your first code contribution, please read the following Contributor License Agreement (CLA). If you agree with the CLA, please reply with the following information:

@DissectBot agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

Contributor License Agreement

Contribution License Agreement

This Contribution License Agreement ("Agreement") governs your Contribution(s) (as defined below) and conveys certain license rights to Fox-IT B.V. ("Fox-IT") for your Contribution(s) to Fox-IT"s open source Dissect project. This Agreement covers any and all Contributions that you ("You" or "Your"), now or in the future, Submit (as defined below) to this project. This Agreement is between Fox-IT B.V. and You and takes effect when you click an “I Accept” button, check box presented with these terms, otherwise accept these terms or, if earlier, when You Submit a Contribution.

1. Definitions.
   "Contribution" means any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Fox-IT for inclusion in, or documentation of, any of the software products owned or managed by, or on behalf of, Fox-IT as part of the Project (the "Work").
   "Project" means any of the projects owned or managed by Fox-IT and offered under a license approved by the Open Source Initiative (www.opensource.org).
   "Submit" means any form of electronic, verbal, or written communication sent to Fox-IT or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Fox-IT for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."

2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Fox-IT and to recipients of software distributed by Fox-IT a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Fox-IT and to recipients of software distributed by Fox-IT a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, maintain, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.

4. Representations. You represent that:

   • You are legally entitled to grant the above license.
   • each of Your Contributions is Your original creation (see section 8 for submissions on behalf of others).
   • Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.

5. Employer. If Your Contribution is made in the course of Your work for an employer or Your employer has intellectual property rights in Your Submission by contract or applicable law, You must secure permission from Your employer to make the Contribution before signing this Agreement. In that case, the term "You" in this Agreement will refer to You and the employer collectively. If You change employers in the future and desire to Submit additional Contribution for the new employer, then You agree to sign a new Agreement and secure permission from the new employer before Submitting those Contributions.

6. Support. You are not expected to provide support for Your Contribution, unless You choose to do so. Any such support provided to the Project is provided free of charge.

7. Warranty. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.

8. Third party material. Should You wish to submit work that is not Your original creation, You may only submit it to Fox-IT separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".

9. Notify. You agree to notify Fox-IT of any facts or circumstances of which You become aware that would make the above representations inaccurate in any respect.

10. Governing law / competent court. This Agreement is governed by the laws of the Netherlands. Any disputes that may arise are resolved by arbitration in accordance with the Arbitration Regulations of the Foundation for the Settlement of Automation Disputes (Stichting Geschillenoplossing Automatisering – SGOA – (www.sgoa.eu), this without prejudice to either party"s right to request preliminary relief in preliminary relief proceedings or arbitral preliminary relief proceedings. Arbitration proceedings take place in Amsterdam, or in any other place designated in the Arbitration Regulations. Arbitration shall take place in English.

[Schamper]

Hi @Kafow, sorry for the delay. Please give us a moment to review and check how we can best incorporate these changes to make sure everything works as intended!

[Kafow]

@DissectBot agree

[Kafow]

Hey, is there an update? @pyrco @Schamper

[pyrco]

Thanks for looking into the container close() functions! They have been waiting to be implemented, but so far we haven't yet gotten to that.

I think the best place to implement the functionality is in the respective file format implementations (e.g. QCow, VDI, etc.), and call their close() method, similar as how it is already done for AsdfContainer and EwfContainer. The file format implementations should be responsible for managing their resources as they know about the details of them. This becomes clear in case of VMDK later on.

Of course the SplitContainer is fully defined and managed here, so the close() you implemented there is ok.

A side note on AsdfContainer and EwfContainer: they already use the close() method of the underlying implementation, which in case of EwfContainer is effectively a no-op, so feel free to also look at that. The AsdfContainer.close() is even worse as the ASDF implementation it doesn't even have a close(), I'll create a bug for that on our internal ticketing system.

[Kafow]

I understand that from the library as a whole perspective and I mostly agree.
If I understand you correctly, I should open a PR in each of the underlying format implementations (e.g. qcow2 in dissect.hypervisor) and implement close over there right?
BTW, I tried to trace the close call of ASDF and EWF, and noticed that they are deriving it from dissect.utils.AlignedStream which is also doing nothing :)

https://github.com/fox-it/dissect.util/blob/fd72425d224b2220b3546d9f149103ae12479469/dissect/util/stream.py#L169-L171

Due to the fact every disk implementation is deriving from dissect.utils.AlignedStream, I suggest we create consistency between EWF, ASDF and the rest, and do the same to prepare for overriding close method in each disk implantation.

Suggested change

	self.qcow2.fh.close()
	self.qcow2.close()

[pyrco]

I looked a bit longer at the issue and have to revise my suggestion a bit.

As a general rule, you want the object that opens a file handle to be responsible for closing it, as that is where most information is available about what is going on with that file handle. The place this happens in the dissect code turns out to be more variable then I expected.

Most of the file handle opening happens in the Container sub-classes in dissect.target, so that is where the close() method should be implemented. However, most of the Container sub-classes (with the exception of SplitContainer) do not yet store the opened file handles in an instance variable, so that should be fixed.

There are 3 Container sub-classes that are an exception to this: AsdfContainer, VhdxContainer and VmdkContainer. Here the underlying container implementation of these 3 opens the file handle itself, it also may open other file handles. So for these 3 the close() method should be implemented in AsdfSnapshot (in target.evidence), VHDX and VMDK (both in target.hypervisor). These can then be called by the close() of their Container sub-class.

Finally there is the big exception on all of this that the Container sub-classes and those 3 underlying implementation classes also allow an already opened file handle to be passed. But that is something we can ignore for now.

I don't think AlignedStream is the right place to implement the close(), as it is just an abstract reader of an IO stream. It doesn't know anything about file handles, so it shouldn't concern itself with it.

[Kafow]

I think that before we get into fixing the issue of closing the file handles, we need to decide where should we open the file handle. Now the inconsistency between those 3 containers, and other container implementation is just making more confusion in the code and whose the one managing the resources.

IMO It should be in the container implementation due to how SplitContainer is implemented, but I might miss some other dissect use cases of disk implementation that such change might break.

And I totally agree that the file handle should be instance variable everywhere.

[pyrco]

When implementing it in the Container class, there are still the 3 execptions that need to do it in the underlying implementation (AsdfContainer, VhdxContainer and VmdkContainer). So for me it makes more sense to do it in the underlying implementation.

This would mean accepting Paths (and opening them) as well as open file handles. But that would be ok as we want the underlying implementations to be usable on their own. SplitContainer and RawContainer do not have an underlying implementation, so those two will need to implement the close() necessarily in their own class.

We could sub-class AlignedStream into something called AlignedFileStream which would implement the close() and an __init__() that deals with file Path(s) and open file handle(s) and keeps hem around.

One other thing that close() and __init__() need to do is to keep track of whether the file was opened by the instance or if an already open file handle was passed.

As AlignedStream (and also Container) is sub-classed from io.RawIOBase (resp. io.IOBase), close() will be called on destruction of an instance. Which is something that happens when the instance goes out of scope. If the instance was passed an already open file handle, it would be closed while the caller would not be aware of the closing, which would lead to all kinds of issues.

[pyrco]

VMDK.disks can have a .parent VMDK which also has .disks etc. These should also be iterated over and closed.