I'll still need to make this work with proxy v2.

In proxy v2, all requests go through the proxy, even in development mode, so there's only one code path to implement. When downloading files, we set stream: True in the request to the proxy, so it streams back the data on stdout, and if it errors, that'll go to stderr. Right now if we see an error in stderr, we bubble it up, so we'll want roughly the same loop you implemented, checking how many bytes we got and then retrying the request. See

Can we add test data to the securedrop to include a bigger file? And also a binary file, like maybe a 200kb image or something, since all the file uploads now are text?

Yep, that seems like a good idea, test data is currently generated by the loaddata.py script so adding stuff would go there.

I've rebased from the proxy-rusting branch (#1718), so the commits are starting to look messy. I've started to refactor the API code to support streaming, but I'm hitting an issue with using the new VCRAPI.

Specifically, in order for streaming responses to actually work, I've changed the type of StreamedResponse.contents from bytes to io.BufferReader:

@dataclass(frozen=True)
class StreamedResponse:
    """Container for streamed data along with the filename and ETag checksum sent by the server."""

    contents: BufferedReader
    sha256sum: str
    filename: str
    content_length: int

And I also made it so that when _send_json_request runs the subprocess, it runs subprocess.Popen if streaming, and subprocess.run if not streaming. This way the function can return stdout without reading all of the data, allowing it to be streamed.

The problem I'm hitting with VCRAPI is ultimately:

TypeError: cannot pickle '_io.BufferedReader' object

The VCR is trying to pickle a StreamedResponse, but since it contains the stdout for a running process, it just can't be done. I'm not sure the best way to proceed.

Since I'm be reviewing #1718 soon, and that's where VCRAPI was implemented, I think I may point this out there instead and possibly request changes.

The idea is that both StreamedResponse and JSONResponse are serializable, so we can save them in the YAML files for VCR.

Do we need to stream the bytes through _send_json_request? The way I was thinking was that _send_json_request would do all the requests, including multiple retries, buffering the received bytes and then return a single StreamedResponse with all the combined bytes at the end.

Do we need to stream the bytes through _send_json_request? The way I was thinking was that _send_json_request would do all the requests, including multiple retries, buffering the received bytes and then return a single StreamedResponse with all the combined bytes at the end.

Ahh okay, this makes a lot of sense. I'll try this out.

Actually, there's an issue with _send_json_request making all of the requests and returning a StreamedResponse with bytes.

download_submission is where the file is actually streamed to disk. If we do all of the requests and retries in _send_json_request and just return the bytes, this means the download must stream into memory first and can't be streamed directly to disk. For example, a 500mb submission would take 500mb of RAM to download, when it would only need one chunk size of RAM to stream directly to disk.

Does the client every download multiple submissions simultaneously? I could see multiple 500mb submissions causing a DOS on SDW, by exhausting the memory.

It might be a good idea to talk this through and figure out exactly how it should work.

Does the client every download multiple submissions simultaneously?

I think downloads are in series, but I agree with your general point that we should buffer downloads. And we have two use cases of of wanting to both serialize the raw bytes but also keep them out of memory and on disk.

Maybe we could do something like:

• have subprocess stream the bytes to a temporary file (like you proposed)
• return a file handle in StreamedResponse, that callers can do .read() on. (ideally this would be some kind of TemporaryFile class that automatically deletes off of disk once the variable is dropped)
• when StreamedResponse is serialized for VCRs, it reads from the file on disk, converts it to io.BytesIO, and serializes that? and unserializes to io.BytesIO as well.

What do you think?

My earlier rebase was extremely messy, so since proxy v2 to was merged into main, I cleaned up all of my commits (including writing detailed commit messages) and force pushed. This PR is now ready for review. Here are some things to consider:

I get DOWNLOAD_RETRY_LIMIT from QubesDB by subprocessing out to qubesdb-read, and it defaults to 3.

As we discussed above, the streaming and retrying now happens directly in _send_json_request. It streams to a temporary file on disk until the download is complete. However, after it's complete, it still loads the whole thing in memory in order to store in a StreamedResponse object:

# FIXME: For now, store the contents as bytes
fobj.seek(0)
contents = fobj.read()
fobj.close()

I didn't mess with the VCR cassette code to try to serialize file objects with .read() or anything, and it's still serializing bytes directly. Downloading a 500mb file will take 500mb of RAM still. However, if we want to change this approach in the future it should be simple.

Do you think we should change it in this PR, or punt that for the future?

This also includes two new tests:

• test_download_submission_autoresume: This downloads a submission, but it stubs subprocess.Popen to replace stdout with a fake stdout that writes up to 200 bytes and then raises a subprocess.TimeoutExpired exception the first time. Subsequent subprocess.Popen calls no longer used the stubbed version. This simulates a proxy subprocess that times out the first time, and then finishes the download with a subsequent range request the next time, that doesn't time out.
• test_download_submission_autoresume_fail: This stubs subprocess.Popen so that it will always time out, just to make sure that the timeout exception is still getting thrown when number of retries runs out.

@legoktm this should address everything. Here are the main changes:

• SD_DOWNLOAD_RETRY_LIMIT is loaded directly from QubesDB instead of by calling out to qubesdb-read

• The chunk size has been increased to 1024 bytes.

  But note that, in order for the tests to work, you now need to start the server with NUM_SOURCES=5 LOADDATA_ARGS="--random-file-size 3" make dev, since it requires tests files uploaded that are larger than 1KB, so it can be split into chunks. I've updated the readme at client/tests/sdk/README.md to include the new command to start the server, but I also noticed here that the readme is out of date -- it still has separate instructions for generating cassettes for API calls over HTTP and over qrexec, but it's all over subprocess to the proxy now. I haven't updated this, but maybe should.

• The tests use mocker instead of monkeypatching

• I've split the streaming code out of _send_json_request into _streaming_download. I've also split the JSONResponse handling code into _handle_json_response, since _streaming_download might need to return a JSONResponse too.

• I made a new test to ensure that streaming downloads will return a JSONResponse on errors.

Alright I think this is ready! I got the SDK tests to pass by this: 1a103a7

Yay, it looks good to me as well. I'll rebase and then do one more round of testing on Qubes before merging.

I set up a server with 50MB files, set 10 retries via qubesdb, start a large download, and then kill -9 the securedrop-proxy process in sd-proxy and it immediately fails instead of retrying. I'm trying to debug what's going wrong...

I figured out what was going on, and 1ee3538 fixes it now.

I added a bunch of debug logs, ran it in sd-app, tried downloading a large file over tor, and killed securedrop-proxy in the middle of the download. I discovered it was actually failing at this exception:

During the loop that reads chunks from the proc.stdout, it determines that the download is finished if the chunk is None:

It turns out, when the securedrop-proxy process is killed, proc.stdout.read() also returns None, even though the download isn't finished. But since it sets download_finished to True, the retry loop doesn't retry, it makes it to the end of the function, and throws the exception.

I fixed it by checking the process return code when it's done executing. If it's non-zero, I set download_finished to False, which allows the retry loop to continue until it's finished.

Also, I moved the block of code that reads the contents of the streaming file from disk to memory to below this return code check. Here's that code:

Since fobj is a tempfile, when fobj.close() is called, it deletes the file from disk, and that breaks the download if the retry had actually failed, so it can't delete the file from disk until after we're sure the download has succeeded.

This commits adds several new debug logs, but it will only get logged if you run securedrop-client like this: LOGLEVEL=DEBUG securedrop-client

Also when testing this, I actually killed the securedrop-proxy process twice for the same download, and watched it retry twice and still finish successfully.

Rebased to clear the safety alert...

The PR looks good! I successfully downloaded a ~50MB file over 3 requests. On the server side, I saw it responding with HTTP 206 for Partial Content.

I pushed one commit to make the value in QubesDB optional, thanks to Cory for reviewing. I'm going to do a partial squash and then merge this (once tests pass).