refactor: replace ps-based process handling with process manager

lib/Handler/CertificateEngine/CfsslHandler.php

@@ -22,6 +22,8 @@
 use OCA\Libresign\Service\CertificatePolicyService;
 use OCA\Libresign\Service\Crl\CrlRevocationChecker;
 use OCA\Libresign\Service\Install\InstallService;
+use OCA\Libresign\Service\Process\ProcessManager;
+use OCA\Libresign\Vendor\Symfony\Component\Process\Process;
 use OCP\Files\AppData\IAppDataFactory;
 use OCP\IAppConfig;
 use OCP\IConfig;
@@ -39,6 +41,7 @@
  */
 class CfsslHandler extends AEngineHandler implements IEngineHandler {
 	public const CFSSL_URI = 'http://127.0.0.1:8888/api/v1/cfssl/';
+	private const PROCESS_SOURCE = 'cfssl';
 
 	/** @var Client */
 	protected $client;
@@ -58,6 +61,7 @@ public function __construct(
 		protected CrlMapper $crlMapper,
 		protected LoggerInterface $logger,
 		CrlRevocationChecker $crlRevocationChecker,
+		private ProcessManager $processManager,
 	) {
 		parent::__construct(
 			$config,
@@ -245,10 +249,11 @@ private function gencert(): void {
 		$configPath = $this->getCurrentConfigPath();
 		$csrFile = $configPath . '/csr_server.json';
 
-		$cmd = escapeshellcmd($binary) . ' gencert -initca ' . escapeshellarg($csrFile);
-		$output = shell_exec($cmd);
+		$process = $this->createProcess([$binary, 'gencert', '-initca', $csrFile]);
+		$process->run();
+		$output = $process->getOutput();
 
-		if (!$output) {
+		if (!$process->isSuccessful() || $output === '') {
 			throw new \RuntimeException('cfssl without output.');
 		}
 
@@ -320,11 +325,26 @@ private function wakeUp(): void {
 			throw new LibresignException('CFSSL not configured.');
 		}
 		$this->cfsslServerHandler->updateExpirity($this->getCaExpiryInDays());
-		$cmd = 'nohup ' . $binary . ' serve -address=127.0.0.1 '
-			. '-ca-key ' . $configPath . DIRECTORY_SEPARATOR . 'ca-key.pem '
-			. '-ca ' . $configPath . DIRECTORY_SEPARATOR . 'ca.pem '
-			. '-config ' . $configPath . DIRECTORY_SEPARATOR . 'config_server.json > /dev/null 2>&1 & echo $!';
-		shell_exec($cmd);
+		$process = $this->createProcess([
+			$binary,
+			'serve',
+			'-address=127.0.0.1',
+			'-ca-key', $configPath . DIRECTORY_SEPARATOR . 'ca-key.pem',
+			'-ca', $configPath . DIRECTORY_SEPARATOR . 'ca.pem',
+			'-config', $configPath . DIRECTORY_SEPARATOR . 'config_server.json',
+		]);
+		$process->setOptions(['create_new_console' => true]);
+		$process->setTimeout(null);
+		$process->disableOutput();
+		$process->start();
+
+		$pid = (int)($process->getPid() ?? 0);
+		if ($pid > 0) {
+			$this->processManager->register(self::PROCESS_SOURCE, $pid, [
+				'uri' => $this->getCfsslUri(),
+			]);
+		}
+
 		$loops = 0;
 		while (!$this->portOpen() && $loops <= 4) {
 			sleep(1);
@@ -349,38 +369,37 @@ private function portOpen(): bool {
 	}
 
 	private function getServerPid(): int {
-		$cmd = 'ps -eo pid,command|';
-		$cmd .= 'grep "cfssl.*serve.*-address"|'
-			. 'grep -v grep|'
-			. 'grep -v defunct|'
-			. 'sed -e "s/^[[:space:]]*//"|cut -d" " -f1';
-		$output = shell_exec($cmd);
-		if (!is_string($output)) {
-			return 0;
-		}
-		$pid = trim($output);
-		return (int)$pid;
-	}
-
-	/**
-	 * Parse command
-	 *
-	 * Have commands that need to be executed as sudo otherwise don't will work,
-	 * by example the command runuser or kill. To prevent error when run in a
-	 * GitHub Actions, these commands are executed prefixed by sudo when exists
-	 * an environment called GITHUB_ACTIONS.
-	 */
-	private function parseCommand(string $command): string {
-		if (getenv('GITHUB_ACTIONS') !== false) {
-			$command = 'sudo ' . $command;
-		}
-		return $command;
+		$uri = $this->getCfsslUri();
+		return $this->processManager->findRunningPid(
+			self::PROCESS_SOURCE,
+			fn (array $entry): bool => ($entry['context']['uri'] ?? '') === $uri,
+		);
 	}
 
 	private function stopIfRunning(): void {
-		$pid = $this->getServerPid();
-		if ($pid > 0) {
-			exec($this->parseCommand('kill -9 ' . $pid));
+		$uri = $this->getCfsslUri();
+		$port = (int)(parse_url($uri, PHP_URL_PORT) ?? 0);
+		$this->processManager->setSourceHint(self::PROCESS_SOURCE, [
+			'uri' => $uri,
+			'port' => $port,
+		]);
+
+		$this->processManager->findRunningPid(
+			self::PROCESS_SOURCE,
+			fn (array $entry): bool => ($entry['context']['uri'] ?? '') === $uri,
+		);
+
+		foreach ($this->processManager->listRunning(self::PROCESS_SOURCE) as $entry) {
+			if (($entry['context']['uri'] ?? '') !== $uri) {
+				continue;
+			}
+
+			$pid = (int)($entry['pid'] ?? 0);
+			if ($pid <= 0) {
+				continue;
+			}
+			$this->processManager->stopPid($pid, SIGKILL);
+			$this->processManager->unregister(self::PROCESS_SOURCE, $pid);
 		}
 	}
 
@@ -452,8 +471,10 @@ private function checkBinaries(): array {
 					->setTip('Run occ libresign:install --cfssl'),
 			];
 		}
-		$version = shell_exec("$binary version");
-		if (!is_string($version) || empty($version)) {
+		$process = $this->createProcess([$binary, 'version']);
+		$process->run();
+		$version = $process->getOutput();
+		if (!$process->isSuccessful() || empty($version)) {
 			return [
 				(new ConfigureCheckHelper())
 					->setErrorMessage(sprintf(
@@ -502,6 +523,13 @@ private function checkBinaries(): array {
 		return $return;
 	}
 
+	/**
+	 * @param string[] $command
+	 */
+	protected function createProcess(array $command): Process {
+		return new Process($command);
+	}
+
 	/**
 	 * Get Authority Key Identifier from certificate (needed for CFSSL revocation)
 	 *

lib/Migration/StopRunningWorkers.php

@@ -8,14 +8,16 @@
 
 namespace OCA\Libresign\Migration;
 
-use OCA\Libresign\Service\Worker\WorkerStopper;
+use OCA\Libresign\Service\Process\ProcessManager;
 use OCP\Migration\IOutput;
 use OCP\Migration\IRepairStep;
 use Psr\Log\LoggerInterface;
 
 class StopRunningWorkers implements IRepairStep {
+	private const PROCESS_SOURCE = 'worker';
+
 	public function __construct(
-		private WorkerStopper $stopper,
+		private ProcessManager $processManager,
 		private LoggerInterface $logger,
 	) {
 	}
@@ -28,7 +30,7 @@ public function getName(): string {
 	#[\Override]
 	public function run(IOutput $output): void {
 		try {
-			$stopped = $this->stopper->stopAll();
+			$stopped = $this->processManager->stopAll(self::PROCESS_SOURCE, SIGTERM);
 			if ($stopped > 0) {
 				$output->info('Stopped ' . $stopped . ' LibreSign worker(s).');
 			}

lib/Service/Install/InstallService.php

@@ -21,7 +21,9 @@
 use OCA\Libresign\Handler\CertificateEngine\CfsslHandler;
 use OCA\Libresign\Handler\CertificateEngine\IEngineHandler;
 use OCA\Libresign\Service\CaIdentifierService;
+use OCA\Libresign\Service\Process\ProcessManager;
 use OCA\Libresign\Vendor\LibreSign\WhatOSAmI\OperatingSystem;
+use OCA\Libresign\Vendor\Symfony\Component\Process\Process;
 use OCP\Files\AppData\IAppDataFactory;
 use OCP\Files\IAppData;
 use OCP\Files\NotFoundException;
@@ -37,7 +39,6 @@
 use RuntimeException;
 use Symfony\Component\Console\Helper\ProgressBar;
 use Symfony\Component\Console\Output\OutputInterface;
-use Symfony\Component\Process\Process;
 
 class InstallService {
 	use TSimpleFile {
@@ -52,6 +53,7 @@ class InstallService {
 	public const JSIGNPDF_VERSION = '2.3.0'; /** @todo When update, verify the hash **/
 	private const JSIGNPDF_HASH = 'd239658ea50a39eb35169d8392feaffb';
 	public const CFSSL_VERSION = '1.6.5';
+	private const PROCESS_SOURCE = 'install';
 
 	private ICache $cache;
 	private ?OutputInterface $output = null;
@@ -77,6 +79,7 @@ public function __construct(
 		private SignSetupService $signSetupService,
 		protected IAppDataFactory $appDataFactory,
 		private CaIdentifierService $caIdentifierService,
+		private ProcessManager $processManager,
 	) {
 		$this->cache = $cacheFactory->createDistributed('libresign-setup');
 		$this->appData = $appDataFactory->get('libresign');
@@ -145,18 +148,28 @@ private function getDataDir(): string {
 
 	private function runAsync(): void {
 		$resource = $this->resource;
-		$process = new Process([OC::$SERVERROOT . '/occ', 'libresign:install', '--' . $resource]);
+		$process = $this->createProcess([OC::$SERVERROOT . '/occ', 'libresign:install', '--' . $resource]);
 		$process->setOptions(['create_new_console' => true]);
 		$process->setTimeout(null);
 		$process->start();
 		$data['pid'] = $process->getPid();
 		if ($data['pid']) {
+			$this->processManager->register(self::PROCESS_SOURCE, (int)$data['pid'], [
+				'resource' => $resource,
+			]);
 			$this->setCache($resource, $data);
 		} else {
 			$this->logger->error('Error to get PID of background install proccess. Command: ' . OC::$SERVERROOT . '/occ libresign:install --' . $resource);
 		}
 	}
 
+	/**
+	 * @param string[] $command
+	 */
+	protected function createProcess(array $command): Process {
+		return new Process($command);
+	}
+
 	private function progressToDatabase(int $downloadSize, int $downloaded): void {
 		$data = $this->getProressData();
 		$data['download_size'] = $downloadSize;
@@ -295,27 +308,27 @@ public function isDownloadWip(): bool {
 	}
 
 	private function getInstallPid(int $pid = 0): int {
+		$resource = $this->resource;
 		if ($pid > 0) {
-			if (shell_exec('which ps') === null) {
-				if (is_dir('/proc/' . $pid)) {
-					return $pid;
-				}
-				return 0;
+			$registeredPid = $this->processManager->findRunningPid(
+				self::PROCESS_SOURCE,
+				fn (array $entry): bool
+					=> $entry['pid'] === $pid
+					&& ($entry['context']['resource'] ?? '') === $resource,
+			);
+
+			if ($registeredPid > 0) {
+				return $registeredPid;
 			}
-			$cmd = 'ps -p ' . $pid . ' -o pid,command|';
-		} else {
-			$cmd = 'ps -eo pid,command|';
-		}
-		$cmd .= 'grep "libresign:install --' . $this->resource . '"|'
-			. 'grep -v grep|'
-			. 'grep -v defunct|'
-			. 'sed -e "s/^[[:space:]]*//"|cut -d" " -f1';
-		$output = shell_exec($cmd);
-		if (!is_string($output)) {
+
+			$this->processManager->unregister(self::PROCESS_SOURCE, $pid);
 			return 0;
 		}
-		$pid = trim($output);
-		return (int)$pid;
+
+		return $this->processManager->findRunningPid(
+			self::PROCESS_SOURCE,
+			fn (array $entry): bool => ($entry['context']['resource'] ?? '') === $resource,
+		);
 	}
 
 	public function setResource(string $resource): self {