android: use SAF for storing Taildropped files

[kari-ts]

Use Android Storage Access Framework for receiving Taildropped files.

-Add a picker to allow users to select where Taildropped files go
-If no directory is selected, internal app storage is used
-Provide SAF API for Go to use when writing and renaming files
-Provide Android FileOps implementation

Updates tailscale/tailscale#15263

[ghost]

Pull Request Revisions

Revision	Description
r20	Added Storage Access Framework file handling Implemented advanced file handling for Taildrop using Storage Access Framework, including directory selection, persistent URI storage, and file stream management across multiple Android components.
r19	Removed unused variable in backend Deleted an unused variable from the GetExt method before the conditional check in the backend initialization
r18	Added SAF directory selection for Taildrop Enhanced Android app to support Storage Access Framework (SAF) directory selection for Taildrop file sharing, with persistent URI storage and backend restart mechanisms
r17	Updated Tailscale dependency version Added a new Tailscale module version 1.83.0-pre.0 to the project's go.sum file
r16	Implemented Storage Access Framework support Added Storage Access Framework support for Taildrop file sharing, enabling user-selected download directories and persistent file access permissions

15 more revisions

r15	Removed Creachadair taskgroup dependency Deleted github.com/creachadair/taskgroup package from go.sum, removing this specific dependency from the project
r14	Removed eventbus from netmon initialization Simplified netmon.New() call by removing eventbus parameter and associated bus.Close() deferred call
r13	Removed several dependency modules Deleted Prometheus, goautoneg, and protobuf dependencies from go.mod and go.sum files
r12	Added Storage Access Framework file handling Implemented comprehensive Storage Access Framework (SAF) support for file operations in Android, including directory selection, file writing, and renaming, with modifications to App, MainActivity, and backend systems to enable flexible Taildrop file handling
r11	Updated Go toolchain revision hash Replaced Go toolchain revision hash with a new commit identifier
r10	Module dependencies updated and upgraded Updated Go module dependencies, including Prometheus client, crypto, and system libraries to newer versions
r9	No changes since last revision
r8	Added Storage Access Framework file support Implemented Storage Access Framework (SAF) file handling for Android, enabling flexible file storage selection and management for Taildrop file transfers with support for dynamic directory selection and URI persistence.
r7	Implemented Storage Access Framework support Added Storage Access Framework (SAF) support for Taildrop file sharing, enabling users to choose custom download directories and improving file management across Android versions
r6	Removed duplicate Tailscale start method Removed redundant startLibtailscale call and removed local Tailscale module replacement in go.mod
r5	Updated Android file sharing implementation Refactored ShareFileHelper and file operations with improved error handling, stream management, and added OutputStreamAdapter for Java-Go interoperability
r4	Code formatting and import reordering Performed consistent code formatting in Kotlin files, including import reorganization and whitespace alignment
r3	Improved file handling and error management Enhanced ShareFileHelper and MainViewModel with robust file URI validation, better error handling, and more comprehensive file operations in Android implementation
r2	Refactored ShareFileHelper and file handling Updated ShareFileHelper with new methods, improved file descriptor handling, added caching for file creation, and modified Android file operations interface
r1	Added Storage Access Framework support Implemented SAF file sharing mechanism for Taildrop, with file operations, directory selection, and persistent URI storage

---

☑️ AI review skipped after 5 revisions, comment with `/review` to review again

Help

React with emojis to give feedback on AI-generated reviews:

• 👍 means the feedback was helpful and actionable
• 👎 means the feedback was incorrect or unhelpful

💬 Replying to feedback with a comment helps us improve the system. Your input also contributes to shaping future interactions with the AI reviewer.

We'd love to hear from you—reach out anytime at [email protected].

[ghost]

The showDirectoryPickerLauncher() call is made inside a viewModelScope.launch block during toggleVpn. Was this intentional? It could cause the directory picker to appear unexpectedly during VPN toggling, which might confuse users.

[barnstar]

I kind of agree with Skynet here. An actionable error message might be a less disruptive. Perhaps modelled after health warnings. Along with knowing where Taildrop files go (or don't go) and being able to change that in Settings after the fact.

...but this will do for now.

[kari-ts]

100%

[ghost]

After launching the directory picker, the function returns immediately. However, there's no indication that the function will be called again after the picker completes. Consider adding a callback mechanism to ensure the flow continues appropriately after directory selection.

[ghost]

In SetShareFileHelper in interfaces.go, the current implementation handles a full channel by draining and adding the new value, but it could potentially lose an unprocessed helper. Is a buffered channel size of 1 sufficient, or should it be increased to handle more concurrent operations?

[ghost]

There's a missing format argument in SendLog function in interfaces.go. The log.Printf call uses '%v' but doesn't include the logstr variable in the argument list, which would cause a runtime error.

[barnstar]

Couple of nits, but looks good.

Small concern about the annoyance of popping up a forced picker, but allow users to know that the Taildrop dest is set/unset in Settings and set/change it and perhaps pop up a heath-esque warning if it's unset or unwritable but I understand that adds a bunch of complexity. Also unsure about AndroidTV and whether any of this is relevant.

[barnstar]

I kind of agree with Skynet here. An actionable error message might be a less disruptive. Perhaps modelled after health warnings. Along with knowing where Taildrop files go (or don't go) and being able to change that in Settings after the fact.

...but this will do for now.

[barnstar]

Seems like a lot of work to move a file but I image there's no alternative?

[barnstar]

Are incoming Taildrop files relevant on Android TV? They are not on AppleTV. If the user can actually pick a directory and use the files - all good - otherwise we should skip the dialog.

[kari-ts]

good call. gating it with an AndroidTV check

[ghost]

The streamCache in ShareFileHelper could grow indefinitely since entries are never removed. This might lead to memory leaks if many files are created. Consider adding a cleanup mechanism that removes entries after they're no longer needed or implements an LRU cache with size limits.

[ghost]

The init function in ShareFileHelper doesn't handle URI validation. If an invalid URI is passed, it will be stored and used, potentially causing errors later. Consider adding validation to prevent storing invalid URIs.

[ghost]

The createStreamCached method always creates a file even when merely getting the URI in openFileURI. This could lead to empty files being created unnecessarily. Consider separating the file creation from URI retrieval or implementing lazy file creation.

[ghost]

In the renamePartialFile method, there's no validation if the target directory is writable before attempting operations. This could lead to failures during file operations. Consider checking write permissions to the target directory before proceeding.

[ghost]

The SafStream class doesn't implement proper resource management. If a file is cached but not used for a while, the underlying stream may be closed by the OS or could hold system resources unnecessarily. Consider adding a mechanism to close idle streams after a timeout period.

[ghost]

The renamePartialFile method could fail silently if DocumentFile.fromSingleUri(context, partialUriObj)?.delete() returns false or null. This might leave orphaned temporary files. Consider checking the return value and logging a warning.

[ghost]

The generateNewFilename method uses UUID which is better than a timestamp, but it adds the UUID after the base filename. Consider using a more human-readable format where the original filename is still easily recognizable. For example, appending a shorter unique identifier with a timestamp like $baseName-$timestamp-$shortId$extension would make sorting and identification easier.

[ghost]

In libtailscale/backend.go, the directFileRoot value is set during initialization and there's a setDirectFileRoot method, but there's no synchronization mechanism when changing this value. If setDirectFileRoot is called while file operations are in progress, it could lead to race conditions or inconsistent behavior. Consider adding proper synchronization or ensuring the value can only be changed when no file operations are active.

[ghost]

There's potential for resource leakage in the streamCache. The OutputStreamAdapter returned from openFileWriter has no mechanism to remove entries from the cache when the stream is closed. This can lead to accumulating stale streams and growing memory usage. Consider implementing a reference counting or purging mechanism for closed streams.

[ghost]

In the MainActivity.kt directoryPickerLauncher, there's a missing call to app.getStoredDirectoryUri() when the user selects a valid URI. This might cause inconsistent behavior where the URI is stored but not properly retrieved on app restart. Consider updating App.getStoredDirectoryUri() to handle the saved URI correctly.

[ghost]

The SetDirectFileRoot function sends to onFilePath channel without checking if there are receivers. Consider adding a select statement with a default case to prevent blocking if no goroutine is receiving from this channel. This could block the UI thread if the Go side isn't ready to receive.

[ghost]

There's a documentation issue in interfaces.go where the comment for OutputStream likely has incorrect information. It appears to be copied from InputStream without proper modification.

[ghost]

The infinite goroutine in backend.go that listens to onFilePath channel doesn't have any cancellation mechanism. This could lead to a goroutine leak if the backend is recreated multiple times during app lifecycle. Consider using a context or a done channel for proper cleanup.

[ghost]

The SetDirectFileRoot function in interfaces.go sends to onFilePath channel without a non-blocking fallback. If the receiving goroutine isn't running yet, this will block the UI thread. Consider using a buffered channel or adding a select with a default case.

[ghost]

The streamCache in ShareFileHelper doesn't have any mechanism to remove entries when the stream is closed. This can lead to memory leaks as stale entries accumulate over time. Consider implementing a cleanup mechanism in the close() method of OutputStreamAdapter to remove its entry from the cache.

[ghost]

In the OutputStreamAdapter.write method, the return value is always data.size.toLong() regardless of how many bytes were actually written. Java's OutputStream.write might write fewer bytes than requested. Consider capturing the actual bytes written or ensuring the entire buffer is written (possibly with multiple calls).

[ghost]

In RenamePartialFile in fileops.go, the empty string check doesn't distinguish between the file not being found and other errors. Consider returning a more specific error message to help with debugging.

[ghost]

In libtailscale/callbacks.go, the onFilePath channel is unbuffered. Since SetDirectFileRoot doesn't have a non-blocking fallback, it could deadlock if called before the receiving goroutine is started. Consider using a buffered channel similar to onShareFileHelper.

[ghost]

The infinite goroutine in backend.go that listens for filepath changes has no cancellation mechanism. If the App is created multiple times during the application lifecycle, this will leak goroutines. Consider adding a context with cancellation and a done channel to properly terminate this goroutine when it's no longer needed.

[ghost]

The error handling in RenamePartialFile method is opaque. The empty string check doesn't distinguish between different error conditions that might occur on the Android side. Consider having the Android helper return error details along with the URI to enable more specific error messages and troubleshooting.

[ghost]

The SetDirectFileRoot function sends to the onFilePath channel without a non-blocking pattern. If no goroutine is currently receiving from this channel, calls to this function will block indefinitely. Consider using a select with a default case similar to what's used in the SetShareFileHelper function.

[ghost]

In RenamePartialFile method of ShareFileHelper.kt, try and catch blocks are being used, but some exceptions are being silently ignored with just an empty string return. This can make debugging difficult. Consider logging exceptions at minimum or propagating a more descriptive error.

[ghost]

The implementation of SetShareFileHelper and SetDirectFileRoot have different channel handling approaches. SetShareFileHelper has non-blocking fallbacks with proper draining, while SetDirectFileRoot sends directly to the channel which could block. Consider standardizing the pattern across both functions to prevent potential deadlocks.

[ghost]

The ShareFileHelper.kt class doesn't handle concurrent access to its caches. If multiple threads access streamCache or fileCache simultaneously, there could be race conditions. Consider using thread-safe collections like ConcurrentHashMap instead of regular HashMap for these shared resources.

[ghost]

The Taildrop directory URI persistence lacks verification on app startup. If the URI is no longer valid (e.g., directory deleted or permissions revoked), the app will silently fail when trying to access it. Consider adding validation when loading the URI from preferences and providing a fallback mechanism.