foster/denoland-deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-22 15:06:54 -05:00
Code Issues Packages 1 Wiki Activity
denoland-deno/runtime/permissions/lib.rs

3678 lines
105 KiB
Rust
Raw Normal View History

chore: update copyright to 2024 (#21753)
2024-01-01 14:58:21 -05:00
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
use deno_core::anyhow::Context;
refactor: use the 'anyhow' crate instead of 'ErrBox' (#7476)
2020-09-14 12:48:57 -04:00
use deno_core::error::custom_error;
refactor(cli): use shared sys kind parser in flags.rs (#16087)
2022-09-29 06:34:16 -04:00
use deno_core::error::type_error;
refactor: use the 'anyhow' crate instead of 'ErrBox' (#7476)
2020-09-14 12:48:57 -04:00
use deno_core::error::uri_error;
use deno_core::error::AnyError;
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
use deno_core::normalize_path;
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
use deno_core::parking_lot::Mutex;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
use deno_core::serde::de;
chore(cli/runtime): use re-export serde from deno_core (#9599)
2021-02-25 15:18:35 -05:00
use deno_core::serde::Deserialize;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
use deno_core::serde::Deserializer;
chore(cli/runtime): use re-export serde from deno_core (#9599)
2021-02-25 15:18:35 -05:00
use deno_core::serde::Serialize;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
use deno_core::serde_json;
fix(cli): update permission prompt message for compiled binaries (#24081) Co-authored-by: David Sherret <dsherret@gmail.com>
2024-08-19 21:20:06 -04:00
use deno_core::unsync::sync::AtomicFlag;
Re-export deno_core::url (#7525) Also re-exports deno_core::futures and deno_core::serde_json but these are not yet used in the CLI.
2020-09-16 14:28:07 -04:00
use deno_core::url;
refactor(node/http): don't use readablestream for writing to request (#19282) Refactors the internal usage of a readablestream to write to the resource directly --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-05-27 09:42:20 -04:00
use deno_core::url::Url;
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
use deno_core::ModuleSpecifier;
refactor: extract out `runtime::colors` to `deno_terminal::colors` (#22324)
2024-02-07 11:25:14 -05:00
use deno_terminal::colors;
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
use fqdn::FQDN;
refactor: use `once_cell` instead of `lazy_static` (#13135)
2021-12-18 16:14:42 -05:00
use once_cell::sync::Lazy;
chore: upgrade to Rust 1.70.0 (#19345) Co-authored-by: linbingquan <695601626@qq.com>
2023-06-05 20:35:39 -04:00
use std::borrow::Cow;
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
use std::collections::HashSet;
feat(runtime): Allow embedders to perform additional access checks on file open (#23208) Embedders may have special requirements around file opening, so we add a new `check_open` permission check that is called as part of the file open process.
2024-04-19 20:12:03 -04:00
use std::ffi::OsStr;
More permissions prompt options (#1926)
2019-03-18 16:46:23 -04:00
use std::fmt;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
use std::fmt::Debug;
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
use std::hash::Hash;
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
use std::net::IpAddr;
use std::net::Ipv6Addr;
chore: use rustfmt imports_granularity option (#17421) Closes https://github.com/denoland/deno/issues/2699 Closes https://github.com/denoland/deno/issues/2347 Uses unstable rustfmt features. Since dprint invokes `rustfmt` we do not need to switch the cargo toolchain to nightly. Do we care about formatting stability of our codebase across Rust versions? (I don't)
2023-01-14 23:18:58 -05:00
use std::path::Path;
use std::path::PathBuf;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
use std::string::ToString;
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
use std::sync::Arc;
More permissions prompt options (#1926)
2019-03-18 16:46:23 -04:00
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
pub mod prompter;
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
use prompter::permission_prompt;
use prompter::PromptResponse;
use prompter::PERMISSION_EMOJI;
pub use prompter::set_prompt_callbacks;
pub use prompter::PromptCallback;
feat: log permission access (#2518) Replaces -D/--log-debug flag with --log-level=debug --log-level=info displays permission access
2019-06-22 12:02:51 -04:00
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
/// Fast exit from permission check routines if this permission
/// is in the "fully-granted" state.
macro_rules! skip_check_if_is_permission_fully_granted {
($this:ident) => {
if $this.is_allow_all() {
return Ok(());
}
};
}
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
#[inline]
fn resolve_from_cwd(path: &Path) -> Result<PathBuf, AnyError> {
if path.is_absolute() {
Ok(normalize_path(path))
} else {
#[allow(clippy::disallowed_methods)]
let cwd = std::env::current_dir()
.context("Failed to get current working directory")?;
Ok(normalize_path(cwd.join(path)))
}
}
refactor: use `once_cell` instead of `lazy_static` (#13135)
2021-12-18 16:14:42 -05:00
static DEBUG_LOG_ENABLED: Lazy<bool> =
Lazy::new(|| log::log_enabled!(log::Level::Debug));
perf(ops): optimize permission check (#11800) * perf(ops): optimize permission check Removes the overhead of permission check on access granted (should be common case): Delta measured on `perf_now` from `deno_common` bench: - before: `528ns/op - after: `166ns/op` So ~3x faster
2021-09-22 18:45:58 -04:00
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
/// Quadri-state value for storing permission state
chore: update Rust to 1.68.0 (#18102)
2023-03-09 14:18:00 -05:00
#[derive(
Eq, PartialEq, Default, Debug, Clone, Copy, Deserialize, PartialOrd,
)]
refactor: Elevate DenoPermissions lock to top level (#3398)
2019-11-24 10:42:30 -05:00
pub enum PermissionState {
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
Granted = 0,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
GrantedPartial = 1,
chore: update Rust to 1.68.0 (#18102)
2023-03-09 14:18:00 -05:00
#[default]
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Prompt = 2,
Denied = 3,
}
/// `AllowPartial` prescribes how to treat a permission which is partially
/// denied due to a `--deny-*` flag affecting a subscope of the queried
/// permission.
///
/// `TreatAsGranted` is used in place of `TreatAsPartialGranted` when we don't
/// want to wastefully check for partial denials when, say, checking read
/// access for a file.
#[derive(Debug, Eq, PartialEq)]
#[allow(clippy::enum_variant_names)]
enum AllowPartial {
TreatAsGranted,
TreatAsDenied,
TreatAsPartialGranted,
}
impl From<bool> for AllowPartial {
fn from(value: bool) -> Self {
if value {
Self::TreatAsGranted
} else {
Self::TreatAsDenied
}
}
More permissions prompt options (#1926)
2019-03-18 16:46:23 -04:00
}
refactor: Elevate DenoPermissions lock to top level (#3398)
2019-11-24 10:42:30 -05:00
impl PermissionState {
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
#[inline(always)]
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
fn log_perm_access(name: &str, info: impl FnOnce() -> Option<String>) {
perf(ops): optimize permission check (#11800) * perf(ops): optimize permission check Removes the overhead of permission check on access granted (should be common case): Delta measured on `perf_now` from `deno_common` bench: - before: `528ns/op - after: `166ns/op` So ~3x faster
2021-09-22 18:45:58 -04:00
// Eliminates log overhead (when logging is disabled),
// log_enabled!(Debug) check in a hot path still has overhead
// TODO(AaronO): generalize or upstream this optimization
if *DEBUG_LOG_ENABLED {
log::debug!(
"{}",
colors::bold(&format!(
"{} Granted {}",
PERMISSION_EMOJI,
Self::fmt_access(name, info)
))
);
}
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
}
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
fn fmt_access(name: &str, info: impl FnOnce() -> Option<String>) -> String {
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
format!(
"{} access{}",
name,
refactor: remove usages of `map_or` / `map_or_else` (#18212) These methods are confusing because the arguments are backwards. I feel like they should have never been added to `Option<T>` and that clippy should suggest rewriting to `map(...).unwrap_or(...)`/`map(...).unwrap_or_else(|| ...)` https://github.com/rust-lang/rfcs/issues/1025
2023-03-15 17:46:36 -04:00
info()
.map(|info| { format!(" to {info}") })
.unwrap_or_default(),
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
)
}
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
fn error(name: &str, info: impl FnOnce() -> Option<String>) -> AnyError {
fix(cli): update permission prompt message for compiled binaries (#24081) Co-authored-by: David Sherret <dsherret@gmail.com>
2024-08-19 21:20:06 -04:00
let msg = if is_standalone() {
format!(
"Requires {}, specify the required permissions during compilation using `deno compile --allow-{}`",
Self::fmt_access(name, info),
name
)
} else {
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
format!(
"Requires {}, run again with the --allow-{} flag",
Self::fmt_access(name, info),
name
fix(cli): update permission prompt message for compiled binaries (#24081) Co-authored-by: David Sherret <dsherret@gmail.com>
2024-08-19 21:20:06 -04:00
)
};
custom_error("PermissionDenied", msg)
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
}
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
/// Check the permission state. bool is whether a prompt was issued.
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
#[inline]
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
fn check(
self,
name: &str,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name: Option<&str>,
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
info: Option<&str>,
prompt: bool,
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
) -> (Result<(), AnyError>, bool, bool) {
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
self.check2(name, api_name, || info.map(|s| s.to_string()), prompt)
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
}
#[inline]
fn check2(
self,
name: &str,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name: Option<&str>,
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
info: impl Fn() -> Option<String>,
prompt: bool,
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
) -> (Result<(), AnyError>, bool, bool) {
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
match self {
PermissionState::Granted => {
Self::log_perm_access(name, info);
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
(Ok(()), false, false)
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
}
PermissionState::Prompt if prompt => {
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
let msg = format!(
"{} access{}",
name,
refactor: remove usages of `map_or` / `map_or_else` (#18212) These methods are confusing because the arguments are backwards. I feel like they should have never been added to `Option<T>` and that clippy should suggest rewriting to `map(...).unwrap_or(...)`/`map(...).unwrap_or_else(|| ...)` https://github.com/rust-lang/rfcs/issues/1025
2023-03-15 17:46:36 -04:00
info()
.map(|info| { format!(" to {info}") })
.unwrap_or_default(),
perf(runtime): optimize allocations in read/write checks (#15631)
2022-08-27 11:20:05 -04:00
);
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
match permission_prompt(&msg, name, api_name, true) {
PromptResponse::Allow => {
Self::log_perm_access(name, info);
(Ok(()), true, false)
}
PromptResponse::AllowAll => {
Self::log_perm_access(name, info);
(Ok(()), true, true)
}
PromptResponse::Deny => (Err(Self::error(name, info)), true, false),
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
}
}
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
_ => (Err(Self::error(name, info)), false, false),
perf(runtime): optimize PermissionState::check (#9993)
2021-04-12 07:24:41 -04:00
}
Add permissions.request (#3296)
2019-11-11 10:33:29 -05:00
}
}
refactor: Elevate DenoPermissions lock to top level (#3398)
2019-11-24 10:42:30 -05:00
impl fmt::Display for PermissionState {
More permissions prompt options (#1926)
2019-03-18 16:46:23 -04:00
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
PermissionState::Granted => f.pad("granted"),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
PermissionState::GrantedPartial => f.pad("granted-partial"),
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
PermissionState::Prompt => f.pad("prompt"),
PermissionState::Denied => f.pad("denied"),
More permissions prompt options (#1926)
2019-03-18 16:46:23 -04:00
}
}
}
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Clone, Debug, Eq, PartialEq)]
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
pub struct UnitPermission {
pub name: &'static str,
pub description: &'static str,
pub state: PermissionState,
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
pub prompt: bool,
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
}
impl UnitPermission {
pub fn query(&self) -> PermissionState {
self.state
}
pub fn request(&mut self) -> PermissionState {
if self.state == PermissionState::Prompt {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
if PromptResponse::Allow
== permission_prompt(
&format!("access to {}", self.description),
self.name,
Some("Deno.permissions.query()"),
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
false,
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
)
{
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
self.state = PermissionState::Granted;
} else {
self.state = PermissionState::Denied;
}
}
self.state
}
pub fn revoke(&mut self) -> PermissionState {
if self.state == PermissionState::Granted {
self.state = PermissionState::Prompt;
}
self.state
}
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
pub fn check(&mut self) -> Result<(), AnyError> {
feat(permissions): grant all permission for a group in permission prompt (#17140) This commit adds new "A" option to the interactive permission prompt, that will allow all subsequent permissions for given group (domain). Ie. when querying for permissions to access eg. env variables responding with "A" will allow access to all environmental variables. This works for all permission domains and should make permission prompts more ergonomic for users.
2023-02-22 17:02:10 -05:00
let (result, prompted, _is_allow_all) =
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
self.state.check(self.name, None, None, self.prompt);
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
if prompted {
if result.is_ok() {
self.state = PermissionState::Granted;
} else {
self.state = PermissionState::Denied;
}
}
result
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn create_child_permissions(
&mut self,
flag: ChildUnitPermissionArg,
) -> Result<Self, AnyError> {
let mut perm = self.clone();
match flag {
ChildUnitPermissionArg::Inherit => {
// copy
}
ChildUnitPermissionArg::Granted => {
if self.check().is_err() {
return Err(escalation_error());
}
perm.state = PermissionState::Granted;
}
ChildUnitPermissionArg::NotGranted => {
perm.state = PermissionState::Prompt;
}
}
if self.state == PermissionState::Denied {
perm.state = PermissionState::Denied;
}
Ok(perm)
}
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
}
fix: worker environment permissions should accept an array (#12250)
2021-09-30 15:50:59 -04:00
/// A normalized environment variable name. On Windows this will
/// be uppercase and on other platforms it will stay as-is.
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
fix: worker environment permissions should accept an array (#12250)
2021-09-30 15:50:59 -04:00
struct EnvVarName {
inner: String,
}
impl EnvVarName {
pub fn new(env: impl AsRef<str>) -> Self {
Self {
inner: if cfg!(windows) {
env.as_ref().to_uppercase()
} else {
env.as_ref().to_string()
},
}
}
}
impl AsRef<str> for EnvVarName {
fn as_ref(&self) -> &str {
self.inner.as_str()
}
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
pub trait Descriptor: Eq + Clone + Hash {
type Arg: From<String>;
/// Parse this descriptor from a list of Self::Arg, which may have been converted from
/// command-line strings.
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(list: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError>;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
/// Generic check function to check this descriptor against a `UnaryPermission`.
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError>;
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str;
fn name(&self) -> Cow<str>;
// By default, specifies no-stronger-than relationship.
// As this is not strict, it's only true when descriptors are the same.
fn stronger_than(&self, other: &Self) -> bool {
self == other
}
}
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Clone, Debug, Eq, PartialEq)]
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub struct UnaryPermission<T: Descriptor + Hash> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
granted_global: bool,
granted_list: HashSet<T>,
flag_denied_global: bool,
flag_denied_list: HashSet<T>,
prompt_denied_global: bool,
prompt_denied_list: HashSet<T>,
prompt: bool,
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
}
feat(cli): deserialize Permissions from JSON (#5779)
2020-05-29 07:00:47 -04:00
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl<T: Descriptor + Hash> Default for UnaryPermission<T> {
fn default() -> Self {
UnaryPermission {
granted_global: Default::default(),
granted_list: Default::default(),
flag_denied_global: Default::default(),
flag_denied_list: Default::default(),
prompt_denied_global: Default::default(),
prompt_denied_list: Default::default(),
prompt: Default::default(),
}
}
}
impl<T: Descriptor + Hash> UnaryPermission<T> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
pub fn allow_all() -> Self {
Self {
granted_global: true,
..Default::default()
}
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
pub fn is_allow_all(&self) -> bool {
self.granted_global
&& self.flag_denied_list.is_empty()
&& self.prompt_denied_list.is_empty()
}
pub fn check_all_api(
&mut self,
api_name: Option<&str>,
) -> Result<(), AnyError> {
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn check_desc(
&mut self,
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
desc: Option<&T>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_non_partial: bool,
api_name: Option<&str>,
get_display_name: impl Fn() -> Option<String>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
let (result, prompted, is_allow_all) = self
fix(runtime): negate partial condition for deny flags (#22866)
2024-03-12 18:12:29 -04:00
.query_desc(desc, AllowPartial::from(!assert_non_partial))
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.check2(
T::flag_name(),
api_name,
|| match get_display_name() {
Some(display_name) => Some(display_name),
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
None => desc.map(|d| format!("\"{}\"", d.name())),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
},
self.prompt,
);
if prompted {
if result.is_ok() {
if is_allow_all {
self.insert_granted(None);
} else {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.insert_granted(desc.cloned());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
} else {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.insert_prompt_denied(desc.cloned());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
}
result
}
fn query_desc(
&self,
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
desc: Option<&T>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
allow_partial: AllowPartial,
) -> PermissionState {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
if self.is_flag_denied(desc) || self.is_prompt_denied(desc) {
PermissionState::Denied
} else if self.is_granted(desc) {
match allow_partial {
AllowPartial::TreatAsGranted => PermissionState::Granted,
AllowPartial::TreatAsDenied => {
if self.is_partial_flag_denied(desc) {
PermissionState::Denied
} else {
PermissionState::Granted
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
}
AllowPartial::TreatAsPartialGranted => {
if self.is_partial_flag_denied(desc) {
PermissionState::GrantedPartial
} else {
PermissionState::Granted
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
}
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
} else if matches!(allow_partial, AllowPartial::TreatAsDenied)
&& self.is_partial_flag_denied(desc)
{
PermissionState::Denied
} else {
PermissionState::Prompt
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
}
fn request_desc(
&mut self,
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
desc: Option<&T>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
get_display_name: impl Fn() -> Option<String>,
) -> PermissionState {
let state = self.query_desc(desc, AllowPartial::TreatAsPartialGranted);
if state == PermissionState::Granted {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.insert_granted(desc.cloned());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
return state;
}
if state != PermissionState::Prompt {
return state;
}
let mut message = String::with_capacity(40);
message.push_str(&format!("{} access", T::flag_name()));
match get_display_name() {
Some(display_name) => {
message.push_str(&format!(" to \"{}\"", display_name))
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
None => {
if let Some(desc) = desc {
message.push_str(&format!(" to \"{}\"", desc.name()));
}
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
match permission_prompt(
&message,
T::flag_name(),
Some("Deno.permissions.request()"),
true,
) {
PromptResponse::Allow => {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.insert_granted(desc.cloned());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
PermissionState::Granted
}
PromptResponse::Deny => {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.insert_prompt_denied(desc.cloned());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
PermissionState::Denied
}
PromptResponse::AllowAll => {
self.insert_granted(None);
PermissionState::Granted
}
}
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
fn revoke_desc(&mut self, desc: Option<&T>) -> PermissionState {
match desc {
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
Some(desc) => {
self.granted_list.retain(|v| !v.stronger_than(desc));
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
None => {
self.granted_global = false;
// Revoke global is a special case where the entire granted list is
// cleared. It's inconsistent with the granular case where only
// descriptors stronger than the revoked one are purged.
self.granted_list.clear();
}
}
self.query_desc(desc, AllowPartial::TreatAsPartialGranted)
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
fn is_granted(&self, desc: Option<&T>) -> bool {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Self::list_contains(desc, self.granted_global, &self.granted_list)
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
fn is_flag_denied(&self, desc: Option<&T>) -> bool {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Self::list_contains(desc, self.flag_denied_global, &self.flag_denied_list)
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
fn is_prompt_denied(&self, desc: Option<&T>) -> bool {
match desc {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Some(desc) => self
.prompt_denied_list
.iter()
.any(|v| desc.stronger_than(v)),
None => self.prompt_denied_global || !self.prompt_denied_list.is_empty(),
}
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
fn is_partial_flag_denied(&self, desc: Option<&T>) -> bool {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
match desc {
None => !self.flag_denied_list.is_empty(),
Some(desc) => self.flag_denied_list.iter().any(|v| desc.stronger_than(v)),
}
}
fn list_contains(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
desc: Option<&T>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
list_global: bool,
list: &HashSet<T>,
) -> bool {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
match desc {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Some(desc) => list_global || list.iter().any(|v| v.stronger_than(desc)),
None => list_global,
}
}
fn insert_granted(&mut self, desc: Option<T>) {
Self::list_insert(desc, &mut self.granted_global, &mut self.granted_list);
}
fn insert_prompt_denied(&mut self, desc: Option<T>) {
Self::list_insert(
desc,
&mut self.prompt_denied_global,
&mut self.prompt_denied_list,
);
}
fn list_insert(
desc: Option<T>,
list_global: &mut bool,
list: &mut HashSet<T>,
) {
match desc {
Some(desc) => {
list.insert(desc);
}
None => *list_global = true,
}
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn create_child_permissions(
&mut self,
flag: ChildUnaryPermissionArg,
) -> Result<UnaryPermission<T>, AnyError> {
let mut perms = Self::default();
match flag {
ChildUnaryPermissionArg::Inherit => {
chore: upgrade to rust 1.79 (#24207)
2024-06-14 07:40:57 -04:00
perms.clone_from(self);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
ChildUnaryPermissionArg::Granted => {
if self.check_all_api(None).is_err() {
return Err(escalation_error());
}
perms.granted_global = true;
}
ChildUnaryPermissionArg::NotGranted => {}
ChildUnaryPermissionArg::GrantedList(granted_list) => {
let granted: Vec<T::Arg> =
granted_list.into_iter().map(From::from).collect();
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
perms.granted_list = T::parse(Some(&granted))?;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
if !perms
.granted_list
.iter()
.all(|desc| desc.check_in_permission(self, None).is_ok())
{
return Err(escalation_error());
}
}
}
perms.flag_denied_global = self.flag_denied_global;
perms.prompt_denied_global = self.prompt_denied_global;
perms.prompt = self.prompt;
chore: upgrade to rust 1.79 (#24207)
2024-06-14 07:40:57 -04:00
perms.flag_denied_list.clone_from(&self.flag_denied_list);
perms
.prompt_denied_list
.clone_from(&self.prompt_denied_list);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
Ok(perms)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
pub struct ReadDescriptor(pub PathBuf);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for ReadDescriptor {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
type Arg = PathBuf;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), true, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(args: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_path_list(args, ReadDescriptor)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"read"
}
fn name(&self) -> Cow<str> {
Cow::from(self.0.display().to_string())
}
fn stronger_than(&self, other: &Self) -> bool {
other.0.starts_with(&self.0)
}
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
pub struct WriteDescriptor(pub PathBuf);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for WriteDescriptor {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
type Arg = PathBuf;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), true, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(args: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_path_list(args, WriteDescriptor)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"write"
}
fn name(&self) -> Cow<str> {
Cow::from(self.0.display().to_string())
}
fn stronger_than(&self, other: &Self) -> bool {
other.0.starts_with(&self.0)
}
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
pub enum Host {
Fqdn(FQDN),
Ip(IpAddr),
}
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
impl Host {
// TODO(bartlomieju): rewrite to not use `AnyError` but a specific error implementations
fn parse(s: &str) -> Result<Self, AnyError> {
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
if s.starts_with('[') && s.ends_with(']') {
let ip = s[1..s.len() - 1]
.parse::<Ipv6Addr>()
.map_err(|_| uri_error(format!("invalid IPv6 address: '{s}'")))?;
return Ok(Host::Ip(IpAddr::V6(ip)));
}
let (without_trailing_dot, has_trailing_dot) =
s.strip_suffix('.').map_or((s, false), |s| (s, true));
if let Ok(ip) = without_trailing_dot.parse::<IpAddr>() {
if has_trailing_dot {
return Err(uri_error(format!(
"invalid host: '{without_trailing_dot}'"
)));
}
Ok(Host::Ip(ip))
} else {
let lower = if s.chars().all(|c| c.is_ascii_lowercase()) {
Cow::Borrowed(s)
} else {
Cow::Owned(s.to_ascii_lowercase())
};
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let fqdn = {
use std::str::FromStr;
FQDN::from_str(&lower)
.with_context(|| format!("invalid host: '{s}'"))?
};
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
if fqdn.is_root() {
return Err(uri_error(format!("invalid empty host: '{s}'")));
}
Ok(Host::Fqdn(fqdn))
}
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
}
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
#[cfg(test)]
#[track_caller]
fn must_parse(s: &str) -> Self {
Self::parse(s).unwrap()
}
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
}
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
pub struct NetDescriptor(pub Host, pub Option<u16>);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for NetDescriptor {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
type Arg = String;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), false, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(args: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_net_list(args)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"net"
}
fn name(&self) -> Cow<str> {
Cow::from(format!("{}", self))
}
fn stronger_than(&self, other: &Self) -> bool {
self.0 == other.0 && (self.1.is_none() || self.1 == other.1)
}
}
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
// TODO(bartlomieju): rewrite to not use `AnyError` but a specific error implementations
impl NetDescriptor {
pub fn parse(hostname: &str) -> Result<Self, AnyError> {
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
// If this is a IPv6 address enclosed in square brackets, parse it as such.
if hostname.starts_with('[') {
if let Some((ip, after)) = hostname.split_once(']') {
let ip = ip[1..].parse::<Ipv6Addr>().map_err(|_| {
uri_error(format!("invalid IPv6 address in '{hostname}': '{ip}'"))
})?;
let port = if let Some(port) = after.strip_prefix(':') {
let port = port.parse::<u16>().map_err(|_| {
uri_error(format!("invalid port in '{hostname}': '{port}'"))
})?;
Some(port)
} else if after.is_empty() {
None
} else {
return Err(uri_error(format!("invalid host: '{hostname}'")));
};
return Ok(NetDescriptor(Host::Ip(IpAddr::V6(ip)), port));
} else {
return Err(uri_error(format!("invalid host: '{hostname}'")));
}
}
// Otherwise it is an IPv4 address or a FQDN with an optional port.
let (host, port) = match hostname.split_once(':') {
Some((_, "")) => {
return Err(uri_error(format!("invalid empty port in '{hostname}'")));
}
Some((host, port)) => (host, port),
None => (hostname, ""),
};
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let host = Host::parse(host)?;
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let port = if port.is_empty() {
None
} else {
let port = port.parse::<u16>().map_err(|_| {
// If the user forgot to enclose an IPv6 address in square brackets, we
// should give them a hint. There are always at least two colons in an
// IPv6 address, so this heuristic finds likely a bare IPv6 address.
if port.contains(':') {
uri_error(format!(
"ipv6 addresses must be enclosed in square brackets: '{hostname}'"
))
} else {
uri_error(format!("invalid port in '{hostname}': '{port}'"))
}
})?;
Some(port)
};
Ok(NetDescriptor(host, port))
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
}
}
impl fmt::Display for NetDescriptor {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
match &self.0 {
Host::Fqdn(fqdn) => write!(f, "{fqdn}"),
Host::Ip(IpAddr::V4(ip)) => write!(f, "{ip}"),
Host::Ip(IpAddr::V6(ip)) => write!(f, "[{ip}]"),
}?;
if let Some(port) = self.1 {
write!(f, ":{}", port)?;
}
Ok(())
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
}
}
Ergonomics: Prompt TTY for permission escalation (#1081)
2018-10-27 09:11:39 -04:00
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
fix: worker environment permissions should accept an array (#12250)
2021-09-30 15:50:59 -04:00
pub struct EnvDescriptor(EnvVarName);
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
fix: worker environment permissions should accept an array (#12250)
2021-09-30 15:50:59 -04:00
impl EnvDescriptor {
pub fn new(env: impl AsRef<str>) -> Self {
Self(EnvVarName::new(env))
}
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for EnvDescriptor {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
type Arg = String;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), false, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(list: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_env_list(list)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"env"
}
fn name(&self) -> Cow<str> {
Cow::from(self.0.as_ref())
}
}
fix: worker environment permissions should accept an array (#12250)
2021-09-30 15:50:59 -04:00
impl AsRef<str> for EnvDescriptor {
fn as_ref(&self) -> &str {
self.0.as_ref()
}
}
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug, Serialize, Deserialize)]
pub struct RunPathQuery<'a> {
pub requested: &'a str,
pub resolved: &'a Path,
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
pub enum RunDescriptorArg {
Name(String),
Path(PathBuf),
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
pub enum RunDescriptor {
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
/// Warning: You may want to construct with `RunDescriptor::from()` for case
/// handling.
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
Name(String),
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
/// Warning: You may want to construct with `RunDescriptor::from()` for case
/// handling.
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
Path(PathBuf),
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
impl From<String> for RunDescriptorArg {
fn from(s: String) -> Self {
#[cfg(windows)]
let s = s.to_lowercase();
let is_path = s.contains('/');
#[cfg(windows)]
let is_path = is_path || s.contains('\\') || Path::new(&s).is_absolute();
if is_path {
Self::Path(resolve_from_cwd(Path::new(&s)).unwrap())
} else {
match which::which(&s) {
Ok(path) => Self::Path(path),
Err(_) => Self::Name(s),
}
}
}
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for RunDescriptor {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
type Arg = RunDescriptorArg;
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), false, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(args: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_run_list(args)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"run"
}
fn name(&self) -> Cow<str> {
Cow::from(self.to_string())
}
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
impl From<String> for RunDescriptor {
fn from(s: String) -> Self {
#[cfg(windows)]
let s = s.to_lowercase();
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
let is_path = s.contains('/');
#[cfg(windows)]
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
let is_path = is_path || s.contains('\\') || Path::new(&s).is_absolute();
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
if is_path {
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
Self::Path(resolve_from_cwd(Path::new(&s)).unwrap())
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
} else {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
match which::which(&s) {
Ok(path) => Self::Path(path),
Err(_) => Self::Name(s),
}
fix(runtime/permissions): Resolve executable specifiers in allowlists and queries (#14130) Closes #14122. Adds two extensions to `--allow-run` behaviour: - When `--allow-run=foo` is specified and `foo` is found in the `PATH` at startup, `RunDescriptor::Path(which("foo"))` is added to the allowlist alongside `RunDescriptor::Name("foo")`. Currently only the latter is. - When run permission for `foo` is queried and `foo` is found in the `PATH` at runtime, either `RunDescriptor::Path(which("foo"))` or `RunDescriptor::Name("foo")` would qualify in the allowlist. Currently only the latter does.
2023-08-30 13:52:01 -04:00
}
}
}
impl From<PathBuf> for RunDescriptor {
fn from(p: PathBuf) -> Self {
#[cfg(windows)]
let p = PathBuf::from(p.to_string_lossy().to_string().to_lowercase());
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Self::Path(resolve_from_cwd(&p).unwrap())
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
}
chore: upgrade to rust 1.79 (#24207)
2024-06-14 07:40:57 -04:00
impl std::fmt::Display for RunDescriptor {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
match self {
chore: upgrade to rust 1.79 (#24207)
2024-06-14 07:40:57 -04:00
RunDescriptor::Name(s) => f.write_str(s),
RunDescriptor::Path(p) => f.write_str(&p.display().to_string()),
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
}
}
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
impl AsRef<Path> for RunDescriptor {
fn as_ref(&self) -> &Path {
match self {
RunDescriptor::Name(s) => s.as_ref(),
RunDescriptor::Path(s) => s.as_ref(),
}
}
}
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
pub struct SysDescriptor(pub String);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for SysDescriptor {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
type Arg = String;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), false, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(list: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_sys_list(list)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"sys"
}
fn name(&self) -> Cow<str> {
Cow::from(self.0.to_string())
}
}
refactor(cli): use shared sys kind parser in flags.rs (#16087)
2022-09-29 06:34:16 -04:00
pub fn parse_sys_kind(kind: &str) -> Result<&str, AnyError> {
match kind {
feat(unstable): Add "Deno.osUptime()" API (#17179) This PR adds support for `Deno.osUptime` which reports number of seconds since os was booted. It will allow us to be compatible with Node's `os.uptime` - https://nodejs.org/api/os.html#osuptime Partially based on https://docs.rs/uptime_lib/latest/src/uptime_lib/lib.rs.html
2022-12-26 18:16:12 -05:00
"hostname" | "osRelease" | "osUptime" | "loadavg" | "networkInterfaces"
fix: Add sys permission kinds for node compat (#24242) Fixes #24241 * Support "statfs", "username", "getPriority" and "setPriority" kinds for `--allow-sys`. * Check individual permissions in `node:os.userInfo()` instead of a single "userInfo" permission. * Check for "uid" permission in `node:process.geteuid()` instead of "geteuid". * Add missing "homedir" to `SysPermissionDescriptor.kind` union Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2024-07-10 09:15:43 -04:00
| "systemMemoryInfo" | "uid" | "gid" | "cpus" | "homedir" | "getegid"
| "username" | "statfs" | "getPriority" | "setPriority" => Ok(kind),
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
_ => Err(type_error(format!("unknown system info kind \"{kind}\""))),
refactor(cli): use shared sys kind parser in flags.rs (#16087)
2022-09-29 06:34:16 -04:00
}
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[derive(Clone, Eq, PartialEq, Hash, Debug)]
pub struct FfiDescriptor(pub PathBuf);
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
impl Descriptor for FfiDescriptor {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
type Arg = PathBuf;
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
fn check_in_permission(
&self,
perm: &mut UnaryPermission<Self>,
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
skip_check_if_is_permission_fully_granted!(perm);
perm.check_desc(Some(self), true, api_name, || None)
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn parse(list: Option<&[Self::Arg]>) -> Result<HashSet<Self>, AnyError> {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
parse_path_list(list, FfiDescriptor)
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn flag_name() -> &'static str {
"ffi"
}
fn name(&self) -> Cow<str> {
Cow::from(self.0.display().to_string())
}
fn stronger_than(&self, other: &Self) -> bool {
other.0.starts_with(&self.0)
}
}
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
impl UnaryPermission<ReadDescriptor> {
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn query(&self, path: Option<&Path>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.query_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
path
.map(|p| ReadDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
AllowPartial::TreatAsPartialGranted,
)
refactor(cli/flags): change allow_read/write/net types from bool to Option<Vec<T>> (#8896) This PR refactors "cli/flags.rs" and "runtime/permissions.rs" so that "allow_read", "allow_write" and "allow_net" themselves have allowlists, instead of storing them in additional fields.
2020-12-29 13:34:35 -05:00
}
fix(cli/permissions): Fix CWD and exec path leaks (#5642)
2020-05-29 11:27:43 -04:00
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn request(&mut self, path: Option<&Path>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.request_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
path
.map(|p| ReadDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
|| Some(path?.display().to_string()),
)
Ergonomics: Prompt TTY for permission escalation (#1081)
2018-10-27 09:11:39 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn revoke(&mut self, path: Option<&Path>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.revoke_desc(
path
.map(|p| ReadDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
)
fix(cli/permissions): Fix CWD and exec path leaks (#5642)
2020-05-29 11:27:43 -04:00
}
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
pub fn check(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.check_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
Some(&ReadDescriptor(resolve_from_cwd(path)?)),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
true,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
|| Some(format!("\"{}\"", path.display())),
)
}
#[inline]
pub fn check_partial(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
let desc = ReadDescriptor(resolve_from_cwd(path)?);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(Some(&desc), false, api_name, || {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Some(format!("\"{}\"", path.display()))
})
refactor: check permissions in SourceFileFetcher (#5011) This PR hot-fixes permission escapes in dynamic imports, workers and runtime compiler APIs. "permissions" parameter was added to public APIs of SourceFileFetcher and appropriate permission checks are performed during loading of local and remote files.
2020-05-11 07:13:27 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
/// As `check()`, but permission error messages will anonymize the path
/// by replacing it with the given `display`.
pub fn check_blind(
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
&mut self,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
path: &Path,
display: &str,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name: &str,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
let desc = ReadDescriptor(resolve_from_cwd(path)?);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(Some(&desc), false, Some(api_name), || {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Some(format!("<{display}>"))
})
Add --allow-read (#1689) Co-authored-by: Greg Altman <g.s.altman@gmail.com>
2019-02-08 15:59:38 -05:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
pub fn check_all(&mut self, api_name: Option<&str>) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, api_name, || None)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
impl UnaryPermission<WriteDescriptor> {
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn query(&self, path: Option<&Path>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.query_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
path
.map(|p| WriteDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
AllowPartial::TreatAsPartialGranted,
)
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn request(&mut self, path: Option<&Path>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.request_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
path
.map(|p| WriteDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
|| Some(path?.display().to_string()),
)
Add permissions.request (#3296)
2019-11-11 10:33:29 -05:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn revoke(&mut self, path: Option<&Path>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.revoke_desc(
path
.map(|p| WriteDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
)
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
pub fn check(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.check_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
Some(&WriteDescriptor(resolve_from_cwd(path)?)),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
true,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
|| Some(format!("\"{}\"", path.display())),
)
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
#[inline]
pub fn check_partial(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.check_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
Some(&WriteDescriptor(resolve_from_cwd(path)?)),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
api_name,
|| Some(format!("\"{}\"", path.display())),
)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
refactor(ext/fs): abstract FS via FileSystem trait (#18599) This commit abstracts out the specifics of the underlying system calls FS operations behind a new `FileSystem` and `File` trait in the `ext/fs` extension. This allows other embedders to re-use ext/fs, but substituting in a different FS backend. This is likely not the final form of these traits. Eventually they will be entirely `deno_core::Resource` agnostic, and will live in a seperate crate. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-04-12 09:13:32 -04:00
/// As `check()`, but permission error messages will anonymize the path
/// by replacing it with the given `display`.
pub fn check_blind(
&mut self,
path: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
let desc = WriteDescriptor(resolve_from_cwd(path)?);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(Some(&desc), false, Some(api_name), || {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Some(format!("<{display}>"))
})
refactor(ext/fs): abstract FS via FileSystem trait (#18599) This commit abstracts out the specifics of the underlying system calls FS operations behind a new `FileSystem` and `File` trait in the `ext/fs` extension. This allows other embedders to re-use ext/fs, but substituting in a different FS backend. This is likely not the final form of these traits. Eventually they will be entirely `deno_core::Resource` agnostic, and will live in a seperate crate. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-04-12 09:13:32 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub fn check_all(&mut self, api_name: Option<&str>) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, api_name, || None)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
impl UnaryPermission<NetDescriptor> {
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
pub fn query(&self, host: Option<&NetDescriptor>) -> PermissionState {
self.query_desc(host, AllowPartial::TreatAsPartialGranted)
Add permissions.request (#3296)
2019-11-11 10:33:29 -05:00
}
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
pub fn request(&mut self, host: Option<&NetDescriptor>) -> PermissionState {
self.request_desc(host, || None)
Add permissions.request (#3296)
2019-11-11 10:33:29 -05:00
}
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
pub fn revoke(&mut self, host: Option<&NetDescriptor>) -> PermissionState {
self.revoke_desc(host)
Add permissions.request (#3296)
2019-11-11 10:33:29 -05:00
}
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
pub fn check(
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
&mut self,
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
host: &NetDescriptor,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name: Option<&str>,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
self.check_desc(Some(host), false, api_name, || None)
feat: log permission access (#2518) Replaces -D/--log-debug flag with --log-level=debug --log-level=info displays permission access
2019-06-22 12:02:51 -04:00
}
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
pub fn check_url(
&mut self,
url: &url::Url,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let host = url
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
.host_str()
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
.ok_or_else(|| type_error(format!("Missing host in url: '{}'", url)))?;
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let host = Host::parse(host)?;
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let port = url.port_or_known_default();
let descriptor = NetDescriptor(host, port);
self.check_desc(Some(&descriptor), false, api_name, || {
Some(format!("\"{descriptor}\""))
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
})
feat: first pass at native plugins (#3372)
2019-12-05 15:30:20 -05:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub fn check_all(&mut self) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, None, || None)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
feat: first pass at native plugins (#3372)
2019-12-05 15:30:20 -05:00
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
impl UnaryPermission<EnvDescriptor> {
pub fn query(&self, env: Option<&str>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.query_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
env.map(EnvDescriptor::new).as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
AllowPartial::TreatAsPartialGranted,
)
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
}
pub fn request(&mut self, env: Option<&str>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.request_desc(env.map(EnvDescriptor::new).as_ref(), || None)
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
}
pub fn revoke(&mut self, env: Option<&str>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.revoke_desc(env.map(EnvDescriptor::new).as_ref())
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
pub fn check(
&mut self,
env: &str,
api_name: Option<&str>,
) -> Result<(), AnyError> {
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(Some(&EnvDescriptor::new(env)), false, api_name, || None)
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
}
pub fn check_all(&mut self) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, None, || None)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
}
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
impl UnaryPermission<SysDescriptor> {
pub fn query(&self, kind: Option<&str>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.query_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
kind.map(|k| SysDescriptor(k.to_string())).as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
AllowPartial::TreatAsPartialGranted,
)
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
}
pub fn request(&mut self, kind: Option<&str>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self
.request_desc(kind.map(|k| SysDescriptor(k.to_string())).as_ref(), || {
None
})
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
}
pub fn revoke(&mut self, kind: Option<&str>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.revoke_desc(kind.map(|k| SysDescriptor(k.to_string())).as_ref())
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
}
pub fn check(
&mut self,
kind: &str,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.check_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
Some(&SysDescriptor(kind.to_string())),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
api_name,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
|| None,
)
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub fn check_all(&mut self) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, None, || None)
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
}
}
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
impl UnaryPermission<RunDescriptor> {
pub fn query(&self, cmd: Option<&str>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.query_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
cmd.map(|c| RunDescriptor::from(c.to_string())).as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
AllowPartial::TreatAsPartialGranted,
)
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
}
pub fn request(&mut self, cmd: Option<&str>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.request_desc(
cmd.map(|c| RunDescriptor::from(c.to_string())).as_ref(),
|| Some(cmd?.to_string()),
)
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
}
pub fn revoke(&mut self, cmd: Option<&str>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.revoke_desc(cmd.map(|c| RunDescriptor::from(c.to_string())).as_ref())
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
}
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
pub fn check(
&mut self,
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
cmd: RunPathQuery,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name: Option<&str>,
) -> Result<(), AnyError> {
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
debug_assert!(cmd.resolved.is_absolute());
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.check_desc(
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
Some(&RunDescriptor::Path(cmd.resolved.to_path_buf())),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name,
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
|| Some(format!("\"{}\"", cmd.requested)),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
)
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
}
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
pub fn check_all(&mut self, api_name: Option<&str>) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, api_name, || None)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
/// Queries without prompting
pub fn query_all(&mut self, api_name: Option<&str>) -> bool {
if self.is_allow_all() {
return true;
}
let (result, _prompted, _is_allow_all) =
self.query_desc(None, AllowPartial::TreatAsDenied).check2(
RunDescriptor::flag_name(),
api_name,
|| None,
/* prompt */ false,
);
result.is_ok()
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
impl UnaryPermission<FfiDescriptor> {
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub fn query(&self, path: Option<&Path>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.query_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
path
.map(|p| FfiDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
AllowPartial::TreatAsPartialGranted,
)
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub fn request(&mut self, path: Option<&Path>) -> PermissionState {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.request_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
path
.map(|p| FfiDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
|| Some(path?.display().to_string()),
)
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub fn revoke(&mut self, path: Option<&Path>) -> PermissionState {
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.revoke_desc(
path
.map(|p| FfiDescriptor(resolve_from_cwd(p).unwrap()))
.as_ref(),
)
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub fn check(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.check_desc(
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
Some(&FfiDescriptor(resolve_from_cwd(path)?)),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
true,
api_name,
|| Some(format!("\"{}\"", path.display())),
)
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub fn check_partial(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
let desc = match path {
Some(path) => Some(FfiDescriptor(resolve_from_cwd(path)?)),
None => None,
};
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(desc.as_ref(), false, None, || {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Some(format!("\"{}\"", path?.display()))
})
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub fn check_all(&mut self) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
skip_check_if_is_permission_fully_granted!(self);
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
self.check_desc(None, false, Some("all"), || None)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
}
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Clone, Debug, Eq, PartialEq)]
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub struct Permissions {
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
pub read: UnaryPermission<ReadDescriptor>,
pub write: UnaryPermission<WriteDescriptor>,
pub net: UnaryPermission<NetDescriptor>,
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
pub env: UnaryPermission<EnvDescriptor>,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
pub sys: UnaryPermission<SysDescriptor>,
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
pub run: UnaryPermission<RunDescriptor>,
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
pub ffi: UnaryPermission<FfiDescriptor>,
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
pub all: UnitPermission,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Clone, Debug, Eq, PartialEq, Default, Serialize, Deserialize)]
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub struct PermissionsOptions {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
pub allow_all: bool,
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
pub allow_env: Option<Vec<String>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_env: Option<Vec<String>>,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub allow_net: Option<Vec<String>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_net: Option<Vec<String>>,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub allow_ffi: Option<Vec<PathBuf>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_ffi: Option<Vec<PathBuf>>,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub allow_read: Option<Vec<PathBuf>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_read: Option<Vec<PathBuf>>,
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
pub allow_run: Option<Vec<PathBuf>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_run: Option<Vec<String>>,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
pub allow_sys: Option<Vec<String>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_sys: Option<Vec<String>>,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub allow_write: Option<Vec<PathBuf>>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
pub deny_write: Option<Vec<PathBuf>>,
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
pub prompt: bool,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
impl Permissions {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
pub fn new_unary<T>(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
allow_list: Option<&[T::Arg]>,
deny_list: Option<&[T::Arg]>,
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
prompt: bool,
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
) -> Result<UnaryPermission<T>, AnyError>
where
T: Descriptor + Hash,
{
Ok(UnaryPermission::<T> {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
granted_global: global_from_option(allow_list),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
granted_list: T::parse(allow_list)?,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
flag_denied_global: global_from_option(deny_list),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
flag_denied_list: T::parse(deny_list)?,
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
prompt,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
pub const fn new_all(allow_state: bool) -> UnitPermission {
unit_permission_from_flag_bools(
allow_state,
false,
"all",
"all",
false, // never prompt for all
)
}
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
pub fn from_options(opts: &PermissionsOptions) -> Result<Self, AnyError> {
Ok(Self {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
read: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts.allow_read.as_deref(),
opts.deny_read.as_deref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
opts.prompt,
)?,
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
write: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts.allow_write.as_deref(),
opts.deny_write.as_deref(),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
opts.prompt,
)?,
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
net: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts.allow_net.as_deref(),
opts.deny_net.as_deref(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
opts.prompt,
)?,
env: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts.allow_env.as_deref(),
opts.deny_env.as_deref(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
opts.prompt,
)?,
sys: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts.allow_sys.as_deref(),
opts.deny_sys.as_deref(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
opts.prompt,
)?,
run: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts
.allow_run
.as_ref()
.map(|d| {
d.iter()
.map(|s| RunDescriptorArg::Path(s.clone()))
.collect::<Vec<_>>()
})
.as_deref(),
opts
.deny_run
.as_ref()
.map(|d| {
d.iter()
.map(|s| RunDescriptorArg::from(s.clone()))
.collect::<Vec<_>>()
})
.as_deref(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
opts.prompt,
)?,
ffi: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
opts.allow_ffi.as_deref(),
opts.deny_ffi.as_deref(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
opts.prompt,
)?,
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(opts.allow_all),
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
/// Create a set of permissions that explicitly allow everything.
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
pub fn allow_all() -> Self {
Self {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
read: UnaryPermission::allow_all(),
write: UnaryPermission::allow_all(),
net: UnaryPermission::allow_all(),
env: UnaryPermission::allow_all(),
sys: UnaryPermission::allow_all(),
run: UnaryPermission::allow_all(),
ffi: UnaryPermission::allow_all(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(true),
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
/// Create a set of permissions that enable nothing, but will allow prompting.
pub fn none_with_prompt() -> Self {
Self::none(true)
}
/// Create a set of permissions that enable nothing, and will not allow prompting.
pub fn none_without_prompt() -> Self {
Self::none(false)
}
fn none(prompt: bool) -> Self {
Self {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
read: Permissions::new_unary(None, None, prompt).unwrap(),
write: Permissions::new_unary(None, None, prompt).unwrap(),
net: Permissions::new_unary(None, None, prompt).unwrap(),
env: Permissions::new_unary(None, None, prompt).unwrap(),
sys: Permissions::new_unary(None, None, prompt).unwrap(),
run: Permissions::new_unary(None, None, prompt).unwrap(),
ffi: Permissions::new_unary(None, None, prompt).unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(false),
}
}
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
/// A helper function that determines if the module specifier is a local or
/// remote, and performs a read or net check for the specifier.
pub fn check_specifier(
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
&mut self,
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
specifier: &ModuleSpecifier,
) -> Result<(), AnyError> {
Make ModuleSpecifier a type alias, not wrapper struct (#9531)
2021-02-17 13:47:18 -05:00
match specifier.scheme() {
"file" => match specifier.to_file_path() {
fix(permissions): add information about import() API request (#17149) This commit changes permission prompt to show that "import()" API is requesting permissions. Given "dynamic_import.js" like so: ``` import("https://deno.land/std@0.170.0/version.ts"); ``` Before: ``` deno run dynamic_import.js ⚠️ ┌ Deno requests net access to "deno.land". ├ Run again with --allow-net to bypass this prompt. └ Allow? [y/n] (y = yes, allow; n = no, deny) > ``` After: ``` deno run dynamic_import.js ⚠️ ┌ Deno requests net access to "deno.land". ├ Requested by `import()` API ├ Run again with --allow-net to bypass this prompt. └ Allow? [y/n] (y = yes, allow; n = no, deny) > ```
2022-12-21 08:24:39 -05:00
Ok(path) => self.read.check(&path, Some("import()")),
fix: panic on invalid file:// module specifier (#8964)
2021-01-04 04:33:20 -05:00
Err(_) => Err(uri_error(format!(
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
"Invalid file path.\n Specifier: {specifier}"
fix: panic on invalid file:// module specifier (#8964)
2021-01-04 04:33:20 -05:00
))),
feat(cli): support data urls (#8866) Closes: #5059 Co-authored-by: Valentin Anger <syrupthinker@gryphno.de>
2021-01-05 21:22:38 -05:00
},
"data" => Ok(()),
feat: blob URL support (#10045) This commit adds blob URL support. Blob URLs are stored in a process global storage, that can be accessed from all workers, and the module loader. Blob URLs can be created using `URL.createObjectURL` and revoked using `URL.revokeObjectURL`. This commit does not add support for `fetch`ing blob URLs. This will be added in a follow up commit.
2021-04-07 09:22:14 -04:00
"blob" => Ok(()),
fix(permissions): add information about import() API request (#17149) This commit changes permission prompt to show that "import()" API is requesting permissions. Given "dynamic_import.js" like so: ``` import("https://deno.land/std@0.170.0/version.ts"); ``` Before: ``` deno run dynamic_import.js ⚠️ ┌ Deno requests net access to "deno.land". ├ Run again with --allow-net to bypass this prompt. └ Allow? [y/n] (y = yes, allow; n = no, deny) > ``` After: ``` deno run dynamic_import.js ⚠️ ┌ Deno requests net access to "deno.land". ├ Requested by `import()` API ├ Run again with --allow-net to bypass this prompt. └ Allow? [y/n] (y = yes, allow; n = no, deny) > ```
2022-12-21 08:24:39 -05:00
_ => self.net.check_url(specifier, Some("import()")),
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
}
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
/// Wrapper struct for `Permissions` that can be shared across threads.
///
/// We need a way to have internal mutability for permissions as they might get
/// passed to a future that will prompt the user for permission (and in such
/// case might need to be mutated). Also for the Web Worker API we need a way
/// to send permissions to a new thread.
#[derive(Clone, Debug)]
pub struct PermissionsContainer(pub Arc<Mutex<Permissions>>);
impl PermissionsContainer {
pub fn new(perms: Permissions) -> Self {
Self(Arc::new(Mutex::new(perms)))
}
pub fn allow_all() -> Self {
Self::new(Permissions::allow_all())
}
#[inline(always)]
pub fn check_specifier(
&self,
specifier: &ModuleSpecifier,
) -> Result<(), AnyError> {
self.0.lock().check_specifier(specifier)
}
#[inline(always)]
pub fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().read.check(path, Some(api_name))
}
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
#[inline(always)]
pub fn check_read_with_api_name(
&self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
self.0.lock().read.check(path, api_name)
}
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
#[inline(always)]
pub fn check_read_blind(
&mut self,
path: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().read.check_blind(path, display, api_name)
}
#[inline(always)]
pub fn check_read_all(&mut self, api_name: &str) -> Result<(), AnyError> {
self.0.lock().read.check_all(Some(api_name))
}
#[inline(always)]
pub fn check_write(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().write.check(path, Some(api_name))
}
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
#[inline(always)]
pub fn check_write_with_api_name(
&self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
self.0.lock().write.check(path, api_name)
}
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
#[inline(always)]
pub fn check_write_all(&mut self, api_name: &str) -> Result<(), AnyError> {
self.0.lock().write.check_all(Some(api_name))
}
refactor(ext/fs): abstract FS via FileSystem trait (#18599) This commit abstracts out the specifics of the underlying system calls FS operations behind a new `FileSystem` and `File` trait in the `ext/fs` extension. This allows other embedders to re-use ext/fs, but substituting in a different FS backend. This is likely not the final form of these traits. Eventually they will be entirely `deno_core::Resource` agnostic, and will live in a seperate crate. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-04-12 09:13:32 -04:00
#[inline(always)]
pub fn check_write_blind(
&mut self,
path: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().write.check_blind(path, display, api_name)
}
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
#[inline(always)]
pub fn check_write_partial(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().write.check_partial(path, Some(api_name))
}
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
#[inline(always)]
pub fn check_run(
&mut self,
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
cmd: RunPathQuery,
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().run.check(cmd, Some(api_name))
}
#[inline(always)]
pub fn check_run_all(&mut self, api_name: &str) -> Result<(), AnyError> {
self.0.lock().run.check_all(Some(api_name))
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
#[inline(always)]
pub fn query_run_all(&mut self, api_name: &str) -> bool {
self.0.lock().run.query_all(Some(api_name))
}
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
#[inline(always)]
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
pub fn check_sys(&self, kind: &str, api_name: &str) -> Result<(), AnyError> {
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
self.0.lock().sys.check(kind, Some(api_name))
}
#[inline(always)]
pub fn check_env(&mut self, var: &str) -> Result<(), AnyError> {
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
self.0.lock().env.check(var, None)
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
}
#[inline(always)]
pub fn check_env_all(&mut self) -> Result<(), AnyError> {
self.0.lock().env.check_all()
}
feat(runtime): Allow embedders to perform additional access checks on file open (#23208) Embedders may have special requirements around file opening, so we add a new `check_open` permission check that is called as part of the file open process.
2024-04-19 20:12:03 -04:00
#[inline(always)]
pub fn check_sys_all(&mut self) -> Result<(), AnyError> {
self.0.lock().sys.check_all()
}
#[inline(always)]
pub fn check_ffi_all(&mut self) -> Result<(), AnyError> {
self.0.lock().ffi.check_all()
}
/// This checks to see if the allow-all flag was passed, not whether all
/// permissions are enabled!
#[inline(always)]
pub fn check_was_allow_all_flag_passed(&mut self) -> Result<(), AnyError> {
self.0.lock().all.check()
}
/// Checks special file access, returning the failed permission type if
/// not successful.
pub fn check_special_file(
&mut self,
path: &Path,
_api_name: &str,
) -> Result<(), &'static str> {
let error_all = |_| "all";
// Safe files with no major additional side-effects. While there's a small risk of someone
// draining system entropy by just reading one of these files constantly, that's not really
// something we worry about as they already have --allow-read to /dev.
if cfg!(unix)
&& (path == OsStr::new("/dev/random")
|| path == OsStr::new("/dev/urandom")
|| path == OsStr::new("/dev/zero")
|| path == OsStr::new("/dev/null"))
{
return Ok(());
}
fix(runtime): Allow opening /dev/fd/XXX for unix (#23743) `deno run script.ts <(some command)` is a valid use case -- let's allow this to work without `--allow-all`. Fixes #23703
2024-05-10 13:21:36 -04:00
/// We'll allow opening /proc/self/fd/{n} without additional permissions under the following conditions:
///
/// 1. n > 2. This allows for opening bash-style redirections, but not stdio
/// 2. the fd referred to by n is a pipe
#[cfg(unix)]
fn is_fd_file_is_pipe(path: &Path) -> bool {
if let Some(fd) = path.file_name() {
if let Ok(s) = std::str::from_utf8(fd.as_encoded_bytes()) {
if let Ok(n) = s.parse::<i32>() {
if n > 2 {
// SAFETY: This is proper use of the stat syscall
unsafe {
let mut stat = std::mem::zeroed::<libc::stat>();
if libc::fstat(n, &mut stat as _) == 0
&& ((stat.st_mode & libc::S_IFMT) & libc::S_IFIFO) != 0
{
return true;
}
};
}
}
}
}
false
}
// On unixy systems, we allow opening /dev/fd/XXX for valid FDs that
// are pipes.
#[cfg(unix)]
if path.starts_with("/dev/fd") && is_fd_file_is_pipe(path) {
return Ok(());
}
feat(runtime): Allow embedders to perform additional access checks on file open (#23208) Embedders may have special requirements around file opening, so we add a new `check_open` permission check that is called as part of the file open process.
2024-04-19 20:12:03 -04:00
if cfg!(target_os = "linux") {
fix(runtime): Allow opening /dev/fd/XXX for unix (#23743) `deno run script.ts <(some command)` is a valid use case -- let's allow this to work without `--allow-all`. Fixes #23703
2024-05-10 13:21:36 -04:00
// On Linux, we also allow opening /proc/self/fd/XXX for valid FDs that
// are pipes.
#[cfg(unix)]
if path.starts_with("/proc/self/fd") && is_fd_file_is_pipe(path) {
return Ok(());
}
feat(runtime): Allow embedders to perform additional access checks on file open (#23208) Embedders may have special requirements around file opening, so we add a new `check_open` permission check that is called as part of the file open process.
2024-04-19 20:12:03 -04:00
if path.starts_with("/dev")
|| path.starts_with("/proc")
|| path.starts_with("/sys")
{
if path.ends_with("/environ") {
self.check_env_all().map_err(|_| "env")?;
} else {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
}
} else if cfg!(unix) {
if path.starts_with("/dev") {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
} else if cfg!(target_os = "windows") {
fix(runtime): allow nul device on windows (#23741) Fixes [23721](https://github.com/denoland/deno/issues/23721)
2024-05-08 16:39:06 -04:00
// \\.\nul is allowed
let s = path.as_os_str().as_encoded_bytes();
if s.eq_ignore_ascii_case(br#"\\.\nul"#) {
return Ok(());
}
feat(runtime): Allow embedders to perform additional access checks on file open (#23208) Embedders may have special requirements around file opening, so we add a new `check_open` permission check that is called as part of the file open process.
2024-04-19 20:12:03 -04:00
fn is_normalized_windows_drive_path(path: &Path) -> bool {
let s = path.as_os_str().as_encoded_bytes();
// \\?\X:\
if s.len() < 7 {
false
} else if s.starts_with(br#"\\?\"#) {
s[4].is_ascii_alphabetic() && s[5] == b':' && s[6] == b'\\'
} else {
false
}
}
// If this is a normalized drive path, accept it
if !is_normalized_windows_drive_path(path) {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
} else {
unimplemented!()
}
Ok(())
}
refactor(node/http): don't use readablestream for writing to request (#19282) Refactors the internal usage of a readablestream to write to the resource directly --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-05-27 09:42:20 -04:00
#[inline(always)]
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
pub fn check_net_url(
refactor(node/http): don't use readablestream for writing to request (#19282) Refactors the internal usage of a readablestream to write to the resource directly --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-05-27 09:42:20 -04:00
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
self.0.lock().net.check_url(url, Some(api_name))
}
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
#[inline(always)]
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
pub fn check_net<T: AsRef<str>>(
feat: Add "deno_net" extension (#11150) This commits moves implementation of net related APIs available on "Deno" namespace to "deno_net" extension. Following APIs were moved: - Deno.listen() - Deno.connect() - Deno.listenTls() - Deno.serveHttp() - Deno.shutdown() - Deno.resolveDns() - Deno.listenDatagram() - Deno.startTls() - Deno.Conn - Deno.Listener - Deno.DatagramConn
2021-06-28 19:43:03 -04:00
&mut self,
host: &(T, Option<u16>),
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
api_name: &str,
feat: Add "deno_net" extension (#11150) This commits moves implementation of net related APIs available on "Deno" namespace to "deno_net" extension. Following APIs were moved: - Deno.listen() - Deno.connect() - Deno.listenTls() - Deno.serveHttp() - Deno.shutdown() - Deno.resolveDns() - Deno.listenDatagram() - Deno.startTls() - Deno.Conn - Deno.Listener - Deno.DatagramConn
2021-06-28 19:43:03 -04:00
) -> Result<(), AnyError> {
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let hostname = Host::parse(host.0.as_ref())?;
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let descriptor = NetDescriptor(hostname, host.1);
self.0.lock().net.check(&descriptor, Some(api_name))
feat: Add "deno_net" extension (#11150) This commits moves implementation of net related APIs available on "Deno" namespace to "deno_net" extension. Following APIs were moved: - Deno.listen() - Deno.connect() - Deno.listenTls() - Deno.serveHttp() - Deno.shutdown() - Deno.resolveDns() - Deno.listenDatagram() - Deno.startTls() - Deno.Conn - Deno.Listener - Deno.DatagramConn
2021-06-28 19:43:03 -04:00
}
refactor(permissions): add PermissionsContainer struct for internal mutability (#17134) Turns out we were cloning permissions which after prompting were discarded, so the state of permissions was never preserved. To handle that we need to store all permissions behind "Arc<Mutex<>>" (because there are situations where we need to send them to other thread). Testing and benching code still uses "Permissions" in most places - it's undesirable to share the same permission set between various test/bench files - otherwise granting or revoking permissions in one file would influence behavior of other test files.
2023-01-07 11:25:34 -05:00
#[inline(always)]
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
pub fn check_ffi(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
self.0.lock().ffi.check(path.unwrap(), None)
feat(npm): implement Node API (#13633) This PR implements the NAPI for loading native modules into Deno. Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: DjDeveloper <43033058+DjDeveloperr@users.noreply.github.com> Co-authored-by: Ryan Dahl <ry@tinyclouds.org>
2022-10-05 10:06:44 -04:00
}
feat: ffi to replace plugins (#11152) This commit removes implementation of "native plugins" and replaces it with FFI API. Effectively "Deno.openPlugin" API was replaced with "Deno.dlopen" API.
2021-08-06 17:28:10 -04:00
feat(ext/kv): key-value store (#18232) This commit adds unstable "Deno.openKv()" API that allows to open a key-value database at a specified path. --------- Co-authored-by: Luca Casonato <hello@lcas.dev> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-03-22 00:13:24 -04:00
#[inline(always)]
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
pub fn check_ffi_partial(
feat(ext/kv): connect to remote database (#20178) This patch adds a `remote` backend for `ext/kv`. This supports connection to Deno Deploy and potentially other services compatible with the KV Connect protocol.
2023-08-22 01:56:00 -04:00
&mut self,
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
path: Option<&Path>,
feat(ext/kv): connect to remote database (#20178) This patch adds a `remote` backend for `ext/kv`. This supports connection to Deno Deploy and potentially other services compatible with the KV Connect protocol.
2023-08-22 01:56:00 -04:00
) -> Result<(), AnyError> {
refactor: add `deno_permissions` crate (#22236) Issue https://github.com/denoland/deno/issues/22222 ![image](https://github.com/denoland/deno/assets/34997667/2af8474b-b919-4519-98ce-9d29bc7829f2) This PR moves `runtime/permissions` code to a upstream crate called `deno_permissions`. The `deno_permissions::PermissionsContainer` is put into the OpState and can be used instead of the current trait-based permissions system. For this PR, I've migrated `deno_fetch` to the new crate but kept the rest of the trait-based system as a wrapper of `deno_permissions` crate. Doing the migration all at once is error prone and hard to review. Comparing incremental compile times for `ext/fetch` on Mac M1: | profile | `cargo build --bin deno` | `cargo plonk build --bin deno` | | --------- | ------------- | ------------------- | | `debug` | 20 s | 0.8s | | `release` | 4 mins 12 s | 1.4s |
2024-03-12 13:42:26 -04:00
self.0.lock().ffi.check_partial(path)
feat(ext/kv): connect to remote database (#20178) This patch adds a `remote` backend for `ext/kv`. This supports connection to Deno Deploy and potentially other services compatible with the KV Connect protocol.
2023-08-22 01:56:00 -04:00
}
}
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
const fn unit_permission_from_flag_bools(
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
allow_flag: bool,
deny_flag: bool,
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
name: &'static str,
description: &'static str,
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
prompt: bool,
refactor(runtime/permissions): Rename permission structs (#9841)
2021-03-21 08:49:58 -04:00
) -> UnitPermission {
UnitPermission {
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
name,
description,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
state: if deny_flag {
PermissionState::Denied
} else if allow_flag {
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
PermissionState::Granted
} else {
PermissionState::Prompt
},
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
prompt,
Allow high precision performance.now() (#1977)
2019-04-08 16:22:40 -04:00
}
More permissions prompt options (#1926)
2019-03-18 16:46:23 -04:00
}
Allow inspection and revocation of permissions (#1875)
2019-03-04 11:04:19 -05:00
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
fn global_from_option<T>(flag: Option<&[T]>) -> bool {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
matches!(flag, Some(v) if v.is_empty())
}
fn parse_net_list(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
list: Option<&[String]>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
) -> Result<HashSet<NetDescriptor>, AnyError> {
if let Some(v) = list {
v.iter()
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
.map(|x| NetDescriptor::parse(x))
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.collect::<Result<HashSet<NetDescriptor>, AnyError>>()
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
} else {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Ok(HashSet::new())
refactor: remove CliState, use OpState, add CliModuleLoader (#7588) - remove "CliState.workers" and "CliState.next_worker_id", instead store them on "OpState" using type aliases. - remove "CliState.global_timer" and "CliState.start_time", instead store them on "OpState" using type aliases. - remove "CliState.is_internal", instead pass it to Worker::new - move "CliState::permissions" to "OpState" - move "CliState::main_module" to "OpState" - move "CliState::global_state" to "OpState" - move "CliState::check_unstable()" to "GlobalState" - change "cli_state()" to "global_state()" - change "deno_core::ModuleLoader" trait to pass "OpState" to callbacks - rename "CliState" to "CliModuleLoader"
2020-09-19 19:17:35 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
refactor: remove CliState, use OpState, add CliModuleLoader (#7588) - remove "CliState.workers" and "CliState.next_worker_id", instead store them on "OpState" using type aliases. - remove "CliState.global_timer" and "CliState.start_time", instead store them on "OpState" using type aliases. - remove "CliState.is_internal", instead pass it to Worker::new - move "CliState::permissions" to "OpState" - move "CliState::main_module" to "OpState" - move "CliState::global_state" to "OpState" - move "CliState::check_unstable()" to "GlobalState" - change "cli_state()" to "global_state()" - change "deno_core::ModuleLoader" trait to pass "OpState" to callbacks - rename "CliState" to "CliModuleLoader"
2020-09-19 19:17:35 -04:00
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn parse_env_list(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
list: Option<&[String]>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
) -> Result<HashSet<EnvDescriptor>, AnyError> {
if let Some(v) = list {
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
v.iter()
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.map(|x| {
if x.is_empty() {
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
Err(AnyError::msg("Empty path is not allowed"))
} else {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Ok(EnvDescriptor::new(x))
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
})
.collect()
} else {
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
Ok(HashSet::new())
refactor: remove CliState, use OpState, add CliModuleLoader (#7588) - remove "CliState.workers" and "CliState.next_worker_id", instead store them on "OpState" using type aliases. - remove "CliState.global_timer" and "CliState.start_time", instead store them on "OpState" using type aliases. - remove "CliState.is_internal", instead pass it to Worker::new - move "CliState::permissions" to "OpState" - move "CliState::main_module" to "OpState" - move "CliState::global_state" to "OpState" - move "CliState::check_unstable()" to "GlobalState" - change "cli_state()" to "global_state()" - change "deno_core::ModuleLoader" trait to pass "OpState" to callbacks - rename "CliState" to "CliModuleLoader"
2020-09-19 19:17:35 -04:00
}
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn parse_path_list<T: Descriptor + Hash>(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
list: Option<&[PathBuf]>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
f: fn(PathBuf) -> T,
) -> Result<HashSet<T>, AnyError> {
if let Some(v) = list {
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
v.iter()
.map(|raw_path| {
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
if raw_path.as_os_str().is_empty() {
Err(AnyError::msg("Empty path is not allowed"))
} else {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
resolve_from_cwd(Path::new(&raw_path)).map(f)
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
}
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
})
.collect()
} else {
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
Ok(HashSet::new())
refactor: move WebSocket API to an op_crate (#9026)
2021-01-06 10:57:28 -05:00
}
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn parse_sys_list(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
list: Option<&[String]>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
) -> Result<HashSet<SysDescriptor>, AnyError> {
if let Some(v) = list {
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
v.iter()
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.map(|x| {
if x.is_empty() {
Err(AnyError::msg("empty"))
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
} else {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
Ok(SysDescriptor(x.to_string()))
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})
.collect()
} else {
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
Ok(HashSet::new())
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
}
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
fn parse_run_list(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
list: Option<&[RunDescriptorArg]>,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
) -> Result<HashSet<RunDescriptor>, AnyError> {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
let Some(v) = list else {
return Ok(HashSet::new());
};
Ok(
v.iter()
.map(|arg| match arg {
RunDescriptorArg::Name(s) => RunDescriptor::Name(s.clone()),
RunDescriptorArg::Path(l) => RunDescriptor::Path(l.clone()),
})
.collect(),
)
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
fn escalation_error() -> AnyError {
custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)
}
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Debug, Eq, PartialEq)]
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub enum ChildUnitPermissionArg {
Inherit,
Granted,
NotGranted,
}
impl<'de> Deserialize<'de> for ChildUnitPermissionArg {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: Deserializer<'de>,
{
struct ChildUnitPermissionArgVisitor;
impl<'de> de::Visitor<'de> for ChildUnitPermissionArgVisitor {
type Value = ChildUnitPermissionArg;
fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
formatter.write_str("\"inherit\" or boolean")
}
fn visit_unit<E>(self) -> Result<ChildUnitPermissionArg, E>
where
E: de::Error,
{
BREAKING: don't inherit permissions by default (#13668) Previously specifying permissions: {} was the same as specifying permissions: "inherit". Now it will be the same as permissions: "none". Not specifying any permissions (permissions: undefined) still means permissions: "inherit".
2022-03-15 20:43:14 -04:00
Ok(ChildUnitPermissionArg::NotGranted)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
fn visit_str<E>(self, v: &str) -> Result<ChildUnitPermissionArg, E>
where
E: de::Error,
{
if v == "inherit" {
Ok(ChildUnitPermissionArg::Inherit)
} else {
Err(de::Error::invalid_value(de::Unexpected::Str(v), &self))
}
}
fn visit_bool<E>(self, v: bool) -> Result<ChildUnitPermissionArg, E>
where
E: de::Error,
{
match v {
true => Ok(ChildUnitPermissionArg::Granted),
false => Ok(ChildUnitPermissionArg::NotGranted),
}
}
}
deserializer.deserialize_any(ChildUnitPermissionArgVisitor)
}
}
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Debug, Eq, PartialEq)]
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub enum ChildUnaryPermissionArg {
Inherit,
Granted,
NotGranted,
GrantedList(Vec<String>),
}
impl<'de> Deserialize<'de> for ChildUnaryPermissionArg {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: Deserializer<'de>,
{
struct ChildUnaryPermissionArgVisitor;
impl<'de> de::Visitor<'de> for ChildUnaryPermissionArgVisitor {
type Value = ChildUnaryPermissionArg;
fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
formatter.write_str("\"inherit\" or boolean or string[]")
}
fn visit_unit<E>(self) -> Result<ChildUnaryPermissionArg, E>
where
E: de::Error,
{
BREAKING: don't inherit permissions by default (#13668) Previously specifying permissions: {} was the same as specifying permissions: "inherit". Now it will be the same as permissions: "none". Not specifying any permissions (permissions: undefined) still means permissions: "inherit".
2022-03-15 20:43:14 -04:00
Ok(ChildUnaryPermissionArg::NotGranted)
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
fn visit_str<E>(self, v: &str) -> Result<ChildUnaryPermissionArg, E>
where
E: de::Error,
{
if v == "inherit" {
Ok(ChildUnaryPermissionArg::Inherit)
} else {
Err(de::Error::invalid_value(de::Unexpected::Str(v), &self))
}
}
fn visit_bool<E>(self, v: bool) -> Result<ChildUnaryPermissionArg, E>
where
E: de::Error,
{
match v {
true => Ok(ChildUnaryPermissionArg::Granted),
false => Ok(ChildUnaryPermissionArg::NotGranted),
}
}
fn visit_seq<V>(
self,
mut v: V,
) -> Result<ChildUnaryPermissionArg, V::Error>
where
V: de::SeqAccess<'de>,
{
let mut granted_list = vec![];
while let Some(value) = v.next_element::<String>()? {
granted_list.push(value);
}
Ok(ChildUnaryPermissionArg::GrantedList(granted_list))
}
}
deserializer.deserialize_any(ChildUnaryPermissionArgVisitor)
}
}
/// Directly deserializable from JS worker and test permission options.
chore: fix clippy warnings (#15944) Stop allowing clippy::derive-partial-eq-without-eq and fix warnings about deriving PartialEq without also deriving Eq. In one case I removed the PartialEq because it a) wasn't necessary, and b) sketchy because it was comparing floating point numbers. IMO, that's a good argument for enforcing the lint rule, because it would most likely have been caught during review if it had been enabled.
2022-09-19 04:25:03 -04:00
#[derive(Debug, Eq, PartialEq)]
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
pub struct ChildPermissionsArg {
env: ChildUnaryPermissionArg,
net: ChildUnaryPermissionArg,
ffi: ChildUnaryPermissionArg,
read: ChildUnaryPermissionArg,
run: ChildUnaryPermissionArg,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
write: ChildUnaryPermissionArg,
}
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
impl ChildPermissionsArg {
pub fn inherit() -> Self {
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Inherit,
net: ChildUnaryPermissionArg::Inherit,
ffi: ChildUnaryPermissionArg::Inherit,
read: ChildUnaryPermissionArg::Inherit,
run: ChildUnaryPermissionArg::Inherit,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::Inherit,
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
write: ChildUnaryPermissionArg::Inherit,
}
}
pub fn none() -> Self {
ChildPermissionsArg {
env: ChildUnaryPermissionArg::NotGranted,
net: ChildUnaryPermissionArg::NotGranted,
ffi: ChildUnaryPermissionArg::NotGranted,
read: ChildUnaryPermissionArg::NotGranted,
run: ChildUnaryPermissionArg::NotGranted,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::NotGranted,
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
write: ChildUnaryPermissionArg::NotGranted,
}
}
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
impl<'de> Deserialize<'de> for ChildPermissionsArg {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: Deserializer<'de>,
{
struct ChildPermissionsArgVisitor;
impl<'de> de::Visitor<'de> for ChildPermissionsArgVisitor {
type Value = ChildPermissionsArg;
fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
formatter.write_str("\"inherit\" or \"none\" or object")
}
fn visit_unit<E>(self) -> Result<ChildPermissionsArg, E>
where
E: de::Error,
{
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
Ok(ChildPermissionsArg::inherit())
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
fn visit_str<E>(self, v: &str) -> Result<ChildPermissionsArg, E>
where
E: de::Error,
{
if v == "inherit" {
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
Ok(ChildPermissionsArg::inherit())
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
} else if v == "none" {
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
Ok(ChildPermissionsArg::none())
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
} else {
Err(de::Error::invalid_value(de::Unexpected::Str(v), &self))
}
}
fn visit_map<V>(self, mut v: V) -> Result<ChildPermissionsArg, V::Error>
where
V: de::MapAccess<'de>,
{
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
let mut child_permissions_arg = ChildPermissionsArg::none();
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
while let Some((key, value)) =
v.next_entry::<String, serde_json::Value>()?
{
if key == "env" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.env = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.env) {e}"))
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})?;
} else if key == "net" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.net = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.net) {e}"))
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})?;
} else if key == "ffi" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.ffi = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.ffi) {e}"))
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})?;
} else if key == "read" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.read = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.read) {e}"))
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})?;
} else if key == "run" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.run = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.run) {e}"))
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})?;
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
} else if key == "sys" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.sys = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.sys) {e}"))
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
})?;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
} else if key == "write" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.write = arg.map_err(|e| {
chore: upgrade to Rust 1.67 (#17548) Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2023-01-27 10:43:16 -05:00
de::Error::custom(format!("(deno.permissions.write) {e}"))
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
})?;
} else {
return Err(de::Error::custom("unknown permission name"));
}
}
Ok(child_permissions_arg)
}
}
deserializer.deserialize_any(ChildPermissionsArgVisitor)
}
}
pub fn create_child_permissions(
main_perms: &mut Permissions,
child_permissions_arg: ChildPermissionsArg,
) -> Result<Permissions, AnyError> {
chore: improve accessing special file test (#25099)
2024-08-19 16:21:27 -04:00
fn is_granted_unary(arg: &ChildUnaryPermissionArg) -> bool {
match arg {
ChildUnaryPermissionArg::Inherit | ChildUnaryPermissionArg::Granted => {
true
}
ChildUnaryPermissionArg::NotGranted
| ChildUnaryPermissionArg::GrantedList(_) => false,
}
}
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
let mut worker_perms = Permissions::none_without_prompt();
chore: improve accessing special file test (#25099)
2024-08-19 16:21:27 -04:00
worker_perms.all = main_perms
.all
.create_child_permissions(ChildUnitPermissionArg::Inherit)?;
// downgrade the `worker_perms.all` based on the other values
if worker_perms.all.query() == PermissionState::Granted {
let unary_perms = [
&child_permissions_arg.read,
&child_permissions_arg.write,
&child_permissions_arg.net,
&child_permissions_arg.env,
&child_permissions_arg.sys,
&child_permissions_arg.run,
&child_permissions_arg.ffi,
];
BREAKING(permissions): remove --allow-hrtime (#25367) Remove `--allow-hrtime` and `--deny-hrtime`. We are doing this because it is already possible to get access to high resolution timers through workers and SharedArrayBuffer. Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2024-09-03 05:24:25 -04:00
let allow_all = unary_perms.into_iter().all(is_granted_unary);
chore: improve accessing special file test (#25099)
2024-08-19 16:21:27 -04:00
if !allow_all {
worker_perms.all.revoke();
}
}
// WARNING: When adding a permission here, ensure it is handled
// in the worker_perms.all block above
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
worker_perms.read = main_perms
.read
.create_child_permissions(child_permissions_arg.read)?;
worker_perms.write = main_perms
.write
.create_child_permissions(child_permissions_arg.write)?;
worker_perms.net = main_perms
.net
.create_child_permissions(child_permissions_arg.net)?;
worker_perms.env = main_perms
.env
.create_child_permissions(child_permissions_arg.env)?;
worker_perms.sys = main_perms
.sys
.create_child_permissions(child_permissions_arg.sys)?;
worker_perms.run = main_perms
.run
.create_child_permissions(child_permissions_arg.run)?;
worker_perms.ffi = main_perms
.ffi
.create_child_permissions(child_permissions_arg.ffi)?;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
Ok(worker_perms)
}
fix(cli): update permission prompt message for compiled binaries (#24081) Co-authored-by: David Sherret <dsherret@gmail.com>
2024-08-19 21:20:06 -04:00
static IS_STANDALONE: AtomicFlag = AtomicFlag::lowered();
pub fn mark_standalone() {
IS_STANDALONE.raise();
}
pub fn is_standalone() -> bool {
IS_STANDALONE.is_raised()
}
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
#[cfg(test)]
mod tests {
use super::*;
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
use deno_core::serde_json::json;
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
use fqdn::fqdn;
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
use prompter::tests::*;
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
use std::net::Ipv4Addr;
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Creates vector of strings, Vec<String>
macro_rules! svec {
($($x:expr),*) => (vec![$($x.to_string()),*]);
}
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
macro_rules! sarr {
($($x:expr),*) => ([$($x.to_string()),*]);
}
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
#[test]
fn check_paths() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
Move to allowlist and blocklist (#6282)
2020-06-13 13:09:39 -04:00
let allowlist = vec![
refactor: Use PathBuf for paths in flag parsing and whitelists (#3955) * Use PathBuf for DenoSubcommand::Bundle's out_file * Use PathBuf for DenoSubcommand::Format's files * Use PathBuf for DenoSubcommand::Install's dir * Use PathBuf for read/write whitelists
2020-02-11 04:29:36 -05:00
PathBuf::from("/a/specific/dir/name"),
PathBuf::from("/a/specific"),
PathBuf::from("/b/c"),
];
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::from_options(&PermissionsOptions {
refactor(cli/flags): change allow_read/write/net types from bool to Option<Vec<T>> (#8896) This PR refactors "cli/flags.rs" and "runtime/permissions.rs" so that "allow_read", "allow_write" and "allow_net" themselves have allowlists, instead of storing them in additional fields.
2020-12-29 13:34:35 -05:00
allow_read: Some(allowlist.clone()),
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
allow_write: Some(allowlist.clone()),
allow_ffi: Some(allowlist),
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Inside of /a/specific and /a/specific/dir/name
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms
.read
.check(Path::new("/a/specific/dir/name"), None)
.is_ok());
assert!(perms
.write
.check(Path::new("/a/specific/dir/name"), None)
.is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
assert!(perms
.ffi
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.check(Path::new("/a/specific/dir/name"), None)
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
.is_ok());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Inside of /a/specific but outside of /a/specific/dir/name
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/a/specific/dir"), None).is_ok());
assert!(perms
.write
.check(Path::new("/a/specific/dir"), None)
.is_ok());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/a/specific/dir"), None).is_ok());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Inside of /a/specific and /a/specific/dir/name
refactor: Improve path handling in permission checks (#3714)
2020-01-20 09:45:44 -05:00
assert!(perms
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
.read
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
.check(Path::new("/a/specific/dir/name/inner"), None)
refactor: Improve path handling in permission checks (#3714)
2020-01-20 09:45:44 -05:00
.is_ok());
assert!(perms
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
.write
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
.check(Path::new("/a/specific/dir/name/inner"), None)
refactor: Improve path handling in permission checks (#3714)
2020-01-20 09:45:44 -05:00
.is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
assert!(perms
.ffi
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.check(Path::new("/a/specific/dir/name/inner"), None)
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
.is_ok());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Inside of /a/specific but outside of /a/specific/dir/name
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms
.read
.check(Path::new("/a/specific/other/dir"), None)
.is_ok());
refactor: Improve path handling in permission checks (#3714)
2020-01-20 09:45:44 -05:00
assert!(perms
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
.write
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
.check(Path::new("/a/specific/other/dir"), None)
refactor: Improve path handling in permission checks (#3714)
2020-01-20 09:45:44 -05:00
.is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
assert!(perms
.ffi
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.check(Path::new("/a/specific/other/dir"), None)
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
.is_ok());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Exact match with /b/c
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/b/c"), None).is_ok());
assert!(perms.write.check(Path::new("/b/c"), None).is_ok());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/b/c"), None).is_ok());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Sub path within /b/c
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/b/c/sub/path"), None).is_ok());
assert!(perms.write.check(Path::new("/b/c/sub/path"), None).is_ok());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/b/c/sub/path"), None).is_ok());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
fix(cli/permissions): Fix CWD and exec path leaks (#5642)
2020-05-29 11:27:43 -04:00
// Sub path within /b/c, needs normalizing
assert!(perms
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
.read
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
.check(Path::new("/b/c/sub/path/../path/."), None)
fix(cli/permissions): Fix CWD and exec path leaks (#5642)
2020-05-29 11:27:43 -04:00
.is_ok());
assert!(perms
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
.write
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
.check(Path::new("/b/c/sub/path/../path/."), None)
fix(cli/permissions): Fix CWD and exec path leaks (#5642)
2020-05-29 11:27:43 -04:00
.is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
assert!(perms
.ffi
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.check(Path::new("/b/c/sub/path/../path/."), None)
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
.is_ok());
fix(cli/permissions): Fix CWD and exec path leaks (#5642)
2020-05-29 11:27:43 -04:00
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Inside of /b but outside of /b/c
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/b/e"), None).is_err());
assert!(perms.write.check(Path::new("/b/e"), None).is_err());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/b/e"), None).is_err());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
// Inside of /a but outside of /a/specific
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/a/b"), None).is_err());
assert!(perms.write.check(Path::new("/a/b"), None).is_err());
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/a/b"), None).is_err());
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
}
#[test]
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
fn test_check_net_with_values() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::from_options(&PermissionsOptions {
refactor(cli/flags): change allow_read/write/net types from bool to Option<Vec<T>> (#8896) This PR refactors "cli/flags.rs" and "runtime/permissions.rs" so that "allow_read", "allow_write" and "allow_net" themselves have allowlists, instead of storing them in additional fields.
2020-12-29 13:34:35 -05:00
allow_net: Some(svec![
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
"localhost",
"deno.land",
"github.com:3000",
"127.0.0.1",
fix: net permissions didn't account for default ports (#6606)
2020-07-02 10:16:41 -04:00
"172.16.0.2:8000",
fix(perm): allow-net with port 80 (#21221)
2023-12-01 13:03:53 -05:00
"www.github.com:443",
"80.example.com:80",
"443.example.com:443"
refactor(cli/flags): change allow_read/write/net types from bool to Option<Vec<T>> (#8896) This PR refactors "cli/flags.rs" and "runtime/permissions.rs" so that "allow_read", "allow_write" and "allow_net" themselves have allowlists, instead of storing them in additional fields.
2020-12-29 13:34:35 -05:00
]),
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
simplify check_net test
2019-06-24 19:30:11 -04:00
let domain_tests = vec![
refactor DenoPermissions.check_net & resolve_addr (#3182)
2019-10-23 10:19:27 -04:00
("localhost", 1234, true),
("deno.land", 0, true),
("deno.land", 3000, true),
("deno.lands", 0, false),
("deno.lands", 3000, false),
("github.com", 3000, true),
("github.com", 0, false),
("github.com", 2000, false),
("github.net", 3000, false),
("127.0.0.1", 0, true),
("127.0.0.1", 3000, true),
("127.0.0.2", 0, false),
("127.0.0.2", 3000, false),
("172.16.0.2", 8000, true),
("172.16.0.2", 0, false),
("172.16.0.2", 6000, false),
("172.16.0.1", 8000, false),
fix(perm): allow-net with port 80 (#21221)
2023-12-01 13:03:53 -05:00
("443.example.com", 444, false),
("80.example.com", 81, false),
("80.example.com", 80, true),
simplify check_net test
2019-06-24 19:30:11 -04:00
// Just some random hosts that should err
refactor DenoPermissions.check_net & resolve_addr (#3182)
2019-10-23 10:19:27 -04:00
("somedomain", 0, false),
("192.168.0.1", 0, false),
simplify check_net test
2019-06-24 19:30:11 -04:00
];
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
for (host, port, is_ok) in domain_tests {
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let host = Host::parse(host).unwrap();
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let descriptor = NetDescriptor(host, Some(port));
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(
is_ok,
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
perms.net.check(&descriptor, None).is_ok(),
"{descriptor}",
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
);
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
}
}
#[test]
fn test_check_net_only_flag() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::from_options(&PermissionsOptions {
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
allow_net: Some(svec![]), // this means `--allow-net` is present without values following `=` sign
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
let domain_tests = vec![
("localhost", 1234),
("deno.land", 0),
("deno.land", 3000),
("deno.lands", 0),
("deno.lands", 3000),
("github.com", 3000),
("github.com", 0),
("github.com", 2000),
("github.net", 3000),
("127.0.0.1", 0),
("127.0.0.1", 3000),
("127.0.0.2", 0),
("127.0.0.2", 3000),
("172.16.0.2", 8000),
("172.16.0.2", 0),
("172.16.0.2", 6000),
("172.16.0.1", 8000),
("somedomain", 0),
("192.168.0.1", 0),
];
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
for (host_str, port) in domain_tests {
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let host = Host::parse(host_str).unwrap();
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let descriptor = NetDescriptor(host, Some(port));
assert!(
perms.net.check(&descriptor, None).is_ok(),
"expected {host_str}:{port} to pass"
);
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
}
}
#[test]
fn test_check_net_no_flag() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::from_options(&PermissionsOptions {
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
allow_net: None,
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
let domain_tests = vec![
("localhost", 1234),
("deno.land", 0),
("deno.land", 3000),
("deno.lands", 0),
("deno.lands", 3000),
("github.com", 3000),
("github.com", 0),
("github.com", 2000),
("github.net", 3000),
("127.0.0.1", 0),
("127.0.0.1", 3000),
("127.0.0.2", 0),
("127.0.0.2", 3000),
("172.16.0.2", 8000),
("172.16.0.2", 0),
("172.16.0.2", 6000),
("172.16.0.1", 8000),
("somedomain", 0),
("192.168.0.1", 0),
];
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
for (host_str, port) in domain_tests {
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
let host = Host::parse(host_str).unwrap();
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
let descriptor = NetDescriptor(host, Some(port));
assert!(
perms.net.check(&descriptor, None).is_err(),
"expected {host_str}:{port} to fail"
);
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
}
}
#[test]
fn test_check_net_url() {
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::from_options(&PermissionsOptions {
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
allow_net: Some(svec![
"localhost",
"deno.land",
"github.com:3000",
"127.0.0.1",
"172.16.0.2:8000",
"www.github.com:443"
]),
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
simplify check_net test
2019-06-24 19:30:11 -04:00
let url_tests = vec![
// Any protocol + port for localhost should be ok, since we don't specify
("http://localhost", true),
("https://localhost", true),
("https://localhost:4443", true),
("tcp://localhost:5000", true),
("udp://localhost:6000", true),
// Correct domain + any port and protocol should be ok incorrect shouldn't
("https://deno.land/std/example/welcome.ts", true),
("https://deno.land:3000/std/example/welcome.ts", true),
("https://deno.lands/std/example/welcome.ts", false),
("https://deno.lands:3000/std/example/welcome.ts", false),
// Correct domain + port should be ok all other combinations should err
("https://github.com:3000/denoland/deno", true),
("https://github.com/denoland/deno", false),
("https://github.com:2000/denoland/deno", false),
("https://github.net:3000/denoland/deno", false),
// Correct ipv4 address + any port should be ok others should err
("tcp://127.0.0.1", true),
("https://127.0.0.1", true),
("tcp://127.0.0.1:3000", true),
("https://127.0.0.1:3000", true),
("tcp://127.0.0.2", false),
("https://127.0.0.2", false),
("tcp://127.0.0.2:3000", false),
("https://127.0.0.2:3000", false),
// Correct address + port should be ok all other combinations should err
("tcp://172.16.0.2:8000", true),
("https://172.16.0.2:8000", true),
("tcp://172.16.0.2", false),
("https://172.16.0.2", false),
("tcp://172.16.0.2:6000", false),
("https://172.16.0.2:6000", false),
("tcp://172.16.0.1:8000", false),
("https://172.16.0.1:8000", false),
fix: net permissions didn't account for default ports (#6606)
2020-07-02 10:16:41 -04:00
// Testing issue #6531 (Network permissions check doesn't account for well-known default ports) so we dont regress
("https://www.github.com:443/robots.txt", true),
simplify check_net test
2019-06-24 19:30:11 -04:00
];
feat(unstable): add Deno.resolveDns API (#8790)
2021-01-19 09:39:04 -05:00
for (url_str, is_ok) in url_tests {
simplify check_net test
2019-06-24 19:30:11 -04:00
let u = url::Url::parse(url_str).unwrap();
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(is_ok, perms.net.check_url(&u, None).is_ok(), "{}", u);
simplify check_net test
2019-06-24 19:30:11 -04:00
}
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
}
Add permissions.request (#3296)
2019-11-11 10:33:29 -05:00
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
#[test]
fn check_specifiers() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
let read_allowlist = if cfg!(target_os = "windows") {
vec![PathBuf::from("C:\\a")]
} else {
vec![PathBuf::from("/a")]
};
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::from_options(&PermissionsOptions {
refactor(cli/flags): change allow_read/write/net types from bool to Option<Vec<T>> (#8896) This PR refactors "cli/flags.rs" and "runtime/permissions.rs" so that "allow_read", "allow_write" and "allow_net" themselves have allowlists, instead of storing them in additional fields.
2020-12-29 13:34:35 -05:00
allow_read: Some(read_allowlist),
allow_net: Some(svec!["localhost"]),
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
let mut fixtures = vec![
(
refactor: Remove call sites of "deno_core::resolve_url_or_path" (#18169) These call sites didn't need to use "resolve_url_or_path". Towards landing https://github.com/denoland/deno/pull/15454
2023-03-13 19:31:03 -04:00
ModuleSpecifier::parse("http://localhost:4545/mod.ts").unwrap(),
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
true,
),
(
refactor: Remove call sites of "deno_core::resolve_url_or_path" (#18169) These call sites didn't need to use "resolve_url_or_path". Towards landing https://github.com/denoland/deno/pull/15454
2023-03-13 19:31:03 -04:00
ModuleSpecifier::parse("http://deno.land/x/mod.ts").unwrap(),
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
false,
),
feat(cli): support data urls (#8866) Closes: #5059 Co-authored-by: Valentin Anger <syrupthinker@gryphno.de>
2021-01-05 21:22:38 -05:00
(
refactor: Remove call sites of "deno_core::resolve_url_or_path" (#18169) These call sites didn't need to use "resolve_url_or_path". Towards landing https://github.com/denoland/deno/pull/15454
2023-03-13 19:31:03 -04:00
ModuleSpecifier::parse("data:text/plain,Hello%2C%20Deno!").unwrap(),
feat(cli): support data urls (#8866) Closes: #5059 Co-authored-by: Valentin Anger <syrupthinker@gryphno.de>
2021-01-05 21:22:38 -05:00
true,
),
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
];
if cfg!(target_os = "windows") {
Make ModuleSpecifier a type alias, not wrapper struct (#9531)
2021-02-17 13:47:18 -05:00
fixtures
refactor: Remove call sites of "deno_core::resolve_url_or_path" (#18169) These call sites didn't need to use "resolve_url_or_path". Towards landing https://github.com/denoland/deno/pull/15454
2023-03-13 19:31:03 -04:00
.push((ModuleSpecifier::parse("file:///C:/a/mod.ts").unwrap(), true));
fixtures.push((
ModuleSpecifier::parse("file:///C:/b/mod.ts").unwrap(),
false,
));
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
} else {
refactor: Remove call sites of "deno_core::resolve_url_or_path" (#18169) These call sites didn't need to use "resolve_url_or_path". Towards landing https://github.com/denoland/deno/pull/15454
2023-03-13 19:31:03 -04:00
fixtures
.push((ModuleSpecifier::parse("file:///a/mod.ts").unwrap(), true));
fixtures
.push((ModuleSpecifier::parse("file:///b/mod.ts").unwrap(), false));
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
}
for (specifier, expected) in fixtures {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(
perms.check_specifier(&specifier).is_ok(),
expected,
"{}",
specifier,
);
fix(cli): restore permission check on workers (#8123) Fixes #8120
2020-10-26 15:56:00 -04:00
}
}
fix: panic on invalid file:// module specifier (#8964)
2021-01-04 04:33:20 -05:00
#[test]
fn check_invalid_specifiers() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
let mut perms = Permissions::allow_all();
fix: panic on invalid file:// module specifier (#8964)
2021-01-04 04:33:20 -05:00
let mut test_cases = vec![];
if cfg!(target_os = "windows") {
test_cases.push("file://");
test_cases.push("file:///");
} else {
test_cases.push("file://remotehost/");
}
for url in test_cases {
assert!(perms
refactor: Remove call sites of "deno_core::resolve_url_or_path" (#18169) These call sites didn't need to use "resolve_url_or_path". Towards landing https://github.com/denoland/deno/pull/15454
2023-03-13 19:31:03 -04:00
.check_specifier(&ModuleSpecifier::parse(url).unwrap())
fix: panic on invalid file:// module specifier (#8964)
2021-01-04 04:33:20 -05:00
.is_err());
}
}
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
#[test]
fn test_query() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
let perms1 = Permissions::allow_all();
let perms2 = Permissions {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
read: Permissions::new_unary(Some(&[PathBuf::from("/foo")]), None, false)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
write: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[PathBuf::from("/foo")]),
None,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
ffi: Permissions::new_unary(Some(&[PathBuf::from("/foo")]), None, false)
.unwrap(),
net: Permissions::new_unary(Some(&sarr!["127.0.0.1:8000"]), None, false)
.unwrap(),
env: Permissions::new_unary(Some(&sarr!["HOME"]), None, false).unwrap(),
sys: Permissions::new_unary(Some(&sarr!["hostname"]), None, false)
.unwrap(),
run: Permissions::new_unary(
Some(&["deno".to_string().into()]),
None,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(false),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
};
let perms3 = Permissions {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
read: Permissions::new_unary(None, Some(&[PathBuf::from("/foo")]), false)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
write: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
None,
Some(&[PathBuf::from("/foo")]),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
ffi: Permissions::new_unary(None, Some(&[PathBuf::from("/foo")]), false)
.unwrap(),
net: Permissions::new_unary(None, Some(&sarr!["127.0.0.1:8000"]), false)
.unwrap(),
env: Permissions::new_unary(None, Some(&sarr!["HOME"]), false).unwrap(),
sys: Permissions::new_unary(None, Some(&sarr!["hostname"]), false)
.unwrap(),
run: Permissions::new_unary(
None,
Some(&["deno".to_string().into()]),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(false),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
};
let perms4 = Permissions {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
read: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[]),
Some(&[PathBuf::from("/foo")]),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
write: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[]),
Some(&[PathBuf::from("/foo")]),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
ffi: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[]),
Some(&[PathBuf::from("/foo")]),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
net: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[]),
Some(&sarr!["127.0.0.1:8000"]),
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
env: Permissions::new_unary(Some(&[]), Some(&sarr!["HOME"]), false)
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.unwrap(),
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
sys: Permissions::new_unary(Some(&[]), Some(&sarr!["hostname"]), false)
.unwrap(),
run: Permissions::new_unary(
Some(&[]),
Some(&["deno".to_string().into()]),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
false,
)
.unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(false),
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
};
#[rustfmt::skip]
{
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
assert_eq!(perms1.read.query(None), PermissionState::Granted);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms1.read.query(Some(Path::new("/foo"))), PermissionState::Granted);
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
assert_eq!(perms2.read.query(None), PermissionState::Prompt);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms2.read.query(Some(Path::new("/foo"))), PermissionState::Granted);
assert_eq!(perms2.read.query(Some(Path::new("/foo/bar"))), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms3.read.query(None), PermissionState::Prompt);
assert_eq!(perms3.read.query(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms3.read.query(Some(Path::new("/foo/bar"))), PermissionState::Denied);
assert_eq!(perms4.read.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.read.query(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms4.read.query(Some(Path::new("/foo/bar"))), PermissionState::Denied);
assert_eq!(perms4.read.query(Some(Path::new("/bar"))), PermissionState::Granted);
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
assert_eq!(perms1.write.query(None), PermissionState::Granted);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms1.write.query(Some(Path::new("/foo"))), PermissionState::Granted);
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
assert_eq!(perms2.write.query(None), PermissionState::Prompt);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms2.write.query(Some(Path::new("/foo"))), PermissionState::Granted);
assert_eq!(perms2.write.query(Some(Path::new("/foo/bar"))), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms3.write.query(None), PermissionState::Prompt);
assert_eq!(perms3.write.query(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms3.write.query(Some(Path::new("/foo/bar"))), PermissionState::Denied);
assert_eq!(perms4.write.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.write.query(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms4.write.query(Some(Path::new("/foo/bar"))), PermissionState::Denied);
assert_eq!(perms4.write.query(Some(Path::new("/bar"))), PermissionState::Granted);
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
assert_eq!(perms1.ffi.query(None), PermissionState::Granted);
assert_eq!(perms1.ffi.query(Some(Path::new("/foo"))), PermissionState::Granted);
assert_eq!(perms2.ffi.query(None), PermissionState::Prompt);
assert_eq!(perms2.ffi.query(Some(Path::new("/foo"))), PermissionState::Granted);
assert_eq!(perms2.ffi.query(Some(Path::new("/foo/bar"))), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms3.ffi.query(None), PermissionState::Prompt);
assert_eq!(perms3.ffi.query(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms3.ffi.query(Some(Path::new("/foo/bar"))), PermissionState::Denied);
assert_eq!(perms4.ffi.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.ffi.query(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms4.ffi.query(Some(Path::new("/foo/bar"))), PermissionState::Denied);
assert_eq!(perms4.ffi.query(Some(Path::new("/bar"))), PermissionState::Granted);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert_eq!(perms1.net.query(None), PermissionState::Granted);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms1.net.query(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), None))), PermissionState::Granted);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert_eq!(perms2.net.query(None), PermissionState::Prompt);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms2.net.query(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)))), PermissionState::Granted);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert_eq!(perms3.net.query(None), PermissionState::Prompt);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms3.net.query(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)))), PermissionState::Denied);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert_eq!(perms4.net.query(None), PermissionState::GrantedPartial);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms4.net.query(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)))), PermissionState::Denied);
assert_eq!(perms4.net.query(Some(&NetDescriptor(Host::must_parse("192.168.0.1"), Some(8000)))), PermissionState::Granted);
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
assert_eq!(perms1.env.query(None), PermissionState::Granted);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms1.env.query(Some("HOME")), PermissionState::Granted);
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
assert_eq!(perms2.env.query(None), PermissionState::Prompt);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms2.env.query(Some("HOME")), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms3.env.query(None), PermissionState::Prompt);
assert_eq!(perms3.env.query(Some("HOME")), PermissionState::Denied);
assert_eq!(perms4.env.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.env.query(Some("HOME")), PermissionState::Denied);
assert_eq!(perms4.env.query(Some("AWAY")), PermissionState::Granted);
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
assert_eq!(perms1.sys.query(None), PermissionState::Granted);
assert_eq!(perms1.sys.query(Some("HOME")), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms2.sys.query(None), PermissionState::Prompt);
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
assert_eq!(perms2.sys.query(Some("hostname")), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms3.sys.query(None), PermissionState::Prompt);
assert_eq!(perms3.sys.query(Some("hostname")), PermissionState::Denied);
assert_eq!(perms4.sys.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.sys.query(Some("hostname")), PermissionState::Denied);
assert_eq!(perms4.sys.query(Some("uid")), PermissionState::Granted);
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
assert_eq!(perms1.run.query(None), PermissionState::Granted);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms1.run.query(Some("deno")), PermissionState::Granted);
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
assert_eq!(perms2.run.query(None), PermissionState::Prompt);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms2.run.query(Some("deno")), PermissionState::Granted);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(perms3.run.query(None), PermissionState::Prompt);
assert_eq!(perms3.run.query(Some("deno")), PermissionState::Denied);
assert_eq!(perms4.run.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.run.query(Some("deno")), PermissionState::Denied);
assert_eq!(perms4.run.query(Some("node")), PermissionState::Granted);
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
};
}
#[test]
fn test_request() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
let mut perms: Permissions = Permissions::none_without_prompt();
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
#[rustfmt::skip]
{
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
let prompt_value = PERMISSION_PROMPT_STUB_VALUE_SETTER.lock();
prompt_value.set(true);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms.read.request(Some(Path::new("/foo"))), PermissionState::Granted);
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
assert_eq!(perms.read.query(None), PermissionState::Prompt);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms.read.request(Some(Path::new("/foo/bar"))), PermissionState::Granted);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
chore: upgrade Rust to 1.54.0 (#11554)
2021-07-30 09:03:41 -04:00
assert_eq!(perms.write.request(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms.write.query(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
refactor: clean up permission handling (#9367)
2021-03-17 17:45:12 -04:00
assert_eq!(perms.write.request(None), PermissionState::Denied);
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
prompt_value.set(false);
assert_eq!(perms.ffi.request(Some(Path::new("/foo"))), PermissionState::Denied);
assert_eq!(perms.ffi.query(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
prompt_value.set(true);
assert_eq!(perms.ffi.request(None), PermissionState::Denied);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms.net.request(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), None))), PermissionState::Granted);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms.net.request(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)))), PermissionState::Granted);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.env.request(Some("HOME")), PermissionState::Granted);
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
assert_eq!(perms.env.query(None), PermissionState::Prompt);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.env.request(Some("HOME")), PermissionState::Granted);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
assert_eq!(perms.sys.request(Some("hostname")), PermissionState::Granted);
assert_eq!(perms.sys.query(None), PermissionState::Prompt);
prompt_value.set(false);
assert_eq!(perms.sys.request(Some("hostname")), PermissionState::Granted);
prompt_value.set(true);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.run.request(Some("deno")), PermissionState::Granted);
feat(permissions): allow run permission to take values (#9833) This commit adds allowlist support to `--allow-run` flag. Additionally `Deno.permissions.query()` allows to query for specific programs within allowlist.
2021-04-09 18:12:00 -04:00
assert_eq!(perms.run.query(None), PermissionState::Prompt);
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.run.request(Some("deno")), PermissionState::Granted);
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
};
}
#[test]
fn test_revoke() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
let mut perms = Permissions {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
read: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[PathBuf::from("/foo"), PathBuf::from("/foo/baz")]),
None,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
write: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[PathBuf::from("/foo"), PathBuf::from("/foo/baz")]),
None,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
ffi: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[PathBuf::from("/foo"), PathBuf::from("/foo/baz")]),
None,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
net: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&sarr!["127.0.0.1", "127.0.0.1:8000"]),
None,
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
false,
)
.unwrap(),
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
env: Permissions::new_unary(Some(&sarr!["HOME"]), None, false).unwrap(),
sys: Permissions::new_unary(Some(&sarr!["hostname"]), None, false)
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.unwrap(),
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
run: Permissions::new_unary(
Some(&["deno".to_string().into()]),
None,
false,
)
.unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
all: Permissions::new_all(false),
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
};
#[rustfmt::skip]
{
fix(cli/permissions): ensure revoked permissions are no longer granted (#12159) Fixes #12153
2021-09-24 01:48:15 -04:00
assert_eq!(perms.read.revoke(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
assert_eq!(perms.read.query(Some(Path::new("/foo"))), PermissionState::Prompt);
assert_eq!(perms.read.query(Some(Path::new("/foo/baz"))), PermissionState::Granted);
assert_eq!(perms.write.revoke(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
assert_eq!(perms.write.query(Some(Path::new("/foo"))), PermissionState::Prompt);
assert_eq!(perms.write.query(Some(Path::new("/foo/baz"))), PermissionState::Granted);
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
assert_eq!(perms.ffi.revoke(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
assert_eq!(perms.ffi.query(Some(Path::new("/foo"))), PermissionState::Prompt);
assert_eq!(perms.ffi.query(Some(Path::new("/foo/baz"))), PermissionState::Granted);
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(perms.net.revoke(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), Some(9000)))), PermissionState::Prompt);
assert_eq!(perms.net.query(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), None))), PermissionState::Prompt);
assert_eq!(perms.net.query(Some(&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)))), PermissionState::Granted);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.env.revoke(Some("HOME")), PermissionState::Prompt);
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
assert_eq!(perms.env.revoke(Some("hostname")), PermissionState::Prompt);
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.run.revoke(Some("deno")), PermissionState::Prompt);
refactor: permissions (#7074)
2020-08-18 16:29:32 -04:00
};
Add "fork" method on DenoPermissions, PermissionState (#5693)
2020-06-06 10:56:21 -04:00
}
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
#[test]
fn test_check() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
let mut perms = Permissions::none_with_prompt();
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
let prompt_value = PERMISSION_PROMPT_STUB_VALUE_SETTER.lock();
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/foo"), None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/foo"), None).is_ok());
assert!(perms.read.check(Path::new("/bar"), None).is_err());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.write.check(Path::new("/foo"), None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.write.check(Path::new("/foo"), None).is_ok());
assert!(perms.write.check(Path::new("/bar"), None).is_err());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
prompt_value.set(true);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/foo"), None).is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
prompt_value.set(false);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/foo"), None).is_ok());
assert!(perms.ffi.check(Path::new("/bar"), None).is_err());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_ok());
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8001)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_err());
assert!(perms
.net
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
.check(&NetDescriptor(Host::must_parse("127.0.0.1"), None), None)
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
.is_err());
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("deno.land"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_err());
assert!(perms
.net
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
.check(&NetDescriptor(Host::must_parse("deno.land"), None), None)
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
.is_err());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
#[allow(clippy::disallowed_methods)]
let cwd = std::env::current_dir().unwrap();
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
assert!(perms
.run
.check(
RunPathQuery {
requested: "cat",
resolved: &cwd.join("cat")
},
None
)
.is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
assert!(perms
.run
.check(
RunPathQuery {
requested: "cat",
resolved: &cwd.join("cat")
},
None
)
.is_ok());
assert!(perms
.run
.check(
RunPathQuery {
requested: "ls",
resolved: &cwd.join("ls")
},
None
)
.is_err());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("HOME", None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("HOME", None).is_ok());
assert!(perms.env.check("PATH", None).is_err());
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
prompt_value.set(true);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("hostname", None).is_ok());
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
prompt_value.set(false);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("hostname", None).is_ok());
assert!(perms.env.check("osRelease", None).is_err());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
}
#[test]
fn test_check_fail() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
let mut perms = Permissions::none_with_prompt();
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
let prompt_value = PERMISSION_PROMPT_STUB_VALUE_SETTER.lock();
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/foo"), None).is_err());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/foo"), None).is_err());
assert!(perms.read.check(Path::new("/bar"), None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.read.check(Path::new("/bar"), None).is_ok());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.write.check(Path::new("/foo"), None).is_err());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.write.check(Path::new("/foo"), None).is_err());
assert!(perms.write.check(Path::new("/bar"), None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(perms.write.check(Path::new("/bar"), None).is_ok());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
prompt_value.set(false);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/foo"), None).is_err());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
prompt_value.set(true);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/foo"), None).is_err());
assert!(perms.ffi.check(Path::new("/bar"), None).is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
prompt_value.set(false);
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert!(perms.ffi.check(Path::new("/bar"), None).is_ok());
fix(permissions): Allow ancestor path for --allow-ffi (#16765) This commit changes "--allow-ffi" flag to support "parent paths", ie. if an FFI library is loaded we are checking if the library has an ancestor path in the allowlist for the FFI permission descriptor.
2022-12-14 15:38:53 -05:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_err());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_err());
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8001)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_ok());
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("deno.land"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("127.0.0.1"), Some(8001)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_ok());
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("deno.land"), Some(8000)),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_ok());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
#[allow(clippy::disallowed_methods)]
let cwd = std::env::current_dir().unwrap();
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
assert!(perms
.run
.check(
RunPathQuery {
requested: "cat",
resolved: &cwd.join("cat")
},
None
)
.is_err());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
assert!(perms
.run
.check(
RunPathQuery {
requested: "cat",
resolved: &cwd.join("cat")
},
None
)
.is_err());
assert!(perms
.run
.check(
RunPathQuery {
requested: "ls",
resolved: &cwd.join("ls")
},
None
)
.is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
fix(regression): do not expose resolved path in Deno.Command permission denied error (#25434) Regression from https://github.com/denoland/deno/pull/25370
2024-09-04 18:57:49 -04:00
assert!(perms
.run
.check(
RunPathQuery {
requested: "ls",
resolved: &cwd.join("ls")
},
None
)
.is_ok());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("HOME", None).is_err());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("HOME", None).is_err());
assert!(perms.env.check("PATH", None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("PATH", None).is_ok());
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
prompt_value.set(false);
assert!(perms.sys.check("hostname", None).is_err());
prompt_value.set(true);
assert!(perms.sys.check("hostname", None).is_err());
assert!(perms.sys.check("osRelease", None).is_ok());
prompt_value.set(false);
assert!(perms.sys.check("osRelease", None).is_ok());
feat(runtime/permissions): prompt fallback (#9376) Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com> Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2021-04-11 22:15:43 -04:00
}
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
#[test]
#[cfg(windows)]
fn test_env_windows() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
let prompt_value = PERMISSION_PROMPT_STUB_VALUE_SETTER.lock();
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
let mut perms = Permissions::allow_all();
perms.env = UnaryPermission {
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
granted_global: false,
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
..Permissions::new_unary(Some(&sarr!["HOME"]), None, false).unwrap()
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
};
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("HOME", None).is_ok());
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert!(perms.env.check("HOME", None).is_ok());
assert!(perms.env.check("hOmE", None).is_ok());
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
chore: upgrade to Rust 1.59 (#13767)
2022-02-24 20:03:12 -05:00
assert_eq!(perms.env.revoke(Some("HomE")), PermissionState::Prompt);
feat(permissions): allow env permission to take values (#9825)
2021-04-13 07:25:21 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
fix(runtime): negate partial condition for deny flags (#22866)
2024-03-12 18:12:29 -04:00
#[test]
fn test_check_partial_denied() {
let mut perms = Permissions {
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
read: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[]),
Some(&[PathBuf::from("/foo/bar")]),
fix(runtime): negate partial condition for deny flags (#22866)
2024-03-12 18:12:29 -04:00
false,
)
.unwrap(),
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
write: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[]),
Some(&[PathBuf::from("/foo/bar")]),
fix(runtime): negate partial condition for deny flags (#22866)
2024-03-12 18:12:29 -04:00
false,
)
.unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
..Permissions::none_without_prompt()
fix(runtime): negate partial condition for deny flags (#22866)
2024-03-12 18:12:29 -04:00
};
perms.read.check_partial(Path::new("/foo"), None).unwrap();
assert!(perms.read.check(Path::new("/foo"), None).is_err());
perms.write.check_partial(Path::new("/foo"), None).unwrap();
assert!(perms.write.check(Path::new("/foo"), None).is_err());
}
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
#[test]
fn test_net_fully_qualified_domain_name() {
let mut perms = Permissions {
net: Permissions::new_unary(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&["allowed.domain".to_string(), "1.1.1.1".to_string()]),
Some(&["denied.domain".to_string(), "2.2.2.2".to_string()]),
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
false,
)
.unwrap(),
..Permissions::none_without_prompt()
};
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("allowed.domain."), None),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None,
)
.unwrap();
perms
.net
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
.check(&NetDescriptor(Host::must_parse("1.1.1.1"), None), None)
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
.unwrap();
assert!(perms
.net
.check(
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
&NetDescriptor(Host::must_parse("denied.domain."), None),
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
None
)
.is_err());
assert!(perms
.net
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
.check(&NetDescriptor(Host::must_parse("2.2.2.2"), None), None)
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
.is_err());
fix(runtime): use FQDN in NetDescriptor (#23084)
2024-03-26 19:27:40 -04:00
}
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
#[test]
fn test_deserialize_child_permissions_arg() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
assert_eq!(
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
ChildPermissionsArg::inherit(),
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Inherit,
net: ChildUnaryPermissionArg::Inherit,
ffi: ChildUnaryPermissionArg::Inherit,
read: ChildUnaryPermissionArg::Inherit,
run: ChildUnaryPermissionArg::Inherit,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::Inherit,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
write: ChildUnaryPermissionArg::Inherit,
}
);
assert_eq!(
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
ChildPermissionsArg::none(),
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
ChildPermissionsArg {
env: ChildUnaryPermissionArg::NotGranted,
net: ChildUnaryPermissionArg::NotGranted,
ffi: ChildUnaryPermissionArg::NotGranted,
read: ChildUnaryPermissionArg::NotGranted,
run: ChildUnaryPermissionArg::NotGranted,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::NotGranted,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
write: ChildUnaryPermissionArg::NotGranted,
}
);
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!("inherit")).unwrap(),
ChildPermissionsArg::inherit()
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!("none")).unwrap(),
ChildPermissionsArg::none()
);
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({})).unwrap(),
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"env": ["foo", "bar"],
}))
.unwrap(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::GrantedList(svec!["foo", "bar"]),
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
..ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"env": true,
"net": true,
"ffi": true,
"read": true,
"run": true,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
"sys": true,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
"write": true,
}))
.unwrap(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Granted,
net: ChildUnaryPermissionArg::Granted,
ffi: ChildUnaryPermissionArg::Granted,
read: ChildUnaryPermissionArg::Granted,
run: ChildUnaryPermissionArg::Granted,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::Granted,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
write: ChildUnaryPermissionArg::Granted,
}
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"env": false,
"net": false,
"ffi": false,
"read": false,
"run": false,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
"sys": false,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
"write": false,
}))
.unwrap(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::NotGranted,
net: ChildUnaryPermissionArg::NotGranted,
ffi: ChildUnaryPermissionArg::NotGranted,
read: ChildUnaryPermissionArg::NotGranted,
run: ChildUnaryPermissionArg::NotGranted,
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::NotGranted,
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
write: ChildUnaryPermissionArg::NotGranted,
}
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"env": ["foo", "bar"],
"net": ["foo", "bar:8000"],
"ffi": ["foo", "file:///bar/baz"],
"read": ["foo", "file:///bar/baz"],
"run": ["foo", "file:///bar/baz", "./qux"],
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
"sys": ["hostname", "osRelease"],
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
"write": ["foo", "file:///bar/baz"],
}))
.unwrap(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::GrantedList(svec!["foo", "bar"]),
net: ChildUnaryPermissionArg::GrantedList(svec!["foo", "bar:8000"]),
ffi: ChildUnaryPermissionArg::GrantedList(svec![
"foo",
"file:///bar/baz"
]),
read: ChildUnaryPermissionArg::GrantedList(svec![
"foo",
"file:///bar/baz"
]),
run: ChildUnaryPermissionArg::GrantedList(svec![
"foo",
"file:///bar/baz",
"./qux"
]),
feat: add --allow-sys permission flag (#16028)
2022-09-28 08:46:50 -04:00
sys: ChildUnaryPermissionArg::GrantedList(svec![
"hostname",
"osRelease"
]),
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
write: ChildUnaryPermissionArg::GrantedList(svec![
"foo",
"file:///bar/baz"
]),
}
);
}
#[test]
fn test_create_child_permissions() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
let mut main_perms = Permissions {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
env: Permissions::new_unary(Some(&[]), None, false).unwrap(),
net: Permissions::new_unary(Some(&sarr!["foo", "bar"]), None, false)
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
.unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
..Permissions::none_without_prompt()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
};
assert_eq!(
create_child_permissions(
&mut main_perms.clone(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Inherit,
net: ChildUnaryPermissionArg::GrantedList(svec!["foo"]),
ffi: ChildUnaryPermissionArg::NotGranted,
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
..ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
)
.unwrap(),
Permissions {
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
env: Permissions::new_unary(Some(&[]), None, false).unwrap(),
net: Permissions::new_unary(Some(&sarr!["foo"]), None, false).unwrap(),
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
..Permissions::none_without_prompt()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
);
assert!(create_child_permissions(
&mut main_perms.clone(),
ChildPermissionsArg {
net: ChildUnaryPermissionArg::Granted,
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
..ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
)
.is_err());
assert!(create_child_permissions(
&mut main_perms.clone(),
ChildPermissionsArg {
net: ChildUnaryPermissionArg::GrantedList(svec!["foo", "bar", "baz"]),
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
..ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
)
.is_err());
assert!(create_child_permissions(
&mut main_perms,
ChildPermissionsArg {
ffi: ChildUnaryPermissionArg::GrantedList(svec!["foo"]),
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
..ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
)
.is_err());
}
#[test]
fn test_create_child_permissions_with_prompt() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
let prompt_value = PERMISSION_PROMPT_STUB_VALUE_SETTER.lock();
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
let mut main_perms = Permissions::from_options(&PermissionsOptions {
prompt: true,
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(true);
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
let worker_perms = create_child_permissions(
&mut main_perms,
ChildPermissionsArg {
read: ChildUnaryPermissionArg::Granted,
run: ChildUnaryPermissionArg::GrantedList(svec!["foo", "bar"]),
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
..ChildPermissionsArg::none()
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
},
)
.unwrap();
assert_eq!(main_perms, worker_perms);
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
assert_eq!(
main_perms.run.granted_list,
HashSet::from([
RunDescriptor::Name("bar".to_owned()),
RunDescriptor::Name("foo".to_owned())
])
);
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
#[test]
fn test_create_child_permissions_with_inherited_denied_list() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
let prompt_value = PERMISSION_PROMPT_STUB_VALUE_SETTER.lock();
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
let mut main_perms = Permissions::from_options(&PermissionsOptions {
prompt: true,
..Default::default()
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
})
.unwrap();
chore: fix flaky permissions tests on windows (#12552)
2021-10-26 11:49:07 -04:00
prompt_value.set(false);
feat: Add requesting API name to permission prompt (#15936) Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
2022-09-27 16:36:33 -04:00
assert!(main_perms.write.check(&PathBuf::from("foo"), None).is_err());
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
let worker_perms = create_child_permissions(
&mut main_perms.clone(),
fix: actually don't inherit runtime permissions (#14024)
2022-03-20 17:46:39 -04:00
ChildPermissionsArg::none(),
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
)
.unwrap();
feat(permissions): add "--deny-*" flags (#19070) This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
2023-08-03 07:19:19 -04:00
assert_eq!(
worker_perms.write.flag_denied_list,
main_perms.write.flag_denied_list
);
fix(runtime/ops/worker_host): move permission arg parsing to Rust (#12297)
2021-10-13 13:04:44 -04:00
}
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
#[test]
fn test_handle_empty_value() {
refactor(permissions): factor out PermissionPrompter trait, add callbacks (#16975) This commit refactors several things in "runtime/permissions" module: - splits it into "mod.rs" and "prompter.rs" - adds "PermissionPrompter" trait with two implementations: * "TtyPrompter" * "TestPrompter" - adds "before" and "after" prompt callback which can be used to hide progress bar in the CLI (to be done in a follow up) - "permissions_prompt" API returns "PromptResponse" enum, instead of a boolean; this allows to add "allow all"/"deny all" functionality for the prompt
2022-12-17 19:12:28 -05:00
set_prompter(Box::new(TestPrompter));
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
assert!(Permissions::new_unary::<ReadDescriptor>(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[Default::default()]),
None,
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
false
)
.is_err());
assert!(Permissions::new_unary::<EnvDescriptor>(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[Default::default()]),
None,
perf(permissions): Fast exit from checks when permission is in "fully-granted" state (#22894) Skips the access check if the specific unary permission is in an all-granted state. Generally prevents an allocation or two. Hooks up a quiet "all" permission that is automatically inherited. This permission will be used in the future to indicate that the user wishes to accept all side-effects of the permissions they explicitly granted. The "all" permission is an "ambient flag"-style permission that states whether "allow-all" was passed on the command-line.
2024-03-13 16:30:48 -04:00
false
)
.is_err());
assert!(Permissions::new_unary::<NetDescriptor>(
fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
2024-09-04 08:51:24 -04:00
Some(&[Default::default()]),
None,
chore(permissions): add allow_all flag (#22890) Unlocking a potential perf optimization at a later date -- carry the `allow_all` flag into the permission container.
2024-03-13 12:07:24 -04:00
false
)
.is_err());
fix(permissions): ignore empty values (#15447)
2022-08-10 15:13:53 -04:00
}
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
#[test]
fn test_host_parse() {
let hosts = &[
("deno.land", Some(Host::Fqdn(fqdn!("deno.land")))),
("DENO.land", Some(Host::Fqdn(fqdn!("deno.land")))),
("deno.land.", Some(Host::Fqdn(fqdn!("deno.land")))),
(
"1.1.1.1",
Some(Host::Ip(IpAddr::V4(Ipv4Addr::new(1, 1, 1, 1)))),
),
(
"::1",
Some(Host::Ip(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)))),
),
(
"[::1]",
Some(Host::Ip(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)))),
),
("[::1", None),
("::1]", None),
("deno. land", None),
("1. 1.1.1", None),
("1.1.1.1.", None),
("1::1.", None),
("deno.land.", Some(Host::Fqdn(fqdn!("deno.land")))),
(".deno.land", None),
(
"::ffff:1.1.1.1",
Some(Host::Ip(IpAddr::V6(Ipv6Addr::new(
0, 0, 0, 0, 0, 0xffff, 0x0101, 0x0101,
)))),
),
];
for (host_str, expected) in hosts {
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(Host::parse(host_str).ok(), *expected, "{host_str}");
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
}
}
#[test]
fn test_net_descriptor_parse() {
let cases = &[
(
"deno.land",
Some(NetDescriptor(Host::Fqdn(fqdn!("deno.land")), None)),
),
(
"DENO.land",
Some(NetDescriptor(Host::Fqdn(fqdn!("deno.land")), None)),
),
(
"deno.land:8000",
Some(NetDescriptor(Host::Fqdn(fqdn!("deno.land")), Some(8000))),
),
("deno.land:", None),
("deno.land:a", None),
("deno. land:a", None),
("deno.land.: a", None),
(
"1.1.1.1",
Some(NetDescriptor(
Host::Ip(IpAddr::V4(Ipv4Addr::new(1, 1, 1, 1))),
None,
)),
),
("1.1.1.1.", None),
("1.1.1.1..", None),
(
"1.1.1.1:8000",
Some(NetDescriptor(
Host::Ip(IpAddr::V4(Ipv4Addr::new(1, 1, 1, 1))),
Some(8000),
)),
),
("::", None),
(":::80", None),
("::80", None),
(
"[::]",
Some(NetDescriptor(
Host::Ip(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0))),
None,
)),
),
("[::1", None),
("::1]", None),
("::1]", None),
("[::1]:", None),
("[::1]:a", None),
(
"[::1]:443",
Some(NetDescriptor(
Host::Ip(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1))),
Some(443),
)),
),
("", None),
("deno.land..", None),
];
for (input, expected) in cases {
refactor(permissions): remove FromStr implementations, add ::parse methods (#25473) The `.parse()` calls in permission code are only making it more confusing, verbosity is encouraged and welcome in this code even at the cost of not being concise. Left a couple TODOs to not use `AnyError`.
2024-09-06 05:28:53 -04:00
assert_eq!(NetDescriptor::parse(input).ok(), *expected, "'{input}'");
fix(permissions): handle ipv6 addresses correctly (#24397) Also don't panic on invalid domain names and addresses. Extracted with cleanups up from #24080 Co-authored-by: Yazan AbdAl-Rahman <yazan.abdalrahman@exalt.ps>
2024-07-05 18:45:06 -04:00
}
}
First pass at permissions whitelist (#2129)
2019-05-08 19:20:30 -04:00
}
Copy permalink