Browse Source

Fix permissions for dial and listen (#2373)

tags/v0.6.0
Bartek Iwańczuk 4 months ago
parent
commit
7219787894
3 changed files with 116 additions and 51 deletions
  1. 9
    12
      cli/ops.rs
  2. 91
    38
      tools/complex_permissions_test.py
  3. 16
    1
      tools/complex_permissions_test.ts

+ 9
- 12
cli/ops.rs View File

@@ -1625,19 +1625,18 @@ fn op_listen(
data: Option<PinnedBuf>,
) -> Box<OpWithError> {
assert!(data.is_none());
if let Err(e) = state.check_net("listen") {
return odd_future(e);
}

let cmd_id = base.cmd_id();
let inner = base.inner_as_listen().unwrap();
let network = inner.network().unwrap();
assert_eq!(network, "tcp");
let address = inner.address().unwrap();

if let Err(e) = state.check_net(&address) {
return odd_future(e);
}

Box::new(futures::future::result((move || {
let addr = resolve_addr(address).wait()?;

let listener = TcpListener::bind(&addr)?;
let resource = resources::add_tcp_listener(listener);

@@ -1682,14 +1681,11 @@ fn new_conn(cmd_id: u32, tcp_stream: TcpStream) -> OpResult {
}

fn op_accept(
state: &ThreadSafeState,
_state: &ThreadSafeState,
base: &msg::Base<'_>,
data: Option<PinnedBuf>,
) -> Box<OpWithError> {
assert!(data.is_none());
if let Err(e) = state.check_net("accept") {
return odd_future(e);
}
let cmd_id = base.cmd_id();
let inner = base.inner_as_accept().unwrap();
let server_rid = inner.rid();
@@ -1713,15 +1709,16 @@ fn op_dial(
data: Option<PinnedBuf>,
) -> Box<OpWithError> {
assert!(data.is_none());
if let Err(e) = state.check_net("dial") {
return odd_future(e);
}
let cmd_id = base.cmd_id();
let inner = base.inner_as_dial().unwrap();
let network = inner.network().unwrap();
assert_eq!(network, "tcp"); // TODO Support others.
let address = inner.address().unwrap();

if let Err(e) = state.check_net(&address) {
return odd_future(e);
}

let op =
resolve_addr(address)
.map_err(DenoError::from)

+ 91
- 38
tools/complex_permissions_test.py View File

@@ -8,6 +8,7 @@ import subprocess
import sys
import time

import http_server
from util import build_path, root_path, executable_suffix, green_ok, red_failed

PERMISSIONS_PROMPT_TEST_TS = "tools/complex_permissions_test.ts"
@@ -96,15 +97,53 @@ class Prompt(object):
test_type)
wrap_test(test_name_base + "_no_prefix", self.test_no_prefix,
test_type)

test_name = "net_fetch"
test_name_base = "test_" + test_name
wrap_test(test_name_base + "_allow_localhost_4545",
self.test_allow_localhost_4545, test_name,
["http://localhost:4545"])
wrap_test(test_name_base + "_allow_deno_land",
self.test_allow_deno_land, test_name,
["http://localhost:4545"])
wrap_test(test_name_base + "_allow_localhost_4545_fail",
self.test_allow_localhost_4545_fail, test_name,
["http://localhost:4546"])
wrap_test(test_name_base + "_allow_localhost",
self.test_allow_localhost, test_name, [
"http://localhost:4545", "http://localhost:4546",
"http://localhost:4547"
])

test_name = "net_dial"
test_name_base = "test_" + test_name
wrap_test(test_name_base + "_allow_localhost_4545",
self.test_allow_localhost_4545)
self.test_allow_localhost_4545, test_name,
["localhost:4545"])
wrap_test(test_name_base + "_allow_deno_land",
self.test_allow_deno_land)
self.test_allow_deno_land, test_name, ["localhost:4545"])
wrap_test(test_name_base + "_allow_localhost_4545_fail",
self.test_allow_localhost_4545_fail)
self.test_allow_localhost_4545_fail, test_name,
["localhost:4546"])
wrap_test(test_name_base + "_allow_localhost",
self.test_allow_localhost)
self.test_allow_localhost, test_name,
["localhost:4545", "localhost:4546", "localhost:4547"])

test_name = "net_listen"
test_name_base = "test_" + test_name
wrap_test(test_name_base + "_allow_localhost_4555",
self.test_allow_localhost_4555, test_name,
["localhost:4555"])
wrap_test(test_name_base + "_allow_deno_land",
self.test_allow_deno_land, test_name, ["localhost:4545"])
wrap_test(test_name_base + "_allow_localhost_4555_fail",
self.test_allow_localhost_4555_fail, test_name,
["localhost:4556"])
wrap_test(test_name_base + "_allow_localhost",
self.test_allow_localhost, test_name,
["localhost:4555", "localhost:4556", "localhost:4557"])

# read/write tests
def test_inside_project_dir(self, test_type):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-" + test_type + "=" + root_path],
@@ -149,40 +188,6 @@ class Prompt(object):
assert not PROMPT_PATTERN in stderr
assert not PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost_4545(self):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost:4545"],
["net", "http://localhost:4545"], b'')
assert code == 0
assert not PROMPT_PATTERN in stderr
assert not PERMISSION_DENIED_PATTERN in stderr

def test_allow_deno_land(self):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=deno.land"],
["net", "http://localhost:4545"], b'')
assert code == 1
assert not PROMPT_PATTERN in stderr
assert PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost_4545_fail(self):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost:4545"],
["net", "http://localhost:4546"], b'')
assert code == 1
assert not PROMPT_PATTERN in stderr
assert PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost(self):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost"], [
"net", "http://localhost:4545", "http://localhost:4546",
"http://localhost:4547"
], b'')
assert code == 0
assert not PROMPT_PATTERN in stderr
assert not PERMISSION_DENIED_PATTERN in stderr

def test_relative(self, test_type):
# Save and restore curdir
saved_curdir = os.getcwd()
@@ -207,6 +212,53 @@ class Prompt(object):
assert not PERMISSION_DENIED_PATTERN in stderr
os.chdir(saved_curdir)

# net tests
def test_allow_localhost_4545(self, test_type, hosts):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost:4545"], [test_type] + hosts,
b'')
assert code == 0
assert not PROMPT_PATTERN in stderr
assert not PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost_4555(self, test_type, hosts):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost:4555"], [test_type] + hosts,
b'')
assert code == 0
assert not PROMPT_PATTERN in stderr
assert not PERMISSION_DENIED_PATTERN in stderr

def test_allow_deno_land(self, test_type, hosts):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=deno.land"], [test_type] + hosts, b'')
assert code == 1
assert not PROMPT_PATTERN in stderr
assert PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost_4545_fail(self, test_type, hosts):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost:4545"], [test_type] + hosts,
b'')
assert code == 1
assert not PROMPT_PATTERN in stderr
assert PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost_4555_fail(self, test_type, hosts):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost:4555"], [test_type] + hosts,
b'')
assert code == 1
assert not PROMPT_PATTERN in stderr
assert PERMISSION_DENIED_PATTERN in stderr

def test_allow_localhost(self, test_type, hosts):
code, _stdout, stderr = self.run(
["--no-prompt", "--allow-net=localhost"], [test_type] + hosts, b'')
assert code == 0
assert not PROMPT_PATTERN in stderr
assert not PERMISSION_DENIED_PATTERN in stderr


def complex_permissions_test(deno_exe):
p = Prompt(deno_exe, ["read", "write", "net"])
@@ -216,6 +268,7 @@ def complex_permissions_test(deno_exe):
def main():
print "Permissions prompt tests"
deno_exe = os.path.join(build_path(), "deno" + executable_suffix)
http_server.spawn()
complex_permissions_test(deno_exe)



+ 16
- 1
tools/complex_permissions_test.ts View File

@@ -11,8 +11,23 @@ const test: (args: string[]) => void = {
(file): any => writeFileSync(file, new Uint8Array(), { append: true })
);
},
net: (hosts: string[]): void => {
net_fetch: (hosts: string[]): void => {
hosts.forEach((host): any => fetch(host));
},
net_listen: (hosts: string[]): void => {
hosts.forEach(
(host): any => {
const listener = Deno.listen("tcp", host);
listener.close();
}
);
},
net_dial: async (hosts: string[]): Promise<void> => {
for (const host of hosts) {
console.log("host in dial:", host);
const listener = await Deno.dial("tcp", host);
listener.close();
}
}
}[name];


Loading…
Cancel
Save