authorDavid Sherret <dsherret@users.noreply.github.com>2024-09-16 21:39:37 +0100
committerGitHub <noreply@github.com>2024-09-16 21:39:37 +0100
commit62e952559f600e72d7498c9b12f906cb0b1ba150 (patch)
tree6dbcce6592973358ef4bf6341888b0bbbdb98cc5 /tests/specs
parente0b9c745c15720914f14996bf357d5b375e2dbd8 (diff)
refactor(permissions): split up Descriptor into Allow, Deny, and Query (#25508)
This makes the permission system more versatile.
Diffstat (limited to 'tests/specs')
-rw-r--r--tests/specs/permission/deny_run_binary_absolute_path/__test__.jsonc8
-rw-r--r--tests/specs/permission/deny_run_binary_absolute_path/main.out8
-rw-r--r--tests/specs/permission/deny_run_binary_absolute_path/main.ts15
-rw-r--r--tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.out4
-rw-r--r--tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.ts52
-rw-r--r--tests/specs/permission/make_temp_write_perm/__test__.jsonc15
-rw-r--r--tests/specs/run/allow_run_allowlist_resolution/__test__.jsonc7
-rw-r--r--tests/specs/run/allow_run_allowlist_resolution/main.out2
-rw-r--r--tests/specs/run/allow_run_allowlist_resolution/main.ts37
-rw-r--r--tests/specs/run/ld_preload/__test__.jsonc4
-rw-r--r--tests/specs/run/ld_preload/set_with_allow_env.ts4
11 files changed, 132 insertions, 24 deletions
diff --git a/tests/specs/permission/deny_run_binary_absolute_path/__test__.jsonc b/tests/specs/permission/deny_run_binary_absolute_path/__test__.jsonc
new file mode 100644
index 000000000..fac0d928a
--- /dev/null
+++ b/tests/specs/permission/deny_run_binary_absolute_path/__test__.jsonc
@@ -0,0 +1,8 @@
+{
+ "envs": {
+ "DYLD_FALLBACK_LIBRARY_PATH": "",
+ "LD_LIBRARY_PATH": ""
+ },
+ "args": "run --allow-run --deny-run=deno --allow-read main.ts",
+ "output": "main.out"
+}
diff --git a/tests/specs/permission/deny_run_binary_absolute_path/main.out b/tests/specs/permission/deny_run_binary_absolute_path/main.out
new file mode 100644
index 000000000..45b228387
--- /dev/null
+++ b/tests/specs/permission/deny_run_binary_absolute_path/main.out
@@ -0,0 +1,8 @@
+NotCapable: Requires run access to "deno", run again with the --allow-run flag
+ at [WILDCARD] {
+ name: "NotCapable"
+}
+NotCapable: Requires run access to "[WILDLINE]", run again with the --allow-run flag
+ at [WILDCARD] {
+ name: "NotCapable"
+}
diff --git a/tests/specs/permission/deny_run_binary_absolute_path/main.ts b/tests/specs/permission/deny_run_binary_absolute_path/main.ts
new file mode 100644
index 000000000..eca5e5a33
--- /dev/null
+++ b/tests/specs/permission/deny_run_binary_absolute_path/main.ts
@@ -0,0 +1,15 @@
+try {
+ new Deno.Command("deno", {
+ args: ["--version"],
+ }).outputSync();
+} catch (err) {
+ console.error(err);
+}
+
+try {
+ new Deno.Command(Deno.execPath(), {
+ args: ["--version"],
+ }).outputSync();
+} catch (err) {
+ console.error(err);
+}
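Review bot: The second `try` block is the case this spec exists for, but nothing in the file says so. With `--deny-run=deno` (set in `__test__.jsonc`), `Deno.execPath()` has to be denied as well, because a deny entry matched only by name would not cover the same binary spelled as an absolute path. I would add a comment above that block such as `// --deny-run=deno must also cover the resolved absolute path of the same binary`. The expectation also appears to rely on `deno` on the harness PATH resolving to the same file as `Deno.execPath()`; if that is not guaranteed, the second case could fail for an unrelated reason.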
diff --git a/tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.out b/tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.out
new file mode 100644
index 000000000..7144e088c
--- /dev/null
+++ b/tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.out
@@ -0,0 +1,4 @@
+good [WILDCARD]subdir[WILDCARD]
+good [WILDCARD]subdir[WILDCARD]
+good [WILDCARD]subdir[WILDCARD]
+good [WILDCARD]subdir[WILDCARD]
diff --git a/tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.ts b/tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.ts
new file mode 100644
index 000000000..28661973c
--- /dev/null
+++ b/tests/specs/permission/make_temp_write_perm/056_make_temp_file_write_perm.ts
@@ -0,0 +1,52 @@
+Deno.mkdirSync("subdir");
+
+// async file
+{
+ const path = await Deno.makeTempFile({ dir: `subdir` });
+ try {
+ if (!path.match(/^subdir[/\\][^/\\]+/)) {
+ throw Error("bad " + path);
+ }
+ console.log("good", path);
+ } finally {
+ await Deno.remove(path);
+ }
+}
+// sync file
+{
+ const path = Deno.makeTempFileSync({ dir: `subdir` });
+ try {
+ if (!path.match(/^subdir[/\\][^/\\]+/)) {
+ throw Error("bad " + path);
+ }
+ console.log("good", path);
+ } finally {
+ await Deno.remove(path);
+ }
+}
+
+// async dir
+{
+ const path = await Deno.makeTempDir({ dir: `subdir` });
+ try {
+ if (!path.match(/^subdir[/\\][^/\\]+/)) {
+ throw Error("bad " + path);
+ }
+ console.log("good", path);
+ } finally {
+ await Deno.remove(path);
+ }
+}
+
+// sync dir
+{
+ const path = Deno.makeTempDirSync({ dir: `subdir` });
+ try {
+ if (!path.match(/^subdir[/\\][^/\\]+/)) {
+ throw Error("bad " + path);
+ }
+ console.log("good", path);
+ } finally {
+ await Deno.remove(path);
+ }
+}
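Review bot: The pattern `/^subdir[/\\][^/\\]+/` has no end anchor, so in all four blocks a returned path with further separators after the first segment is still reported as "good". `if (!path.match(/^subdir[/\\][^/\\]+$/)) {` would pin the result to exactly one entry directly under `subdir`. The two sync blocks also clean up with `await Deno.remove(path)`; `Deno.removeSync(path)` would keep them synchronous end to end.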
diff --git a/tests/specs/permission/make_temp_write_perm/__test__.jsonc b/tests/specs/permission/make_temp_write_perm/__test__.jsonc
new file mode 100644
index 000000000..80a503215
--- /dev/null
+++ b/tests/specs/permission/make_temp_write_perm/__test__.jsonc
@@ -0,0 +1,15 @@
+{
+ "tempDir": true,
+ "tests": {
+ "reduced_perms": {
+ // this should not expose the full directory
+ "args": "run --quiet --allow-read --allow-write=./subdir/ 056_make_temp_file_write_perm.ts",
+ "output": "056_make_temp_file_write_perm.out"
+ },
+ "all_perms": {
+ // this will work the same as above
+ "args": "run --quiet -A 056_make_temp_file_write_perm.ts",
+ "output": "056_make_temp_file_write_perm.out"
+ }
+ }
+}
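Review bot: The comment `// this should not expose the full directory` on `reduced_perms` does not say what is being protected, and the case still grants an unscoped `--allow-read`. Judging from the regex in the `.ts` file, the intent is that the returned temp path stays relative to `subdir` and does not reveal the absolute cwd; a comment like `// write is scoped to ./subdir/, so the returned path must stay relative and not reveal the absolute cwd` would make that explicit. Since unscoped read access presumably lets the script learn the cwd anyway, a third case without `--allow-read` may be worth adding if the script can run that way.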
diff --git a/tests/specs/run/allow_run_allowlist_resolution/__test__.jsonc b/tests/specs/run/allow_run_allowlist_resolution/__test__.jsonc
index 173e13027..3e5d86adf 100644
--- a/tests/specs/run/allow_run_allowlist_resolution/__test__.jsonc
+++ b/tests/specs/run/allow_run_allowlist_resolution/__test__.jsonc
@@ -1,8 +1,9 @@
{
- "args": "run --quiet -A main.ts",
- "output": "main.out",
+ "tempDir": true,
"envs": {
"DYLD_FALLBACK_LIBRARY_PATH": "",
"LD_LIBRARY_PATH": ""
- }
+ },
+ "args": "run --quiet -A main.ts",
+ "output": "main.out"
}
diff --git a/tests/specs/run/allow_run_allowlist_resolution/main.out b/tests/specs/run/allow_run_allowlist_resolution/main.out
index f61f9b550..b494bb52f 100644
--- a/tests/specs/run/allow_run_allowlist_resolution/main.out
+++ b/tests/specs/run/allow_run_allowlist_resolution/main.out
@@ -3,7 +3,7 @@ PermissionStatus { state: "granted", onchange: null }
PermissionStatus { state: "prompt", onchange: null }
PermissionStatus { state: "granted", onchange: null }
---
-Info Failed to resolve 'deno' for allow-run: cannot find binary path
+Info Failed to resolve 'binary' for allow-run: cannot find binary path
PermissionStatus { state: "prompt", onchange: null }
PermissionStatus { state: "prompt", onchange: null }
PermissionStatus { state: "prompt", onchange: null }
diff --git a/tests/specs/run/allow_run_allowlist_resolution/main.ts b/tests/specs/run/allow_run_allowlist_resolution/main.ts
index bf33d8cbe..e43e0b5da 100644
--- a/tests/specs/run/allow_run_allowlist_resolution/main.ts
+++ b/tests/specs/run/allow_run_allowlist_resolution/main.ts
@@ -1,36 +1,41 @@
-// Testing the following (but with `deno` instead of `echo`):
-// | `deno run --allow-run=echo` | `which path == "/usr/bin/echo"` at startup | `which path != "/usr/bin/echo"` at startup |
-// |-------------------------------------|--------------------------------------------|--------------------------------------------|
-// | **`Deno.Command("echo")`** | ✅ | ✅ |
-// | **`Deno.Command("/usr/bin/echo")`** | ✅ | ❌ |
+// Testing the following:
+// | `deno run --allow-run=binary` | `which path == "/usr/bin/binary"` at startup | `which path != "/usr/bin/binary"` at startup |
+// |---------------------------------------|----------------------------------------------|--------------------------------------------|
+// | **`Deno.Command("binary")`** | :white_check_mark: | :white_check_mark: |
+// | **`Deno.Command("/usr/bin/binary")`** | :white_check_mark: | :x: |
+// | `deno run --allow-run=/usr/bin/binary | `which path == "/usr/bin/binary"` at runtime | `which path != "/usr/bin/binary"` at runtime |
+// |---------------------------------------|----------------------------------------------|--------------------------------------------|
+// | **`Deno.Command("binary")`** | :white_check_mark: | :x: |
+// | **`Deno.Command("/usr/bin/binary")`** | :white_check_mark: | :white_check_mark: |
-// | `deno run --allow-run=/usr/bin/echo | `which path == "/usr/bin/echo"` at runtime | `which path != "/usr/bin/echo"` at runtime |
-// |-------------------------------------|--------------------------------------------|--------------------------------------------|
-// | **`Deno.Command("echo")`** | ✅ | ❌ |
-// | **`Deno.Command("/usr/bin/echo")`** | ✅ | ✅ |
+const binaryName = Deno.build.os === "windows" ? "binary.exe" : "binary";
+const pathSep = Deno.build.os === "windows" ? "\\" : "/";
+const cwd = Deno.cwd();
+const execPathParent = `${Deno.cwd()}${pathSep}sub`;
+const execPath = `${execPathParent}${pathSep}${binaryName}`;
-const execPath = Deno.execPath();
-const execPathParent = execPath.replace(/[/\\][^/\\]+$/, "");
+Deno.mkdirSync(execPathParent);
+Deno.copyFileSync(Deno.execPath(), execPath);
const testUrl = `data:application/typescript;base64,${
btoa(`
- console.error(await Deno.permissions.query({ name: "run", command: "deno" }));
+ console.error(await Deno.permissions.query({ name: "run", command: "binary" }));
console.error(await Deno.permissions.query({ name: "run", command: "${
execPath.replaceAll("\\", "\\\\")
}" }));
Deno.env.set("PATH", "");
- console.error(await Deno.permissions.query({ name: "run", command: "deno" }));
+ console.error(await Deno.permissions.query({ name: "run", command: "binary" }));
console.error(await Deno.permissions.query({ name: "run", command: "${
execPath.replaceAll("\\", "\\\\")
}" }));
`)
}`;
-const process1 = await new Deno.Command(Deno.execPath(), {
+await new Deno.Command(Deno.execPath(), {
args: [
"run",
"--allow-env",
- "--allow-run=deno",
+ "--allow-run=binary",
testUrl,
],
stdout: "inherit",
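Review bot: `const cwd = Deno.cwd();` is assigned, but the very next line calls `Deno.cwd()` again, and `cwd` is not used anywhere in the visible lines. Either use it, `const execPathParent = `${cwd}${pathSep}sub`;`, or drop the declaration if nothing outside this hunk reads it. A short comment above `Deno.copyFileSync(Deno.execPath(), execPath);` would also help, for example `// copy deno to sub/binary so the allowlist name resolves to a file this test controls`. The `Deno.Command` call at the end of the hunk continues outside it.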
@@ -44,7 +49,7 @@ await new Deno.Command(Deno.execPath(), {
args: [
"run",
"--allow-env",
- "--allow-run=deno",
+ "--allow-run=binary",
testUrl,
],
stderr: "inherit",
diff --git a/tests/specs/run/ld_preload/__test__.jsonc b/tests/specs/run/ld_preload/__test__.jsonc
index 882f157e9..16ae697a7 100644
--- a/tests/specs/run/ld_preload/__test__.jsonc
+++ b/tests/specs/run/ld_preload/__test__.jsonc
@@ -6,11 +6,11 @@
},
"tests": {
"env_arg": {
- "args": "run --allow-run=echo env_arg.ts",
+ "args": "run --allow-run=curl env_arg.ts",
"output": "env_arg.out"
},
"set_with_allow_env": {
- "args": "run --allow-run=echo --allow-env set_with_allow_env.ts",
+ "args": "run --allow-run=curl --allow-env set_with_allow_env.ts",
"output": "set_with_allow_env.out"
}
}
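Review bot: Switching the allowlisted command from `echo` to `curl` makes both cases here, and the two matching hunks in `set_with_allow_env.ts`, depend on `curl` being installed and resolvable on every test runner. If it is not, the failure would presumably come from allow-run name resolution rather than from the LD_PRELOAD / DYLD check these specs are meant to pin. A comment giving the reason for `curl` would help, for example `// curl: must be a real binary on PATH so --allow-run can resolve it`. Alternatively the spec could use a binary it controls, like the copied `binary` in `allow_run_allowlist_resolution`.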
diff --git a/tests/specs/run/ld_preload/set_with_allow_env.ts b/tests/specs/run/ld_preload/set_with_allow_env.ts
index 79004aa16..a3e8dd397 100644
--- a/tests/specs/run/ld_preload/set_with_allow_env.ts
+++ b/tests/specs/run/ld_preload/set_with_allow_env.ts
@@ -1,7 +1,7 @@
Deno.env.set("LD_PRELOAD", "./libpreload.so");
try {
- new Deno.Command("echo").spawn();
+ new Deno.Command("curl").spawn();
} catch (err) {
console.log(err);
}
@@ -9,7 +9,7 @@ try {
Deno.env.set("DYLD_FALLBACK_LIBRARY_PATH", "./libpreload.so");
try {
- Deno.run({ cmd: ["echo"] }).spawnSync();
+ Deno.run({ cmd: ["curl"] }).spawnSync();
} catch (err) {
console.log(err);
}
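Review bot: The changed line keeps `Deno.run({ cmd: ["curl"] }).spawnSync()`, but the object returned by `Deno.run` has no `spawnSync` method, and `Deno.run` itself is deprecated. The block therefore always ends up in `catch`, and if the permission error were ever not raised, a `TypeError` would be logged instead. That means the spec only proves the DYLD_FALLBACK_LIBRARY_PATH denial if `set_with_allow_env.out` pins the exact error text. Consider `new Deno.Command("curl").outputSync();` here so that the only expected throw is the permission error.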