3 files changed, 116 insertions, 51 deletions

diff --git a/cli/ops.rs b/cli/ops.rs
index 9b5bc0079..2960f3d9d 100644
--- a/cli/ops.rs
+++ b/cli/ops.rs
@@ -1625,19 +1625,18 @@ fn op_listen(
   data: Option<PinnedBuf>,
 ) -> Box<OpWithError> {
   assert!(data.is_none());
-  if let Err(e) = state.check_net("listen") {
-    return odd_future(e);
-  }
-
   let cmd_id = base.cmd_id();
   let inner = base.inner_as_listen().unwrap();
   let network = inner.network().unwrap();
   assert_eq!(network, "tcp");
   let address = inner.address().unwrap();
 
+  if let Err(e) = state.check_net(&address) {
+    return odd_future(e);
+  }
+
   Box::new(futures::future::result((move || {
     let addr = resolve_addr(address).wait()?;
-
     let listener = TcpListener::bind(&addr)?;
     let resource = resources::add_tcp_listener(listener);
 
@@ -1682,14 +1681,11 @@ fn new_conn(cmd_id: u32, tcp_stream: TcpStream) -> OpResult {
 }
 
 fn op_accept(
-  state: &ThreadSafeState,
+  _state: &ThreadSafeState,
   base: &msg::Base<'_>,
   data: Option<PinnedBuf>,
 ) -> Box<OpWithError> {
   assert!(data.is_none());
-  if let Err(e) = state.check_net("accept") {
-    return odd_future(e);
-  }
   let cmd_id = base.cmd_id();
   let inner = base.inner_as_accept().unwrap();
   let server_rid = inner.rid();
@@ -1713,15 +1709,16 @@ fn op_dial(
   data: Option<PinnedBuf>,
 ) -> Box<OpWithError> {
   assert!(data.is_none());
-  if let Err(e) = state.check_net("dial") {
-    return odd_future(e);
-  }
   let cmd_id = base.cmd_id();
   let inner = base.inner_as_dial().unwrap();
   let network = inner.network().unwrap();
   assert_eq!(network, "tcp"); // TODO Support others.
   let address = inner.address().unwrap();
 
+  if let Err(e) = state.check_net(&address) {
+    return odd_future(e);
+  }
+
   let op =
     resolve_addr(address)
       .map_err(DenoError::from)
diff --git a/tools/complex_permissions_test.py b/tools/complex_permissions_test.py
index 8fdc99d8b..a338654fe 100755
--- a/tools/complex_permissions_test.py
+++ b/tools/complex_permissions_test.py
@@ -8,6 +8,7 @@ import subprocess
 import sys
 import time
 
+import http_server
 from util import build_path, root_path, executable_suffix, green_ok, red_failed
 
 PERMISSIONS_PROMPT_TEST_TS = "tools/complex_permissions_test.ts"
@@ -96,15 +97,53 @@ class Prompt(object):
                       test_type)
             wrap_test(test_name_base + "_no_prefix", self.test_no_prefix,
                       test_type)
+
+        test_name = "net_fetch"
+        test_name_base = "test_" + test_name
+        wrap_test(test_name_base + "_allow_localhost_4545",
+                  self.test_allow_localhost_4545, test_name,
+                  ["http://localhost:4545"])
+        wrap_test(test_name_base + "_allow_deno_land",
+                  self.test_allow_deno_land, test_name,
+                  ["http://localhost:4545"])
+        wrap_test(test_name_base + "_allow_localhost_4545_fail",
+                  self.test_allow_localhost_4545_fail, test_name,
+                  ["http://localhost:4546"])
+        wrap_test(test_name_base + "_allow_localhost",
+                  self.test_allow_localhost, test_name, [
+                      "http://localhost:4545", "http://localhost:4546",
+                      "http://localhost:4547"
+                  ])
+
+        test_name = "net_dial"
+        test_name_base = "test_" + test_name
         wrap_test(test_name_base + "_allow_localhost_4545",
-                  self.test_allow_localhost_4545)
+                  self.test_allow_localhost_4545, test_name,
+                  ["localhost:4545"])
         wrap_test(test_name_base + "_allow_deno_land",
-                  self.test_allow_deno_land)
+                  self.test_allow_deno_land, test_name, ["localhost:4545"])
         wrap_test(test_name_base + "_allow_localhost_4545_fail",
-                  self.test_allow_localhost_4545_fail)
+                  self.test_allow_localhost_4545_fail, test_name,
+                  ["localhost:4546"])
         wrap_test(test_name_base + "_allow_localhost",
-                  self.test_allow_localhost)
+                  self.test_allow_localhost, test_name,
+                  ["localhost:4545", "localhost:4546", "localhost:4547"])
 
+        test_name = "net_listen"
+        test_name_base = "test_" + test_name
+        wrap_test(test_name_base + "_allow_localhost_4555",
+                  self.test_allow_localhost_4555, test_name,
+                  ["localhost:4555"])
+        wrap_test(test_name_base + "_allow_deno_land",
+                  self.test_allow_deno_land, test_name, ["localhost:4545"])
+        wrap_test(test_name_base + "_allow_localhost_4555_fail",
+                  self.test_allow_localhost_4555_fail, test_name,
+                  ["localhost:4556"])
+        wrap_test(test_name_base + "_allow_localhost",
+                  self.test_allow_localhost, test_name,
+                  ["localhost:4555", "localhost:4556", "localhost:4557"])
+
+    # read/write tests
     def test_inside_project_dir(self, test_type):
         code, _stdout, stderr = self.run(
             ["--no-prompt", "--allow-" + test_type + "=" + root_path],
@@ -149,40 +188,6 @@ class Prompt(object):
         assert not PROMPT_PATTERN in stderr
         assert not PERMISSION_DENIED_PATTERN in stderr
 
-    def test_allow_localhost_4545(self):
-        code, _stdout, stderr = self.run(
-            ["--no-prompt", "--allow-net=localhost:4545"],
-            ["net", "http://localhost:4545"], b'')
-        assert code == 0
-        assert not PROMPT_PATTERN in stderr
-        assert not PERMISSION_DENIED_PATTERN in stderr
-
-    def test_allow_deno_land(self):
-        code, _stdout, stderr = self.run(
-            ["--no-prompt", "--allow-net=deno.land"],
-            ["net", "http://localhost:4545"], b'')
-        assert code == 1
-        assert not PROMPT_PATTERN in stderr
-        assert PERMISSION_DENIED_PATTERN in stderr
-
-    def test_allow_localhost_4545_fail(self):
-        code, _stdout, stderr = self.run(
-            ["--no-prompt", "--allow-net=localhost:4545"],
-            ["net", "http://localhost:4546"], b'')
-        assert code == 1
-        assert not PROMPT_PATTERN in stderr
-        assert PERMISSION_DENIED_PATTERN in stderr
-
-    def test_allow_localhost(self):
-        code, _stdout, stderr = self.run(
-            ["--no-prompt", "--allow-net=localhost"], [
-                "net", "http://localhost:4545", "http://localhost:4546",
-                "http://localhost:4547"
-            ], b'')
-        assert code == 0
-        assert not PROMPT_PATTERN in stderr
-        assert not PERMISSION_DENIED_PATTERN in stderr
-
     def test_relative(self, test_type):
         # Save and restore curdir
         saved_curdir = os.getcwd()
@@ -207,6 +212,53 @@ class Prompt(object):
         assert not PERMISSION_DENIED_PATTERN in stderr
         os.chdir(saved_curdir)
 
+    # net tests
+    def test_allow_localhost_4545(self, test_type, hosts):
+        code, _stdout, stderr = self.run(
+            ["--no-prompt", "--allow-net=localhost:4545"], [test_type] + hosts,
+            b'')
+        assert code == 0
+        assert not PROMPT_PATTERN in stderr
+        assert not PERMISSION_DENIED_PATTERN in stderr
+
+    def test_allow_localhost_4555(self, test_type, hosts):
+        code, _stdout, stderr = self.run(
+            ["--no-prompt", "--allow-net=localhost:4555"], [test_type] + hosts,
+            b'')
+        assert code == 0
+        assert not PROMPT_PATTERN in stderr
+        assert not PERMISSION_DENIED_PATTERN in stderr
+
+    def test_allow_deno_land(self, test_type, hosts):
+        code, _stdout, stderr = self.run(
+            ["--no-prompt", "--allow-net=deno.land"], [test_type] + hosts, b'')
+        assert code == 1
+        assert not PROMPT_PATTERN in stderr
+        assert PERMISSION_DENIED_PATTERN in stderr
+
+    def test_allow_localhost_4545_fail(self, test_type, hosts):
+        code, _stdout, stderr = self.run(
+            ["--no-prompt", "--allow-net=localhost:4545"], [test_type] + hosts,
+            b'')
+        assert code == 1
+        assert not PROMPT_PATTERN in stderr
+        assert PERMISSION_DENIED_PATTERN in stderr
+
+    def test_allow_localhost_4555_fail(self, test_type, hosts):
+        code, _stdout, stderr = self.run(
+            ["--no-prompt", "--allow-net=localhost:4555"], [test_type] + hosts,
+            b'')
+        assert code == 1
+        assert not PROMPT_PATTERN in stderr
+        assert PERMISSION_DENIED_PATTERN in stderr
+
+    def test_allow_localhost(self, test_type, hosts):
+        code, _stdout, stderr = self.run(
+            ["--no-prompt", "--allow-net=localhost"], [test_type] + hosts, b'')
+        assert code == 0
+        assert not PROMPT_PATTERN in stderr
+        assert not PERMISSION_DENIED_PATTERN in stderr
+
 
 def complex_permissions_test(deno_exe):
     p = Prompt(deno_exe, ["read", "write", "net"])
@@ -216,6 +268,7 @@ def complex_permissions_test(deno_exe):
 def main():
     print "Permissions prompt tests"
     deno_exe = os.path.join(build_path(), "deno" + executable_suffix)
+    http_server.spawn()
     complex_permissions_test(deno_exe)
 
 
diff --git a/tools/complex_permissions_test.ts b/tools/complex_permissions_test.ts
index 72377ff93..da3ca5314 100644
--- a/tools/complex_permissions_test.ts
+++ b/tools/complex_permissions_test.ts
@@ -11,8 +11,23 @@ const test: (args: string[]) => void = {
       (file): any => writeFileSync(file, new Uint8Array(), { append: true })
     );
   },
-  net: (hosts: string[]): void => {
+  net_fetch: (hosts: string[]): void => {
     hosts.forEach((host): any => fetch(host));
+  },
+  net_listen: (hosts: string[]): void => {
+    hosts.forEach(
+      (host): any => {
+        const listener = Deno.listen("tcp", host);
+        listener.close();
+      }
+    );
+  },
+  net_dial: async (hosts: string[]): Promise<void> => {
+    for (const host of hosts) {
+      console.log("host in dial:", host);
+      const listener = await Deno.dial("tcp", host);
+      listener.close();
+    }
   }
 }[name];