feat(runtime/permissions): prompt fallback #9376

Merged
merged 31 commits into from
Apr 12, 2021
Merged
0849cdc
feat: --prompt
crowlKats Mar 18, 2021
621fa81
Merge branch 'master' into permission_prompt_fallback
crowlKats Mar 18, 2021
a43fa1d
Merge branch 'master' into permission_prompt_fallback
crowlKats Mar 19, 2021
3078149
add test
crowlKats Mar 20, 2021
f3583b4
first part of denyalways hanndling
crowlKats Mar 20, 2021
2fe71fa
fix
crowlKats Mar 20, 2021
468af79
serde skip prompt
crowlKats Mar 20, 2021
42c607e
clean up
crowlKats Mar 20, 2021
a80e52c
Merge branch 'master' into permission_prompt_fallback
crowlKats Mar 21, 2021
4b94b67
Merge branch 'master' into permission_prompt_fallback
crowlKats Mar 30, 2021
8cef27e
remove 4-state prompting
crowlKats Mar 30, 2021
3f00d23
clean up
crowlKats Apr 4, 2021
33826df
Merge branch 'master' into permission_prompt_fallback
crowlKats Apr 8, 2021
0d59987
CI
crowlKats Apr 8, 2021
2dd190f
Merge branch 'master' into permission_prompt_fallback
crowlKats Apr 8, 2021
f64d83e
fix
crowlKats Apr 8, 2021
d27130d
CI
crowlKats Apr 8, 2021
ce0992c
Merge branch 'main' into permission_prompt_fallback
kt3k Apr 9, 2021
56a7ee6
Merge branch 'master' into permission_prompt_fallback
crowlKats Apr 9, 2021
41dba58
Merge branch 'main' into permission_prompt_fallback
bartlomieju Apr 9, 2021
c04c024
fix
crowlKats Apr 10, 2021
4fa49f5
fmt
crowlKats Apr 10, 2021
fa2b92f
fix
crowlKats Apr 10, 2021
c1d58b0
add test
crowlKats Apr 10, 2021
a22b50a
Merge branch 'master' into permission_prompt_fallback
crowlKats Apr 10, 2021
478e6f5
ci: touch diff files from main
kt3k Apr 10, 2021
a6bc675
ci: fix touch-diff script
kt3k Apr 11, 2021
7fd7415
handle denied_list
crowlKats Apr 11, 2021
63943d1
fix
crowlKats Apr 11, 2021
ee8d6da
CI
crowlKats Apr 11, 2021
0851bf7
Merge branch 'master' into permission_prompt_fallback
crowlKats Apr 11, 2021
Merge branch 'master' into permission_prompt_fallback
# Conflicts:
#	runtime/ops/os.rs
#	runtime/ops/process.rs
#	runtime/ops/worker_host.rs
crowlKats committed Mar 19, 2021
commit a43fa1db743726be0e0cb95482b4340c604127e6
3 changes: 0 additions & 3 deletions runtime/ops/os.rs
@@ -53,7 +53,6 @@ fn op_set_env(
args: SetEnv,
_zero_copy: &mut [ZeroCopyBuf],
) -> Result<Value, AnyError> {
let args: SetEnv = serde_json::from_value(args)?;
state.borrow_mut::<Permissions>().env.check()?;
let invalid_key =
args.key.is_empty() || args.key.contains(&['=', '\0'] as &[char]);
@@ -85,7 +84,6 @@ fn op_get_env(
args: GetEnv,
_zero_copy: &mut [ZeroCopyBuf],
) -> Result<Value, AnyError> {
let args: GetEnv = serde_json::from_value(args)?;
state.borrow_mut::<Permissions>().env.check()?;
if args.key.is_empty() || args.key.contains(&['=', '\0'] as &[char]) {
return Err(type_error("Key contains invalid characters."));
@@ -107,7 +105,6 @@ fn op_delete_env(
args: DeleteEnv,
_zero_copy: &mut [ZeroCopyBuf],
) -> Result<Value, AnyError> {
let args: DeleteEnv = serde_json::from_value(args)?;
state.borrow_mut::<Permissions>().env.check()?;
if args.key.is_empty() || args.key.contains(&['=', '\0'] as &[char]) {
return Err(type_error("Key contains invalid characters."));
1 change: 0 additions & 1 deletion runtime/ops/process.rs
@@ -87,7 +87,6 @@ fn op_run(
run_args: RunArgs,
_zero_copy: &mut [ZeroCopyBuf],
) -> Result<Value, AnyError> {
let run_args: RunArgs = serde_json::from_value(args)?;
state.borrow_mut::<Permissions>().run.check()?;

let args = run_args.cmd;
281 changes: 56 additions & 225 deletions runtime/ops/worker_host.rs
@@ -129,252 +129,83 @@ fn merge_net_permission(
mut main: UnaryPermission<NetPermission>,
worker: Option<UnaryPermission<NetPermission>>,
) -> Result<UnaryPermission<NetPermission>, AnyError> {
if incoming.is_none() {
return Ok(target.clone());
};

let new_permissions = incoming.unwrap();
match &target.global_state {
PermissionState::Granted => Ok(UnaryPermission::<NetPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_net(&None, false)
}),
PermissionState::Prompt => match new_permissions.global_state {
//Throw
PermissionState::Granted => Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)),
//Merge
PermissionState::Prompt => {
if check_net_permission_contains(
&target.granted_list,
&new_permissions.granted_list,
) {
Ok(UnaryPermission::<NetPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: target.denied_list.clone(),
..Permissions::new_net(&None, false)
})
} else {
Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
))
}
}
//Copy
PermissionState::Denied => Ok(UnaryPermission::<NetPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_net(&None, false)
}),
},
PermissionState::Denied => match new_permissions.global_state {
PermissionState::Denied => Ok(UnaryPermission::<NetPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_net(&None, false)
}),
_ => Err(custom_error(
if let Some(worker) = worker {
if (worker.global_state < main.global_state)
|| !worker
.granted_list
.iter()
.all(|x| main.check(&(&x.0, x.1)).is_ok())
{
return Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)),
},
));
} else {
main.global_state = worker.global_state;
main.granted_list = worker.granted_list;
}
}
Ok(main)
}

fn check_read_permissions(
allow_list: &HashSet<ReadPermission>,
current_permissions: &mut Permissions,
) -> bool {
allow_list
.iter()
.all(|x| current_permissions.read.check(&x.0).is_ok())
}

fn check_write_permissions(
allow_list: &HashSet<WritePermission>,
current_permissions: &mut Permissions,
) -> bool {
allow_list
.iter()
.all(|x| current_permissions.write.check(&x.0).is_ok())
}

fn merge_read_permissions(
target: UnaryPermission<ReadPermission>,
incoming: Option<UnaryPermission<ReadPermission>>,
current_permissions: &mut Permissions,
fn merge_read_permission(
mut main: UnaryPermission<ReadPermission>,
worker: Option<UnaryPermission<ReadPermission>>,
) -> Result<UnaryPermission<ReadPermission>, AnyError> {
if incoming.is_none() {
return Ok(target);
};

let new_permissions = incoming.unwrap();
match &target.global_state {
PermissionState::Granted => Ok(UnaryPermission::<ReadPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_read(&None, false)
}),
PermissionState::Prompt => match new_permissions.global_state {
//Throw
PermissionState::Granted => Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)),
//Merge
PermissionState::Prompt => {
if check_read_permissions(
&new_permissions.granted_list,
current_permissions,
) {
Ok(UnaryPermission::<ReadPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: target.denied_list,
..Permissions::new_read(&None, false)
})
} else {
Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
))
}
}
//Copy
PermissionState::Denied => Ok(UnaryPermission::<ReadPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_read(&None, false)
}),
},
PermissionState::Denied => match new_permissions.global_state {
PermissionState::Denied => Ok(UnaryPermission::<ReadPermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_read(&None, false)
}),
_ => Err(custom_error(
if let Some(worker) = worker {
if (worker.global_state < main.global_state)
|| !worker
.granted_list
.iter()
.all(|x| main.check(x.0.as_path()).is_ok())
{
return Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)),
},
));
} else {
main.global_state = worker.global_state;
main.granted_list = worker.granted_list;
}
}
Ok(main)
}

fn merge_write_permissions(
target: UnaryPermission<WritePermission>,
incoming: Option<UnaryPermission<WritePermission>>,
current_permissions: &mut Permissions,
fn merge_write_permission(
mut main: UnaryPermission<WritePermission>,
worker: Option<UnaryPermission<WritePermission>>,
) -> Result<UnaryPermission<WritePermission>, AnyError> {
if incoming.is_none() {
return Ok(target);
};

let new_permissions = incoming.unwrap();
match &target.global_state {
PermissionState::Granted => Ok(UnaryPermission::<WritePermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_write(&None, false)
}),
PermissionState::Prompt => match new_permissions.global_state {
//Throw
PermissionState::Granted => Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)),
//Merge
PermissionState::Prompt => {
if check_write_permissions(
&new_permissions.granted_list,
current_permissions,
) {
Ok(UnaryPermission::<WritePermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: target.denied_list,
..Permissions::new_write(&None, false)
})
} else {
Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
))
}
}
//Copy
PermissionState::Denied => Ok(UnaryPermission::<WritePermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_write(&None, false)
}),
},
PermissionState::Denied => match new_permissions.global_state {
PermissionState::Denied => Ok(UnaryPermission::<WritePermission> {
global_state: new_permissions.global_state,
granted_list: new_permissions.granted_list,
denied_list: new_permissions.denied_list,
..Permissions::new_write(&None, false)
}),
_ => Err(custom_error(
if let Some(worker) = worker {
if (worker.global_state < main.global_state)
|| !worker
.granted_list
.iter()
.all(|x| main.check(x.0.as_path()).is_ok())
{
return Err(custom_error(
"PermissionDenied",
"Can't escalate parent thread permissions",
)),
},
));
} else {
main.global_state = worker.global_state;
main.granted_list = worker.granted_list;
}
}
Ok(main)
}

fn create_worker_permissions(
main_thread_permissions: &mut Permissions,
permission_args: PermissionsArg,
main_perms: Permissions,
worker_perms: PermissionsArg,
) -> Result<Permissions, AnyError> {
Ok(Permissions {
env: merge_boolean_permission(
&main_thread_permissions.env,
permission_args.env,
)?,
hrtime: merge_boolean_permission(
&main_thread_permissions.hrtime,
permission_args.hrtime,
)?,
net: merge_net_permissions(
&main_thread_permissions.net,
permission_args.net,
)?,
plugin: merge_boolean_permission(
&main_thread_permissions.plugin,
permission_args.plugin,
)?,
read: merge_read_permissions(
main_thread_permissions.read.clone(),
permission_args.read,
main_thread_permissions,
)?,
run: merge_boolean_permission(
&main_thread_permissions.run,
permission_args.run,
)?,
write: merge_write_permissions(
main_thread_permissions.write.clone(),
permission_args.write,
main_thread_permissions,
)?,
env: merge_boolean_permission(main_perms.env, worker_perms.env)?,
hrtime: merge_boolean_permission(main_perms.hrtime, worker_perms.hrtime)?,
net: merge_net_permission(main_perms.net, worker_perms.net)?,
plugin: merge_boolean_permission(main_perms.plugin, worker_perms.plugin)?,
read: merge_read_permission(main_perms.read, worker_perms.read)?,
run: merge_boolean_permission(main_perms.run, worker_perms.run)?,
write: merge_write_permission(main_perms.write, worker_perms.write)?,
})
}

@@ -543,10 +374,10 @@ fn op_create_worker(
if use_deno_namespace {
super::check_unstable(state, "Worker.deno.namespace");
}
let mut parent_permissions = state.borrow::<Permissions>().clone();
let parent_permissions = state.borrow::<Permissions>().clone();
let worker_permissions = if let Some(permissions) = args.permissions {
super::check_unstable(state, "Worker.deno.permissions");
create_worker_permissions(&mut parent_permissions, permissions)?
create_worker_permissions(parent_permissions.clone(), permissions)?
} else {
parent_permissions.clone()
};
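Review bot: The escalation guard in `merge_net_permission`, `merge_read_permission` and `merge_write_permission` hinges on `worker.global_state < main.global_state`, which is only correct if `PermissionState` orders its variants from most to least permissive. That ordering is declared outside this file section, so a later reordering of the enum would silently invert the check. A comment at each comparison, such as `// PermissionState is assumed to order Granted < Prompt < Denied, so "<" means "more permissive"`, would pin the assumption, and a unit test on the ordering would make a change fail loudly. The same guard calls `main.check(..)` for every entry of the worker's `granted_list`; if `check` can prompt or record a decision (its body is not visible here), validating a worker request becomes interactive, and a non-prompting lookup would suit a pure comparison better. The three functions repeat the guard verbatim apart from the argument passed to `check`, so any correction has to land in all three, or in a shared helper.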
You are viewing a condensed version of this merge commit. You can view the full changes here.