forked from nodejs/node
-
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
src: clarify the parameter name in
Permission::Apply
This fixes confusing parameter names. They are references to set allow-permission. Signed-off-by: Daeyeon Jeong <daeyeon.dev@gmail.com> PR-URL: nodejs#47874 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Debadree Chatterjee <debadree333@gmail.com>
- Loading branch information
Showing
7 changed files
with
222 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
#include "child_process_permission.h" | ||
|
||
#include <string> | ||
#include <vector> | ||
|
||
namespace node { | ||
|
||
namespace permission { | ||
|
||
// Currently, ChildProcess manage a single state | ||
// Once denied, it's always denied | ||
void ChildProcessPermission::Apply(const std::string& allow, | ||
PermissionScope scope) { | ||
deny_all_ = true; | ||
} | ||
|
||
bool ChildProcessPermission::is_granted(PermissionScope perm, | ||
const std::string_view& param) { | ||
return deny_all_ == false; | ||
} | ||
|
||
} // namespace permission | ||
} // namespace node |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
#ifndef SRC_PERMISSION_CHILD_PROCESS_PERMISSION_H_ | ||
#define SRC_PERMISSION_CHILD_PROCESS_PERMISSION_H_ | ||
|
||
#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
|
||
#include <vector> | ||
#include "permission/permission_base.h" | ||
|
||
namespace node { | ||
|
||
namespace permission { | ||
|
||
class ChildProcessPermission final : public PermissionBase { | ||
public: | ||
void Apply(const std::string& allow, PermissionScope scope) override; | ||
bool is_granted(PermissionScope perm, | ||
const std::string_view& param = "") override; | ||
|
||
private: | ||
bool deny_all_; | ||
}; | ||
|
||
} // namespace permission | ||
|
||
} // namespace node | ||
|
||
#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
#endif // SRC_PERMISSION_CHILD_PROCESS_PERMISSION_H_ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
#ifndef SRC_PERMISSION_PERMISSION_H_ | ||
#define SRC_PERMISSION_PERMISSION_H_ | ||
|
||
#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
|
||
#include "debug_utils.h" | ||
#include "node_options.h" | ||
#include "permission/child_process_permission.h" | ||
#include "permission/fs_permission.h" | ||
#include "permission/permission_base.h" | ||
#include "permission/worker_permission.h" | ||
#include "v8.h" | ||
|
||
#include <string_view> | ||
#include <unordered_map> | ||
|
||
namespace node { | ||
|
||
class Environment; | ||
|
||
namespace permission { | ||
|
||
#define THROW_IF_INSUFFICIENT_PERMISSIONS(env, perm_, resource_, ...) \ | ||
do { \ | ||
if (UNLIKELY(!(env)->permission()->is_granted(perm_, resource_))) { \ | ||
node::permission::Permission::ThrowAccessDenied( \ | ||
(env), perm_, resource_); \ | ||
return __VA_ARGS__; \ | ||
} \ | ||
} while (0) | ||
|
||
class Permission { | ||
public: | ||
Permission(); | ||
|
||
FORCE_INLINE bool is_granted(const PermissionScope permission, | ||
const std::string_view& res = "") const { | ||
if (LIKELY(!enabled_)) return true; | ||
return is_scope_granted(permission, res); | ||
} | ||
|
||
static PermissionScope StringToPermission(const std::string& perm); | ||
static const char* PermissionToString(PermissionScope perm); | ||
static void ThrowAccessDenied(Environment* env, | ||
PermissionScope perm, | ||
const std::string_view& res); | ||
|
||
// CLI Call | ||
void Apply(const std::string& allow, PermissionScope scope); | ||
void EnablePermissions(); | ||
|
||
private: | ||
COLD_NOINLINE bool is_scope_granted(const PermissionScope permission, | ||
const std::string_view& res = "") const { | ||
auto perm_node = nodes_.find(permission); | ||
if (perm_node != nodes_.end()) { | ||
return perm_node->second->is_granted(permission, res); | ||
} | ||
return false; | ||
} | ||
|
||
std::unordered_map<PermissionScope, std::shared_ptr<PermissionBase>> nodes_; | ||
bool enabled_; | ||
}; | ||
|
||
} // namespace permission | ||
|
||
} // namespace node | ||
|
||
#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
#endif // SRC_PERMISSION_PERMISSION_H_ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
#ifndef SRC_PERMISSION_PERMISSION_BASE_H_ | ||
#define SRC_PERMISSION_PERMISSION_BASE_H_ | ||
|
||
#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
|
||
#include <map> | ||
#include <string> | ||
#include <string_view> | ||
#include "v8.h" | ||
|
||
namespace node { | ||
|
||
namespace permission { | ||
|
||
#define FILESYSTEM_PERMISSIONS(V) \ | ||
V(FileSystem, "fs", PermissionsRoot) \ | ||
V(FileSystemRead, "fs.read", FileSystem) \ | ||
V(FileSystemWrite, "fs.write", FileSystem) | ||
|
||
#define CHILD_PROCESS_PERMISSIONS(V) V(ChildProcess, "child", PermissionsRoot) | ||
|
||
#define WORKER_THREADS_PERMISSIONS(V) \ | ||
V(WorkerThreads, "worker", PermissionsRoot) | ||
|
||
#define PERMISSIONS(V) \ | ||
FILESYSTEM_PERMISSIONS(V) \ | ||
CHILD_PROCESS_PERMISSIONS(V) \ | ||
WORKER_THREADS_PERMISSIONS(V) | ||
|
||
#define V(name, _, __) k##name, | ||
enum class PermissionScope { | ||
kPermissionsRoot = -1, | ||
PERMISSIONS(V) kPermissionsCount | ||
}; | ||
#undef V | ||
|
||
class PermissionBase { | ||
public: | ||
virtual void Apply(const std::string& allow, PermissionScope scope) = 0; | ||
virtual bool is_granted(PermissionScope perm, | ||
const std::string_view& param = "") = 0; | ||
}; | ||
|
||
} // namespace permission | ||
|
||
} // namespace node | ||
|
||
#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
#endif // SRC_PERMISSION_PERMISSION_BASE_H_ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
#include "permission/worker_permission.h" | ||
|
||
#include <string> | ||
#include <vector> | ||
|
||
namespace node { | ||
|
||
namespace permission { | ||
|
||
// Currently, PolicyDenyWorker manage a single state | ||
// Once denied, it's always denied | ||
void WorkerPermission::Apply(const std::string& allow, PermissionScope scope) { | ||
deny_all_ = true; | ||
} | ||
|
||
bool WorkerPermission::is_granted(PermissionScope perm, | ||
const std::string_view& param) { | ||
return deny_all_ == false; | ||
} | ||
|
||
} // namespace permission | ||
} // namespace node |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
#ifndef SRC_PERMISSION_WORKER_PERMISSION_H_ | ||
#define SRC_PERMISSION_WORKER_PERMISSION_H_ | ||
|
||
#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
|
||
#include <vector> | ||
#include "permission/permission_base.h" | ||
|
||
namespace node { | ||
|
||
namespace permission { | ||
|
||
class WorkerPermission final : public PermissionBase { | ||
public: | ||
void Apply(const std::string& allow, PermissionScope scope) override; | ||
bool is_granted(PermissionScope perm, | ||
const std::string_view& param = "") override; | ||
|
||
private: | ||
bool deny_all_; | ||
}; | ||
|
||
} // namespace permission | ||
|
||
} // namespace node | ||
|
||
#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS | ||
#endif // SRC_PERMISSION_WORKER_PERMISSION_H_ |