Skip to content

Commit

Permalink
src: clarify the parameter name in Permission::Apply
Browse files Browse the repository at this point in the history
This fixes confusing parameter names. They are references
to set allow-permission.

Signed-off-by: Daeyeon Jeong <daeyeon.dev@gmail.com>
PR-URL: nodejs#47874
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com>
  • Loading branch information
daeyeon authored and MoLow committed Jul 6, 2023
1 parent 49875f0 commit 30b7133
Show file tree
Hide file tree
Showing 7 changed files with 222 additions and 1 deletion.
23 changes: 23 additions & 0 deletions src/permission/child_process_permission.cc
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#include "child_process_permission.h"

#include <string>
#include <vector>

namespace node {

namespace permission {

// Currently, ChildProcess manage a single state
// Once denied, it's always denied
void ChildProcessPermission::Apply(const std::string& allow,
PermissionScope scope) {
deny_all_ = true;
}

bool ChildProcessPermission::is_granted(PermissionScope perm,
const std::string_view& param) {
return deny_all_ == false;
}

} // namespace permission
} // namespace node
28 changes: 28 additions & 0 deletions src/permission/child_process_permission.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#ifndef SRC_PERMISSION_CHILD_PROCESS_PERMISSION_H_
#define SRC_PERMISSION_CHILD_PROCESS_PERMISSION_H_

#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS

#include <vector>
#include "permission/permission_base.h"

namespace node {

namespace permission {

class ChildProcessPermission final : public PermissionBase {
public:
void Apply(const std::string& allow, PermissionScope scope) override;
bool is_granted(PermissionScope perm,
const std::string_view& param = "") override;

private:
bool deny_all_;
};

} // namespace permission

} // namespace node

#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
#endif // SRC_PERMISSION_CHILD_PROCESS_PERMISSION_H_
2 changes: 1 addition & 1 deletion src/permission/fs_permission.h
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ namespace permission {

class FSPermission final : public PermissionBase {
public:
void Apply(const std::string& deny, PermissionScope scope) override;
void Apply(const std::string& allow, PermissionScope scope) override;
bool is_granted(PermissionScope perm, const std::string_view& param) override;

// For debugging purposes, use the gist function to print the whole tree
Expand Down
71 changes: 71 additions & 0 deletions src/permission/permission.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
#ifndef SRC_PERMISSION_PERMISSION_H_
#define SRC_PERMISSION_PERMISSION_H_

#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS

#include "debug_utils.h"
#include "node_options.h"
#include "permission/child_process_permission.h"
#include "permission/fs_permission.h"
#include "permission/permission_base.h"
#include "permission/worker_permission.h"
#include "v8.h"

#include <string_view>
#include <unordered_map>

namespace node {

class Environment;

namespace permission {

#define THROW_IF_INSUFFICIENT_PERMISSIONS(env, perm_, resource_, ...) \
do { \
if (UNLIKELY(!(env)->permission()->is_granted(perm_, resource_))) { \
node::permission::Permission::ThrowAccessDenied( \
(env), perm_, resource_); \
return __VA_ARGS__; \
} \
} while (0)

class Permission {
public:
Permission();

FORCE_INLINE bool is_granted(const PermissionScope permission,
const std::string_view& res = "") const {
if (LIKELY(!enabled_)) return true;
return is_scope_granted(permission, res);
}

static PermissionScope StringToPermission(const std::string& perm);
static const char* PermissionToString(PermissionScope perm);
static void ThrowAccessDenied(Environment* env,
PermissionScope perm,
const std::string_view& res);

// CLI Call
void Apply(const std::string& allow, PermissionScope scope);
void EnablePermissions();

private:
COLD_NOINLINE bool is_scope_granted(const PermissionScope permission,
const std::string_view& res = "") const {
auto perm_node = nodes_.find(permission);
if (perm_node != nodes_.end()) {
return perm_node->second->is_granted(permission, res);
}
return false;
}

std::unordered_map<PermissionScope, std::shared_ptr<PermissionBase>> nodes_;
bool enabled_;
};

} // namespace permission

} // namespace node

#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
#endif // SRC_PERMISSION_PERMISSION_H_
49 changes: 49 additions & 0 deletions src/permission/permission_base.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
#ifndef SRC_PERMISSION_PERMISSION_BASE_H_
#define SRC_PERMISSION_PERMISSION_BASE_H_

#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS

#include <map>
#include <string>
#include <string_view>
#include "v8.h"

namespace node {

namespace permission {

#define FILESYSTEM_PERMISSIONS(V) \
V(FileSystem, "fs", PermissionsRoot) \
V(FileSystemRead, "fs.read", FileSystem) \
V(FileSystemWrite, "fs.write", FileSystem)

#define CHILD_PROCESS_PERMISSIONS(V) V(ChildProcess, "child", PermissionsRoot)

#define WORKER_THREADS_PERMISSIONS(V) \
V(WorkerThreads, "worker", PermissionsRoot)

#define PERMISSIONS(V) \
FILESYSTEM_PERMISSIONS(V) \
CHILD_PROCESS_PERMISSIONS(V) \
WORKER_THREADS_PERMISSIONS(V)

#define V(name, _, __) k##name,
enum class PermissionScope {
kPermissionsRoot = -1,
PERMISSIONS(V) kPermissionsCount
};
#undef V

class PermissionBase {
public:
virtual void Apply(const std::string& allow, PermissionScope scope) = 0;
virtual bool is_granted(PermissionScope perm,
const std::string_view& param = "") = 0;
};

} // namespace permission

} // namespace node

#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
#endif // SRC_PERMISSION_PERMISSION_BASE_H_
22 changes: 22 additions & 0 deletions src/permission/worker_permission.cc
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#include "permission/worker_permission.h"

#include <string>
#include <vector>

namespace node {

namespace permission {

// Currently, PolicyDenyWorker manage a single state
// Once denied, it's always denied
void WorkerPermission::Apply(const std::string& allow, PermissionScope scope) {
deny_all_ = true;
}

bool WorkerPermission::is_granted(PermissionScope perm,
const std::string_view& param) {
return deny_all_ == false;
}

} // namespace permission
} // namespace node
28 changes: 28 additions & 0 deletions src/permission/worker_permission.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#ifndef SRC_PERMISSION_WORKER_PERMISSION_H_
#define SRC_PERMISSION_WORKER_PERMISSION_H_

#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS

#include <vector>
#include "permission/permission_base.h"

namespace node {

namespace permission {

class WorkerPermission final : public PermissionBase {
public:
void Apply(const std::string& allow, PermissionScope scope) override;
bool is_granted(PermissionScope perm,
const std::string_view& param = "") override;

private:
bool deny_all_;
};

} // namespace permission

} // namespace node

#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
#endif // SRC_PERMISSION_WORKER_PERMISSION_H_

0 comments on commit 30b7133

Please sign in to comment.