CalvinBackup/tauri
1
0
Fork 0
mirror of https://github.com/tauri-apps/tauri.git synced 2026-04-03 10:11:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

refactor(core): merge scope and commands resolving permission sets (#8731)

Browse Source
This commit is contained in:
Lucas Fernandes Nogueira
2024-02-02 09:18:59 -03:00
committed by GitHub
parent 3e5c28ff4f
commit a35b416e38
7 changed files with 216 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
core/tauri-utils/src/acl/resolved.rs
View File

@@ -17,7 +17,7 @@ use crate::platform::Target;
use super::{
capability::{Capability, CapabilityContext, PermissionEntry},
plugin::Manifest,
Error, ExecutionContext, Permission, PermissionSet, Scopes, Value,
Commands, Error, ExecutionContext, Permission, PermissionSet, Scopes, Value,
};
/// A key for a scope, used to link a [`ResolvedCommand#structfield.scope`] to the store [`Resolved#structfield.scopes`].
@@ -127,70 +127,85 @@ impl Resolved {
if let Some(plugin_name) = permission_id.get_prefix() {
let permissions = get_permissions(plugin_name, permission_name, &acl)?;
let mut resolved_scope = Scopes::default();
let mut commands = Commands::default();
if let PermissionEntry::ExtendedPermission {
identifier: _,
scope,
} = permission_entry
{
if let Some(allow) = scope.allow.clone() {
resolved_scope
.allow
.get_or_insert_with(Default::default)
.extend(allow);
}
if let Some(deny) = scope.deny.clone() {
resolved_scope
.deny
.get_or_insert_with(Default::default)
.extend(deny);
}
}
for permission in permissions {
let scope = match permission_entry {
PermissionEntry::PermissionRef(_) => permission.scope.clone(),
PermissionEntry::ExtendedPermission {
identifier: _,
scope,
} => {
let mut merged = permission.scope.clone();
if let Some(allow) = scope.allow.clone() {
merged
.allow
.get_or_insert_with(Default::default)
.extend(allow);
}
if let Some(deny) = scope.deny.clone() {
merged
.deny
.get_or_insert_with(Default::default)
.extend(deny);
}
merged
}
if let Some(allow) = permission.scope.allow.clone() {
resolved_scope
.allow
.get_or_insert_with(Default::default)
.extend(allow);
}
if let Some(deny) = permission.scope.deny.clone() {
resolved_scope
.deny
.get_or_insert_with(Default::default)
.extend(deny);
}
commands.allow.extend(permission.commands.allow.clone());
commands.deny.extend(permission.commands.deny.clone());
}
if commands.allow.is_empty() && commands.deny.is_empty() {
// global scope
global_scope
.entry(plugin_name.to_string())
.or_default()
.push(resolved_scope);
} else {
let has_scope = resolved_scope.allow.is_some() || resolved_scope.deny.is_some();
if has_scope {
current_scope_id += 1;
command_scopes.insert(current_scope_id, resolved_scope);
}
let scope_id = if has_scope {
Some(current_scope_id)
} else {
None
};
if permission.commands.allow.is_empty() && permission.commands.deny.is_empty() {
// global scope
global_scope
.entry(plugin_name.to_string())
.or_default()
.push(scope.clone());
} else {
let has_scope = scope.allow.is_some() || scope.deny.is_some();
if has_scope {
current_scope_id += 1;
command_scopes.insert(current_scope_id, scope.clone());
}
for allowed_command in &commands.allow {
resolve_command(
&mut allowed_commands,
format!("plugin:{plugin_name}|{allowed_command}"),
capability,
scope_id,
#[cfg(debug_assertions)]
permission_name.to_string(),
);
}
let scope_id = if has_scope {
Some(current_scope_id)
} else {
None
};
for allowed_command in &permission.commands.allow {
resolve_command(
&mut allowed_commands,
format!("plugin:{plugin_name}|{allowed_command}"),
capability,
scope_id,
#[cfg(debug_assertions)]
permission,
);
}
for denied_command in &permission.commands.deny {
resolve_command(
&mut denied_commands,
format!("plugin:{plugin_name}|{denied_command}"),
capability,
scope_id,
#[cfg(debug_assertions)]
permission,
);
}
for denied_command in &commands.deny {
resolve_command(
&mut denied_commands,
format!("plugin:{plugin_name}|{denied_command}"),
capability,
scope_id,
#[cfg(debug_assertions)]
permission_name.to_string(),
);
}
}
}
@@ -306,7 +321,7 @@ fn resolve_command(
command: String,
capability: &Capability,
scope_id: Option<ScopeKey>,
#[cfg(debug_assertions)] permission: &Permission,
#[cfg(debug_assertions)] referenced_by_permission_identifier: String,
) {
let contexts = match &capability.context {
CapabilityContext::Local => {
@@ -332,7 +347,7 @@ fn resolve_command(
#[cfg(debug_assertions)]
resolved.referenced_by.push(ResolvedCommandReference {
capability: capability.identifier.clone(),
permission: permission.identifier.clone(),
permission: referenced_by_permission_identifier.clone(),
});
resolved.windows.extend(capability.windows.clone());

3
core/tests/acl/fixtures/capabilities/scope-extended/cap.json
View File

@@ -35,6 +35,7 @@
"path": "$APP/*.db"
}
]
}
},
"fs:read-download-dir"
]
}

1
core/tests/acl/fixtures/capabilities/scope/cap.toml
View File

@@ -7,4 +7,5 @@ permissions = [
"fs:deny-home",
"fs:allow-read-resources",
"fs:allow-move-temp",
"fs:read-download-dir"
]

4
core/tests/acl/fixtures/plugins/fs/read-download-dir.toml Normal file
View File

@@ -0,0 +1,4 @@
[[set]]
identifier = "read-download-dir"
description = "allows all read the $DOWNLOAD dir"
permissions = ["allow-read-dir", "allow-download-dir"]

10
core/tests/acl/fixtures/plugins/fs/scope.toml
View File

@@ -1,6 +1,14 @@
[[permission]]
identifier = "allow-app"
description = "Allows accessing the $APP path."
[[permission.scope.allow]]
path = "$APP"
[[permission]]
identifier = "allow-download-dir"
description = "Allows accessing the $DOWNLOAD directory."
[[permission.scope.allow]]
path = "$DOWNLOAD"
[[permission.scope.allow]]
path = "$DOWNLOAD/**"

163
core/tests/acl/fixtures/snapshots/acl_tests__tests__scope-extended.snap
View File

@@ -1,6 +1,5 @@
---
source: core/tests/acl/src/lib.rs
assertion_line: 59
expression: resolved
---
Resolved {
@@ -30,7 +29,7 @@ Resolved {
},
],
scope: Some(
792017965103506125,
9188997750422900590,
),
},
CommandKey {
@@ -58,7 +57,7 @@ Resolved {
},
],
scope: Some(
5856262838373339618,
1349364295896631601,
),
},
CommandKey {
@@ -86,13 +85,95 @@ Resolved {
},
],
scope: Some(
10252531491715478446,
8031926490300119127,
),
},
},
denied_commands: {},
command_scope: {
792017965103506125: ResolvedScope {
1349364295896631601: ResolvedScope {
allow: [
Map(
{
"path": String(
"$HOME/.config/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE",
),
},
),
Map(
{
"path": String(
"$DOWNLOAD",
),
},
),
Map(
{
"path": String(
"$DOWNLOAD/**",
),
},
),
],
deny: [
Map(
{
"path": String(
"$RESOURCE/**/*.key",
),
},
),
],
},
8031926490300119127: ResolvedScope {
allow: [
Map(
{
"path": String(
"$HOME/.config/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE",
),
},
),
],
deny: [
Map(
{
"path": String(
"$RESOURCE/**/*.key",
),
},
),
],
},
9188997750422900590: ResolvedScope {
allow: [
Map(
{
@@ -104,74 +185,6 @@ Resolved {
],
deny: [],
},
5856262838373339618: ResolvedScope {
allow: [
Map(
{
"path": String(
"$HOME/.config/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE",
),
},
),
],
deny: [
Map(
{
"path": String(
"$RESOURCE/**/*.key",
),
},
),
],
},
10252531491715478446: ResolvedScope {
allow: [
Map(
{
"path": String(
"$HOME/.config/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE",
),
},
),
],
deny: [
Map(
{
"path": String(
"$RESOURCE/**/*.key",
),
},
),
],
},
},
global_scope: {
"fs": ResolvedScope {
@@ -179,14 +192,14 @@ Resolved {
Map(
{
"path": String(
"$APP",
"$APP/**",
),
},
),
Map(
{
"path": String(
"$APP/**",
"$APP",
),
},
),

36
core/tests/acl/fixtures/snapshots/acl_tests__tests__scope.snap
View File

@@ -1,6 +1,5 @@
---
source: core/tests/acl/src/lib.rs
assertion_line: 59
expression: resolved
---
Resolved {
@@ -58,7 +57,7 @@ Resolved {
},
],
scope: Some(
7912899488978770657,
5856262838373339618,
),
},
CommandKey {
@@ -92,6 +91,39 @@ Resolved {
},
denied_commands: {},
command_scope: {
5856262838373339618: ResolvedScope {
allow: [
Map(
{
"path": String(
"$RESOURCE/**",
),
},
),
Map(
{
"path": String(
"$RESOURCE",
),
},
),
Map(
{
"path": String(
"$DOWNLOAD",
),
},
),
Map(
{
"path": String(
"$DOWNLOAD/**",
),
},
),
],
deny: [],
},
7912899488978770657: ResolvedScope {
allow: [
Map(