
Permissions refactor (#1864)

Refactored permissions to be assignable on a per-isolate 
basis, and added a fix for #1858 to op_fetch_module_meta_data.
afinch7 authored and ry committed Mar 2, 2019
1 parent 1cc02a5 commit 8c310d3d56c6b1bc67ee81d8c5ea9b20abee8088
Showing with 313 additions and 124 deletions.
  1. +14 −2 src/compiler.rs
  2. +40 −32 src/isolate.rs
  3. +3 −1 src/main.rs
  4. +231 −83 src/ops.rs
  5. +11 −1 src/permissions.rs
  6. +14 −5 src/workers.rs
@@ -2,6 +2,7 @@
use crate::isolate::Buf;
use crate::isolate::IsolateState;
use crate::msg;
use crate::permissions::DenoPermissions;
use crate::resources;
use crate::resources::Resource;
use crate::resources::ResourceId;
@@ -10,6 +11,7 @@ use crate::workers;
use futures::Future;
use serde_json;
use std::str;
use std::sync::atomic::AtomicBool;
use std::sync::Arc;
use std::sync::Mutex;

@@ -48,9 +50,19 @@ impl ModuleMetaData {

fn lazy_start(parent_state: &Arc<IsolateState>) -> Resource {
let mut cell = C_RID.lock().unwrap();
let permissions = DenoPermissions {
allow_read: AtomicBool::new(true),
allow_write: AtomicBool::new(false),
allow_env: AtomicBool::new(false),
allow_net: AtomicBool::new(true),
allow_run: AtomicBool::new(false),
};
let rid = cell.get_or_insert_with(|| {
let resource =
workers::spawn(parent_state.clone(), "compilerMain()".to_string());
let resource = workers::spawn(
parent_state.clone(),
"compilerMain()".to_string(),
permissions,
);
resource.rid
});
Resource { rid: *rid }
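Review bot: The compiler worker spawned in `lazy_start` is granted `allow_read` and `allow_net` as hard-coded `true` values, independent of whatever flags the user started the process with, and nothing in the hunk records why or what keeps that grant away from user code. A comment above the literal would make the privilege decision reviewable, for example `// Compiler isolate needs read + net to load module sources; this grant is fixed and independent of the user's flags.` The struct is also built on every call even though it is only consumed on the first spawn, so it could move inside the `get_or_insert_with` closure. `lazy_start` continues past the end of the hunk.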
@@ -64,6 +64,7 @@ pub struct Isolate {
timeout_due: Cell<Option<Instant>>,
pub modules: RefCell<Modules>,
pub state: Arc<IsolateState>,
pub permissions: Arc<DenoPermissions>,
}

pub type WorkerSender = async_mpsc::Sender<Buf>;
@@ -78,7 +79,6 @@ pub type WorkerChannels = (WorkerSender, WorkerReceiver);
pub struct IsolateState {
pub dir: deno_dir::DenoDir,
pub argv: Vec<String>,
pub permissions: DenoPermissions,
pub flags: flags::DenoFlags,
pub metrics: Metrics,
pub worker_channels: Option<Mutex<WorkerChannels>>,
@@ -96,7 +96,6 @@ impl IsolateState {
dir: deno_dir::DenoDir::new(flags.reload, flags.recompile, custom_root)
.unwrap(),
argv: argv_rest,
permissions: DenoPermissions::new(&flags),
flags,
metrics: Metrics::default(),
worker_channels: worker_channels.map(Mutex::new),
@@ -127,31 +126,6 @@ impl IsolateState {
Arc::new(IsolateState::new(flags, rest_argv, None))
}

#[inline]
pub fn check_read(&self, filename: &str) -> DenoResult<()> {
self.permissions.check_read(filename)
}

#[inline]
pub fn check_write(&self, filename: &str) -> DenoResult<()> {
self.permissions.check_write(filename)
}

#[inline]
pub fn check_env(&self) -> DenoResult<()> {
self.permissions.check_env()
}

#[inline]
pub fn check_net(&self, filename: &str) -> DenoResult<()> {
self.permissions.check_net(filename)
}

#[inline]
pub fn check_run(&self) -> DenoResult<()> {
self.permissions.check_run()
}

fn metrics_op_dispatched(
&self,
bytes_sent_control: usize,
@@ -195,6 +169,7 @@ impl Isolate {
snapshot: libdeno::deno_buf,
state: Arc<IsolateState>,
dispatch: Dispatch,
permissions: DenoPermissions,
) -> Self {
DENO_INIT.call_once(|| {
unsafe { libdeno::deno_init() };
@@ -218,6 +193,7 @@ impl Isolate {
timeout_due: Cell::new(None),
modules: RefCell::new(Modules::new()),
state,
permissions: Arc::new(permissions),
}
}

@@ -242,6 +218,31 @@ impl Isolate {
self.timeout_due.set(inst);
}

#[inline]
pub fn check_read(&self, filename: &str) -> DenoResult<()> {
self.permissions.check_read(filename)
}

#[inline]
pub fn check_write(&self, filename: &str) -> DenoResult<()> {
self.permissions.check_write(filename)
}

#[inline]
pub fn check_env(&self) -> DenoResult<()> {
self.permissions.check_env()
}

#[inline]
pub fn check_net(&self, filename: &str) -> DenoResult<()> {
self.permissions.check_net(filename)
}

#[inline]
pub fn check_run(&self) -> DenoResult<()> {
self.permissions.check_run()
}

pub fn last_exception(&self) -> Option<JSError> {
let ptr = unsafe { libdeno::deno_last_exception(self.libdeno_isolate) };
if ptr.is_null() {
@@ -618,7 +619,8 @@ mod tests {
fn test_dispatch_sync() {
let state = IsolateState::mock();
let snapshot = libdeno::deno_buf::empty();
let isolate = Isolate::new(snapshot, state, dispatch_sync);
let permissions = DenoPermissions::default();
let isolate = Isolate::new(snapshot, state, dispatch_sync, permissions);
tokio_util::init(|| {
isolate
.execute(
@@ -657,7 +659,9 @@ mod tests {
fn test_metrics_sync() {
let state = IsolateState::mock();
let snapshot = libdeno::deno_buf::empty();
let isolate = Isolate::new(snapshot, state, metrics_dispatch_sync);
let permissions = DenoPermissions::default();
let isolate =
Isolate::new(snapshot, state, metrics_dispatch_sync, permissions);
tokio_util::init(|| {
// Verify that metrics have been properly initialized.
{
@@ -691,7 +695,9 @@ mod tests {
fn test_metrics_async() {
let state = IsolateState::mock();
let snapshot = libdeno::deno_buf::empty();
let isolate = Isolate::new(snapshot, state, metrics_dispatch_async);
let permissions = DenoPermissions::default();
let isolate =
Isolate::new(snapshot, state, metrics_dispatch_async, permissions);
tokio_util::init(|| {
// Verify that metrics have been properly initialized.
{
@@ -779,7 +785,8 @@ mod tests {

let state = Arc::new(IsolateState::new(flags, rest_argv, None));
let snapshot = libdeno::deno_buf::empty();
let mut isolate = Isolate::new(snapshot, state, dispatch_sync);
let permissions = DenoPermissions::default();
let mut isolate = Isolate::new(snapshot, state, dispatch_sync, permissions);
tokio_util::init(|| {
isolate
.execute_mod(filename, false)
@@ -801,7 +808,8 @@ mod tests {

let state = Arc::new(IsolateState::new(flags, rest_argv, None));
let snapshot = libdeno::deno_buf::empty();
let mut isolate = Isolate::new(snapshot, state, dispatch_sync);
let permissions = DenoPermissions::default();
let mut isolate = Isolate::new(snapshot, state, dispatch_sync, permissions);
tokio_util::init(|| {
isolate
.execute_mod(filename, false)
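Review bot: The `pub permissions: Arc<DenoPermissions>` field added to `Isolate` is public and undocumented, so code holding an isolate can reach the permission state directly rather than through the `check_*` methods added in the later hunk. The fields are `AtomicBool` (see the literal in src/compiler.rs), so a shared reference is presumably enough to flip a grant; `pub(crate) permissions` or a private field would narrow that. A doc comment such as `/// Permissions of this isolate only; ops must be checked against the isolate that dispatched them.` would state the new per-isolate contract now that the checks no longer live on the shared `IsolateState`. The parameter name `filename` on `check_net` also looks carried over from the file checks and may deserve a more accurate name.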
@@ -96,7 +96,9 @@ fn main() {

let state = Arc::new(isolate::IsolateState::new(flags, rest_argv, None));
let snapshot = snapshot::deno_snapshot();
let mut isolate = isolate::Isolate::new(snapshot, state, ops::dispatch);
let permissions = permissions::DenoPermissions::from_flags(&state.flags);
let mut isolate =
isolate::Isolate::new(snapshot, state, ops::dispatch, permissions);

tokio_util::init(|| {
// Setup runtime.