feat(cli): add test permissions to Deno.test

cli/Cargo.toml

@@ -78,7 +78,7 @@ termcolor = "1.1.2"
 text-size = "1.1.0"
 tokio = { version = "1.4.0", features = ["full"] }
 tokio-rustls = "0.22.0"
-uuid = { version = "0.8.2", features = ["v4"] }
+uuid = { version = "0.8.2", features = ["v4", "serde"] }
 walkdir = "2.3.2"
 
 [target.'cfg(windows)'.dependencies]

cli/dts/lib.deno.unstable.d.ts

@@ -1181,6 +1181,35 @@ declare namespace Deno {
    * then the underlying HttpConn resource is closed automatically.
    */
   export function serveHttp(conn: Conn): HttpConn;
+
+  /** **UNSTABLE**: New option, permissions are yet to be vetted.
+   *
+   * Use the peermissions options to change the level of access the test will
+   * have. By default it will inherit the permissions of its parent thread. The permissions
+   * of a test can't be extended beyond its parent's permissions reach.
+   * - "inherit" will take the permissions of the thread the test is created in
+   * - You can disable/enable permissions all together by passing a boolean
+   * - You can provide a list permissions to narrow the permissions a test has.
+  */
+  export interface TestDefinition {
+    /** Set to `"none"` to disable all the permissions in the test. */
+    permissions?: "inherit" | "none" | {
+      env?: "inherit" | boolean;
+      hrtime?: "inherit" | boolean;
+      /** The format of the net access list must be `hostname[:port]`
+       * in order to be resolved.
+       *
+       * ```
+       * net: ["https://deno.land", "localhost:8080"],
+       * ```
+       * */
+      net?: "inherit" | boolean | string[];
+      plugin?: "inherit" | boolean;
+      read?: "inherit" | boolean | Array<string | URL>;
+      run?: "inherit" | boolean;
+      write?: "inherit" | boolean | Array<string | URL>;
+    };
+  }
 }
 
 declare function fetch(

cli/main.rs

@@ -159,6 +159,7 @@ pub fn create_main_worker(
   program_state: &Arc<ProgramState>,
   main_module: ModuleSpecifier,
   permissions: Permissions,
+  enable_testing: bool,
 ) -> MainWorker {
   let module_loader = CliModuleLoader::new(program_state.clone());
 
@@ -218,6 +219,10 @@ pub fn create_main_worker(
     // above
     ops::errors::init(js_runtime);
     ops::runtime_compiler::init(js_runtime);
+
+    if enable_testing {
+      ops::test_runner::init(js_runtime);
+    }
   }
   worker.bootstrap(&options);
 
@@ -425,7 +430,7 @@ async fn install_command(
   let program_state = ProgramState::build(preload_flags).await?;
   let main_module = resolve_url_or_path(&module_url)?;
   let mut worker =
-    create_main_worker(&program_state, main_module.clone(), permissions);
+    create_main_worker(&program_state, main_module.clone(), permissions, false);
   // First, fetch and compile the module; this step ensures that the module exists.
   worker.preload_module(&main_module).await?;
   tools::installer::install(flags, &module_url, args, name, root, force)
@@ -492,7 +497,7 @@ async fn eval_command(
   let permissions = Permissions::from_options(&flags.clone().into());
   let program_state = ProgramState::build(flags).await?;
   let mut worker =
-    create_main_worker(&program_state, main_module.clone(), permissions);
+    create_main_worker(&program_state, main_module.clone(), permissions, false);
   // Create a dummy source file.
   let source_code = if print {
     format!("console.log({})", code)
@@ -726,7 +731,7 @@ async fn run_repl(flags: Flags) -> Result<(), AnyError> {
   let permissions = Permissions::from_options(&flags.clone().into());
   let program_state = ProgramState::build(flags).await?;
   let mut worker =
-    create_main_worker(&program_state, main_module.clone(), permissions);
+    create_main_worker(&program_state, main_module.clone(), permissions, false);
   worker.run_event_loop().await?;
 
   tools::repl::run(&program_state, worker).await
@@ -740,6 +745,7 @@ async fn run_from_stdin(flags: Flags) -> Result<(), AnyError> {
     &program_state.clone(),
     main_module.clone(),
     permissions,
+    false,
   );
 
   let mut source = Vec::new();
@@ -817,8 +823,12 @@ async fn run_with_watch(flags: Flags, script: String) -> Result<(), AnyError> {
     async move {
       let main_module = main_module.clone();
       let program_state = ProgramState::build(flags).await?;
-      let mut worker =
-        create_main_worker(&program_state, main_module.clone(), permissions);
+      let mut worker = create_main_worker(
+        &program_state,
+        main_module.clone(),
+        permissions,
+        false,
+      );
       debug!("main_module {}", main_module);
       worker.execute_module(&main_module).await?;
       worker.execute("window.dispatchEvent(new Event('load'))")?;
@@ -851,7 +861,7 @@ async fn run_command(flags: Flags, script: String) -> Result<(), AnyError> {
   let program_state = ProgramState::build(flags.clone()).await?;
   let permissions = Permissions::from_options(&flags.clone().into());
   let mut worker =
-    create_main_worker(&program_state, main_module.clone(), permissions);
+    create_main_worker(&program_state, main_module.clone(), permissions, false);
 
   let mut maybe_coverage_collector =
     if let Some(ref coverage_dir) = program_state.coverage_dir {
@@ -968,7 +978,7 @@ async fn test_command(
   }
 
   let mut worker =
-    create_main_worker(&program_state, main_module.clone(), permissions);
+    create_main_worker(&program_state, main_module.clone(), permissions, true);
 
   if let Some(ref coverage_dir) = flags.coverage_dir {
     env::set_var("DENO_UNSTABLE_COVERAGE_DIR", coverage_dir);

cli/ops/mod.rs

@@ -2,5 +2,6 @@
 
 pub mod errors;
 pub mod runtime_compiler;
+pub mod test_runner;
 
 pub use deno_runtime::ops::{reg_async, reg_sync};

cli/ops/test_runner.rs

@@ -0,0 +1,65 @@
+// Copyright 2018-2021 the Deno authors. All rights reserved. MIT license.
+
+use deno_core::error::generic_error;
+use deno_core::error::AnyError;
+use deno_core::serde_json;
+use deno_core::serde_json::json;
+use deno_core::serde_json::Value;
+use deno_core::OpState;
+use deno_core::ZeroCopyBuf;
+use deno_runtime::ops::worker_host::create_worker_permissions;
+use deno_runtime::ops::worker_host::PermissionsArg;
+use deno_runtime::permissions::Permissions;
+use uuid::Uuid;
+
+pub fn init(rt: &mut deno_core::JsRuntime) {
+  super::reg_sync(rt, "op_pledge_test_permissions", op_pledge_test_permissions);
+  super::reg_sync(
+    rt,
+    "op_restore_test_permissions",
+    op_restore_test_permissions,
+  );
+}
+
+#[derive(Clone)]
+struct PermissionsHolder(Uuid, Permissions);
+
+pub fn op_pledge_test_permissions(
+  state: &mut OpState,
+  args: Value,
+  _zero_copy: Option<ZeroCopyBuf>,
+) -> Result<Uuid, AnyError> {
+  deno_runtime::ops::check_unstable(state, "Deno.test.permissions");
+
+  let token = Uuid::new_v4();
+  let parent_permissions = state.borrow::<Permissions>().clone();
+  let worker_permissions = {
+    let permissions: PermissionsArg = serde_json::from_value(args)?;
+    create_worker_permissions(parent_permissions.clone(), permissions)?
+  };
+
+  state.put::<PermissionsHolder>(PermissionsHolder(token, parent_permissions));
+  state.put::<Permissions>(worker_permissions);
+
+  Ok(token)
+}
+
+pub fn op_restore_test_permissions(
+  state: &mut OpState,
+  token: Uuid,
+  _zero_copy: Option<ZeroCopyBuf>,
+) -> Result<Value, AnyError> {
+  deno_runtime::ops::check_unstable(state, "Deno.test.permissions");
+
+  if let Some(permissions_holder) = state.try_take::<PermissionsHolder>() {
+    if token != permissions_holder.0 {
+      panic!("restore test permissions token does not match the stored token");
+    }
+
+    let permissions = permissions_holder.1;
+    state.put::<Permissions>(permissions);
+    Ok(json!({}))
+  } else {
+    Err(generic_error("no permissions to restore"))
+  }
+}

cli/tests/integration_tests.rs

@@ -2395,6 +2395,18 @@ mod integration {
       output: "test/deno_test.out",
     });
 
+    itest!(allow_all {
+      args: "test --unstable --allow-all test/allow_all.ts",
+      exit_code: 0,
+      output: "test/allow_all.out",
+    });
+
+    itest!(allow_none {
+      args: "test --unstable test/allow_none.ts",
+      exit_code: 1,
+      output: "test/allow_none.out",
+    });
+
     itest!(fail_fast {
       args: "test --fail-fast test/test_runner_test.ts",
       exit_code: 1,

cli/tests/test/allow_all.out

@@ -0,0 +1,18 @@
+[WILDCARD]
+running 14 tests
+test read false ... ok [WILDCARD]
+test read true ... ok [WILDCARD]
+test write false ... ok [WILDCARD]
+test write true ... ok [WILDCARD]
+test net false ... ok [WILDCARD]
+test net true ... ok [WILDCARD]
+test env false ... ok [WILDCARD]
+test env true ... ok [WILDCARD]
+test run false ... ok [WILDCARD]
+test run true ... ok [WILDCARD]
+test plugin false ... ok [WILDCARD]
+test plugin true ... ok [WILDCARD]
+test hrtime false ... ok [WILDCARD]
+test hrtime true ... ok [WILDCARD]
+
+test result: ok. 14 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out [WILDCARD]

cli/tests/test/allow_all.ts

@@ -0,0 +1,35 @@
+import { assertEquals } from "../../../test_util/std/testing/asserts.ts";
+
+const permissions: Deno.PermissionName[] = [
+  "read",
+  "write",
+  "net",
+  "env",
+  "run",
+  "plugin",
+  "hrtime",
+];
+
+for (const name of permissions) {
+  Deno.test({
+    name: `${name} false`,
+    permissions: {
+      [name]: false,
+    },
+    async fn() {
+      const status = await Deno.permissions.query({ name });
+      assertEquals(status.state, "denied");
+    },
+  });
+
+  Deno.test({
+    name: `${name} true`,
+    permissions: {
+      [name]: true,
+    },
+    async fn() {
+      const status = await Deno.permissions.query({ name });
+      assertEquals(status.state, "granted");
+    },
+  });
+}

cli/tests/test/allow_none.out

@@ -0,0 +1,51 @@
+[WILDCARD]
+running 7 tests
+test read ... FAILED [WILDCARD]
+test write ... FAILED [WILDCARD]
+test net ... FAILED [WILDCARD]
+test env ... FAILED [WILDCARD]
+test run ... FAILED [WILDCARD]
+test plugin ... FAILED [WILDCARD]
+test hrtime ... FAILED [WILDCARD]
+
+failures:
+
+read
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+write
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+net
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+env
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+run
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+plugin
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+hrtime
+PermissionDenied: Can't escalate parent thread permissions
+[WILDCARD]
+
+failures:
+
+	read
+	write
+	net
+	env
+	run
+	plugin
+	hrtime
+
+test result: FAILED. 0 passed; 7 failed; 0 ignored; 0 measured; 0 filtered out [WILDCARD]

cli/tests/test/allow_none.ts

@@ -0,0 +1,23 @@
+import { unreachable } from "../../../test_util/std/testing/asserts.ts";
+
+const permissions: Deno.PermissionName[] = [
+  "read",
+  "write",
+  "net",
+  "env",
+  "run",
+  "plugin",
+  "hrtime",
+];
+
+for (const name of permissions) {
+  Deno.test({
+    name,
+    permissions: {
+      [name]: true,
+    },
+    fn() {
+      unreachable();
+    },
+  });
+}

runtime/js/11_workers.js

@@ -333,6 +333,7 @@
   defineEventHandler(Worker.prototype, "messageerror");
 
   window.__bootstrap.worker = {
+    parsePermissions,
     Worker,
   };
 })(this);