denoland · bartlomieju · Apr 25, 2021 · Apr 14, 2021 · Apr 14, 2021 · Apr 14, 2021
diff --git a/cli/dts/lib.deno.ns.d.ts b/cli/dts/lib.deno.ns.d.ts
@@ -94,6 +94,16 @@ declare namespace Deno {
    * See: https://no-color.org/ */
   export const noColor: boolean;
 
+  export interface TestPermissions {
+    read?: string[] | boolean;
+    write?: string[] | boolean;
+    net?: string[] | boolean;
+    env?: string[] | boolean;
+    run?: string[] | boolean;
+    plugin?: boolean;
+    hrtime?: boolean;
+  }
+
   export interface TestDefinition {
     fn: () => void | Promise<void>;
     name: string;
@@ -112,6 +122,10 @@ declare namespace Deno {
     /** Ensure the test case does not prematurely cause the process to exit,
      * for example via a call to `Deno.exit`. Defaults to true. */
     sanitizeExit?: boolean;
+
+    /** Ensure the test runs with the given permission set.
+     * These permissions can not escalate beyond the currently active permissions. */
+    permissions?: TestPermissions;
   }
 
   /** Register a test which will be run when `deno test` is used on the command

diff --git a/cli/main.rs b/cli/main.rs
@@ -218,6 +218,7 @@ pub fn create_main_worker(
     // above
     ops::errors::init(js_runtime);
     ops::runtime_compiler::init(js_runtime);
+    ops::test_runner::init(js_runtime);
   }
   worker.bootstrap(&options);
 

diff --git a/cli/ops/mod.rs b/cli/ops/mod.rs
@@ -2,6 +2,7 @@
 
 pub mod errors;
 pub mod runtime_compiler;
+pub mod test_runner;
 
 use deno_core::error::AnyError;
 use deno_core::op_async;

diff --git a/cli/ops/test_runner.rs b/cli/ops/test_runner.rs
@@ -0,0 +1,234 @@
+// Copyright 2018-2021 the Deno authors. All rights reserved. MIT license.
+
+use deno_core::error::custom_error;
+use deno_core::error::AnyError;
+use deno_core::serde_json;
+use deno_core::serde_json::json;
+use deno_core::serde_json::Value;
+use deno_core::url::Url;
+use deno_core::OpState;
+use deno_core::ZeroCopyBuf;
+use deno_runtime::permissions::PermissionState;
+use deno_runtime::permissions::Permissions;
+use deno_runtime::permissions::PermissionsOptions;
+use serde::Deserialize;
+use std::path::PathBuf;
+
+pub fn init(rt: &mut deno_core::JsRuntime) {
+  super::reg_sync(
+    rt,
+    "op_request_test_permissions",
+    op_request_test_permissions,
+  );
+  super::reg_sync(
+    rt,
+    "op_restore_test_permissions",
+    op_restore_test_permissions,
+  );
+}
+
+fn test_permission_error(name: &str, info: Option<&str>) -> AnyError {
+  custom_error(
+    "PermissionDenied",
+    format!(
+      "Requires {}, run test again with the --allow-{} flag",
+      format!(
+        "{} access{}",
+        name,
+        info.map_or(String::new(), |info| { format!(" to {}", info) }),
+      ),
+      name
+    ),
+  )
+}
+
+struct RestoreTestPermissions(Permissions);
+
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RequestTestPermissionsArgs {
+  read: Option<Vec<String>>,
+  write: Option<Vec<String>>,
+  net: Option<Vec<String>>,
+  env: Option<Vec<String>>,
+  run: Option<Vec<String>>,
+  hrtime: Option<bool>,
+  plugin: Option<bool>,
+}
+
+pub fn op_request_test_permissions(
+  state: &mut OpState,
+  args: Value,
+  _zero_copy: Option<ZeroCopyBuf>,
+) -> Result<Value, AnyError> {
+  let args: RequestTestPermissionsArgs = serde_json::from_value(args)?;
+
+  let mut permissions = state.borrow::<Permissions>().clone();
+  state
+    .put::<RestoreTestPermissions>(RestoreTestPermissions(permissions.clone()));
+
+  let allow_read = if let Some(paths) = args.read {
+    let mut allow_read = Vec::new();
+
+    if paths.is_empty() {
+      if permissions.read.request(None) != PermissionState::Granted {
+        return Err(test_permission_error("read", None));
+      }
+    } else {
+      for path in paths {
+        let path = PathBuf::from(path);
+        if permissions.read.request(Some(&path)) != PermissionState::Granted {
+          return Err(test_permission_error("read", None));
+        }
+
+        allow_read.push(path)
+      }
+    }
+
+    Some(allow_read)
+  } else {
+    None
+  };
+
+  let allow_write = if let Some(paths) = args.write {
+    let mut allow_write = Vec::new();
+
+    if paths.is_empty() {
+      if permissions.write.request(None) != PermissionState::Granted {
+        return Err(test_permission_error("write", None));
+      }
+    } else {
+      for path in paths {
+        let path = PathBuf::from(path);
+        if permissions.write.request(Some(&path)) != PermissionState::Granted {
+          return Err(test_permission_error("write", None));
+        }
+
+        allow_write.push(path)
+      }
+    }
+
+    Some(allow_write)
+  } else {
+    None
+  };
+
+  let allow_net = if let Some(hosts) = args.net {
+    let mut allow_net = Vec::new();
+
+    if hosts.is_empty() {
+      if permissions.net.request::<String>(None) != PermissionState::Granted {
+        return Err(test_permission_error("net", None));
+      }
+    } else {
+      for host in hosts {
+        let url = Url::parse(&format!("http://{}", host))?;
+        let hostname = url.host_str().unwrap().to_string();
+        let port = url.port();
+
+        if permissions.net.request(Some(&(&hostname, port)))
+          != PermissionState::Granted
+        {
+          return Err(test_permission_error("net", None));
+        }
+
+        allow_net.push(host);
+      }
+    }
+
+    Some(allow_net)
+  } else {
+    None
+  };
+
+  let allow_env = if let Some(names) = args.env {
+    let mut allow_env = Vec::new();
+
+    if names.is_empty() {
+      if permissions.env.request(None) != PermissionState::Granted {
+        return Err(test_permission_error("env", None));
+      }
+    } else {
+      for name in names {
+        if permissions.env.request(Some(&name)) != PermissionState::Granted {
+          return Err(test_permission_error("env", None));
+        }
+
+        allow_env.push(name);
+      }
+    }
+
+    Some(allow_env)
+  } else {
+    None
+  };
+
+  let allow_run = if let Some(commands) = args.run {
+    let mut allow_run = Vec::new();
+
+    if commands.is_empty() {
+      if permissions.run.request(None) != PermissionState::Granted {
+        return Err(test_permission_error("run", None));
+      }
+    } else {
+      for command in commands {
+        if permissions.run.request(Some(&command)) != PermissionState::Granted {
+          return Err(test_permission_error("run", None));
+        }
+
+        allow_run.push(command);
+      }
+    }
+
+    Some(allow_run)
+  } else {
+    None
+  };
+
+  let allow_hrtime = if args.plugin.unwrap_or(false) {
+    if permissions.hrtime.request() != PermissionState::Granted {
+      return Err(test_permission_error("hrtime", None));
+    }
+
+    true
+  } else {
+    false
+  };
+
+  let allow_plugin = if args.plugin.unwrap_or(false) {
+    if permissions.plugin.request() != PermissionState::Granted {
+      return Err(test_permission_error("plugin", None));
+    }
+
+    true
+  } else {
+    false
+  };
+
+  let permissions = Permissions::from_options(&PermissionsOptions {
+    allow_read,
+    allow_write,
+    allow_net,
+    allow_env,
+    allow_run,
+    allow_hrtime,
+    allow_plugin,
+    prompt: false,
+  });
+
+  state.put::<Permissions>(permissions);
+
+  Ok(json!({}))
+}
+
+pub fn op_restore_test_permissions(
+  state: &mut OpState,
+  _args: Value,
+  _zero_copy: Option<ZeroCopyBuf>,
+) -> Result<Value, AnyError> {
+  let restore_test_permissions =
+    state.borrow::<RestoreTestPermissions>().clone().0.clone();
+  state.put::<Permissions>(restore_test_permissions);
+
+  Ok(json!({}))
+}
diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs
@@ -2395,6 +2395,18 @@ mod integration {
       output: "test/deno_test.out",
     });
 
+    itest!(allow_all {
+      args: "test --allow-all test/allow_all.ts",
+      exit_code: 0,
+      output: "test/allow_all.out",
+    });
+
+    itest!(allow_none {
+      args: "test test/allow_none.ts",
+      exit_code: 1,
+      output: "test/allow_none.out",
+    });
+
     itest!(fail_fast {
       args: "test --fail-fast test/test_runner_test.ts",
       exit_code: 1,

diff --git a/cli/tests/test/allow_all.out b/cli/tests/test/allow_all.out
@@ -0,0 +1,8 @@
+[WILDCARD]
+running 4 tests
+test readGranted ... ok [WILDCARD]
+test readRevoked ... ok [WILDCARD]
+test readGrantedAgain ... ok [WILDCARD]
+test readRevokedAgain ... ok [WILDCARD]
+
+test result: ok. 4 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out [WILDCARD]
diff --git a/cli/tests/test/allow_all.ts b/cli/tests/test/allow_all.ts
@@ -0,0 +1,44 @@
+import { assertEquals } from "../../../test_util/std/testing/asserts.ts";
+
+// TODO(DO NOT MERGE) test all the things
+
+Deno.test({
+  name: `readGranted`,
+  async fn() {
+    const status = await Deno.permissions.query({ name: "read" });
+    assertEquals(status.state, "granted");
+  },
+});
+
+Deno.test({
+  name: `readRevoked`,
+  permissions: {
+    read: false,
+  },
+  async fn() {
+    const status = await Deno.permissions.query({ name: "read" });
+    assertEquals(status.state, "prompt");
+  },
+});
+
+Deno.test({
+  name: `readGrantedAgain`,
+  permissions: {
+    read: [],
+  },
+  async fn() {
+    const status = await Deno.permissions.query({ name: "read" });
+    assertEquals(status.state, "granted");
+  },
+});
+
+Deno.test({
+  name: `readRevokedAgain`,
+  permissions: {
+    read: false,
+  },
+  async fn() {
+    const status = await Deno.permissions.query({ name: "read" });
+    assertEquals(status.state, "prompt");
+  },
+});
diff --git a/cli/tests/test/allow_none.out b/cli/tests/test/allow_none.out
@@ -0,0 +1,18 @@
+[WILDCARD]
+running 1 tests
+test permissionDenied ... FAILED [WILDCARD]
+
+failures:
+
+permissionDenied
+PermissionDenied: Requires read access, run test again with the --allow-read flag
+[WILDCARD]
+
+failures:
+
+	permissionDenied
+
+test result: FAILED. 0 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out [WILDCARD]
+
+
+
diff --git a/cli/tests/test/allow_none.ts b/cli/tests/test/allow_none.ts
@@ -0,0 +1,15 @@
+import { assertEquals } from "../../../test_util/std/testing/asserts.ts";
+
+const status = await Deno.permissions.query({ name: "read" });
+assertEquals(status.state, "prompt");
+
+Deno.test({
+  name: `permissionDenied`,
+  permissions: {
+    read: true,
+  },
+  async fn() {
+    const status = await Deno.permissions.query({ name: "read" });
+    assertEquals(status.state, "granted");
+  },
+});