feat(acl): allow a permission to apply to a subset of target platforms (#9014)

* feat(acl): allow a permission to apply to a subset of target platforms

* fix cli

Author: lucasfernog

.changes/permission-platforms.md

@@ -0,0 +1,6 @@
+---
+"tauri": patch:feat
+"tauri-utils": patch:feat
+---
+
+Allow defining a permission that only applies to a set of target platforms via the `platforms` configuration option.

core/tauri-config-schema/schema.json

@@ -1123,7 +1123,7 @@
           }
         },
         "platforms": {
-          "description": "Target platforms this capability applies. By default all platforms applies.",
+          "description": "Target platforms this capability applies. By default all platforms are affected by this capability.",
           "default": [
             "linux",
             "macOS",

core/tauri-utils/src/acl/capability.rs

@@ -74,7 +74,7 @@ pub struct Capability {
   pub webviews: Vec<String>,
   /// List of permissions attached to this capability. Must include the plugin name as prefix in the form of `${plugin-name}:${permission-name}`.
   pub permissions: Vec<PermissionEntry>,
-  /// Target platforms this capability applies. By default all platforms applies.
+  /// Target platforms this capability applies. By default all platforms are affected by this capability.
   #[serde(default = "default_platforms", skip_serializing_if = "Vec::is_empty")]
   pub platforms: Vec<Target>,
 }

core/tauri-utils/src/acl/mod.rs

@@ -9,6 +9,8 @@ use serde::{Deserialize, Serialize};
 use std::num::NonZeroU64;
 use thiserror::Error;
 
+use crate::platform::Target;
+
 pub use self::{identifier::*, value::*};
 
 /// Known filename of the permission schema JSON file
@@ -172,6 +174,20 @@ pub struct Permission {
   /// Allowed or denied scoped when using this permission.
   #[serde(default, skip_serializing_if = "Scopes::is_empty")]
   pub scope: Scopes,
+
+  /// Target platforms this permission applies. By default all platforms are affected by this permission.
+  #[serde(default = "default_platforms", skip_serializing_if = "Vec::is_empty")]
+  pub platforms: Vec<Target>,
+}
+
+fn default_platforms() -> Vec<Target> {
+  vec![
+    Target::Linux,
+    Target::MacOS,
+    Target::Windows,
+    Target::Android,
+    Target::Ios,
+  ]
 }
 
 /// A set of direct permissions grouped together under a new name.
@@ -252,14 +268,17 @@ mod build_ {
       let description = opt_str_lit(self.description.as_ref());
       let commands = &self.commands;
       let scope = &self.scope;
+      let platforms = vec_lit(&self.platforms, identity);
+
       literal_struct!(
         tokens,
         ::tauri::utils::acl::Permission,
         version,
         identifier,
         description,
         commands,
-        scope
+        scope,
+        platforms
       )
     }
   }

core/tauri-utils/src/acl/resolved.rs

@@ -112,6 +112,7 @@ impl Resolved {
       with_resolved_permissions(
         capability,
         acl,
+        target,
         |ResolvedPermission {
            key,
            permission_name,
@@ -273,6 +274,7 @@ struct ResolvedPermission<'a> {
 fn with_resolved_permissions<F: FnMut(ResolvedPermission<'_>)>(
   capability: &Capability,
   acl: &BTreeMap<String, Manifest>,
+  target: Target,
   mut f: F,
 ) -> Result<(), Error> {
   for permission_entry in &capability.permissions {
@@ -281,7 +283,10 @@ fn with_resolved_permissions<F: FnMut(ResolvedPermission<'_>)>(
 
     let key = permission_id.get_prefix().unwrap_or(APP_ACL_KEY);
 
-    let permissions = get_permissions(key, permission_name, acl)?;
+    let permissions = get_permissions(key, permission_name, acl)?
+      .into_iter()
+      .filter(|p| p.platforms.contains(&target))
+      .collect::<Vec<_>>();
 
     let mut resolved_scope = Scopes::default();
     let mut commands = Commands::default();

core/tests/acl/fixtures/capabilities/platform-specific-permissions/cap.toml

@@ -0,0 +1,9 @@
+identifier = "run-app"
+description = "app capability"
+windows = ["main"]
+permissions = [
+  "os:allow-apt-linux",
+  "os:allow-library-folder-macos",
+  "os:deny-webview-folder-windows",
+  "os:open-browser",
+]

core/tests/acl/fixtures/capabilities/platform-specific-permissions/required-plugins.json

@@ -0,0 +1 @@
+["os"]

core/tests/acl/fixtures/plugins/os/linux.toml

@@ -0,0 +1,7 @@
+[[permission]]
+identifier = "allow-apt-linux"
+platforms = ["linux"]
+description = "Allows spawning the apt command on Linux"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "apt"

core/tests/acl/fixtures/plugins/os/macos.toml

@@ -0,0 +1,7 @@
+
+[[permission]]
+identifier = "allow-library-folder-macos"
+platforms = ["macOS"]
+description = "Allows access to the $HOME/Library folder on maOS"
+[[permission.scope.allow]]
+path = "$HOME/Library/**"

core/tests/acl/fixtures/plugins/os/open-browser.toml

@@ -0,0 +1,28 @@
+[[permission]]
+identifier = "allow-servo-linux"
+platforms = ["linux"]
+description = "Allows starting servo on Linux"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "servo"
+
+[[permission]]
+identifier = "allow-edge-windows"
+platforms = ["windows"]
+description = "Allows starting edge on Windows"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "edge"
+
+[[permission]]
+identifier = "allow-safari-macos"
+platforms = ["macOS"]
+description = "Allows starting safari on macOS"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "safari"
+
+[[set]]
+identifier = "open-browser"
+description = "allows opening a URL on the platform browser"
+permissions = ["allow-servo-linux", "allow-edge-windows", "allow-safari-macos"]