feat(acl): allow a permission to apply to a subset of target platforms (#9014)

* feat(acl): allow a permission to apply to a subset of target platforms

* fix cli

Author: lucasfernog

.changes/permission-platforms.md

@@ -0,0 +1,6 @@
+---
+"tauri": patch:feat
+"tauri-utils": patch:feat
+---
+
+Allow defining a permission that only applies to a set of target platforms via the `platforms` configuration option.

core/tauri-config-schema/schema.json

@@ -1123,7 +1123,7 @@
           }
         },
         "platforms": {
-          "description": "Target platforms this capability applies. By default all platforms applies.",
+          "description": "Target platforms this capability applies. By default all platforms are affected by this capability.",
           "default": [
             "linux",
             "macOS",

core/tauri-utils/src/acl/capability.rs

@@ -74,7 +74,7 @@ pub struct Capability {
   pub webviews: Vec<String>,
   /// List of permissions attached to this capability. Must include the plugin name as prefix in the form of `${plugin-name}:${permission-name}`.
   pub permissions: Vec<PermissionEntry>,
-  /// Target platforms this capability applies. By default all platforms applies.
+  /// Target platforms this capability applies. By default all platforms are affected by this capability.
   #[serde(default = "default_platforms", skip_serializing_if = "Vec::is_empty")]
   pub platforms: Vec<Target>,
 }

core/tauri-utils/src/acl/mod.rs

@@ -9,6 +9,8 @@ use serde::{Deserialize, Serialize};
 use std::num::NonZeroU64;
 use thiserror::Error;
 
+use crate::platform::Target;
+
 pub use self::{identifier::*, value::*};
 
 /// Known filename of the permission schema JSON file
@@ -172,6 +174,20 @@ pub struct Permission {
   /// Allowed or denied scoped when using this permission.
   #[serde(default, skip_serializing_if = "Scopes::is_empty")]
   pub scope: Scopes,
+
+  /// Target platforms this permission applies. By default all platforms are affected by this permission.
+  #[serde(default = "default_platforms", skip_serializing_if = "Vec::is_empty")]
+  pub platforms: Vec<Target>,
+}
+
+fn default_platforms() -> Vec<Target> {
+  vec![
+    Target::Linux,
+    Target::MacOS,
+    Target::Windows,
+    Target::Android,
+    Target::Ios,
+  ]
 }
 
 /// A set of direct permissions grouped together under a new name.
@@ -252,14 +268,17 @@ mod build_ {
       let description = opt_str_lit(self.description.as_ref());
       let commands = &self.commands;
       let scope = &self.scope;
+      let platforms = vec_lit(&self.platforms, identity);
+
       literal_struct!(
         tokens,
         ::tauri::utils::acl::Permission,
         version,
         identifier,
         description,
         commands,
-        scope
+        scope,
+        platforms
       )
     }
   }

core/tauri-utils/src/acl/resolved.rs

@@ -112,6 +112,7 @@ impl Resolved {
       with_resolved_permissions(
         capability,
         acl,
+        target,
         |ResolvedPermission {
            key,
            permission_name,
@@ -273,6 +274,7 @@ struct ResolvedPermission<'a> {
 fn with_resolved_permissions<F: FnMut(ResolvedPermission<'_>)>(
   capability: &Capability,
   acl: &BTreeMap<String, Manifest>,
+  target: Target,
   mut f: F,
 ) -> Result<(), Error> {
   for permission_entry in &capability.permissions {
@@ -281,7 +283,10 @@ fn with_resolved_permissions<F: FnMut(ResolvedPermission<'_>)>(
 
     let key = permission_id.get_prefix().unwrap_or(APP_ACL_KEY);
 
-    let permissions = get_permissions(key, permission_name, acl)?;
+    let permissions = get_permissions(key, permission_name, acl)?
+      .into_iter()
+      .filter(|p| p.platforms.contains(&target))
+      .collect::<Vec<_>>();
 
     let mut resolved_scope = Scopes::default();
     let mut commands = Commands::default();

core/tests/acl/fixtures/capabilities/platform-specific-permissions/cap.toml

@@ -0,0 +1,9 @@
+identifier = "run-app"
+description = "app capability"
+windows = ["main"]
+permissions = [
+  "os:allow-apt-linux",
+  "os:allow-library-folder-macos",
+  "os:deny-webview-folder-windows",
+  "os:open-browser",
+]

core/tests/acl/fixtures/capabilities/platform-specific-permissions/required-plugins.json

@@ -0,0 +1 @@
+["os"]

core/tests/acl/fixtures/plugins/os/linux.toml

@@ -0,0 +1,7 @@
+[[permission]]
+identifier = "allow-apt-linux"
+platforms = ["linux"]
+description = "Allows spawning the apt command on Linux"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "apt"

core/tests/acl/fixtures/plugins/os/macos.toml

@@ -0,0 +1,7 @@
+
+[[permission]]
+identifier = "allow-library-folder-macos"
+platforms = ["macOS"]
+description = "Allows access to the $HOME/Library folder on maOS"
+[[permission.scope.allow]]
+path = "$HOME/Library/**"

core/tests/acl/fixtures/plugins/os/open-browser.toml

@@ -0,0 +1,28 @@
+[[permission]]
+identifier = "allow-servo-linux"
+platforms = ["linux"]
+description = "Allows starting servo on Linux"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "servo"
+
+[[permission]]
+identifier = "allow-edge-windows"
+platforms = ["windows"]
+description = "Allows starting edge on Windows"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "edge"
+
+[[permission]]
+identifier = "allow-safari-macos"
+platforms = ["macOS"]
+description = "Allows starting safari on macOS"
+commands.allow = ["spawn"]
+[[permission.scope.allow]]
+command = "safari"
+
+[[set]]
+identifier = "open-browser"
+description = "allows opening a URL on the platform browser"
+permissions = ["allow-servo-linux", "allow-edge-windows", "allow-safari-macos"]

core/tests/acl/fixtures/plugins/os/windows.toml

@@ -0,0 +1,6 @@
+[[permission]]
+identifier = "deny-webview-folder-windows"
+platforms = ["windows"]
+description = "Denies access to the webview folder on Windows"
+[[permission.scope.deny]]
+path = "$APP/EBWebView/**"

core/tests/acl/fixtures/snapshots/linux/acl_tests__tests__platform-specific-permissions.snap

@@ -0,0 +1,65 @@
+---
+source: core/tests/acl/src/lib.rs
+expression: resolved
+---
+Resolved {
+    allowed_commands: {
+        CommandKey {
+            name: "plugin:os|spawn",
+            context: Local,
+        }: ResolvedCommand {
+            windows: [
+                Pattern {
+                    original: "main",
+                    tokens: [
+                        Char(
+                            'm',
+                        ),
+                        Char(
+                            'a',
+                        ),
+                        Char(
+                            'i',
+                        ),
+                        Char(
+                            'n',
+                        ),
+                    ],
+                    is_recursive: false,
+                },
+            ],
+            webviews: [],
+            scope: Some(
+                8031926490300119127,
+            ),
+        },
+    },
+    denied_commands: {},
+    command_scope: {
+        8031926490300119127: ResolvedScope {
+            allow: [
+                Map(
+                    {
+                        "command": String(
+                            "apt",
+                        ),
+                    },
+                ),
+                Map(
+                    {
+                        "command": String(
+                            "servo",
+                        ),
+                    },
+                ),
+            ],
+            deny: [],
+        },
+    },
+    global_scope: {
+        "os": ResolvedScope {
+            allow: [],
+            deny: [],
+        },
+    },
+}

core/tests/acl/fixtures/snapshots/macOS/acl_tests__tests__platform-specific-permissions.snap

@@ -0,0 +1,66 @@
+---
+source: core/tests/acl/src/lib.rs
+expression: resolved
+---
+Resolved {
+    allowed_commands: {
+        CommandKey {
+            name: "plugin:os|spawn",
+            context: Local,
+        }: ResolvedCommand {
+            windows: [
+                Pattern {
+                    original: "main",
+                    tokens: [
+                        Char(
+                            'm',
+                        ),
+                        Char(
+                            'a',
+                        ),
+                        Char(
+                            'i',
+                        ),
+                        Char(
+                            'n',
+                        ),
+                    ],
+                    is_recursive: false,
+                },
+            ],
+            webviews: [],
+            scope: Some(
+                7912899488978770657,
+            ),
+        },
+    },
+    denied_commands: {},
+    command_scope: {
+        7912899488978770657: ResolvedScope {
+            allow: [
+                Map(
+                    {
+                        "command": String(
+                            "safari",
+                        ),
+                    },
+                ),
+            ],
+            deny: [],
+        },
+    },
+    global_scope: {
+        "os": ResolvedScope {
+            allow: [
+                Map(
+                    {
+                        "path": String(
+                            "$HOME/Library/**",
+                        ),
+                    },
+                ),
+            ],
+            deny: [],
+        },
+    },
+}

core/tests/acl/fixtures/snapshots/windows/acl_tests__tests__platform-specific-permissions.snap

@@ -0,0 +1,66 @@
+---
+source: core/tests/acl/src/lib.rs
+expression: resolved
+---
+Resolved {
+    allowed_commands: {
+        CommandKey {
+            name: "plugin:os|spawn",
+            context: Local,
+        }: ResolvedCommand {
+            windows: [
+                Pattern {
+                    original: "main",
+                    tokens: [
+                        Char(
+                            'm',
+                        ),
+                        Char(
+                            'a',
+                        ),
+                        Char(
+                            'i',
+                        ),
+                        Char(
+                            'n',
+                        ),
+                    ],
+                    is_recursive: false,
+                },
+            ],
+            webviews: [],
+            scope: Some(
+                7912899488978770657,
+            ),
+        },
+    },
+    denied_commands: {},
+    command_scope: {
+        7912899488978770657: ResolvedScope {
+            allow: [
+                Map(
+                    {
+                        "command": String(
+                            "edge",
+                        ),
+                    },
+                ),
+            ],
+            deny: [],
+        },
+    },
+    global_scope: {
+        "os": ResolvedScope {
+            allow: [],
+            deny: [
+                Map(
+                    {
+                        "path": String(
+                            "$APP/EBWebView/**",
+                        ),
+                    },
+                ),
+            ],
+        },
+    },
+}

core/tests/acl/src/lib.rs

@@ -41,14 +41,21 @@ mod tests {
 
   #[test]
   fn resolve_acl() {
-    let mut settings = insta::Settings::clone_current();
-    settings.set_snapshot_path("../fixtures/snapshots");
-    let _guard = settings.bind_to_scope();
-
     let manifest_dir = Path::new(env!("CARGO_MANIFEST_DIR"));
     let fixtures_path = manifest_dir.join("fixtures").join("capabilities");
     for fixture_path in read_dir(fixtures_path).expect("failed to read fixtures") {
       let fixture_entry = fixture_path.expect("failed to read fixture entry");
+
+      let mut settings = insta::Settings::clone_current();
+      settings.set_snapshot_path(
+        if fixture_entry.path().file_name().unwrap() == "platform-specific-permissions" {
+          Path::new("../fixtures/snapshots").join(Target::current().to_string())
+        } else {
+          Path::new("../fixtures/snapshots").to_path_buf()
+        },
+      );
+      let _guard = settings.bind_to_scope();
+
       let fixture_plugins_str = read_to_string(fixture_entry.path().join("required-plugins.json"))
         .expect("failed to read fixture required-plugins.json file");
       let fixture_plugins: Vec<String> = serde_json::from_str(&fixture_plugins_str)