@@ -5,15 +5,16 @@ import { describe, it } from 'node:test';
55
66describe ( 'Permission model config file support' , ( ) => {
77 it ( 'should load filesystem read/write permissions from config file' , async ( ) => {
8- const configPath = fixtures . path ( 'permission/config-fs-read-write.json' ) ;
8+ const readWriteConfigPath = fixtures . path ( 'permission/config-fs-read-write.json' ) ;
9+ const readOnlyConfigPath = fixtures . path ( 'permission/config-fs-read-only.json' ) ;
910 const readTestPath = fixtures . path ( 'permission/fs-read-test.js' ) ;
1011 const writeTestPath = fixtures . path ( 'permission/fs-write-test.js' ) ;
1112
1213 {
1314 const result = await spawnPromisified ( process . execPath , [
1415 '--permission' ,
1516 '--experimental-config-file' ,
16- configPath ,
17+ readOnlyConfigPath ,
1718 readTestPath ,
1819 ] ) ;
1920 assert . strictEqual ( result . code , 0 ) ;
@@ -23,40 +24,78 @@ describe('Permission model config file support', () => {
2324 const result = await spawnPromisified ( process . execPath , [
2425 '--permission' ,
2526 '--experimental-config-file' ,
26- configPath ,
27+ readWriteConfigPath ,
2728 writeTestPath ,
2829 ] ) ;
2930 assert . strictEqual ( result . code , 0 ) ;
3031 }
32+
33+ {
34+ const result = await spawnPromisified ( process . execPath , [
35+ '--permission' ,
36+ '--experimental-config-file' ,
37+ readOnlyConfigPath ,
38+ writeTestPath ,
39+ ] ) ;
40+ assert . strictEqual ( result . code , 1 ) ;
41+ assert . match ( result . stderr , / A c c e s s t o t h i s A P I h a s b e e n r e s t r i c t e d \. U s e - - a l l o w - f s - w r i t e t o m a n a g e p e r m i s s i o n s / ) ;
42+ }
3143 } ) ;
3244
3345 it ( 'should load child process and worker permissions from config file' , async ( ) => {
3446 const configPath = fixtures . path ( 'permission/config-child-worker.json' ) ;
47+ const readOnlyConfigPath = fixtures . path ( 'permission/config-fs-read-only.json' ) ;
3548 const childTestPath = fixtures . path ( 'permission/child-process-test.js' ) ;
3649
37- const result = await spawnPromisified ( process . execPath , [
38- '--permission' ,
39- '--experimental-config-file' ,
40- configPath ,
41- '--allow-fs-read=*' ,
42- childTestPath ,
43- ] ) ;
44- assert . strictEqual ( result . code , 0 ) ;
50+ {
51+ const result = await spawnPromisified ( process . execPath , [
52+ '--permission' ,
53+ '--experimental-config-file' ,
54+ configPath ,
55+ childTestPath ,
56+ ] ) ;
57+ assert . strictEqual ( result . code , 0 ) ;
58+ }
59+
60+ {
61+ const result = await spawnPromisified ( process . execPath , [
62+ '--permission' ,
63+ '--experimental-config-file' ,
64+ readOnlyConfigPath ,
65+ childTestPath ,
66+ ] ) ;
67+ assert . strictEqual ( result . code , 1 , result . stderr ) ;
68+ assert . match ( result . stderr , / A c c e s s t o t h i s A P I h a s b e e n r e s t r i c t e d \. U s e - - a l l o w - c h i l d - p r o c e s s t o m a n a g e p e r m i s s i o n s / ) ;
69+ }
4570 } ) ;
4671
4772 it ( 'should load network and inspector permissions from config file' , async ( ) => {
4873 const configPath = fixtures . path ( 'permission/config-net-inspector.json' ) ;
74+ const readOnlyConfigPath = fixtures . path ( 'permission/config-fs-read-only.json' ) ;
4975
50- const result = await spawnPromisified ( process . execPath , [
51- '--permission' ,
52- '--experimental-config-file' ,
53- configPath ,
54- '--allow-fs-read=*' ,
55- '-p' ,
56- 'process.permission.has("wasi") && process.permission.has("inspector")' ,
57- ] ) ;
58- assert . match ( result . stdout , / t r u e / ) ;
59- assert . strictEqual ( result . code , 0 ) ;
76+ {
77+ const result = await spawnPromisified ( process . execPath , [
78+ '--permission' ,
79+ '--experimental-config-file' ,
80+ configPath ,
81+ '-p' ,
82+ 'process.permission.has("wasi") && process.permission.has("inspector")' ,
83+ ] ) ;
84+ assert . match ( result . stdout , / t r u e / ) ;
85+ assert . strictEqual ( result . code , 0 ) ;
86+ }
87+
88+ {
89+ const result = await spawnPromisified ( process . execPath , [
90+ '--permission' ,
91+ '--experimental-config-file' ,
92+ readOnlyConfigPath ,
93+ '-p' ,
94+ 'process.permission.has("wasi") + process.permission.has("inspector")' ,
95+ ] ) ;
96+ assert . match ( result . stdout , / 0 / ) ;
97+ assert . strictEqual ( result . code , 0 ) ;
98+ }
6099 } ) ;
61100
62101 it ( 'should load addons and wasi permissions from config file' , async ( ) => {
@@ -74,32 +113,17 @@ describe('Permission model config file support', () => {
74113 assert . strictEqual ( result . code , 0 ) ;
75114 } ) ;
76115
77- it ( 'should deny operations when permissions are not in config file' , async ( ) => {
78- const configPath = fixtures . path ( 'permission/config-fs-read-write.json' ) ;
79-
80- const result = await spawnPromisified ( process . execPath , [
81- '--permission' ,
82- '--experimental-config-file' ,
83- configPath ,
84- '--allow-fs-read=*' ,
85- '-p' ,
86- 'process.permission.has("child")' ,
87- ] ) ;
88- assert . match ( result . stdout , / f a l s e / ) ;
89- assert . strictEqual ( result . code , 0 ) ;
90- } ) ;
91-
92116 it ( 'should combine config file permissions with CLI flags' , async ( ) => {
93- const configPath = fixtures . path ( 'permission/config-fs-read-write .json' ) ;
117+ const configPath = fixtures . path ( 'permission/config-fs-read-only .json' ) ;
94118
95119 const result = await spawnPromisified ( process . execPath , [
96120 '--permission' ,
97121 '--experimental-config-file' ,
98122 configPath ,
99123 '--allow-child-process' ,
100- '--allow-fs-read =*' ,
124+ '--allow-fs-write =*' ,
101125 '-p' ,
102- 'process.permission.has("child") && process.permission.has("fs.read")' ,
126+ 'process.permission.has("child") && process.permission.has("fs.read") && process.permission.has("fs.write") ' ,
103127 ] ) ;
104128 assert . match ( result . stdout , / t r u e / ) ;
105129 assert . strictEqual ( result . code , 0 ) ;
0 commit comments