tauri_utils/acl/
resolved.rs

1// Copyright 2019-2024 Tauri Programme within The Commons Conservancy
2// SPDX-License-Identifier: Apache-2.0
3// SPDX-License-Identifier: MIT
4
5//! Resolved ACL for runtime usage.
6
7use std::{collections::BTreeMap, fmt};
8
9use crate::platform::Target;
10
11use super::{
12  capability::{Capability, PermissionEntry},
13  manifest::Manifest,
14  Commands, Error, ExecutionContext, Identifier, Permission, PermissionSet, Scopes, Value,
15  APP_ACL_KEY,
16};
17
18/// A key for a scope, used to link a [`ResolvedCommand#structfield.scope`] to the store [`Resolved#structfield.scopes`].
19pub type ScopeKey = u64;
20
21/// Metadata for what referenced a [`ResolvedCommand`].
22#[cfg(debug_assertions)]
23#[derive(Default, Clone, PartialEq, Eq)]
24pub struct ResolvedCommandReference {
25  /// Identifier of the capability.
26  pub capability: String,
27  /// Identifier of the permission.
28  pub permission: String,
29}
30
31/// A resolved command permission.
32#[derive(Default, Clone, PartialEq, Eq)]
33pub struct ResolvedCommand {
34  /// The execution context of this command.
35  pub context: ExecutionContext,
36  /// The capability/permission that referenced this command.
37  #[cfg(debug_assertions)]
38  pub referenced_by: ResolvedCommandReference,
39  /// The list of window label patterns that was resolved for this command.
40  pub windows: Vec<glob::Pattern>,
41  /// The list of webview label patterns that was resolved for this command.
42  pub webviews: Vec<glob::Pattern>,
43  /// The reference of the scope that is associated with this command. See [`Resolved#structfield.command_scopes`].
44  pub scope_id: Option<ScopeKey>,
45}
46
47impl fmt::Debug for ResolvedCommand {
48  fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
49    f.debug_struct("ResolvedCommand")
50      .field("context", &self.context)
51      .field("windows", &self.windows)
52      .field("webviews", &self.webviews)
53      .field("scope_id", &self.scope_id)
54      .finish()
55  }
56}
57
58/// A resolved scope. Merges all scopes defined for a single command.
59#[derive(Debug, Default, Clone)]
60pub struct ResolvedScope {
61  /// Allows something on the command.
62  pub allow: Vec<Value>,
63  /// Denies something on the command.
64  pub deny: Vec<Value>,
65}
66
67/// Resolved access control list.
68#[derive(Debug, Default)]
69pub struct Resolved {
70  /// The commands that are allowed. Map each command with its context to a [`ResolvedCommand`].
71  pub allowed_commands: BTreeMap<String, Vec<ResolvedCommand>>,
72  /// The commands that are denied. Map each command with its context to a [`ResolvedCommand`].
73  pub denied_commands: BTreeMap<String, Vec<ResolvedCommand>>,
74  /// The store of scopes referenced by a [`ResolvedCommand`].
75  pub command_scope: BTreeMap<ScopeKey, ResolvedScope>,
76  /// The global scope.
77  pub global_scope: BTreeMap<String, ResolvedScope>,
78}
79
80impl Resolved {
81  /// Resolves the ACL for the given plugin permissions and app capabilities.
82  pub fn resolve(
83    acl: &BTreeMap<String, Manifest>,
84    mut capabilities: BTreeMap<String, Capability>,
85    target: Target,
86  ) -> Result<Self, Error> {
87    let mut allowed_commands = BTreeMap::new();
88    let mut denied_commands = BTreeMap::new();
89
90    let mut current_scope_id = 0;
91    let mut command_scope = BTreeMap::new();
92    let mut global_scope: BTreeMap<String, Vec<Scopes>> = BTreeMap::new();
93
94    // resolve commands
95    for capability in capabilities.values_mut().filter(|c| c.is_active(&target)) {
96      with_resolved_permissions(
97        capability,
98        acl,
99        target,
100        |ResolvedPermission {
101           key,
102           commands,
103           scope,
104           #[cfg_attr(not(debug_assertions), allow(unused))]
105           permission_name,
106         }| {
107          if commands.allow.is_empty() && commands.deny.is_empty() {
108            // global scope
109            global_scope.entry(key.to_string()).or_default().push(scope);
110          } else {
111            let scope_id = if scope.allow.is_some() || scope.deny.is_some() {
112              current_scope_id += 1;
113              command_scope.insert(
114                current_scope_id,
115                ResolvedScope {
116                  allow: scope.allow.unwrap_or_default(),
117                  deny: scope.deny.unwrap_or_default(),
118                },
119              );
120              Some(current_scope_id)
121            } else {
122              None
123            };
124
125            for allowed_command in &commands.allow {
126              resolve_command(
127                &mut allowed_commands,
128                if key == APP_ACL_KEY {
129                  allowed_command.to_string()
130                } else if let Some(core_plugin_name) = key.strip_prefix("core:") {
131                  format!("plugin:{core_plugin_name}|{allowed_command}")
132                } else {
133                  format!("plugin:{key}|{allowed_command}")
134                },
135                capability,
136                scope_id,
137                #[cfg(debug_assertions)]
138                permission_name.to_string(),
139              )?;
140            }
141
142            for denied_command in &commands.deny {
143              resolve_command(
144                &mut denied_commands,
145                if key == APP_ACL_KEY {
146                  denied_command.to_string()
147                } else if let Some(core_plugin_name) = key.strip_prefix("core:") {
148                  format!("plugin:{core_plugin_name}|{denied_command}")
149                } else {
150                  format!("plugin:{key}|{denied_command}")
151                },
152                capability,
153                scope_id,
154                #[cfg(debug_assertions)]
155                permission_name.to_string(),
156              )?;
157            }
158          }
159
160          Ok(())
161        },
162      )?;
163    }
164
165    let global_scope = global_scope
166      .into_iter()
167      .map(|(key, scopes)| {
168        let mut resolved_scope = ResolvedScope {
169          allow: Vec::new(),
170          deny: Vec::new(),
171        };
172        for scope in scopes {
173          if let Some(allow) = scope.allow {
174            resolved_scope.allow.extend(allow);
175          }
176          if let Some(deny) = scope.deny {
177            resolved_scope.deny.extend(deny);
178          }
179        }
180        (key, resolved_scope)
181      })
182      .collect();
183
184    let resolved = Self {
185      allowed_commands,
186      denied_commands,
187      command_scope,
188      global_scope,
189    };
190
191    Ok(resolved)
192  }
193}
194
195fn parse_glob_patterns(mut raw: Vec<String>) -> Result<Vec<glob::Pattern>, Error> {
196  raw.sort();
197
198  let mut patterns = Vec::new();
199  for pattern in raw {
200    patterns.push(glob::Pattern::new(&pattern)?);
201  }
202
203  Ok(patterns)
204}
205
206fn resolve_command(
207  commands: &mut BTreeMap<String, Vec<ResolvedCommand>>,
208  command: String,
209  capability: &Capability,
210  scope_id: Option<ScopeKey>,
211  #[cfg(debug_assertions)] referenced_by_permission_identifier: String,
212) -> Result<(), Error> {
213  let mut contexts = Vec::new();
214  if capability.local {
215    contexts.push(ExecutionContext::Local);
216  }
217  if let Some(remote) = &capability.remote {
218    contexts.extend(remote.urls.iter().map(|url| {
219      ExecutionContext::Remote {
220        url: url
221          .parse()
222          .unwrap_or_else(|e| panic!("invalid URL pattern for remote URL {url}: {e}")),
223      }
224    }));
225  }
226
227  for context in contexts {
228    let resolved_list = commands.entry(command.clone()).or_default();
229
230    resolved_list.push(ResolvedCommand {
231      context,
232      #[cfg(debug_assertions)]
233      referenced_by: ResolvedCommandReference {
234        capability: capability.identifier.clone(),
235        permission: referenced_by_permission_identifier.clone(),
236      },
237      windows: parse_glob_patterns(capability.windows.clone())?,
238      webviews: parse_glob_patterns(capability.webviews.clone())?,
239      scope_id,
240    });
241  }
242
243  Ok(())
244}
245
246struct ResolvedPermission<'a> {
247  key: &'a str,
248  permission_name: &'a str,
249  commands: Commands,
250  scope: Scopes,
251}
252
253/// Iterate over permissions in a capability, resolving permission sets if necessary
254/// to produce a [`ResolvedPermission`] and calling the provided callback with it.
255fn with_resolved_permissions<F: FnMut(ResolvedPermission<'_>) -> Result<(), Error>>(
256  capability: &Capability,
257  acl: &BTreeMap<String, Manifest>,
258  target: Target,
259  mut f: F,
260) -> Result<(), Error> {
261  for permission_entry in &capability.permissions {
262    let permission_id = permission_entry.identifier();
263
264    let permissions = get_permissions(permission_id, acl)?
265      .into_iter()
266      .filter(|p| p.permission.is_active(&target));
267
268    for TraversedPermission {
269      key,
270      permission_name,
271      permission,
272    } in permissions
273    {
274      let mut resolved_scope = Scopes::default();
275      let mut commands = Commands::default();
276
277      if let PermissionEntry::ExtendedPermission {
278        identifier: _,
279        scope,
280      } = permission_entry
281      {
282        if let Some(allow) = scope.allow.clone() {
283          resolved_scope
284            .allow
285            .get_or_insert_with(Default::default)
286            .extend(allow);
287        }
288        if let Some(deny) = scope.deny.clone() {
289          resolved_scope
290            .deny
291            .get_or_insert_with(Default::default)
292            .extend(deny);
293        }
294      }
295
296      if let Some(allow) = permission.scope.allow.clone() {
297        resolved_scope
298          .allow
299          .get_or_insert_with(Default::default)
300          .extend(allow);
301      }
302      if let Some(deny) = permission.scope.deny.clone() {
303        resolved_scope
304          .deny
305          .get_or_insert_with(Default::default)
306          .extend(deny);
307      }
308
309      commands.allow.extend(permission.commands.allow.clone());
310      commands.deny.extend(permission.commands.deny.clone());
311
312      f(ResolvedPermission {
313        key: &key,
314        permission_name: &permission_name,
315        commands,
316        scope: resolved_scope,
317      })?;
318    }
319  }
320
321  Ok(())
322}
323
324#[derive(Debug)]
325struct TraversedPermission<'a> {
326  key: String,
327  permission_name: String,
328  permission: &'a Permission,
329}
330
331fn get_permissions<'a>(
332  permission_id: &Identifier,
333  acl: &'a BTreeMap<String, Manifest>,
334) -> Result<Vec<TraversedPermission<'a>>, Error> {
335  let key = permission_id.get_prefix().unwrap_or(APP_ACL_KEY);
336  let permission_name = permission_id.get_base();
337
338  let manifest = acl.get(key).ok_or_else(|| Error::UnknownManifest {
339    key: display_perm_key(key).to_string(),
340    available: acl.keys().cloned().collect::<Vec<_>>().join(", "),
341  })?;
342
343  if permission_name == "default" {
344    manifest
345      .default_permission
346      .as_ref()
347      .map(|default| get_permission_set_permissions(permission_id, acl, manifest, default))
348      .unwrap_or_else(|| Ok(Default::default()))
349  } else if let Some(set) = manifest.permission_sets.get(permission_name) {
350    get_permission_set_permissions(permission_id, acl, manifest, set)
351  } else if let Some(permission) = manifest.permissions.get(permission_name) {
352    Ok(vec![TraversedPermission {
353      key: key.to_string(),
354      permission_name: permission_name.to_string(),
355      permission,
356    }])
357  } else {
358    Err(Error::UnknownPermission {
359      key: display_perm_key(key).to_string(),
360      permission: permission_name.to_string(),
361    })
362  }
363}
364
365// get the permissions from a permission set
366fn get_permission_set_permissions<'a>(
367  permission_id: &Identifier,
368  acl: &'a BTreeMap<String, Manifest>,
369  manifest: &'a Manifest,
370  set: &'a PermissionSet,
371) -> Result<Vec<TraversedPermission<'a>>, Error> {
372  let key = permission_id.get_prefix().unwrap_or(APP_ACL_KEY);
373
374  let mut permissions = Vec::new();
375
376  for perm in &set.permissions {
377    // a set could include permissions from other plugins
378    // for example `dialog:default`, could include `fs:default`
379    // in this case `perm = "fs:default"` which is not a permission
380    // in the dialog manifest so we check if `perm` still have a prefix (i.e `fs:`)
381    // and if so, we resolve this prefix from `acl` first before proceeding
382    let id = Identifier::try_from(perm.clone()).expect("invalid identifier in permission set?");
383    let (manifest, permission_id, key, permission_name) =
384      if let Some((new_key, manifest)) = id.get_prefix().and_then(|k| acl.get(k).map(|m| (k, m))) {
385        (manifest, &id, new_key, id.get_base())
386      } else {
387        (manifest, permission_id, key, perm.as_str())
388      };
389
390    if permission_name == "default" {
391      permissions.extend(
392        manifest
393          .default_permission
394          .as_ref()
395          .map(|default| get_permission_set_permissions(permission_id, acl, manifest, default))
396          .transpose()?
397          .unwrap_or_default(),
398      );
399    } else if let Some(permission) = manifest.permissions.get(permission_name) {
400      permissions.push(TraversedPermission {
401        key: key.to_string(),
402        permission_name: permission_name.to_string(),
403        permission,
404      });
405    } else if let Some(permission_set) = manifest.permission_sets.get(permission_name) {
406      permissions.extend(get_permission_set_permissions(
407        permission_id,
408        acl,
409        manifest,
410        permission_set,
411      )?);
412    } else {
413      return Err(Error::SetPermissionNotFound {
414        permission: permission_name.to_string(),
415        set: set.identifier.clone(),
416      });
417    }
418  }
419
420  Ok(permissions)
421}
422
423#[inline]
424fn display_perm_key(prefix: &str) -> &str {
425  if prefix == APP_ACL_KEY {
426    "app manifest"
427  } else {
428    prefix
429  }
430}
431
432#[cfg(feature = "build")]
433mod build {
434  use proc_macro2::TokenStream;
435  use quote::{quote, ToTokens, TokenStreamExt};
436  use std::convert::identity;
437
438  use super::*;
439  use crate::{literal_struct, tokens::*};
440
441  #[cfg(debug_assertions)]
442  impl ToTokens for ResolvedCommandReference {
443    fn to_tokens(&self, tokens: &mut TokenStream) {
444      let capability = str_lit(&self.capability);
445      let permission = str_lit(&self.permission);
446      literal_struct!(
447        tokens,
448        ::tauri::utils::acl::resolved::ResolvedCommandReference,
449        capability,
450        permission
451      )
452    }
453  }
454
455  impl ToTokens for ResolvedCommand {
456    fn to_tokens(&self, tokens: &mut TokenStream) {
457      #[cfg(debug_assertions)]
458      let referenced_by = &self.referenced_by;
459
460      let context = &self.context;
461
462      let windows = vec_lit(&self.windows, |window| {
463        let w = window.as_str();
464        quote!(#w.parse().unwrap())
465      });
466      let webviews = vec_lit(&self.webviews, |window| {
467        let w = window.as_str();
468        quote!(#w.parse().unwrap())
469      });
470      let scope_id = opt_lit(self.scope_id.as_ref());
471
472      #[cfg(debug_assertions)]
473      {
474        literal_struct!(
475          tokens,
476          ::tauri::utils::acl::resolved::ResolvedCommand,
477          context,
478          referenced_by,
479          windows,
480          webviews,
481          scope_id
482        )
483      }
484      #[cfg(not(debug_assertions))]
485      literal_struct!(
486        tokens,
487        ::tauri::utils::acl::resolved::ResolvedCommand,
488        context,
489        windows,
490        webviews,
491        scope_id
492      )
493    }
494  }
495
496  impl ToTokens for ResolvedScope {
497    fn to_tokens(&self, tokens: &mut TokenStream) {
498      let allow = vec_lit(&self.allow, identity);
499      let deny = vec_lit(&self.deny, identity);
500      literal_struct!(
501        tokens,
502        ::tauri::utils::acl::resolved::ResolvedScope,
503        allow,
504        deny
505      )
506    }
507  }
508
509  impl ToTokens for Resolved {
510    fn to_tokens(&self, tokens: &mut TokenStream) {
511      let allowed_commands = map_lit(
512        quote! { ::std::collections::BTreeMap },
513        &self.allowed_commands,
514        str_lit,
515        |v| vec_lit(v, identity),
516      );
517
518      let denied_commands = map_lit(
519        quote! { ::std::collections::BTreeMap },
520        &self.denied_commands,
521        str_lit,
522        |v| vec_lit(v, identity),
523      );
524
525      let command_scope = map_lit(
526        quote! { ::std::collections::BTreeMap },
527        &self.command_scope,
528        identity,
529        identity,
530      );
531
532      let global_scope = map_lit(
533        quote! { ::std::collections::BTreeMap },
534        &self.global_scope,
535        str_lit,
536        identity,
537      );
538
539      literal_struct!(
540        tokens,
541        ::tauri::utils::acl::resolved::Resolved,
542        allowed_commands,
543        denied_commands,
544        command_scope,
545        global_scope
546      )
547    }
548  }
549}
550
551#[cfg(test)]
552mod tests {
553
554  use super::{get_permissions, Identifier, Manifest, Permission, PermissionSet};
555
556  fn manifest<const P: usize, const S: usize>(
557    name: &str,
558    permissions: [&str; P],
559    default_set: Option<&[&str]>,
560    sets: [(&str, &[&str]); S],
561  ) -> (String, Manifest) {
562    (
563      name.to_string(),
564      Manifest {
565        default_permission: default_set.map(|perms| PermissionSet {
566          identifier: "default".to_string(),
567          description: "default set".to_string(),
568          permissions: perms.iter().map(|s| s.to_string()).collect(),
569        }),
570        permissions: permissions
571          .iter()
572          .map(|p| {
573            (
574              p.to_string(),
575              Permission {
576                identifier: p.to_string(),
577                ..Default::default()
578              },
579            )
580          })
581          .collect(),
582        permission_sets: sets
583          .iter()
584          .map(|(s, perms)| {
585            (
586              s.to_string(),
587              PermissionSet {
588                identifier: s.to_string(),
589                description: format!("{s} set"),
590                permissions: perms.iter().map(|s| s.to_string()).collect(),
591              },
592            )
593          })
594          .collect(),
595        ..Default::default()
596      },
597    )
598  }
599
600  fn id(id: &str) -> Identifier {
601    Identifier::try_from(id.to_string()).unwrap()
602  }
603
604  #[test]
605  fn resolves_permissions_from_other_plugins() {
606    let acl = [
607      manifest(
608        "fs",
609        ["read", "write", "rm", "exist"],
610        Some(&["read", "exist"]),
611        [],
612      ),
613      manifest(
614        "http",
615        ["fetch", "fetch-cancel"],
616        None,
617        [("fetch-with-cancel", &["fetch", "fetch-cancel"])],
618      ),
619      manifest(
620        "dialog",
621        ["open", "save"],
622        None,
623        [(
624          "extra",
625          &[
626            "save",
627            "fs:default",
628            "fs:write",
629            "http:default",
630            "http:fetch-with-cancel",
631          ],
632        )],
633      ),
634    ]
635    .into();
636
637    let permissions = get_permissions(&id("fs:default"), &acl).unwrap();
638    assert_eq!(permissions.len(), 2);
639    assert_eq!(permissions[0].key, "fs");
640    assert_eq!(permissions[0].permission_name, "read");
641    assert_eq!(permissions[1].key, "fs");
642    assert_eq!(permissions[1].permission_name, "exist");
643
644    let permissions = get_permissions(&id("fs:rm"), &acl).unwrap();
645    assert_eq!(permissions.len(), 1);
646    assert_eq!(permissions[0].key, "fs");
647    assert_eq!(permissions[0].permission_name, "rm");
648
649    let permissions = get_permissions(&id("http:fetch-with-cancel"), &acl).unwrap();
650    assert_eq!(permissions.len(), 2);
651    assert_eq!(permissions[0].key, "http");
652    assert_eq!(permissions[0].permission_name, "fetch");
653    assert_eq!(permissions[1].key, "http");
654    assert_eq!(permissions[1].permission_name, "fetch-cancel");
655
656    let permissions = get_permissions(&id("dialog:extra"), &acl).unwrap();
657    assert_eq!(permissions.len(), 6);
658    assert_eq!(permissions[0].key, "dialog");
659    assert_eq!(permissions[0].permission_name, "save");
660    assert_eq!(permissions[1].key, "fs");
661    assert_eq!(permissions[1].permission_name, "read");
662    assert_eq!(permissions[2].key, "fs");
663    assert_eq!(permissions[2].permission_name, "exist");
664    assert_eq!(permissions[3].key, "fs");
665    assert_eq!(permissions[3].permission_name, "write");
666    assert_eq!(permissions[4].key, "http");
667    assert_eq!(permissions[4].permission_name, "fetch");
668    assert_eq!(permissions[5].key, "http");
669    assert_eq!(permissions[5].permission_name, "fetch-cancel");
670  }
671}