src,process: add permission model

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs/node/pull/44004 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
author: Rafael Gonzaga <rafael.nunu@hotmail.com> 2023-02-23 15:11:51 -0300
committer: GitHub <noreply@github.com> 2023-02-23 18:11:51 +0000
commit: 00c222593e49d817281bc88a322f41f8dca95885 (patch)
tree: 29e6fd71f93dd98d8bb3fcd535d49ed80bdeacd5 /benchmark
parent: 42be7f6a0335c396810be91c3f3724007029f83d (diff)
download: node-new-00c222593e49d817281bc88a322f41f8dca95885.tar.gz
3 files changed, 141 insertions, 0 deletions
diff --git a/benchmark/fs/readfile-permission-enabled.js b/benchmark/fs/readfile-permission-enabled.js
new file mode 100644
index 0000000000..3053d5aa08
--- /dev/null
+++ b/benchmark/fs/readfile-permission-enabled.js
@@ -0,0 +1,72 @@
+// Call fs.readFile with permission system enabled
+// over and over again really fast.
+// Then see how many times it got called.
+'use strict';
+
+const path = require('path');
+const common = require('../common.js');
+const fs = require('fs');
+const assert = require('assert');
+
+const tmpdir = require('../../test/common/tmpdir');
+tmpdir.refresh();
+const filename = path.resolve(tmpdir.path,
+                              `.removeme-benchmark-garbage-${process.pid}`);
+
+const bench = common.createBenchmark(main, {
+  duration: [5],
+  encoding: ['', 'utf-8'],
+  len: [1024, 16 * 1024 * 1024],
+  concurrent: [1, 10],
+}, {
+  flags: ['--experimental-permission', '--allow-fs-read=*', '--allow-fs-write=*'],
+});
+
+function main({ len, duration, concurrent, encoding }) {
+  try {
+    fs.unlinkSync(filename);
+  } catch {
+    // Continue regardless of error.
+  }
+  let data = Buffer.alloc(len, 'x');
+  fs.writeFileSync(filename, data);
+  data = null;
+
+  let reads = 0;
+  let benchEnded = false;
+  bench.start();
+  setTimeout(() => {
+    benchEnded = true;
+    bench.end(reads);
+    try {
+      fs.unlinkSync(filename);
+    } catch {
+      // Continue regardless of error.
+    }
+    process.exit(0);
+  }, duration * 1000);
+
+  function read() {
+    fs.readFile(filename, encoding, afterRead);
+  }
+
+  function afterRead(er, data) {
+    if (er) {
+      if (er.code === 'ENOENT') {
+        // Only OK if unlinked by the timer from main.
+        assert.ok(benchEnded);
+        return;
+      }
+      throw er;
+    }
+
+    if (data.length !== len)
+      throw new Error('wrong number of bytes returned');
+
+    reads++;
+    if (!benchEnded)
+      read();
+  }
+
+  while (concurrent--) read();
+}
diff --git a/benchmark/permission/permission-fs-deny.js b/benchmark/permission/permission-fs-deny.js
new file mode 100644
index 0000000000..29bbeb27dc
--- /dev/null
+++ b/benchmark/permission/permission-fs-deny.js
@@ -0,0 +1,19 @@
+'use strict';
+const common = require('../common.js');
+
+const configs = {
+  n: [1e5],
+  concurrent: [1, 10],
+};
+
+const options = { flags: ['--experimental-permission'] };
+
+const bench = common.createBenchmark(main, configs, options);
+
+async function main(conf) {
+  bench.start();
+  for (let i = 0; i < conf.n; i++) {
+    process.permission.deny('fs.read', ['/home/example-file-' + i]);
+  }
+  bench.end(conf.n);
+}
diff --git a/benchmark/permission/permission-fs-is-granted.js b/benchmark/permission/permission-fs-is-granted.js
new file mode 100644
index 0000000000..062ba19445
--- /dev/null
+++ b/benchmark/permission/permission-fs-is-granted.js
@@ -0,0 +1,50 @@
+'use strict';
+const common = require('../common.js');
+const fs = require('fs/promises');
+const path = require('path');
+
+const configs = {
+  n: [1e5],
+  concurrent: [1, 10],
+};
+
+const rootPath = path.resolve(__dirname, '../../..');
+
+const options = {
+  flags: [
+    '--experimental-permission',
+    `--allow-fs-read=${rootPath}`,
+  ],
+};
+
+const bench = common.createBenchmark(main, configs, options);
+
+const recursivelyDenyFiles = async (dir) => {
+  const files = await fs.readdir(dir, { withFileTypes: true });
+  for (const file of files) {
+    if (file.isDirectory()) {
+      await recursivelyDenyFiles(path.join(dir, file.name));
+    } else if (file.isFile()) {
+      process.permission.deny('fs.read', [path.join(dir, file.name)]);
+    }
+  }
+};
+
+async function main(conf) {
+  const benchmarkDir = path.join(__dirname, '../..');
+  // Get all the benchmark files and deny access to it
+  await recursivelyDenyFiles(benchmarkDir);
+
+  bench.start();
+
+  for (let i = 0; i < conf.n; i++) {
+    // Valid file in a sequence of denied files
+    process.permission.has('fs.read', benchmarkDir + '/valid-file');
+    // Denied file
+    process.permission.has('fs.read', __filename);
+    // Valid file a granted directory
+    process.permission.has('fs.read', '/tmp/example');
+  }
+
+  bench.end(conf.n);
+}
author	Rafael Gonzaga <rafael.nunu@hotmail.com>	2023-02-23 15:11:51 -0300
committer	GitHub <noreply@github.com>	2023-02-23 18:11:51 +0000
commit	00c222593e49d817281bc88a322f41f8dca95885 (patch)
tree	29e6fd71f93dd98d8bb3fcd535d49ed80bdeacd5 /benchmark
parent	42be7f6a0335c396810be91c3f3724007029f83d (diff)
download	node-new-00c222593e49d817281bc88a322f41f8dca95885.tar.gz