test: improve config-file permission test coverage · nodejs/node@f50ac5b

@@ -5,15 +5,16 @@ import { describe, it } from 'node:test';

5566describe('Permission model config file support', () => {77it('should load filesystem read/write permissions from config file', async () => {8-const configPath = fixtures.path('permission/config-fs-read-write.json');8+const readWriteConfigPath = fixtures.path('permission/config-fs-read-write.json');9+const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json');910const readTestPath = fixtures.path('permission/fs-read-test.js');1011const writeTestPath = fixtures.path('permission/fs-write-test.js');11121213{1314const result = await spawnPromisified(process.execPath, [1415'--permission',1516'--experimental-config-file',16-configPath,17+readOnlyConfigPath,1718readTestPath,1819]);1920assert.strictEqual(result.code, 0);

@@ -23,40 +24,78 @@ describe('Permission model config file support', () => {

2324const result = await spawnPromisified(process.execPath, [2425'--permission',2526'--experimental-config-file',26-configPath,27+readWriteConfigPath,2728writeTestPath,2829]);2930assert.strictEqual(result.code, 0);3031}32+33+{34+const result = await spawnPromisified(process.execPath, [35+'--permission',36+'--experimental-config-file',37+readOnlyConfigPath,38+writeTestPath,39+]);40+assert.strictEqual(result.code, 1);41+assert.match(result.stderr, /Access to this API has been restricted\. Use --allow-fs-write to manage permissions/);42+}3143});32443345it('should load child process and worker permissions from config file', async () => {3446const configPath = fixtures.path('permission/config-child-worker.json');47+const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json');3548const childTestPath = fixtures.path('permission/child-process-test.js');364937-const result = await spawnPromisified(process.execPath, [38-'--permission',39-'--experimental-config-file',40-configPath,41-'--allow-fs-read=*',42-childTestPath,43-]);44-assert.strictEqual(result.code, 0);50+{51+const result = await spawnPromisified(process.execPath, [52+'--permission',53+'--experimental-config-file',54+configPath,55+childTestPath,56+]);57+assert.strictEqual(result.code, 0);58+}59+60+{61+const result = await spawnPromisified(process.execPath, [62+'--permission',63+'--experimental-config-file',64+readOnlyConfigPath,65+childTestPath,66+]);67+assert.strictEqual(result.code, 1, result.stderr);68

+assert.match(result.stderr, /Access to this API has been restricted\. Use --allow-child-process to manage permissions/);

69+}4570});46714772it('should load network and inspector permissions from config file', async () => {4873const configPath = fixtures.path('permission/config-net-inspector.json');74+const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json');497550-const result = await spawnPromisified(process.execPath, [51-'--permission',52-'--experimental-config-file',53-configPath,54-'--allow-fs-read=*',55-'-p',56-'process.permission.has("wasi") && process.permission.has("inspector")',57-]);58-assert.match(result.stdout, /true/);59-assert.strictEqual(result.code, 0);76+{77+const result = await spawnPromisified(process.execPath, [78+'--permission',79+'--experimental-config-file',80+configPath,81+'-p',82+'process.permission.has("wasi") && process.permission.has("inspector")',83+]);84+assert.match(result.stdout, /true/);85+assert.strictEqual(result.code, 0);86+}87+88+{89+const result = await spawnPromisified(process.execPath, [90+'--permission',91+'--experimental-config-file',92+readOnlyConfigPath,93+'-p',94+'process.permission.has("wasi") + process.permission.has("inspector")',95+]);96+assert.match(result.stdout, /0/);97+assert.strictEqual(result.code, 0);98+}6099});6110062101it('should load addons and wasi permissions from config file', async () => {

@@ -74,32 +113,17 @@ describe('Permission model config file support', () => {

74113assert.strictEqual(result.code, 0);75114});7611577-it('should deny operations when permissions are not in config file', async () => {78-const configPath = fixtures.path('permission/config-fs-read-write.json');79-80-const result = await spawnPromisified(process.execPath, [81-'--permission',82-'--experimental-config-file',83-configPath,84-'--allow-fs-read=*',85-'-p',86-'process.permission.has("child")',87-]);88-assert.match(result.stdout, /false/);89-assert.strictEqual(result.code, 0);90-});91-92116it('should combine config file permissions with CLI flags', async () => {93-const configPath = fixtures.path('permission/config-fs-read-write.json');117+const configPath = fixtures.path('permission/config-fs-read-only.json');9411895119const result = await spawnPromisified(process.execPath, [96120'--permission',97121'--experimental-config-file',98122configPath,99123'--allow-child-process',100-'--allow-fs-read=*',124+'--allow-fs-write=*',101125'-p',102-'process.permission.has("child") && process.permission.has("fs.read")',126+'process.permission.has("child") && process.permission.has("fs.read") && process.permission.has("fs.write")',103127]);104128assert.match(result.stdout, /true/);105129assert.strictEqual(result.code, 0);