cli support for the permission.

blessnetwork · Jan 13, 2025 · 70c982b · 70c982b
1 parent 77cc556
commit 70c982b
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 25 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -30,7 +30,7 @@ wasi-common = { path = "crates/wasi-common", version="=28.0.0" }
 # witx dependency by wiggle
 wiggle = "=28.0.0"
 witx = "0.9.1"
-bls-permissions = {git = "https://github.com/blocklessnetwork/bls-permissions.git", tag="v0.0.2"}
+bls-permissions = {git = "https://github.com/blocklessnetwork/bls-permissions.git"}
 termcolor = { version = "1.1.3"}
 
 anyhow = "1.0.93"

diff --git a/blockless/src/context.rs b/blockless/src/context.rs
@@ -1,5 +1,6 @@
 use std::sync::{Arc, Mutex};
 
+use wasi_common::PermissionConfig;
 use wasmtime::StoreLimits;
 use wasmtime_wasi::preview1::WasiP1Ctx;
 use wasmtime_wasi_threads::WasiThreadsCtx;
@@ -40,6 +41,12 @@ impl BlocklessContext {
             .get_mut()
             .unwrap()
     }
+
+    pub(crate) fn set_permisions(&mut self, options: &PermissionConfig) {
+        self.preview1_ctx.as_mut().map(|ctx| 
+            ctx.set_permissions_options(options.into()
+        ).unwrap());
+    }
 }
 
 impl wasmtime_wasi::WasiView for BlocklessContext {

diff --git a/blockless/src/lib.rs b/blockless/src/lib.rs
@@ -374,6 +374,8 @@ impl BlocklessRunner {
         match linker {
             BlsLinker::Core(ref mut linker) => {
                 Self::preview1_linker_setup(linker);
+                //preview1 setup the permissions with options
+                store.data_mut().set_permisions(&b_conf.permissions_config);
             }
             BlsLinker::Component(ref mut linker) => {
                 is_component = true;

diff --git a/bls-runtime/src/cli_clap.rs b/bls-runtime/src/cli_clap.rs
@@ -1,7 +1,7 @@
 #![allow(unused)]
 use anyhow::{bail, Result};
 use blockless::{
-    BlocklessConfig, BlocklessModule, BlsNnGraph, BlsOptions, ModuleType, OptimizeOpts, OptionParser, Permission, PermissionAllow, Stderr, Stdin, Stdout
+    BlocklessConfig, BlocklessModule, BlsNnGraph, BlsOptions, ModuleType, OptimizeOpts, OptionParser, Permission, PermissionAllow, PermissionConfig, Stderr, Stdin, Stdout
 };
 use clap::{
     builder::{TypedValueParser, ValueParser},
@@ -227,7 +227,17 @@ pub struct PermissionFlags {
     allow_write: Option<PermissionAllow>,
 
     #[clap(long = "allow-all", help = "Allow all permissions.")]
-    allow_all: Option<bool>,
+    allow_all: bool,
+}
+
+impl Into<PermissionConfig> for PermissionFlags {
+    fn into(self) -> PermissionConfig {
+        PermissionConfig {
+            allow_read: self.allow_read,
+            allow_write: self.allow_write,
+            allow_all: self.allow_all,
+        }
+    }
 }
 
 #[derive(Parser, Debug)]
@@ -369,9 +379,7 @@ impl CliCommandOpts {
         conf.0.set_map_dirs(self.dirs);
         conf.0.set_feature_thread(self.feature_thread);
         conf.0.limited_memory(self.max_memory_size);
-        conf.0.permissions.allow_read = self.permission_flags.allow_read;
-        conf.0.permissions.allow_write = self.permission_flags.allow_write;
-        conf.0.permissions.allow_all = self.permission_flags.allow_all;
+        conf.0.permissions_config = self.permission_flags.into();
 
         // Handle IO settings
         if let Some(stderr) = self.stdio.stderr {

diff --git a/crates/wasi-common/src/blockless/config.rs b/crates/wasi-common/src/blockless/config.rs
@@ -1,5 +1,6 @@
 use crate::Permission;
 use anyhow::{bail, Ok};
+use bls_permissions::PermissionsOptions;
 use std::{
     collections::HashMap,
     net::SocketAddr,
@@ -278,18 +279,6 @@ impl OptionParser<String> for wasmtime::RegallocAlgorithm {
     }
 }
 
-#[derive(Clone, Debug)]
-pub enum PermissionAllow {
-    AllowAll,
-    Allow(Vec<String>),
-}
-
-impl Default for PermissionAllow {
-    fn default() -> Self {
-        PermissionAllow::AllowAll
-    }
-}
-
 impl OptionParser<&str> for PermissionAllow {
     fn parse(val: &&str) -> anyhow::Result<Self> {
         match *val {
@@ -495,19 +484,56 @@ pub struct BlsNnGraph {
     pub dir: String,
 }
 
+#[derive(Clone, Debug)]
+pub enum PermissionAllow {
+    AllowAll,
+    Allow(Vec<String>),
+}
+
+impl Default for PermissionAllow {
+    fn default() -> Self {
+        PermissionAllow::AllowAll
+    }
+}
+
 #[derive(Clone, Debug)]
 pub struct PermissionConfig {
     pub allow_read: Option<PermissionAllow>,
     pub allow_write: Option<PermissionAllow>,
-    pub allow_all: Option<bool>,
+    pub allow_all: bool,
+}
+
+impl Into<PermissionsOptions> for &PermissionConfig {
+    fn into(self) -> PermissionsOptions {
+        let mut options = PermissionsOptions::default();
+        macro_rules! set_perm {
+            ($allow_f:expr, $allow_t:expr) => {
+                if let Some(allow_read) = $allow_f {
+                    match allow_read {
+                        PermissionAllow::AllowAll => {
+                            $allow_t = None;
+                        }
+                        PermissionAllow::Allow(allow) => {
+                            $allow_t = Some(allow.clone());
+                        }
+                    }
+                }
+            };
+        }
+        set_perm!(&self.allow_read, options.allow_read);
+        set_perm!(&self.allow_write, options.allow_write);
+        options.prompt = true;
+        options.allow_all = self.allow_all;
+        options
+    }
 }
 
 impl Default for PermissionConfig {
     fn default() -> Self {
         PermissionConfig {
             allow_read: None,
             allow_write: None,
-            allow_all: None,
+            allow_all: false,
         }
     }
 }
@@ -531,7 +557,6 @@ pub struct BlocklessConfig {
     pub unknown_imports_trap: bool,
     pub store_limited: StoreLimited,
     pub envs: Vec<(String, String)>,
-    pub tcp_listens: Vec<(SocketAddr, Option<u32>)>,
     pub permisions: Vec<Permission>,
     pub dirs: Vec<(String, String)>,
     pub fs_root_path: Option<String>,
@@ -544,8 +569,9 @@ pub struct BlocklessConfig {
     pub runtime_logger_level: LoggerLevel,
     pub cli_exit_with_code: bool,
     pub network_error_code: bool,
+    pub tcp_listens: Vec<(SocketAddr, Option<u32>)>,
     pub group_permisions: HashMap<String, Vec<Permission>>,
-    pub permissions: PermissionConfig,
+    pub permissions_config: PermissionConfig,
 }
 
 impl BlocklessConfig {
@@ -584,7 +610,7 @@ impl BlocklessConfig {
             opts: Default::default(),
             runtime_logger_level: LoggerLevel::WARN,
             version: BlocklessConfigVersion::Version0,
-            permissions: Default::default(),
+            permissions_config: Default::default(),
         }
     }
 

diff --git a/crates/wasi-common/src/blockless/permissions.rs b/crates/wasi-common/src/blockless/permissions.rs
@@ -10,7 +10,9 @@ use bls_permissions::ChildPermissionsArg;
 use bls_permissions::ModuleSpecifier;
 use bls_permissions::PermissionDescriptorParser;
 use bls_permissions::PermissionState;
+use bls_permissions::Permissions;
 use bls_permissions::Permissions as BlsPermissions;
+use bls_permissions::PermissionsOptions;
 use bls_permissions::RunQueryDescriptor;
 use bls_permissions::Url;
 
@@ -31,7 +33,7 @@ impl Permission {
 }
 
 #[derive(Clone, Debug)]
-pub struct BlsRuntimePermissionsContainer{
+pub struct BlsRuntimePermissionsContainer {
     pub inner: bls_permissions::BlsPermissionsContainer
 }
 
@@ -42,7 +44,7 @@ impl BlsRuntimePermissionsContainer {
         perms: BlsPermissions
     ) -> Self {
         init_tty_prompter();
-        Self{
+        Self {
             inner: BlsPermissionsContainer::new(descriptor_parser, perms)
         }
     }
@@ -58,6 +60,12 @@ impl BlsRuntimePermissionsContainer {
         )
     }
 
+    pub fn set_permissions_options(&self, permission_options: PermissionsOptions) -> Result<(), AnyError> {
+        let permissions = Permissions::from_options(&*self.inner.descriptor_parser, &permission_options)?;
+        *self.inner.lock() = permissions;
+        Ok(())
+    }
+
     pub fn allow_all(&self) {
         *self.inner.lock() = BlsPermissions::allow_all();
     }

diff --git a/crates/wasi-common/src/ctx.rs b/crates/wasi-common/src/ctx.rs
@@ -6,6 +6,7 @@ use crate::string_array::StringArray;
 use crate::table::Table;
 use crate::{BlocklessConfig, BlsRuntimePermissionsContainer};
 use crate::{Error, StringArrayError};
+use bls_permissions::PermissionsOptions;
 use cap_rand::RngCore;
 use std::ops::Deref;
 use std::path::{Path, PathBuf};
@@ -81,6 +82,10 @@ impl WasiCtx {
         }
     }
 
+    pub fn set_permissions_options(&mut self, permissions: PermissionsOptions) -> Result<(), anyhow::Error> {
+        self.perms_container.set_permissions_options(permissions)
+    }
+
     pub fn insert_file(&self, fd: u32, file: Box<dyn WasiFile>, access_mode: FileAccessMode) {
         self.table()
             .insert_at(fd, Arc::new(FileEntry::new(file, access_mode)));