src,permission: add support to permission.has(addon)

node.gyp

@@ -164,6 +164,7 @@
       'src/permission/wasi_permission.cc',
       'src/permission/worker_permission.cc',
       'src/permission/net_permission.cc',
+      'src/permission/addon_permission.cc',
       'src/pipe_wrap.cc',
       'src/process_wrap.cc',
       'src/signal_wrap.cc',
@@ -294,6 +295,7 @@
       'src/permission/wasi_permission.h',
       'src/permission/worker_permission.h',
       'src/permission/net_permission.h',
+      'src/permission/addon_permission.h',
       'src/pipe_wrap.h',
       'src/req_wrap.h',
       'src/req_wrap-inl.h',

src/env.cc

@@ -913,6 +913,7 @@ Environment::Environment(IsolateData* isolate_data,
     // unless explicitly allowed by the user
     if (!options_->allow_addons) {
       options_->allow_native_addons = false;
+      permission()->Apply(this, {"*"}, permission::PermissionScope::kAddon);
     }
     flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
     permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector);

src/permission/addon_permission.cc

@@ -0,0 +1,24 @@
+#include "addon_permission.h"
+
+#include <string>
+
+namespace node {
+
+namespace permission {
+
+// Currently, Addon manage a single state
+// Once denied, it's always denied
+void AddonPermission::Apply(Environment* env,
+                            const std::vector<std::string>& allow,
+                            PermissionScope scope) {
+  deny_all_ = true;
+}
+
+bool AddonPermission::is_granted(Environment* env,
+                                 PermissionScope perm,
+                                 const std::string_view& param) const {
+  return deny_all_ == false;
+}
+
+}  // namespace permission
+}  // namespace node

src/permission/addon_permission.h

@@ -0,0 +1,31 @@
+#ifndef SRC_PERMISSION_ADDON_PERMISSION_H_
+#define SRC_PERMISSION_ADDON_PERMISSION_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include <string>
+#include "permission/permission_base.h"
+
+namespace node {
+
+namespace permission {
+
+class AddonPermission final : public PermissionBase {
+ public:
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
+             PermissionScope scope) override;
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
+                  const std::string_view& param = "") const override;
+
+ private:
+  bool deny_all_;
+};
+
+}  // namespace permission
+
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#endif  // SRC_PERMISSION_ADDON_PERMISSION_H_

src/permission/permission.cc

@@ -85,6 +85,7 @@ Permission::Permission() : enabled_(false) {
       std::make_shared<InspectorPermission>();
   std::shared_ptr<PermissionBase> wasi = std::make_shared<WASIPermission>();
   std::shared_ptr<PermissionBase> net = std::make_shared<NetPermission>();
+  std::shared_ptr<PermissionBase> addon = std::make_shared<AddonPermission>();
 #define V(Name, _, __, ___)                                                    \
   nodes_.insert(std::make_pair(PermissionScope::k##Name, fs));
   FILESYSTEM_PERMISSIONS(V)
@@ -109,6 +110,10 @@ Permission::Permission() : enabled_(false) {
   nodes_.insert(std::make_pair(PermissionScope::k##Name, net));
   NET_PERMISSIONS(V)
 #undef V
+#define V(Name, _, __, ___)                                                    \
+  nodes_.insert(std::make_pair(PermissionScope::k##Name, addon));
+  ADDON_PERMISSIONS(V)
+#undef V
 }
 
 const char* GetErrorFlagSuggestion(node::permission::PermissionScope perm) {

src/permission/permission.h

@@ -5,6 +5,7 @@
 
 #include "debug_utils.h"
 #include "node_options.h"
+#include "permission/addon_permission.h"
 #include "permission/child_process_permission.h"
 #include "permission/fs_permission.h"
 #include "permission/inspector_permission.h"

src/permission/permission_base.h

@@ -31,13 +31,17 @@ namespace permission {
 
 #define NET_PERMISSIONS(V) V(Net, "net", PermissionsRoot, "--allow-net")
 
+#define ADDON_PERMISSIONS(V)                                                   \
+  V(Addon, "addon", PermissionsRoot, "--allow-addons")
+
 #define PERMISSIONS(V)                                                         \
   FILESYSTEM_PERMISSIONS(V)                                                    \
   CHILD_PROCESS_PERMISSIONS(V)                                                 \
   WASI_PERMISSIONS(V)                                                          \
   WORKER_THREADS_PERMISSIONS(V)                                                \
   INSPECTOR_PERMISSIONS(V)                                                     \
-  NET_PERMISSIONS(V)
+  NET_PERMISSIONS(V)                                                           \
+  ADDON_PERMISSIONS(V)
 
 #define V(name, _, __, ___) k##name,
 enum class PermissionScope {

test/parallel/test-permission-allow-addons-cli.js

@@ -19,3 +19,7 @@ const loadFixture = createRequire(fixtures.path('node_modules'));
   const msg = loadFixture('pkgexports/no-addons');
   assert.strictEqual(msg, 'using native addons');
 }
+
+{
+  assert.ok(process.permission.has('addon'));
+}

test/parallel/test-permission-has.js

@@ -34,5 +34,5 @@ const assert = require('assert');
   assert.ok(!process.permission.has('worker'));
   assert.ok(!process.permission.has('inspector'));
   assert.ok(!process.permission.has('net'));
-  // TODO(rafaelgss): add addon
+  assert.ok(!process.permission.has('addon'));
 }