From f06f6d280d0a1f9f0bb350696ea61ec5565c9a2d Mon Sep 17 00:00:00 2001 From: Joinhack Date: Tue, 21 Jan 2025 10:24:05 +0800 Subject: [PATCH] command line for url permission check in http request.
--- bls-runtime/src/cli_clap.rs | 14 ++++++++++++++ bls-runtime/src/main.rs | 2 ++ crates/wasi-common/src/blockless/config.rs | 6 ++++++ crates/wasi-common/src/blockless/permissions.rs | 6 ++++++ 4 files changed, 28 insertions(+)
diff --git a/bls-runtime/src/cli_clap.rs b/bls-runtime/src/cli_clap.rs
index 4a5d04d..6a201b2 100644
--- a/bls-runtime/src/cli_clap.rs
+++ b/bls-runtime/src/cli_clap.rs
@@ -92,10 +92,14 @@ const ALLOW_READ_ALL_HELP: &str = "Allow the app to all read permissions.";
 const ALLOW_WRITE_HELP: &str = "Allow the app to write permissions.";
+const ALLOW_NET_HELP: &str = "Allow the app to net accessing permissions.";
+
 const DENY_READ_HELP: &str = "Deny the app to read permissions.";
 const DENY_WRITE_HELP: &str = "Deny the app to write permissions.";
+const DENY_NET_HELP: &str = "Deny the app to net accessing permissions.";
+
 const ALLOW_WRITE_ALL_HELP: &str = "Allow the app to all write permissions.";
 fn parse_envs(envs: &str) -> Result<(String, String)> {
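Review bot: The two new help strings are hard to read (`Allow the app to net accessing permissions.`) and do not say what kind of value the flag takes, although the commit subject and the `URL[,]` value name used for `deny-net` in the next hunk indicate URLs; `const ALLOW_NET_HELP: &str = "Allow the app network access to the given URLs.";` and `const DENY_NET_HELP: &str = "Deny the app network access to the given URLs.";` would be clearer. If the flags may also be given with no value to mean every URL, as `num_args=(0..)` on the other permission flags suggests, the help text should state that explicitly, since an operator reading `--help` decides the sandbox boundary from it.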
@@ -235,12 +239,20 @@ pub struct PermissionFlags {
 #[clap(long = "allow-write", id="allow-write", num_args=(0..) , value_name = "PATH[,]", help = ALLOW_WRITE_HELP, value_parser = parser_allow)]
 pub allow_write: Option,
+ #[clap(long = "allow-net", id="allow-net", num_args=(0..) , value_name = "PATH[,]", help = ALLOW_NET_HELP, value_parser = parser_allow)]
+ pub allow_net: Option,
+
 #[clap(long = "deny-read", id="deny-read", num_args=(0..) , value_name = "PATH[,]", help = DENY_READ_HELP, value_parser = parser_allow)]
 pub deny_read: Option,
 #[clap(long = "deny-write", id="deny-write", num_args=(0..) , value_name = "PATH[,]", help = DENY_WRITE_HELP, value_parser = parser_allow)]
 pub deny_write: Option,
+ #[clap(long = "deny-net", id="deny-net", num_args=(0..) , value_name = "URL[,]", help = DENY_NET_HELP, value_parser = parser_allow)]
+ pub deny_net: Option,
+
+
+
 #[clap(long = "allow-all", id = "allow-all", help = "Allow all permissions.")]
 pub allow_all: bool,
 }
@@ -252,6 +264,8 @@ impl Into for PermissionFlags {
 deny_read: self.deny_read,
 allow_write: self.allow_write,
 deny_write: self.deny_write,
+ deny_net: self.deny_net,
+ allow_net: self.allow_net,
 allow_all: self.allow_all,
 };
 permissions
diff --git a/bls-runtime/src/main.rs b/bls-runtime/src/main.rs
index 5992ba6..58735ea 100644
--- a/bls-runtime/src/main.rs
+++ b/bls-runtime/src/main.rs
@@ -232,6 +232,8 @@ fn parse_args() -> CliCommandOpts {
 set_perm_grant!("allow-write", o.permission_flags.allow_write);
 set_perm_grant!("deny-read", o.permission_flags.deny_read);
 set_perm_grant!("deny-write", o.permission_flags.deny_write);
+ set_perm_grant!("allow-net", o.permission_flags.allow_net);
+ set_perm_grant!("deny-net", o.permission_flags.deny_net);
 o
 }
 Err(_) => {
diff --git a/crates/wasi-common/src/blockless/config.rs b/crates/wasi-common/src/blockless/config.rs
index ff1910b..bba0499 100644
--- a/crates/wasi-common/src/blockless/config.rs
+++ b/crates/wasi-common/src/blockless/config.rs
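Review bot: `allow-net` is declared with `value_name = "PATH[,]"` while `deny-net` uses `"URL[,]"`, so `--help` will describe the same kind of value differently for the two sides of one permission; the allow side should read `value_name = "URL[,]"`. Both flags also reuse `parser_allow`, which by its name appears to be the parser written for filesystem paths — if it normalises, canonicalises or validates its input as a path, it is worth confirming that a URL survives it unchanged, because an allow entry that is silently rewritten no longer matches (requests fail closed) while a deny entry that is rewritten no longer blocks (requests fail open). The three blank lines added before the `allow-all` field can be collapsed to one. `PermissionFlags` begins outside the hunk.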
@@ -502,6 +502,8 @@ pub struct PermissionsConfig {
 pub allow_write: Option,
 pub deny_read: Option,
 pub deny_write: Option,
+ pub allow_net: Option,
+ pub deny_net: Option,
 pub allow_all: bool,
 }
@@ -526,6 +528,8 @@ impl Into for &PermissionsConfig {
 set_perm!(&self.allow_write, options.allow_write);
 set_perm!(&self.deny_read, options.deny_read);
 set_perm!(&self.deny_write, options.deny_write);
+ set_perm!(&self.allow_net, options.allow_net);
+ set_perm!(&self.deny_net, options.deny_net);
 options.prompt = true;
 options.allow_all = self.allow_all;
 options
@@ -537,8 +541,10 @@ impl Default for PermissionsConfig {
 PermissionsConfig {
 allow_read: None,
 allow_write: None,
+ allow_net: None,
 deny_read: None,
 deny_write: None,
+ deny_net: None,
 allow_all: false,
 }
 }
diff --git a/crates/wasi-common/src/blockless/permissions.rs b/crates/wasi-common/src/blockless/permissions.rs
index 5af1421..144e845 100644
--- a/crates/wasi-common/src/blockless/permissions.rs
+++ b/crates/wasi-common/src/blockless/permissions.rs
@@ -74,12 +74,18 @@ impl BlsRuntimePermissionsContainer {
 if let Some(PermissionGrant::All) = config.deny_write {
 permissions.write.flag_denied_global = true;
 }
+ if let Some(PermissionGrant::All) = config.deny_net {
+ permissions.net.flag_denied_global = true;
+ }
 if let Some(PermissionGrant::All) = config.allow_read {
 permissions.read.granted_global = true;
 }
 if let Some(PermissionGrant::All) = config.allow_write {
 permissions.write.granted_global = true;
 }
+ if let Some(PermissionGrant::All) = config.allow_net {
+ permissions.net.granted_global = true;
+ }
 *self.inner.lock() = permissions;
 Ok(())
 }
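Review bot: In the permissions.rs hunk only the `PermissionGrant::All` case is mirrored onto `permissions.net`, and nothing else in this commit reads `permissions.net` on the HTTP request path, so whether a request URL is actually checked against the new grants — including any non-`All` list form the `URL[,]` value name implies — cannot be confirmed from the diff; the commit should point at that consumer or add it, otherwise `--allow-net`/`--deny-net` are accepted but inert. The deny flag is assigned before the allow flag exactly as for read and write, so precedence between the two rests entirely on how the `net` permission evaluates `flag_denied_global` against `granted_global`, which is not visible here; a one-line comment such as `// deny-net takes precedence over allow-net` (or the opposite, whichever the evaluator implements) would make the intended policy explicit at the point it is configured. The enclosing method and `impl BlsRuntimePermissionsContainer` start outside the hunk.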