Manual permissions control

prikolium-cfx · prikolium-cfx · commit 57d9fc38ad83 · 2026-01-22T11:59:58.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -45,7 +45,7 @@ jobs:
         run: |
           $startInfo = New-Object System.Diagnostics.ProcessStartInfo
           $startInfo.FileName = "${{ steps.vsinst.outputs.cmd }}"
-          $startInfo.Arguments = 'modify --installPath "${{ steps.vs.outputs.path }}" --add Microsoft.VisualStudio.Component.VC.14.36.17.6.x86.x64 --passive --norestart --wait --noUpdateInstaller'
+          $startInfo.Arguments = 'modify --installPath "${{ steps.vs.outputs.path }}" --add Microsoft.VisualStudio.Component.VC.14.36.17.6.x86.x64 --quiet --norestart --wait --noUpdateInstaller'
           $process = New-Object System.Diagnostics.Process
           $process.StartInfo = $startInfo
           $process.Start()
diff --git a/build-windows.bat b/build-windows.bat
@@ -1,11 +1,90 @@
 @echo off
+setlocal EnableExtensions EnableDelayedExpansion
+
+rem Enter the Node source folder
 pushd node
 
+rem Apply local patches, if any
 for %%f in (../patches/*.patch) do (
     echo Applying %%f...
     git apply --reject --whitespace=fix "../patches/%%f"
 )
 
-python ../HandleScope.py src
+rem Build Release and Debug DLLs (clang-cl, no tests, no npm)
+call vcbuild.bat release x64 dll no-cctest clang-cl nonpm
+call vcbuild.bat debug   x64 dll no-cctest clang-cl nonpm
+
+rem Staging directories for packaging
+set STAGE_ROOT=..\out
+set STAGE_REL=%STAGE_ROOT%\Release
+set STAGE_REL_LIB=%STAGE_REL%\lib
+set STAGE_DBG=%STAGE_ROOT%\Debug
+set STAGE_DBG_LIB=%STAGE_DBG%\lib
+
+if not exist "%STAGE_REL%" mkdir "%STAGE_REL%"
+if not exist "%STAGE_REL_LIB%" mkdir "%STAGE_REL_LIB%"
+if not exist "%STAGE_DBG%" mkdir "%STAGE_DBG%"
+if not exist "%STAGE_DBG_LIB%" mkdir "%STAGE_DBG_LIB%"
+
+rem Helper to copy headers (*.h, *.hpp) recursively
+rem Usage: call :copy_headers "src_dir" "dest_dir"
+goto :after_functions
+:copy_headers
+    set SRC=%~1
+    set DST=%~2
+    if not exist "%DST%" mkdir "%DST%"
+    rem robocopy returns codes <8 for success; ignore non-fatal codes
+    robocopy "%SRC%" "%DST%" *.h   /S >nul & if errorlevel 8 exit /b %ERRORLEVEL%
+    robocopy "%SRC%" "%DST%" *.hpp /S >nul & if errorlevel 8 exit /b %ERRORLEVEL%
+    exit /b 0
+:after_functions
+
+echo Collect includes (node, uv, v8, openssl) into include/node
+set INC_REL=%STAGE_REL%\include\node
+set INC_DBG=%STAGE_DBG%\include\node
+
+call :copy_headers "src"               "%INC_REL%"   || goto :fail
+call :copy_headers "deps\uv\include"  "%INC_REL%\uv\include"   || goto :fail
+call :copy_headers "deps\v8\include"  "%INC_REL%\v8\include"   || goto :fail
+call :copy_headers "deps\openssl"      "%INC_REL%\openssl"       || goto :fail
+
+call :copy_headers "src"               "%INC_DBG%"   || goto :fail
+call :copy_headers "deps\uv\include"  "%INC_DBG%\uv\include"   || goto :fail
+call :copy_headers "deps\v8\include"  "%INC_DBG%\v8\include"   || goto :fail
+call :copy_headers "deps\openssl"      "%INC_DBG%\openssl"       || goto :fail
+
+echo Locate built artifacts and copy/rename to expected names
+echo %CWD%
+set REL_BUILD=out\Release
+set DBG_BUILD=out\Debug
+
+copy /Y "%REL_BUILD%\libnode22.dll" "%STAGE_REL%\lib\libnode22.dll" >nul
+copy /Y "%REL_BUILD%\libnode22.lib" "%STAGE_REL%\lib\libnode22.lib" >nul
+copy /Y "%REL_BUILD%\libnode22.pdb" "%STAGE_REL%\lib\libnode22.pdb" >nul
+
+copy /Y "%DBG_BUILD%\libnode22.dll" "%STAGE_DBG%\lib\libnode22.dll" >nul
+copy /Y "%DBG_BUILD%\libnode22.lib" "%STAGE_DBG%\lib\libnode22.lib" >nul
+copy /Y "%DBG_BUILD%\libnode22.pdb" "%STAGE_DBG%\lib\libnode22.pdb" >nul
+
+echo Create tar.xz packages if tar (bsdtar) is available
+where tar >nul 2>nul
+if %ERRORLEVEL% EQU 0 (
+    echo Creating archives...
+    tar -cJf "%STAGE_ROOT%\libnode22-release.tar.xz" -C "%STAGE_REL%" .
+    tar -cJf "%STAGE_ROOT%\libnode22-debug.tar.xz"   -C "%STAGE_DBG%" .
+    echo Done: %STAGE_ROOT%\libnode22-release.tar.xz
+    echo Done: %STAGE_ROOT%\libnode22-debug.tar.xz
+) else (
+    echo WARN: 'tar' not found. Skipping archive creation. Artifacts left in:
+    echo   %STAGE_REL%
+    echo   %STAGE_DBG%
+)
+
+popd
+echo Windows Node build and packaging completed.
+exit /b 0
 
-vcbuild.bat release x64 dll no-cctest clang-cl nonpm
+:fail
+popd
+echo Build failed. See output above.
+exit /b 1
diff --git a/patches/handle_scope.patch b/patches/handle_scope.patch
@@ -1,107 +1,47 @@
-diff --git forkSrcPrefix/src/node.h forkDstPrefix/src/node.h
-index 60598f54114b2424f10706e57d8aa50c4634bcb0..9213adb06dd45f521867591ff9a4af70096802de 100644
---- forkSrcPrefix/src/node.h
-+++ forkDstPrefix/src/node.h
-@@ -228,6 +228,67 @@ namespace node {
+diff --git forkSrcPrefix/deps/v8/src/api/api.cc forkDstPrefix/deps/v8/src/api/api.cc
+index 2dd476dda34f1cfe3a75b7895009af24963372f2..6476204733a8aa87c4681dbeb5fee12db54e529d 100644
+--- forkSrcPrefix/deps/v8/src/api/api.cc
++++ forkDstPrefix/deps/v8/src/api/api.cc
+@@ -883,7 +883,21 @@ void InternalFieldOutOfBounds(int index) {
  
- class IsolateData;
- class Environment;
-+
-+class ScopeCB
-+{
-+  v8::Isolate* m_isolate;
-+public:
-+ inline ScopeCB(v8::Isolate* isolate) : m_isolate(isolate) {
-+    if(g_enterScopeCB) {
-+      g_enterScopeCB(isolate);
-+    }
-+  }
-+
-+  inline ~ScopeCB() {
-+    if(g_leaveScopeCB) {
-+      g_leaveScopeCB(m_isolate);
-+    }
-+  }
-+
-+  inline static std::function<void(v8::Isolate*)> g_enterScopeCB;
-+  inline static std::function<void(v8::Isolate*)> g_leaveScopeCB;
-+};
-+
-+NODE_EXTERN void SetScopeHandler(const std::function<void(v8::Isolate*)>& enter,
-+                     const std::function<void(v8::Isolate*)>& exit);
-+
-+class NodeHandleScope
-+{
-+  ScopeCB m_scopeCB;
-+  v8::HandleScope m_handleScope; 
-+public:
-+  inline NodeHandleScope(v8::Isolate* isolate) : m_scopeCB(isolate), m_handleScope(isolate) {}
-+  inline ~NodeHandleScope() = default;
-+};
-+
-+class NodeEscapableHandleScope
-+{
-+  ScopeCB m_scopeCB;
-+  v8::EscapableHandleScope m_handleScope; 
-+public:
-+  inline NodeEscapableHandleScope(v8::Isolate* isolate) : m_scopeCB(isolate), m_handleScope(isolate) {}
-+  inline ~NodeEscapableHandleScope() = default;
-+
-+  template <class T>
-+  inline v8::Local<T> Escape(v8::Local<T> value) {
-+    return m_handleScope.Escape(value);
-+  }
+ // --- H a n d l e s ---
+ 
+-HandleScope::HandleScope(Isolate* v8_isolate) { Initialize(v8_isolate); }
++static std::function<void(Isolate*)> g_enterScopeCB;
++static std::function<void(Isolate*)> g_leaveScopeCB;
++
++V8_EXPORT void SetScopeHandler(const std::function<void(Isolate*)>& enter,
++                     const std::function<void(Isolate*)>& exit) {
++  g_enterScopeCB = enter;
++  g_leaveScopeCB = exit;
++}
 +
-+  template <class T>
-+  inline v8::MaybeLocal<T> EscapeMaybe(v8::MaybeLocal<T> value) {
-+    return m_handleScope.EscapeMaybe(value);
++HandleScope::HandleScope(Isolate* v8_isolate) {
++  if(g_enterScopeCB) {
++    g_enterScopeCB(v8_isolate);
 +  }
-+};
-+
-+class NodeSealHandleScope
-+{
-+  ScopeCB m_scopeCB;
-+  v8::SealHandleScope m_handleScope; 
-+public:
-+  inline NodeSealHandleScope(v8::Isolate* isolate) : m_scopeCB(isolate), m_handleScope(isolate) {}
-+  inline ~NodeSealHandleScope() = default;
-+};
-+
- class MultiIsolatePlatform;
- class InitializationResultImpl;
- 
-diff --git forkSrcPrefix/src/node.cc forkDstPrefix/src/node.cc
-index 1a2a43bdd37441400323a800c147fcb89f0d549a..81f15f01e2a59f3752254a768f6a58d4286a23fc 100644
---- forkSrcPrefix/src/node.cc
-+++ forkDstPrefix/src/node.cc
-@@ -290,7 +290,7 @@ void Environment::InitializeDiagnostics() {
- 
- static
- MaybeLocal<Value> StartExecution(Environment* env, const char* main_script_id) {
--  EscapableHandleScope scope(env->isolate());
-+  NodeEscapableHandleScope scope(env->isolate());
-   CHECK_NOT_NULL(main_script_id);
-   Realm* realm = env->principal_realm();
- 
-@@ -338,7 +338,7 @@ MaybeLocal<Value> StartExecution(Environment* env, StartExecutionCallback cb) {
-   // Only snapshot builder or embedder applications set the
-   // callback.
-   if (cb != nullptr) {
--    EscapableHandleScope scope(env->isolate());
-+    NodeEscapableHandleScope scope(env->isolate());
++  Initialize(v8_isolate);
++}
  
-     Local<Value> result;
-     if (env->isolate_data()->is_building_snapshot()) {
-@@ -1548,6 +1548,12 @@ int Stop(Environment* env, StopFlags::Flags flags) {
-   return 0;
+ void HandleScope::Initialize(Isolate* v8_isolate) {
+   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(v8_isolate);
+@@ -908,6 +922,9 @@ void HandleScope::Initialize(Isolate* v8_isolate) {
  }
  
-+void SetScopeHandler(const std::function<void(v8::Isolate*)>& enter,
-+                     const std::function<void(v8::Isolate*)>& exit) {
-+  ScopeCB::g_enterScopeCB = enter;
-+  ScopeCB::g_leaveScopeCB = exit;
-+}
-+
- }  // namespace node
+ HandleScope::~HandleScope() {
++  if(g_leaveScopeCB) {
++    g_leaveScopeCB(reinterpret_cast<Isolate*>(i_isolate_));
++  }
+ #ifdef V8_ENABLE_CHECKS
+   CHECK_EQ(scope_level_, i_isolate_->handle_scope_data()->level);
+ #endif
+@@ -938,6 +955,9 @@ i::Address* HandleScope::CreateHandleForCurrentIsolate(i::Address value) {
+ #endif  // V8_ENABLE_DIRECT_LOCAL
  
- #if !HAVE_INSPECTOR
+ EscapableHandleScopeBase::EscapableHandleScopeBase(Isolate* v8_isolate) {
++  if(g_enterScopeCB) {
++    g_enterScopeCB(v8_isolate);
++  }
+   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(v8_isolate);
+   escape_slot_ = CreateHandle(
+       i_isolate, i::ReadOnlyRoots(i_isolate).the_hole_value().ptr());
diff --git a/patches/manual_permissions_control.patch b/patches/manual_permissions_control.patch
@@ -0,0 +1,107 @@
+diff --git forkSrcPrefix/src/node.h forkDstPrefix/src/node.h
+index 60598f54114b2424f10706e57d8aa50c4634bcb0..b3ebb94dd63ee7edaf8c80f0759ef43d690d54c2 100644
+--- forkSrcPrefix/src/node.h
++++ forkDstPrefix/src/node.h
+@@ -137,6 +137,12 @@ class TracingController;
+ 
+ }
+ 
++namespace permission {
++
++enum class PermissionScope;
++
++}  // namespace permission
++
+ NODE_EXTERN v8::Local<v8::Value> ErrnoException(v8::Isolate* isolate,
+                                                 int errorno,
+                                                 const char* syscall = nullptr,
+@@ -769,6 +775,12 @@ NODE_EXTERN v8::MaybeLocal<v8::Value> LoadEnvironment(
+     EmbedderPreloadCallback preload = nullptr);
+ NODE_EXTERN void FreeEnvironment(Environment* env);
+ 
++// Set a callback for permission control
++NODE_EXTERN void SetPermissionHandler(Environment* env,
++    std::function<bool(Environment*,
++                       permission::PermissionScope,
++                       const std::string_view&)>&& handler);
++
+ // Set a callback that is called when process.exit() is called from JS,
+ // overriding the default handler.
+ // It receives the Environment* instance and the exit code as arguments.
+diff --git forkSrcPrefix/src/api/environment.cc forkDstPrefix/src/api/environment.cc
+index ad323fc800a33c010b0504a4aa55c107498dee26..ec3d61159060f6efbebff3f3a2473a32d11c366a 100644
+--- forkSrcPrefix/src/api/environment.cc
++++ forkDstPrefix/src/api/environment.cc
+@@ -922,4 +922,11 @@ void SetProcessExitHandler(Environment* env,
+   });
+ }
+ 
++void SetPermissionHandler(Environment* env,
++    std::function<bool(Environment*,
++                       permission::PermissionScope,
++                       const std::string_view&)>&& handler) {
++  env->permission()->EnableManualPermissionControl(std::move(handler));
++}
++
+ }  // namespace node
+diff --git forkSrcPrefix/src/permission/permission.cc forkDstPrefix/src/permission/permission.cc
+index 7c84aa044dbbf58e2ae05f29d2cfad5502ea745e..c47992d2b3cdc068e1b74bc36767ded0e1c25acb 100644
+--- forkSrcPrefix/src/permission/permission.cc
++++ forkDstPrefix/src/permission/permission.cc
+@@ -152,6 +152,12 @@ void Permission::EnablePermissions() {
+   }
+ }
+ 
++void Permission::EnableManualPermissionControl(
++    PermissionCheckCallback&& permission_check_callback) {
++  enabled_ = true;
++  permission_check_callback_ = std::move(permission_check_callback);
++}
++
+ void Permission::Apply(Environment* env,
+                        const std::vector<std::string>& allow,
+                        PermissionScope scope) {
+diff --git forkSrcPrefix/src/permission/permission.h forkDstPrefix/src/permission/permission.h
+index 8e5bb87803656f857602736abbb077ec2e192589..3c457293e95fbe6c275829e1c88fa46ab4776703 100644
+--- forkSrcPrefix/src/permission/permission.h
++++ forkDstPrefix/src/permission/permission.h
+@@ -47,6 +47,11 @@ namespace permission {
+ 
+ class Permission {
+  public:
++  using PermissionCheckCallback =
++      std::function<bool(Environment* env,
++                         PermissionScope permission,
++                         const std::string_view& resource)>;
++
+   Permission();
+ 
+   FORCE_INLINE bool is_granted(Environment* env,
+@@ -55,6 +60,9 @@ class Permission {
+     if (!enabled_) [[likely]] {
+       return true;
+     }
++    if (permission_check_callback_) {
++      return permission_check_callback_(env, permission, res);
++    }
+     return is_scope_granted(env, permission, res);
+   }
+ 
+@@ -76,6 +84,9 @@ class Permission {
+              PermissionScope scope);
+   void EnablePermissions();
+ 
++  void EnableManualPermissionControl(
++      PermissionCheckCallback&& permission_check_callback);
++
+  private:
+   COLD_NOINLINE bool is_scope_granted(Environment* env,
+                                       const PermissionScope permission,
+@@ -89,6 +100,7 @@ class Permission {
+ 
+   std::unordered_map<PermissionScope, std::shared_ptr<PermissionBase>> nodes_;
+   bool enabled_;
++  PermissionCheckCallback permission_check_callback_;
+ };
+ 
+ }  // namespace permission
