aljaz/ditto
1
0
Fork 0
mirror of https://github.com/aljazceru/ditto.git synced 2026-01-20 13:54:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Let PolicyWorker run in sandbox with store

Browse Source
This commit is contained in:
Alex Gleason
2024-09-11 14:04:11 -05:00
parent ebc0250d81
commit cae0f492f3
3 changed files with 34 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/workers/policy.ts
View File

@@ -13,8 +13,8 @@ export const policyWorker = Comlink.wrap<CustomPolicy>(
type: 'module',
deno: {
permissions: {
read: [Conf.policy],
write: false,
read: [Conf.denoDir, Conf.policy, Conf.dataDir],
write: [Conf.dataDir],
net: 'inherit',
env: false,
},
@@ -24,7 +24,12 @@ export const policyWorker = Comlink.wrap<CustomPolicy>(
);
try {
await policyWorker.init(Conf.policy, Conf.databaseUrl, Conf.pubkey);
await policyWorker.init({
path: Conf.policy,
cwd: Deno.cwd(),
databaseUrl: Conf.databaseUrl,
adminPubkey: Conf.pubkey,
});
console.debug(`Using custom policy: ${Conf.policy}`);
} catch (e) {
if (e.message.includes('Module not found')) {

18
src/workers/policy.worker.ts
View File

@@ -6,6 +6,18 @@ import * as Comlink from 'comlink';
import { DittoDB } from '@/db/DittoDB.ts';
import { EventsDB } from '@/storages/EventsDB.ts';
/** Serializable object the worker can use to set up the state. */
interface PolicyInit {
/** Path to the policy module (https, jsr, file, etc) */
path: string;
/** Current working directory. */
cwd: string;
/** Database URL to connect to. */
databaseUrl: string;
/** Admin pubkey to use for EventsDB checks. */
adminPubkey: string;
}
export class CustomPolicy implements NPolicy {
private policy: NPolicy = new ReadOnlyPolicy();
@@ -14,7 +26,11 @@ export class CustomPolicy implements NPolicy {
return this.policy.call(event);
}
async init(path: string, databaseUrl: string, adminPubkey: string): Promise<void> {
async init({ path, cwd, databaseUrl, adminPubkey }: PolicyInit): Promise<void> {
// HACK: PGlite uses `path.resolve`, which requires read permission on Deno (which we don't want to give).
// We can work around this getting the cwd from the caller and overwriting `Deno.cwd`.
Deno.cwd = () => cwd;
const { kysely } = DittoDB.create(databaseUrl, { poolSize: 1 });
const store = new EventsDB({