11cb0ef41Sopenharmony_ci'use strict';
21cb0ef41Sopenharmony_ciconst common = require('../common');
31cb0ef41Sopenharmony_ciif (process.platform !== 'darwin')
41cb0ef41Sopenharmony_ci  common.skip('App Sandbox is only available on Darwin');
51cb0ef41Sopenharmony_ciif (process.config.variables.node_builtin_modules_path)
61cb0ef41Sopenharmony_ci  common.skip('App Sandbox cannot load modules from outside the sandbox');
71cb0ef41Sopenharmony_ci
81cb0ef41Sopenharmony_ciconst fixtures = require('../common/fixtures');
91cb0ef41Sopenharmony_ciconst tmpdir = require('../common/tmpdir');
101cb0ef41Sopenharmony_ciconst assert = require('assert');
111cb0ef41Sopenharmony_ciconst child_process = require('child_process');
121cb0ef41Sopenharmony_ciconst path = require('path');
131cb0ef41Sopenharmony_ciconst fs = require('fs');
141cb0ef41Sopenharmony_ciconst os = require('os');
151cb0ef41Sopenharmony_ci
161cb0ef41Sopenharmony_ciconst nodeBinary = process.execPath;
171cb0ef41Sopenharmony_ci
181cb0ef41Sopenharmony_citmpdir.refresh();
191cb0ef41Sopenharmony_ci
201cb0ef41Sopenharmony_ciconst appBundlePath = path.join(tmpdir.path, 'node_sandboxed.app');
211cb0ef41Sopenharmony_ciconst appBundleContentPath = path.join(appBundlePath, 'Contents');
221cb0ef41Sopenharmony_ciconst appExecutablePath = path.join(
231cb0ef41Sopenharmony_ci  appBundleContentPath, 'MacOS', 'node');
241cb0ef41Sopenharmony_ci
251cb0ef41Sopenharmony_ci// Construct the app bundle and put the node executable in it:
261cb0ef41Sopenharmony_ci// node_sandboxed.app/
271cb0ef41Sopenharmony_ci// └── Contents
281cb0ef41Sopenharmony_ci//     ├── Info.plist
291cb0ef41Sopenharmony_ci//     ├── MacOS
301cb0ef41Sopenharmony_ci//     │   └── node
311cb0ef41Sopenharmony_cifs.mkdirSync(appBundlePath);
321cb0ef41Sopenharmony_cifs.mkdirSync(appBundleContentPath);
331cb0ef41Sopenharmony_cifs.mkdirSync(path.join(appBundleContentPath, 'MacOS'));
341cb0ef41Sopenharmony_cifs.copyFileSync(
351cb0ef41Sopenharmony_ci  fixtures.path('macos-app-sandbox', 'Info.plist'),
361cb0ef41Sopenharmony_ci  path.join(appBundleContentPath, 'Info.plist'));
371cb0ef41Sopenharmony_cifs.copyFileSync(
381cb0ef41Sopenharmony_ci  nodeBinary,
391cb0ef41Sopenharmony_ci  appExecutablePath);
401cb0ef41Sopenharmony_ci
411cb0ef41Sopenharmony_ci
421cb0ef41Sopenharmony_ci// Sign the app bundle with sandbox entitlements:
431cb0ef41Sopenharmony_ciassert.strictEqual(
441cb0ef41Sopenharmony_ci  child_process.spawnSync('/usr/bin/codesign', [
451cb0ef41Sopenharmony_ci    '--entitlements', fixtures.path(
461cb0ef41Sopenharmony_ci      'macos-app-sandbox', 'node_sandboxed.entitlements'),
471cb0ef41Sopenharmony_ci    '--force', '-s', '-',
481cb0ef41Sopenharmony_ci    appBundlePath,
491cb0ef41Sopenharmony_ci  ]).status,
501cb0ef41Sopenharmony_ci  0);
511cb0ef41Sopenharmony_ci
521cb0ef41Sopenharmony_ci// Sandboxed app shouldn't be able to read the home dir
531cb0ef41Sopenharmony_ciassert.notStrictEqual(
541cb0ef41Sopenharmony_ci  child_process.spawnSync(appExecutablePath, [
551cb0ef41Sopenharmony_ci    '-e', 'fs.readdirSync(process.argv[1])', os.homedir(),
561cb0ef41Sopenharmony_ci  ]).status,
571cb0ef41Sopenharmony_ci  0);
581cb0ef41Sopenharmony_ci
591cb0ef41Sopenharmony_ciif (process.stdin.isTTY) {
601cb0ef41Sopenharmony_ci  // Run the sandboxed node instance with inherited tty stdin
611cb0ef41Sopenharmony_ci  const spawnResult = child_process.spawnSync(
621cb0ef41Sopenharmony_ci    appExecutablePath, ['-e', ''],
631cb0ef41Sopenharmony_ci    { stdio: 'inherit' }
641cb0ef41Sopenharmony_ci  );
651cb0ef41Sopenharmony_ci
661cb0ef41Sopenharmony_ci  assert.strictEqual(spawnResult.signal, null);
671cb0ef41Sopenharmony_ci}
68