tauri-apps · lucasfernog · Feb 19, 2024 · Feb 6, 2024 · Feb 6, 2024 · Feb 6, 2024
diff --git a/.changes/capabilities-tauri-conf.md b/.changes/capabilities-tauri-conf.md
@@ -0,0 +1,7 @@
+---
+"tauri-build": patch:breaking
+"tauri-utils": patch:enhance
+"tauri-codegen": patch:enhance
+---
+
+Added a new configuration option `tauri.conf.json > app > security > capabilities` to reference existing capabilities and inline new ones. If it is empty, all capabilities are still included preserving the current behavior.
@@ -0,0 +1,6 @@
+---
+"tauri-macros": patch:enhance
+"tauri-codegen": patch:enhance
+---
+
+The `generate_context` proc macro now accepts a `capabilities` attribute where the value is an array of file paths that can be [conditionally compiled](https://doc.rust-lang.org/reference/conditional-compilation.html). These capabilities are added to the application along the capabilities defined in the Tauri configuration file.
@@ -0,0 +1,5 @@
+---
+"tauri-utils": patch:enhance
+---
+
+The `Context` struct now includes the runtime authority instead of the resolved ACL. This does not impact most applications.
@@ -0,0 +1,5 @@
+---
+"tauri-build": patch:enhance
+---
+
+Added `CodegenContext::capability` to include a capability file dynamically.
@@ -0,0 +1,5 @@
+---
+"tauri-utils": patch:enhance
+---
+
+Refactored the capability types and resolution algorithm.
diff --git a/.changes/update-app-template-capabilities-conf.md b/.changes/update-app-template-capabilities-conf.md
@@ -0,0 +1,6 @@
+---
+"@tauri-apps/cli": patch:enhance
+"tauri-cli": patch:enhance
+---
+
+Update app template following capabilities configuration change.
@@ -17,7 +17,10 @@ use schemars::{
   schema_for,
 };
 use tauri_utils::{
-  acl::{build::CapabilityFile, capability::Capability, plugin::Manifest},
+  acl::{
+    capability::{Capability, CapabilityFile},
+    plugin::Manifest,
+  },
   platform::Target,
 };
 

@@ -7,9 +7,9 @@ use std::{
   env::var,
   fs::{create_dir_all, File},
   io::{BufWriter, Write},
-  path::PathBuf,
+  path::{Path, PathBuf},
 };
-use tauri_codegen::{context_codegen, ContextData};
+use tauri_codegen::{context_codegen, Capabilities, ContextData};
 use tauri_utils::config::FrontendDist;
 
 // TODO docs
@@ -20,6 +20,7 @@ pub struct CodegenContext {
   dev: bool,
   config_path: PathBuf,
   out_file: PathBuf,
+  capabilities: Option<Vec<PathBuf>>,
 }
 
 impl Default for CodegenContext {
@@ -28,6 +29,7 @@ impl Default for CodegenContext {
       dev: false,
       config_path: PathBuf::from("tauri.conf.json"),
       out_file: PathBuf::from("tauri-build-context.rs"),
+      capabilities: None,
     }
   }
 }
@@ -74,6 +76,16 @@ impl CodegenContext {
     self
   }
 
+  /// Adds a capability file to the generated context.
+  #[must_use]
+  pub fn capability<P: AsRef<Path>>(mut self, path: P) -> Self {
+    self
+      .capabilities
+      .get_or_insert_with(Default::default)
+      .push(path.as_ref().to_path_buf());
+    self
+  }
+
   /// Generate the code and write it to the output file - returning the path it was saved to.
   ///
   /// Unless you are doing something special with this builder, you don't need to do anything with
@@ -125,6 +137,7 @@ impl CodegenContext {
       // it's very hard to have a build script for unit tests, so assume this is always called from
       // outside the tauri crate, making the ::tauri root valid.
       root: quote::quote!(::tauri),
+      capabilities: self.capabilities.map(Capabilities::FromFiles),
     })?;
 
     // get the full output file path

diff --git a/core/tauri-build/src/lib.rs b/core/tauri-build/src/lib.rs
@@ -478,6 +478,7 @@ pub fn try_build(attributes: Attributes) -> Result<()> {
     out_dir.join(PLUGIN_MANIFESTS_FILE_NAME),
     serde_json::to_string(&plugin_manifests)?,
   )?;
+
   let capabilities = if let Some(pattern) = attributes.capabilities_path_pattern {
     parse_capabilities(pattern)?
   } else {

@@ -17,6 +17,7 @@ sha2 = "0.10"
 base64 = "0.21"
 proc-macro2 = "1"
 quote = "1"
+syn = "2"
 serde = { version = "1", features = [ "derive" ] }
 serde_json = "1"
 tauri-utils = { version = "2.0.0-beta.1", path = "../tauri-utils", features = [ "build" ] }

@@ -3,23 +3,26 @@
 // SPDX-License-Identifier: MIT
 
 use std::collections::BTreeMap;
+use std::convert::identity;
 use std::path::{Path, PathBuf};
 use std::{ffi::OsStr, str::FromStr};
 
 use base64::Engine;
 use proc_macro2::TokenStream;
-use quote::quote;
+use quote::{quote, TokenStreamExt};
 use sha2::{Digest, Sha256};
 
-use tauri_utils::acl::capability::Capability;
+use syn::Attribute;
+use tauri_utils::acl::capability::{Capability, CapabilityFile};
 use tauri_utils::acl::plugin::Manifest;
 use tauri_utils::acl::resolved::Resolved;
 use tauri_utils::assets::AssetKey;
-use tauri_utils::config::{Config, FrontendDist, PatternKind};
+use tauri_utils::config::{CapabilityEntry, Config, FrontendDist, PatternKind};
 use tauri_utils::html::{
   inject_nonce_token, parse as parse_html, serialize_node as serialize_html_node,
 };
 use tauri_utils::platform::Target;
+use tauri_utils::tokens::{map_lit, str_lit};
 
 use crate::embedded_assets::{AssetOptions, CspHashes, EmbeddedAssets, EmbeddedAssetsError};
 
@@ -32,6 +35,23 @@ pub struct ContextData {
   pub config: Config,
   pub config_parent: PathBuf,
   pub root: TokenStream,
+  pub capabilities: Option<Capabilities>,
+}
+
+/// Additional capabilities to include.
+pub enum Capabilities {
+  /// Capabilities from Rust tokens.
+  FromTokens(Vec<CapabilityToken>),
+  /// Capabilities from files.
+  FromFiles(Vec<PathBuf>),
+}
+
+/// Capability that was parsed from a stream of Rust tokens.
+pub struct CapabilityToken {
+  /// Attributes.
+  pub attrs: Vec<Attribute>,
+  /// Path to the capability file.
+  pub path: String,
 }
 
 fn map_core_assets(
@@ -126,6 +146,7 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
     config,
     config_parent,
     root,
+    capabilities: additional_capabilities,
   } = data;
 
   let target = std::env::var("TARGET")
@@ -381,15 +402,92 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
   };
 
   let capabilities_file_path = out_dir.join(CAPABILITIES_FILE_NAME);
-  let capabilities: BTreeMap<String, Capability> = if capabilities_file_path.exists() {
+  let mut capabilities_from_files: BTreeMap<String, Capability> = if capabilities_file_path.exists()
+  {
     let capabilities_file =
       std::fs::read_to_string(capabilities_file_path).expect("failed to read capabilities");
     serde_json::from_str(&capabilities_file).expect("failed to parse capabilities")
   } else {
     Default::default()
   };
 
-  let resolved_acl = Resolved::resolve(acl, capabilities, target).expect("failed to resolve ACL");
+  let capabilities = if config.app.security.capabilities.is_empty() {
+    capabilities_from_files
+  } else {
+    let mut capabilities = BTreeMap::new();
+    for capability_entry in &config.app.security.capabilities {
+      match capability_entry {
+        CapabilityEntry::Inlined(capability) => {
+          capabilities.insert(capability.identifier.clone(), capability.clone());
+        }
+        CapabilityEntry::Reference(id) => {
+          let capability = capabilities_from_files
+            .remove(id)
+            .unwrap_or_else(|| panic!("capability with identifier {id} not found"));
+          capabilities.insert(id.clone(), capability);
+        }
+      }
+    }
+    capabilities
+  };
+
+  let acl_tokens = map_lit(
+    quote! { ::std::collections::BTreeMap },
+    &acl,
+    str_lit,
+    identity,
+  );
+
+  let runtime_authority = match additional_capabilities {
+    Some(Capabilities::FromFiles(paths)) => {
+      let mut capabilities = capabilities;
+
+      for path in paths {
+        let capability = CapabilityFile::load(&path)
+          .unwrap_or_else(|e| panic!("failed to read capability {}: {e}", path.display()));
+        match capability {
+          CapabilityFile::Capability(c) => {
+            capabilities.insert(c.identifier.clone(), c);
+          }
+          CapabilityFile::List {
+            capabilities: capabilities_list,
+          } => {
+            capabilities.extend(
+              capabilities_list
+                .into_iter()
+                .map(|c| (c.identifier.clone(), c)),
+            );
+          }
+        }
+      }
+
+      let resolved = Resolved::resolve(&acl, capabilities, target).expect("failed to resolve ACL");
+      quote!(#root::ipc::RuntimeAuthority::new(#acl_tokens, #resolved))
+    }
+    Some(Capabilities::FromTokens(tokens)) => {
+      let resolved = Resolved::resolve(&acl, capabilities, target).expect("failed to resolve ACL");
+
+      let mut additions = quote!();
+
+      for CapabilityToken { attrs, path } in tokens {
+        let path = path.as_str();
+        additions.append_all(quote!(
+          #(#attrs),*
+          authority.add_capability(include_str!(#path).parse().expect("invalid capability file")).expect("failed to add capability");
+        ));
+      }
+
+      quote!({
+        let mut authority = #root::ipc::RuntimeAuthority::new(#acl_tokens, #resolved);
+        #additions
+        authority
+      })
+    }
+    None => {
+      let resolved = Resolved::resolve(&acl, capabilities, target).expect("failed to resolve ACL");
+      quote!(#root::ipc::RuntimeAuthority::new(#acl_tokens, #resolved))
+    }
+  };
 
   Ok(quote!({
     #[allow(unused_mut, clippy::let_and_return)]
@@ -401,7 +499,7 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
       #package_info,
       #info_plist,
       #pattern,
-      #resolved_acl
+      #runtime_authority
     );
     #with_tray_icon_code
     context

diff --git a/core/tauri-codegen/src/lib.rs b/core/tauri-codegen/src/lib.rs
@@ -12,7 +12,7 @@
   html_favicon_url = "https://github.com/tauri-apps/tauri/raw/dev/app-icon.png"
 )]
 
-pub use self::context::{context_codegen, ContextData};
+pub use self::context::{context_codegen, Capabilities, CapabilityToken, ContextData};
 use std::{
   borrow::Cow,
   path::{Path, PathBuf},