refactor(acl): permission and capability platforms are optional (#9115)

* refactor(acl): permission and capability platforms are optional

* add iterator version

* fix build

---------

Co-authored-by: Amr Bashir <amr.bashir2015@gmail.com>

Author: lucasfernog

.changes/acl-platform-refactor.md

@@ -0,0 +1,8 @@
+---
+"tauri-utils": patch:enhance
+"tauri": patch:enhance
+"tauri-cli": patch:enhance
+"@tauri-apps/cli": patch:enhance
+---
+
+Changed the permission and capability platforms to be optional.

.changes/capability-builder-platform.md

@@ -0,0 +1,5 @@
+---
+"tauri": patch:feat
+---
+
+Added `CapabilityBuilder::platform` to link the runtime capability with a specific platform.

core/tauri-build/src/acl.rs

@@ -452,7 +452,12 @@ pub fn validate_capabilities(
   let target = tauri_utils::platform::Target::from_triple(&std::env::var("TARGET").unwrap());
 
   for capability in capabilities.values() {
-    if !capability.platforms.contains(&target) {
+    if !capability
+      .platforms
+      .as_ref()
+      .map(|platforms| platforms.contains(&target))
+      .unwrap_or(true)
+    {
       continue;
     }
 

core/tauri-config-schema/schema.json

@@ -1072,8 +1072,7 @@
       "type": "object",
       "required": [
         "identifier",
-        "permissions",
-        "windows"
+        "permissions"
       ],
       "properties": {
         "identifier": {
@@ -1124,14 +1123,10 @@
         },
         "platforms": {
           "description": "Target platforms this capability applies. By default all platforms are affected by this capability.",
-          "default": [
-            "linux",
-            "macOS",
-            "windows",
-            "android",
-            "iOS"
+          "type": [
+            "array",
+            "null"
           ],
-          "type": "array",
           "items": {
             "$ref": "#/definitions/Target"
           }

core/tauri-utils/src/acl/capability.rs

@@ -65,6 +65,7 @@ pub struct Capability {
   /// List of windows that uses this capability. Can be a glob pattern.
   ///
   /// On multiwebview windows, prefer [`Self::webviews`] for a fine grained access control.
+  #[serde(default, skip_serializing_if = "Vec::is_empty")]
   pub windows: Vec<String>,
   /// List of webviews that uses this capability. Can be a glob pattern.
   ///
@@ -75,24 +76,14 @@ pub struct Capability {
   /// List of permissions attached to this capability. Must include the plugin name as prefix in the form of `${plugin-name}:${permission-name}`.
   pub permissions: Vec<PermissionEntry>,
   /// Target platforms this capability applies. By default all platforms are affected by this capability.
-  #[serde(default = "default_platforms", skip_serializing_if = "Vec::is_empty")]
-  pub platforms: Vec<Target>,
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub platforms: Option<Vec<Target>>,
 }
 
 fn default_capability_local() -> bool {
   true
 }
 
-fn default_platforms() -> Vec<Target> {
-  vec![
-    Target::Linux,
-    Target::MacOS,
-    Target::Windows,
-    Target::Android,
-    Target::Ios,
-  ]
-}
-
 /// Configuration for remote URLs that are associated with the capability.
 #[derive(Debug, Default, Clone, Serialize, Deserialize, Eq, PartialEq, PartialOrd, Ord, Hash)]
 #[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
@@ -190,7 +181,7 @@ mod build {
       let local = self.local;
       let windows = vec_lit(&self.windows, str_lit);
       let permissions = vec_lit(&self.permissions, identity);
-      let platforms = vec_lit(&self.platforms, identity);
+      let platforms = opt_vec_lit(self.platforms.as_ref(), identity);
 
       literal_struct!(
         tokens,

core/tauri-utils/src/acl/mod.rs

@@ -176,18 +176,8 @@ pub struct Permission {
   pub scope: Scopes,
 
   /// Target platforms this permission applies. By default all platforms are affected by this permission.
-  #[serde(default = "default_platforms", skip_serializing_if = "Vec::is_empty")]
-  pub platforms: Vec<Target>,
-}
-
-fn default_platforms() -> Vec<Target> {
-  vec![
-    Target::Linux,
-    Target::MacOS,
-    Target::Windows,
-    Target::Android,
-    Target::Ios,
-  ]
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub platforms: Option<Vec<Target>>,
 }
 
 /// A set of direct permissions grouped together under a new name.
@@ -313,7 +303,7 @@ mod build_ {
       let description = opt_str_lit(self.description.as_ref());
       let commands = &self.commands;
       let scope = &self.scope;
-      let platforms = vec_lit(&self.platforms, identity);
+      let platforms = opt_vec_lit(self.platforms.as_ref(), identity);
 
       literal_struct!(
         tokens,

core/tauri-utils/src/acl/resolved.rs

@@ -92,7 +92,12 @@ impl Resolved {
 
     // resolve commands
     for capability in capabilities.values() {
-      if !capability.platforms.contains(&target) {
+      if !capability
+        .platforms
+        .as_ref()
+        .map(|platforms| platforms.contains(&target))
+        .unwrap_or(true)
+      {
         continue;
       }
 
@@ -222,7 +227,12 @@ fn with_resolved_permissions<F: FnMut(ResolvedPermission<'_>) -> Result<(), Erro
 
     let permissions = get_permissions(key, permission_name, acl)?
       .into_iter()
-      .filter(|p| p.platforms.contains(&target))
+      .filter(|p| {
+        p.platforms
+          .as_ref()
+          .map(|platforms| platforms.contains(&target))
+          .unwrap_or(true)
+      })
       .collect::<Vec<_>>();
 
     let mut resolved_scope = Scopes::default();

core/tauri/src/ipc/authority.rs

@@ -19,6 +19,7 @@ use tauri_utils::acl::{
   resolved::{Resolved, ResolvedCommand, ResolvedScope, ScopeKey},
   ExecutionContext, Scopes,
 };
+use tauri_utils::platform::Target;
 
 use url::Url;
 
@@ -93,7 +94,7 @@ impl CapabilityBuilder {
       windows: Vec::new(),
       webviews: Vec::new(),
       permissions: Vec::new(),
-      platforms: Vec::new(),
+      platforms: None,
     })
   }
 
@@ -193,6 +194,30 @@ impl CapabilityBuilder {
       .push(PermissionEntry::ExtendedPermission { identifier, scope });
     self
   }
+
+  /// Adds a target platform for this capability.
+  ///
+  /// By default all platforms are applied.
+  pub fn platform(mut self, platform: Target) -> Self {
+    self
+      .0
+      .platforms
+      .get_or_insert_with(Default::default)
+      .push(platform);
+    self
+  }
+
+  /// Adds target platforms for this capability.
+  ///
+  /// By default all platforms are applied.
+  pub fn platforms(mut self, platforms: impl IntoIterator<Item = Target>) -> Self {
+    self
+      .0
+      .platforms
+      .get_or_insert_with(Default::default)
+      .extend(platforms);
+    self
+  }
 }
 
 impl RuntimeCapability for CapabilityBuilder {

tooling/cli/schema.json

@@ -1072,8 +1072,7 @@
       "type": "object",
       "required": [
         "identifier",
-        "permissions",
-        "windows"
+        "permissions"
       ],
       "properties": {
         "identifier": {
@@ -1124,14 +1123,10 @@
         },
         "platforms": {
           "description": "Target platforms this capability applies. By default all platforms are affected by this capability.",
-          "default": [
-            "linux",
-            "macOS",
-            "windows",
-            "android",
-            "iOS"
+          "type": [
+            "array",
+            "null"
           ],
-          "type": "array",
           "items": {
             "$ref": "#/definitions/Target"
           }

tooling/cli/src/acl/capability/new.rs

@@ -100,7 +100,7 @@ pub fn command(options: Options) -> Result<()> {
         )
       })
       .collect(),
-    platforms: Vec::new(),
+    platforms: None,
   };
 
   let path = match options.out {