quic: support --allow-net permissions

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode:Opus 4.6

Author: jasnell

doc/api/quic.md

@@ -23,6 +23,24 @@ const quic = require('node:quic');
 
 The module is only available under the `node:` scheme.
 
+## Permission model
+
+When using the [Permission Model][], the `--allow-net` flag must be passed to
+allow QUIC network operations. Without it, calling [`quic.connect()`][] or
+[`quic.listen()`][] will throw an `ERR_ACCESS_DENIED` error.
+
+```console
+$ node --permission --allow-fs-read=* --experimental-quic index.mjs
+Error: Access to this API has been restricted. Use --allow-net to manage permissions.
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'Net',
+}
+```
+
+Creating a [`QuicEndpoint`][] instance without connecting or listening
+is permitted even without `--allow-net`, since no network I/O occurs until
+[`quic.connect()`][] or [`quic.listen()`][] is called.
+
 ## `quic.connect(address[, options])`
 
 <!-- YAML
@@ -3492,8 +3510,10 @@ throughput issues caused by flow control.
 [Callback error handling]: #callback-error-handling
 [JSON-SEQ]: https://www.rfc-editor.org/rfc/rfc7464
 [NSS Key Log Format]: https://udn.realityripple.com/docs/Mozilla/Projects/NSS/Key_Log_Format
+[Permission Model]: permissions.md#permission-model
 [`PerformanceEntry`]: perf_hooks.md#class-performanceentry
 [`PerformanceObserver`]: perf_hooks.md#class-performanceobserver
+[`QuicEndpoint`]: #class-quicendpoint
 [`QuicError`]: #class-quicerror
 [`application.enableConnectProtocol`]: #sessionoptionsapplication
 [`application.enableDatagrams`]: #sessionoptionsapplication

src/quic/endpoint.cc

@@ -11,6 +11,7 @@
 #include <node_external_reference.h>
 #include <node_process-inl.h>
 #include <node_sockaddr-inl.h>
+#include <permission/permission.h>
 #include <timer_wrap-inl.h>
 #include <util-inl.h>
 #include <uv.h>
@@ -1745,6 +1746,11 @@ JS_METHOD_IMPL(Endpoint::DoConnect) {
   SocketAddressBase* address;
   ASSIGN_OR_RETURN_UNWRAP(&address, args[0]);
 
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env,
+      permission::PermissionScope::kNet,
+      address->address()->ToString());
+
   DCHECK(args[1]->IsObject());
   Session::Options options;
   if (!Session::Options::From(env, args[1]).To(&options)) {
@@ -1771,6 +1777,9 @@ JS_METHOD_IMPL(Endpoint::DoListen) {
   ASSIGN_OR_RETURN_UNWRAP(&endpoint, args.This());
   auto env = Environment::GetCurrent(args);
 
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kNet, "");
+
   Session::Options options;
   if (Session::Options::From(env, args[0]).To(&options)) {
     endpoint->Listen(options);

test/parallel/test-permission-net-quic.mjs

@@ -0,0 +1,50 @@
+// Flags: --permission --allow-fs-read=* --experimental-quic --no-warnings
+import { hasQuic, skip, mustNotCall } from '../common/index.mjs';
+import assert from 'node:assert';
+import { createPrivateKey } from 'node:crypto';
+import * as fixtures from '../common/fixtures.mjs';
+
+if (!hasQuic) {
+  skip('QUIC is not enabled');
+}
+
+const { connect, listen, QuicEndpoint } = await import('node:quic');
+
+// Verify that the permission system correctly reports no net access.
+assert.ok(!process.permission.has('net'));
+
+const key = createPrivateKey(fixtures.readKey('agent1-key.pem'));
+const cert = fixtures.readKey('agent1-cert.pem');
+
+// Test: connect() should reject with ERR_ACCESS_DENIED
+{
+  await assert.rejects(
+    connect('127.0.0.1:12345', { alpn: 'h3' }),
+    {
+      code: 'ERR_ACCESS_DENIED',
+      permission: 'Net',
+    },
+  );
+}
+
+// Test: listen() should throw ERR_ACCESS_DENIED
+{
+  await assert.rejects(
+    listen(mustNotCall('onsession should not be called'), {
+      alpn: ['h3'],
+      sni: { '*': { keys: [key], certs: [cert] } },
+    }),
+    {
+      code: 'ERR_ACCESS_DENIED',
+      permission: 'Net',
+    },
+  );
+}
+
+// Test: Creating a QuicEndpoint without connect/listen is allowed
+// since no network I/O occurs at construction time.
+{
+  const endpoint = new QuicEndpoint();
+  // The endpoint exists but has not performed any network operations.
+  await endpoint.close();
+}