The needsPermission function returns a middleware that handles the request before it reaches your test.get function. That middleware checks if the user making the request has the required permission.
You don't have to predefined the permission anywhere. As long as the permission string takes the form XYZ.read or XYZ.write then it will work as expected.
As per the docs users either have the permission read or *. If it is read then they are allowed to access anything with a XYZ.read permission. If it's * then they can access everything.
The reason for the XYZ part of the permission is to identify the type of resource being accessed - which allows for some finer-grained permissions. For example, a user couple have a permission of ["read", "inject.write"] - this would allow them read-only access to the editor, but would be able to trigger any inject nodes.
