refactor(permissions): split up Descriptor into Allow, Deny, and Query (#25508)

This makes the permission system more versatile.

1 files changed, 39 insertions, 14 deletions

diff --git a/cli/factory.rs b/cli/factory.rs
index 1ec2104ed..fe6d5b92a 100644
--- a/cli/factory.rs
+++ b/cli/factory.rs
@@ -65,10 +65,13 @@ use deno_core::FeatureChecker;
 use deno_runtime::deno_fs;
 use deno_runtime::deno_node::DenoFsNodeResolverEnv;
 use deno_runtime::deno_node::NodeResolver;
+use deno_runtime::deno_permissions::Permissions;
+use deno_runtime::deno_permissions::PermissionsContainer;
 use deno_runtime::deno_tls::rustls::RootCertStore;
 use deno_runtime::deno_tls::RootCertStoreProvider;
 use deno_runtime::deno_web::BlobStore;
 use deno_runtime::inspector_server::InspectorServer;
+use deno_runtime::permissions::RuntimePermissionDescriptorParser;
 use log::warn;
 use node_resolver::analyze::NodeCodeTranslator;
 use once_cell::sync::OnceCell;
@@ -181,6 +184,7 @@ struct CliFactoryServices {
   node_code_translator: Deferred<Arc<CliNodeCodeTranslator>>,
   node_resolver: Deferred<Arc<NodeResolver>>,
   npm_resolver: Deferred<Arc<dyn CliNpmResolver>>,
+  permission_desc_parser: Deferred<Arc<RuntimePermissionDescriptorParser>>,
   sloppy_imports_resolver: Deferred<Option<Arc<SloppyImportsResolver>>>,
   text_only_progress_bar: Deferred<ProgressBar>,
   type_checker: Deferred<Arc<TypeChecker>>,
@@ -708,6 +712,15 @@ impl CliFactory {
       .await
   }
 
+  pub fn permission_desc_parser(
+    &self,
+  ) -> Result<&Arc<RuntimePermissionDescriptorParser>, AnyError> {
+    self.services.permission_desc_parser.get_or_try_init(|| {
+      let fs = self.fs().clone();
+      Ok(Arc::new(RuntimePermissionDescriptorParser::new(fs)))
+    })
+  }
+
   pub fn feature_checker(&self) -> Result<&Arc<FeatureChecker>, AnyError> {
     self.services.feature_checker.get_or_try_init(|| {
       let cli_options = self.cli_options()?;
@@ -739,6 +752,17 @@ impl CliFactory {
     ))
   }
 
+  pub fn create_permissions_container(
+    &self,
+  ) -> Result<PermissionsContainer, AnyError> {
+    let desc_parser = self.permission_desc_parser()?.clone();
+    let permissions = Permissions::from_options(
+      desc_parser.as_ref(),
+      &self.cli_options()?.permissions_options(),
+    )?;
+    Ok(PermissionsContainer::new(desc_parser, permissions))
+  }
+
   pub async fn create_cli_main_worker_factory(
     &self,
   ) -> Result<CliMainWorkerFactory, AnyError> {
@@ -754,11 +778,17 @@ impl CliFactory {
     };
 
     Ok(CliMainWorkerFactory::new(
-      StorageKeyResolver::from_options(cli_options),
-      cli_options.sub_command().clone(),
-      npm_resolver.clone(),
-      node_resolver.clone(),
       self.blob_store().clone(),
+      if cli_options.code_cache_enabled() {
+        Some(self.code_cache()?.clone())
+      } else {
+        None
+      },
+      self.feature_checker()?.clone(),
+      self.fs().clone(),
+      maybe_file_watcher_communicator,
+      self.maybe_inspector_server()?.clone(),
+      cli_options.maybe_lockfile().cloned(),
       Box::new(CliModuleLoaderFactory::new(
         cli_options,
         if cli_options.code_cache_enabled() {
@@ -779,17 +809,12 @@ impl CliFactory {
         self.parsed_source_cache().clone(),
         self.resolver().await?.clone(),
       )),
+      node_resolver.clone(),
+      npm_resolver.clone(),
+      self.permission_desc_parser()?.clone(),
       self.root_cert_store_provider().clone(),
-      self.fs().clone(),
-      maybe_file_watcher_communicator,
-      self.maybe_inspector_server()?.clone(),
-      cli_options.maybe_lockfile().cloned(),
-      self.feature_checker()?.clone(),
-      if cli_options.code_cache_enabled() {
-        Some(self.code_cache()?.clone())
-      } else {
-        None
-      },
+      StorageKeyResolver::from_options(cli_options),
+      cli_options.sub_command().clone(),
       self.create_cli_main_worker_options()?,
     ))
   }