author | David Sherret <dsherret@users.noreply.github.com> | 2024-09-16 21:39:37 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-16 21:39:37 +0100 |
commit | 62e952559f600e72d7498c9b12f906cb0b1ba150 (patch) | |
tree | 6dbcce6592973358ef4bf6341888b0bbbdb98cc5 /runtime/ops/permissions.rs | |
parent | e0b9c745c15720914f14996bf357d5b375e2dbd8 (diff) |
refactor(permissions): split up Descriptor into Allow, Deny, and Query (#25508)
This makes the permission system more versatile.
Diffstat (limited to 'runtime/ops/permissions.rs')
-rw-r--r-- | runtime/ops/permissions.rs | 160 |
1 files changed, 140 insertions, 20 deletions
diff --git a/runtime/ops/permissions.rs b/runtime/ops/permissions.rs
index e6974efad..9b46dd019 100644
--- a/runtime/ops/permissions.rs
+++ b/runtime/ops/permissions.rs
@@ -1,7 +1,7 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 use ::deno_permissions::parse_sys_kind;
-use ::deno_permissions::NetDescriptor;
+use ::deno_permissions::PermissionDescriptorParser;
 use ::deno_permissions::PermissionState;
 use ::deno_permissions::PermissionsContainer;
 use deno_core::error::custom_error;
@@ -10,7 +10,7 @@ use deno_core::op2;
 use deno_core::OpState;
 use serde::Deserialize;
 use serde::Serialize;
-use std::path::Path;
+use std::sync::Arc;
 deno_core::extension!(
 deno_permissions,
@@ -19,6 +19,12 @@ deno_core::extension!(
 op_revoke_permission,
 op_request_permission,
 ],
+ options = {
+ permission_desc_parser: Arc<dyn PermissionDescriptorParser>,
+ },
+ state = |state, options| {
+ state.put(options.permission_desc_parser);
+ },
 );
 #[derive(Deserialize)]
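Review bot: The `state` closure added to `deno_core::extension!` puts a copy of the descriptor parser into `OpState`, yet the three ops changed in this file read `permissions_container.descriptor_parser` instead, so the visible code has two sources for the object that decides how a permission string is interpreted. None of the hunks shown reads the state entry, and nothing visible ties the two together; if an embedder passes the extension a parser different from the one held by `PermissionsContainer`, checks made through each could disagree. I would add a comment at the `state.put` call, for example `// Must be the same parser instance held by PermissionsContainer; the ops below still read the container's copy.`, or leave the option out until an op actually takes the parser from state.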
@@ -56,15 +62,37 @@ pub fn op_query_permission(
 state: &mut OpState,
 #[serde] args: PermissionArgs,
 ) -> Result<PermissionStatus, AnyError> {
- let permissions = state.borrow::<PermissionsContainer>().0.lock();
+ let permissions_container = state.borrow::<PermissionsContainer>();
+ // todo(dsherret): don't have this function use the properties of
+ // permission container
+ let desc_parser = &permissions_container.descriptor_parser;
+ let permissions = permissions_container.inner.lock();
 let path = args.path.as_deref();
 let perm = match args.name.as_ref() {
- "read" => permissions.read.query(path.map(Path::new)),
- "write" => permissions.write.query(path.map(Path::new)),
+ "read" => permissions.read.query(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_read(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
+ "write" => permissions.write.query(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_write(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
 "net" => permissions.net.query(
 match args.host.as_deref() {
 None => None,
- Some(h) => Some(NetDescriptor::parse(h)?),
+ Some(h) => Some(desc_parser.parse_net_descriptor(h)?),
 }
 .as_ref(),
 ),
@@ -72,8 +100,24 @@ pub fn op_query_permission(
 "sys" => permissions
 .sys
 .query(args.kind.as_deref().map(parse_sys_kind).transpose()?),
- "run" => permissions.run.query(args.command.as_deref()),
- "ffi" => permissions.ffi.query(args.path.as_deref().map(Path::new)),
+ "run" => permissions.run.query(
+ args
+ .command
+ .as_deref()
+ .map(|request| desc_parser.parse_run_query(request))
+ .transpose()?
+ .as_ref(),
+ ),
+ "ffi" => permissions.ffi.query(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_ffi(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
 n => {
 return Err(custom_error(
 "ReferenceError",
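Review bot: The path-parsing closure in the `"read"` and `"write"` arms is written out in full each time and differs only in the final `into_read()` / `into_write()` call; the same shape recurs in the `"ffi"` arm of the next hunk and in `op_revoke_permission` and `op_request_permission`, nine copies in all. In permission code, a later fix applied to one copy and missed in another leaves arms that interpret the same path differently. Assuming the error type of `parse_path_query` converts into `AnyError` (the `?` inside `Result::<_, AnyError>::Ok(...)` suggests it does), each arm can be shortened to `path.map(|p| desc_parser.parse_path_query(p)).transpose()?.map(|d| d.into_read()).as_ref()`. The body of `op_query_permission` starts and ends outside this hunk.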
@@ -90,15 +134,37 @@ pub fn op_revoke_permission(
 state: &mut OpState,
 #[serde] args: PermissionArgs,
 ) -> Result<PermissionStatus, AnyError> {
- let mut permissions = state.borrow_mut::<PermissionsContainer>().0.lock();
+ // todo(dsherret): don't have this function use the properties of
+ // permission container
+ let permissions_container = state.borrow_mut::<PermissionsContainer>();
+ let desc_parser = &permissions_container.descriptor_parser;
+ let mut permissions = permissions_container.inner.lock();
 let path = args.path.as_deref();
 let perm = match args.name.as_ref() {
- "read" => permissions.read.revoke(path.map(Path::new)),
- "write" => permissions.write.revoke(path.map(Path::new)),
+ "read" => permissions.read.revoke(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_read(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
+ "write" => permissions.write.revoke(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_write(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
 "net" => permissions.net.revoke(
 match args.host.as_deref() {
 None => None,
- Some(h) => Some(NetDescriptor::parse(h)?),
+ Some(h) => Some(desc_parser.parse_net_descriptor(h)?),
 }
 .as_ref(),
 ),
@@ -106,8 +172,24 @@ pub fn op_revoke_permission(
 "sys" => permissions
 .sys
 .revoke(args.kind.as_deref().map(parse_sys_kind).transpose()?),
- "run" => permissions.run.revoke(args.command.as_deref()),
- "ffi" => permissions.ffi.revoke(args.path.as_deref().map(Path::new)),
+ "run" => permissions.run.revoke(
+ args
+ .command
+ .as_deref()
+ .map(|request| desc_parser.parse_run_query(request))
+ .transpose()?
+ .as_ref(),
+ ),
+ "ffi" => permissions.ffi.revoke(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_ffi(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
 n => {
 return Err(custom_error(
 "ReferenceError",
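Review bot: `op_revoke_permission` can now return before revoking anything, because `desc_parser.parse_path_query(path)?` in the `"read"` and `"write"` arms propagates a parse error where the removed `path.map(Path::new)` could not fail; the `"run"` and `"ffi"` arms in the next hunk gain the same early exit through `parse_run_query` and `parse_path_query`. A caller that ignores the rejected call keeps the grant it meant to drop. I would state this on the op, for example `/// Returns an error, and revokes nothing, if the descriptor in args cannot be parsed.`, and add a test that an unparseable path leaves the permission state unchanged. The function body continues outside this hunk.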
@@ -124,15 +206,37 @@ pub fn op_request_permission(
 state: &mut OpState,
 #[serde] args: PermissionArgs,
 ) -> Result<PermissionStatus, AnyError> {
- let mut permissions = state.borrow_mut::<PermissionsContainer>().0.lock();
+ // todo(dsherret): don't have this function use the properties of
+ // permission container
+ let permissions_container = state.borrow_mut::<PermissionsContainer>();
+ let desc_parser = &permissions_container.descriptor_parser;
+ let mut permissions = permissions_container.inner.lock();
 let path = args.path.as_deref();
 let perm = match args.name.as_ref() {
- "read" => permissions.read.request(path.map(Path::new)),
- "write" => permissions.write.request(path.map(Path::new)),
+ "read" => permissions.read.request(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_read(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
+ "write" => permissions.write.request(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_write(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
 "net" => permissions.net.request(
 match args.host.as_deref() {
 None => None,
- Some(h) => Some(NetDescriptor::parse(h)?),
+ Some(h) => Some(desc_parser.parse_net_descriptor(h)?),
 }
 .as_ref(),
 ),
@@ -140,8 +244,24 @@ pub fn op_request_permission(
 "sys" => permissions
 .sys
 .request(args.kind.as_deref().map(parse_sys_kind).transpose()?),
- "run" => permissions.run.request(args.command.as_deref()),
- "ffi" => permissions.ffi.request(args.path.as_deref().map(Path::new)),
+ "run" => permissions.run.request(
+ args
+ .command
+ .as_deref()
+ .map(|request| desc_parser.parse_run_query(request))
+ .transpose()?
+ .as_ref(),
+ ),
+ "ffi" => permissions.ffi.request(
+ path
+ .map(|path| {
+ Result::<_, AnyError>::Ok(
+ desc_parser.parse_path_query(path)?.into_ffi(),
+ )
+ })
+ .transpose()?
+ .as_ref(),
+ ),
 n => {
 return Err(custom_error(
 "ReferenceError", |
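Review bot: `state.borrow_mut::<PermissionsContainer>()` at the top of `op_request_permission` takes a mutable borrow that the following lines do not use. They only read `&permissions_container.descriptor_parser` and call `permissions_container.inner.lock()`, and `op_query_permission` does both through the shared `state.borrow::<PermissionsContainer>()`. Writing `let permissions_container = state.borrow::<PermissionsContainer>();` here would make it plain that all mutation goes through the lock guard; the same line in `op_revoke_permission` can change the same way. The function body continues outside this hunk.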