feat(permissions): add "--deny-*" flags (#19070)

This commit adds new "--deny-*" permission flags. These are complimentary to
"--allow-*" flags.

These flags can be used to restrict access to certain resources, even if they
were granted using "--allow-*" flags or the "--allow-all" ("-A") flag.

Eg. specifying "--allow-read --deny-read" will result in a permission error,
while "--allow-read --deny-read=/etc" will allow read access to all FS but the
"/etc" directory.

Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly
by adding, a new "PermissionStatus.partial" field. This field denotes that
while permission might be granted to requested resource, it's only partial (ie.
a "--deny-*" flag was specified that excludes some of the requested resources).
Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for
permissions like "Deno.permissions.query({ name: "read", path: "foo/" })"
will return "PermissionStatus { state: "granted", onchange: null, partial: true }",
denoting that some of the subpaths don't have read access.

Closes #18804.

---------

Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>

1 files changed, 27 insertions, 6 deletions

diff --git a/runtime/ops/permissions.rs b/runtime/ops/permissions.rs
index 663b1d240..e5c55076c 100644
--- a/runtime/ops/permissions.rs
+++ b/runtime/ops/permissions.rs
@@ -1,6 +1,7 @@
 // Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
 
 use crate::permissions::parse_sys_kind;
+use crate::permissions::PermissionState;
 use crate::permissions::PermissionsContainer;
 use deno_core::error::custom_error;
 use deno_core::error::uri_error;
@@ -9,6 +10,7 @@ use deno_core::op;
 use deno_core::url;
 use deno_core::OpState;
 use serde::Deserialize;
+use serde::Serialize;
 use std::path::Path;
 
 deno_core::extension!(
@@ -30,11 +32,30 @@ pub struct PermissionArgs {
   command: Option<String>,
 }
 
+#[derive(Serialize)]
+pub struct PermissionStatus {
+  state: String,
+  partial: bool,
+}
+
+impl From<PermissionState> for PermissionStatus {
+  fn from(state: PermissionState) -> Self {
+    PermissionStatus {
+      state: if state == PermissionState::GrantedPartial {
+        PermissionState::Granted.to_string()
+      } else {
+        state.to_string()
+      },
+      partial: state == PermissionState::GrantedPartial,
+    }
+  }
+}
+
 #[op]
 pub fn op_query_permission(
   state: &mut OpState,
   args: PermissionArgs,
-) -> Result<String, AnyError> {
+) -> Result<PermissionStatus, AnyError> {
   let permissions = state.borrow::<PermissionsContainer>().0.lock();
   let path = args.path.as_deref();
   let perm = match args.name.as_ref() {
@@ -61,14 +82,14 @@ pub fn op_query_permission(
       ))
     }
   };
-  Ok(perm.to_string())
+  Ok(PermissionStatus::from(perm))
 }
 
 #[op]
 pub fn op_revoke_permission(
   state: &mut OpState,
   args: PermissionArgs,
-) -> Result<String, AnyError> {
+) -> Result<PermissionStatus, AnyError> {
   let mut permissions = state.borrow_mut::<PermissionsContainer>().0.lock();
   let path = args.path.as_deref();
   let perm = match args.name.as_ref() {
@@ -95,14 +116,14 @@ pub fn op_revoke_permission(
       ))
     }
   };
-  Ok(perm.to_string())
+  Ok(PermissionStatus::from(perm))
 }
 
 #[op]
 pub fn op_request_permission(
   state: &mut OpState,
   args: PermissionArgs,
-) -> Result<String, AnyError> {
+) -> Result<PermissionStatus, AnyError> {
   let mut permissions = state.borrow_mut::<PermissionsContainer>().0.lock();
   let path = args.path.as_deref();
   let perm = match args.name.as_ref() {
@@ -129,7 +150,7 @@ pub fn op_request_permission(
       ))
     }
   };
-  Ok(perm.to_string())
+  Ok(PermissionStatus::from(perm))
 }
 
 fn parse_host(host_str: &str) -> Result<(String, Option<u16>), AnyError> {