refactor: remove `PermissionsContainer` in deno_runtime (#24119)

Also removes permissions being passed in for node resolution. It was
completely useless because we only checked it for reading package.json
files, but Deno reading package.json files for resolution is perfectly
fine.

My guess is this is also a perf improvement because Deno is doing less
work.

11 files changed, 21 insertions, 288 deletions

diff --git a/runtime/examples/extension/main.rs b/runtime/examples/extension/main.rs
index 0d7c4efb0..4339bdf67 100644
--- a/runtime/examples/extension/main.rs
+++ b/runtime/examples/extension/main.rs
@@ -10,7 +10,7 @@ use deno_core::error::AnyError;
 use deno_core::op2;
 use deno_core::FsModuleLoader;
 use deno_core::ModuleSpecifier;
-use deno_runtime::permissions::PermissionsContainer;
+use deno_runtime::deno_permissions::PermissionsContainer;
 use deno_runtime::worker::MainWorker;
 use deno_runtime::worker::WorkerOptions;
 
diff --git a/runtime/lib.rs b/runtime/lib.rs
index ec751f207..c92f5aea2 100644
--- a/runtime/lib.rs
+++ b/runtime/lib.rs
@@ -33,7 +33,6 @@ pub mod fs_util;
 pub mod inspector_server;
 pub mod js;
 pub mod ops;
-pub mod permissions;
 pub mod snapshot;
 pub mod tokio_util;
 pub mod web_worker;
diff --git a/runtime/ops/fs_events.rs b/runtime/ops/fs_events.rs
index 1e8fab936..367866162 100644
--- a/runtime/ops/fs_events.rs
+++ b/runtime/ops/fs_events.rs
@@ -1,6 +1,5 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
-use crate::permissions::PermissionsContainer;
 use deno_core::error::AnyError;
 use deno_core::parking_lot::Mutex;
 use deno_core::AsyncRefCell;
@@ -13,6 +12,7 @@ use deno_core::ResourceId;
 
 use deno_core::op2;
 
+use deno_permissions::PermissionsContainer;
 use notify::event::Event as NotifyEvent;
 use notify::Error as NotifyError;
 use notify::EventKind;
diff --git a/runtime/ops/os/mod.rs b/runtime/ops/os/mod.rs
index f6f55f68f..c2611f869 100644
--- a/runtime/ops/os/mod.rs
+++ b/runtime/ops/os/mod.rs
@@ -1,7 +1,6 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
 use super::utils::into_string;
-use crate::permissions::PermissionsContainer;
 use crate::worker::ExitCode;
 use deno_core::error::type_error;
 use deno_core::error::AnyError;
@@ -10,6 +9,7 @@ use deno_core::url::Url;
 use deno_core::v8;
 use deno_core::OpState;
 use deno_node::NODE_ENV_VAR_ALLOWLIST;
+use deno_permissions::PermissionsContainer;
 use serde::Serialize;
 use std::collections::HashMap;
 use std::env;
diff --git a/runtime/ops/process.rs b/runtime/ops/process.rs
index bda6045ac..b894b35db 100644
--- a/runtime/ops/process.rs
+++ b/runtime/ops/process.rs
@@ -1,7 +1,6 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
 use super::check_unstable;
-use crate::permissions::PermissionsContainer;
 use deno_core::anyhow::Context;
 use deno_core::error::type_error;
 use deno_core::error::AnyError;
@@ -18,6 +17,7 @@ use deno_io::fs::FileResource;
 use deno_io::ChildStderrResource;
 use deno_io::ChildStdinResource;
 use deno_io::ChildStdoutResource;
+use deno_permissions::PermissionsContainer;
 use serde::Deserialize;
 use serde::Serialize;
 use std::borrow::Cow;
diff --git a/runtime/ops/runtime.rs b/runtime/ops/runtime.rs
index 5b0b092c1..306e6ce8f 100644
--- a/runtime/ops/runtime.rs
+++ b/runtime/ops/runtime.rs
@@ -1,10 +1,10 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
-use crate::permissions::PermissionsContainer;
 use deno_core::error::AnyError;
 use deno_core::op2;
 use deno_core::ModuleSpecifier;
 use deno_core::OpState;
+use deno_permissions::PermissionsContainer;
 
 deno_core::extension!(
   deno_runtime,
diff --git a/runtime/ops/worker_host.rs b/runtime/ops/worker_host.rs
index e3360b830..19475fedf 100644
--- a/runtime/ops/worker_host.rs
+++ b/runtime/ops/worker_host.rs
@@ -1,9 +1,6 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
 use crate::ops::TestingFeaturesEnabled;
-use crate::permissions::create_child_permissions;
-use crate::permissions::ChildPermissionsArg;
-use crate::permissions::PermissionsContainer;
 use crate::web_worker::run_web_worker;
 use crate::web_worker::SendableWebWorkerHandle;
 use crate::web_worker::WebWorker;
@@ -20,6 +17,9 @@ use deno_core::CancelFuture;
 use deno_core::CancelHandle;
 use deno_core::ModuleSpecifier;
 use deno_core::OpState;
+use deno_permissions::create_child_permissions;
+use deno_permissions::ChildPermissionsArg;
+use deno_permissions::PermissionsContainer;
 use deno_web::deserialize_js_transferables;
 use deno_web::JsMessageData;
 use log::debug;
@@ -156,7 +156,7 @@ fn op_create_worker(
   let parent_permissions = state.borrow_mut::<PermissionsContainer>();
   let worker_permissions = if let Some(child_permissions_arg) = args.permissions
   {
-    let mut parent_permissions = parent_permissions.0 .0.lock();
+    let mut parent_permissions = parent_permissions.0.lock();
     let perms =
       create_child_permissions(&mut parent_permissions, child_permissions_arg)?;
     PermissionsContainer::new(perms)
diff --git a/runtime/permissions.rs b/runtime/permissions.rs
deleted file mode 100644
index edd03e1d5..000000000
--- a/runtime/permissions.rs
+++ /dev/null
@@ -1,268 +0,0 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
-
-use std::borrow::Cow;
-use std::path::Path;
-
-use deno_core::error::AnyError;
-use deno_core::url::Url;
-pub use deno_io::fs::FsError;
-pub use deno_permissions::create_child_permissions;
-pub use deno_permissions::parse_sys_kind;
-pub use deno_permissions::set_prompt_callbacks;
-pub use deno_permissions::ChildPermissionsArg;
-pub use deno_permissions::Permissions;
-pub use deno_permissions::PermissionsOptions;
-
-// NOTE: Temporary permissions container to satisfy traits. We are migrating to the deno_permissions
-// crate.
-#[derive(Debug, Clone)]
-
-pub struct PermissionsContainer(pub deno_permissions::PermissionsContainer);
-
-impl PermissionsContainer {
-  pub fn new(permissions: deno_permissions::Permissions) -> Self {
-    Self(deno_permissions::PermissionsContainer::new(permissions))
-  }
-
-  pub fn allow_all() -> Self {
-    Self(deno_permissions::PermissionsContainer::allow_all())
-  }
-}
-
-impl std::ops::Deref for PermissionsContainer {
-  type Target = deno_permissions::PermissionsContainer;
-
-  fn deref(&self) -> &Self::Target {
-    &self.0
-  }
-}
-
-impl std::ops::DerefMut for PermissionsContainer {
-  fn deref_mut(&mut self) -> &mut Self::Target {
-    &mut self.0
-  }
-}
-
-impl deno_node::NodePermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_net_url(
-    &mut self,
-    url: &Url,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_net_url(url, api_name)
-  }
-
-  #[inline(always)]
-  fn check_read_with_api_name(
-    &self,
-    path: &Path,
-    api_name: Option<&str>,
-  ) -> Result<(), AnyError> {
-    self.0.check_read_with_api_name(path, api_name)
-  }
-
-  #[inline(always)]
-  fn check_write_with_api_name(
-    &self,
-    path: &Path,
-    api_name: Option<&str>,
-  ) -> Result<(), AnyError> {
-    self.0.check_write_with_api_name(path, api_name)
-  }
-
-  fn check_sys(&self, kind: &str, api_name: &str) -> Result<(), AnyError> {
-    self.0.check_sys(kind, api_name)
-  }
-}
-
-impl deno_fetch::FetchPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_net_url(
-    &mut self,
-    url: &Url,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_net_url(url, api_name)
-  }
-
-  #[inline(always)]
-  fn check_read(
-    &mut self,
-    path: &Path,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_read(path, api_name)
-  }
-}
-
-impl deno_net::NetPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_net<T: AsRef<str>>(
-    &mut self,
-    host: &(T, Option<u16>),
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_net(host, api_name)
-  }
-
-  #[inline(always)]
-  fn check_read(
-    &mut self,
-    path: &Path,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_read(path, api_name)
-  }
-
-  #[inline(always)]
-  fn check_write(
-    &mut self,
-    path: &Path,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_write(path, api_name)
-  }
-}
-
-impl deno_web::TimersPermission for PermissionsContainer {
-  #[inline(always)]
-  fn allow_hrtime(&mut self) -> bool {
-    self.0.allow_hrtime()
-  }
-}
-
-impl deno_websocket::WebSocketPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_net_url(
-    &mut self,
-    url: &Url,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_net_url(url, api_name)
-  }
-}
-
-impl deno_fs::FsPermissions for PermissionsContainer {
-  fn check_open<'a>(
-    &mut self,
-    resolved: bool,
-    read: bool,
-    write: bool,
-    path: &'a Path,
-    api_name: &str,
-  ) -> Result<Cow<'a, Path>, FsError> {
-    if resolved {
-      self.check_special_file(path, api_name).map_err(|_| {
-        std::io::Error::from(std::io::ErrorKind::PermissionDenied)
-      })?;
-      return Ok(Cow::Borrowed(path));
-    }
-
-    // If somehow read or write aren't specified, use read
-    let read = read || !write;
-    if read {
-      deno_fs::FsPermissions::check_read(self, path, api_name)
-        .map_err(|_| FsError::PermissionDenied("read"))?;
-    }
-    if write {
-      deno_fs::FsPermissions::check_write(self, path, api_name)
-        .map_err(|_| FsError::PermissionDenied("write"))?;
-    }
-    Ok(Cow::Borrowed(path))
-  }
-
-  fn check_read(
-    &mut self,
-    path: &Path,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_read(path, api_name)
-  }
-
-  fn check_read_blind(
-    &mut self,
-    path: &Path,
-    display: &str,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_read_blind(path, display, api_name)
-  }
-
-  fn check_write(
-    &mut self,
-    path: &Path,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_write(path, api_name)
-  }
-
-  fn check_write_partial(
-    &mut self,
-    path: &Path,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_write_partial(path, api_name)
-  }
-
-  fn check_write_blind(
-    &mut self,
-    p: &Path,
-    display: &str,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_write_blind(p, display, api_name)
-  }
-
-  fn check_read_all(&mut self, api_name: &str) -> Result<(), AnyError> {
-    self.0.check_read_all(api_name)
-  }
-
-  fn check_write_all(&mut self, api_name: &str) -> Result<(), AnyError> {
-    self.0.check_write_all(api_name)
-  }
-}
-
-// NOTE(bartlomieju): for now, NAPI uses `--allow-ffi` flag, but that might
-// change in the future.
-impl deno_napi::NapiPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
-    self.0.check_ffi(path)
-  }
-}
-
-impl deno_ffi::FfiPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_partial(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
-    self.0.check_ffi_partial(path)
-  }
-}
-
-impl deno_kv::sqlite::SqliteDbHandlerPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_read(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError> {
-    self.0.check_read(p, api_name)
-  }
-
-  #[inline(always)]
-  fn check_write(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError> {
-    self.0.check_write(p, api_name)
-  }
-}
-
-impl deno_kv::remote::RemoteDbHandlerPermissions for PermissionsContainer {
-  #[inline(always)]
-  fn check_env(&mut self, var: &str) -> Result<(), AnyError> {
-    self.0.check_env(var)
-  }
-
-  #[inline(always)]
-  fn check_net_url(
-    &mut self,
-    url: &Url,
-    api_name: &str,
-  ) -> Result<(), AnyError> {
-    self.0.check_net_url(url, api_name)
-  }
-}
diff --git a/runtime/snapshot.rs b/runtime/snapshot.rs
index 923ea0b75..7ae5e3ae5 100644
--- a/runtime/snapshot.rs
+++ b/runtime/snapshot.rs
@@ -81,21 +81,21 @@ impl deno_node::NodePermissions for Permissions {
     unreachable!("snapshotting!")
   }
   fn check_read_with_api_name(
-    &self,
+    &mut self,
     _p: &Path,
     _api_name: Option<&str>,
   ) -> Result<(), deno_core::error::AnyError> {
     unreachable!("snapshotting!")
   }
   fn check_write_with_api_name(
-    &self,
+    &mut self,
     _p: &Path,
     _api_name: Option<&str>,
   ) -> Result<(), deno_core::error::AnyError> {
     unreachable!("snapshotting!")
   }
   fn check_sys(
-    &self,
+    &mut self,
     _kind: &str,
     _api_name: &str,
   ) -> Result<(), deno_core::error::AnyError> {
@@ -254,7 +254,7 @@ pub fn create_runtime_snapshot(
     deno_http::deno_http::init_ops_and_esm::<DefaultHttpPropertyExtractor>(),
     deno_io::deno_io::init_ops_and_esm(Default::default()),
     deno_fs::deno_fs::init_ops_and_esm::<Permissions>(fs.clone()),
-    deno_node::deno_node::init_ops_and_esm::<Permissions>(None, fs),
+    deno_node::deno_node::init_ops_and_esm::<Permissions>(None, None, fs),
     runtime::init_ops_and_esm(),
     ops::runtime::deno_runtime::init_ops("deno:runtime".parse().unwrap()),
     ops::worker_host::deno_worker_host::init_ops(
diff --git a/runtime/web_worker.rs b/runtime/web_worker.rs
index 836035694..07a955efb 100644
--- a/runtime/web_worker.rs
+++ b/runtime/web_worker.rs
@@ -2,7 +2,6 @@
 use crate::inspector_server::InspectorServer;
 use crate::ops;
 use crate::ops::worker_host::WorkersTable;
-use crate::permissions::PermissionsContainer;
 use crate::shared::maybe_transpile_source;
 use crate::shared::runtime;
 use crate::tokio_util::create_and_run_current_thread;
@@ -45,6 +44,8 @@ use deno_fs::FileSystem;
 use deno_http::DefaultHttpPropertyExtractor;
 use deno_io::Stdio;
 use deno_kv::dynamic::MultiBackendDbHandler;
+use deno_node::NodeResolver;
+use deno_permissions::PermissionsContainer;
 use deno_terminal::colors;
 use deno_tls::RootCertStoreProvider;
 use deno_tls::TlsKeys;
@@ -364,6 +365,7 @@ pub struct WebWorkerOptions {
   pub seed: Option<u64>,
   pub fs: Arc<dyn FileSystem>,
   pub module_loader: Rc<dyn ModuleLoader>,
+  pub node_resolver: Option<Arc<NodeResolver>>,
   pub npm_resolver: Option<Arc<dyn deno_node::NpmResolver>>,
   pub create_web_worker_cb: Arc<ops::worker_host::CreateWebWorkerCb>,
   pub format_js_error_fn: Option<Arc<FormatJsErrorFn>>,
@@ -411,7 +413,6 @@ impl WebWorker {
         enable_testing_features: bool,
       },
       state = |state, options| {
-        state.put::<deno_permissions::PermissionsContainer>(options.permissions.0.clone());
         state.put::<PermissionsContainer>(options.permissions);
         state.put(ops::TestingFeaturesEnabled(options.enable_testing_features));
       },
@@ -491,6 +492,7 @@ impl WebWorker {
         options.fs.clone(),
       ),
       deno_node::deno_node::init_ops_and_esm::<PermissionsContainer>(
+        options.node_resolver,
         options.npm_resolver,
         options.fs,
       ),
diff --git a/runtime/worker.rs b/runtime/worker.rs
index 09faa6e08..4e16afeeb 100644
--- a/runtime/worker.rs
+++ b/runtime/worker.rs
@@ -39,6 +39,7 @@ use deno_fs::FileSystem;
 use deno_http::DefaultHttpPropertyExtractor;
 use deno_io::Stdio;
 use deno_kv::dynamic::MultiBackendDbHandler;
+use deno_permissions::PermissionsContainer;
 use deno_tls::RootCertStoreProvider;
 use deno_tls::TlsKeys;
 use deno_web::BlobStore;
@@ -48,7 +49,6 @@ use crate::code_cache::CodeCache;
 use crate::code_cache::CodeCacheType;
 use crate::inspector_server::InspectorServer;
 use crate::ops;
-use crate::permissions::PermissionsContainer;
 use crate::shared::maybe_transpile_source;
 use crate::shared::runtime;
 use crate::BootstrapOptions;
@@ -156,6 +156,7 @@ pub struct WorkerOptions {
   /// If not provided runtime will error if code being
   /// executed tries to load modules.
   pub module_loader: Rc<dyn ModuleLoader>,
+  pub node_resolver: Option<Arc<deno_node::NodeResolver>>,
   pub npm_resolver: Option<Arc<dyn deno_node::NpmResolver>>,
   // Callbacks invoked when creating new instance of WebWorker
   pub create_web_worker_cb: Arc<ops::worker_host::CreateWebWorkerCb>,
@@ -227,6 +228,7 @@ impl Default for WorkerOptions {
       broadcast_channel: Default::default(),
       source_map_getter: Default::default(),
       root_cert_store_provider: Default::default(),
+      node_resolver: Default::default(),
       npm_resolver: Default::default(),
       blob_store: Default::default(),
       extensions: Default::default(),
@@ -329,9 +331,6 @@ impl MainWorker {
         enable_testing_features: bool,
       },
       state = |state, options| {
-        // Save the permissions container and the wrapper.
-        state.put::<deno_permissions::PermissionsContainer>(options.permissions.0.clone());
-        // This is temporary until we migrate all exts/ to the deno_permissions crate.
         state.put::<PermissionsContainer>(options.permissions);
         state.put(ops::TestingFeaturesEnabled(options.enable_testing_features));
       },
@@ -419,6 +418,7 @@ impl MainWorker {
         options.fs.clone(),
       ),
       deno_node::deno_node::init_ops_and_esm::<PermissionsContainer>(
+        options.node_resolver,
         options.npm_resolver,
         options.fs,
       ),