author | David Sherret <dsherret@users.noreply.github.com> | 2024-09-16 21:39:37 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-16 21:39:37 +0100 |
commit | 62e952559f600e72d7498c9b12f906cb0b1ba150 (patch) | |
tree | 6dbcce6592973358ef4bf6341888b0bbbdb98cc5 /tests/unit | |
parent | e0b9c745c15720914f14996bf357d5b375e2dbd8 (diff) |
refactor(permissions): split up Descriptor into Allow, Deny, and Query (#25508)
This makes the permission system more versatile.
Diffstat (limited to 'tests/unit')
-rw-r--r-- | tests/unit/os_test.ts | 4 | ||||
-rw-r--r-- | tests/unit/worker_test.ts | 39 |
2 files changed, 40 insertions, 3 deletions
diff --git a/tests/unit/os_test.ts b/tests/unit/os_test.ts
index 4f760ecf8..a70796505 100644
--- a/tests/unit/os_test.ts
+++ b/tests/unit/os_test.ts
@@ -79,7 +79,9 @@ Deno.test(
 ) => {
 const src = `
 console.log(
- ${JSON.stringify(Object.keys(expectedEnv))}.map(k => Deno.env.get(k))
+ ${
+ JSON.stringify(Object.keys(expectedEnv))
+ }.map(k => Deno.env.get(k) ?? null)
 )`;
 const { success, stdout } = await new Deno.Command(Deno.execPath(), {
 args: ["eval", src],
diff --git a/tests/unit/worker_test.ts b/tests/unit/worker_test.ts
index 88c6ca4c6..42c257282 100644
--- a/tests/unit/worker_test.ts
+++ b/tests/unit/worker_test.ts
@@ -5,6 +5,7 @@
 // Requires to be run with `--allow-net` flag
 import { assert, assertEquals, assertMatch, assertThrows } from "@std/assert";
+import { toFileUrl } from "@std/path/to-file-url";
 function resolveWorker(worker: string): string {
 return import.meta.resolve(`../testdata/workers/${worker}`);
@@ -442,7 +443,31 @@ Deno.test("Worker limit children permissions", async function () {
 worker.terminate();
 });
+function setupReadCheckGranularWorkerTest() {
+ const tempDir = Deno.realPathSync(Deno.makeTempDirSync());
+ const initialPath = Deno.env.get("PATH")!;
+ const initialCwd = Deno.cwd();
+ Deno.chdir(tempDir);
+ const envSep = Deno.build.os === "windows" ? ";" : ":";
+ Deno.env.set("PATH", initialPath + envSep + tempDir);
+
+ // create executables that will be resolved when doing `which`
+ const ext = Deno.build.os === "windows" ? ".exe" : "";
+ Deno.copyFileSync(Deno.execPath(), tempDir + "/bar" + ext);
+
+ return {
+ tempDir,
+ runFooFilePath: tempDir + "/foo" + ext,
+ [Symbol.dispose]() {
+ Deno.removeSync(tempDir, { recursive: true });
+ Deno.env.set("PATH", initialPath);
+ Deno.chdir(initialCwd);
+ },
+ };
+}
+
 Deno.test("Worker limit children permissions granularly", async function () {
+ const ctx = setupReadCheckGranularWorkerTest();
 const workerUrl = resolveWorker("read_check_granular_worker.js");
 const worker = new Worker(
 workerUrl,
@@ -453,8 +478,13 @@ Deno.test("Worker limit children permissions granularly", async function () {
 env: ["foo"],
 net: ["foo", "bar:8000"],
 ffi: [new URL("foo", workerUrl), "bar"],
- read: [new URL("foo", workerUrl), "bar"],
- run: [new URL("foo", workerUrl), "bar", "./baz"],
+ read: [new URL("foo", workerUrl), "bar", ctx.tempDir],
+ run: [
+ toFileUrl(ctx.runFooFilePath),
+ "bar",
+ "./baz",
+ "unresolved-exec",
+ ],
 write: [new URL("foo", workerUrl), "bar"],
 },
 },
@@ -482,8 +512,10 @@ Deno.test("Worker limit children permissions granularly", async function () {
 readAbsent: "prompt",
 runGlobal: "prompt",
 runFoo: "granted",
+ runFooPath: "granted",
 runBar: "granted",
 runBaz: "granted",
+ runUnresolved: "prompt", // unresolved binaries remain as "prompt"
 runAbsent: "prompt",
 writeGlobal: "prompt",
 writeFoo: "granted",
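Review bot: The disposer returned by `setupReadCheckGranularWorkerTest` is not run by anything visible in this hunk, because the test binds the result with `const ctx = ...` rather than `using ctx = setupReadCheckGranularWorkerTest();`; the later hunk's `const _cleanup = ...` has the same shape. Unless the test bodies call `ctx[Symbol.dispose]()` somewhere outside the hunks, the process keeps the temp directory appended to `PATH` and as its working directory, so later tests in the same process would still resolve `bar` to the copied Deno binary in that directory. The disposer also removes `tempDir` while it is still the current directory, and a failed `Deno.removeSync` would skip both restores; moving `Deno.chdir(initialCwd);` and `Deno.env.set("PATH", initialPath);` ahead of `Deno.removeSync(tempDir, { recursive: true });` restores global state first. Separately, `Deno.env.get("PATH")!` turns an unset `PATH` into the literal string `undefined` once concatenated, so a `?? ""` fallback would be safer than the non-null assertion.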
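Review bot: The `run` allow-list now mixes four kinds of entry, and nothing at the list says which resolution path each one is meant to exercise, which is what a reader needs in order to check the `granted`/`prompt` expectations in the next hunk. A short comment above `run: [` would cover it, for example `// file URL = absolute path; "bar" = resolved via PATH (copied into ctx.tempDir); "./baz" = relative to cwd; "unresolved-exec" = not found on PATH`. It looks as though `ctx.runFooFilePath` names a file the setup helper never creates (only `bar` is copied), so the comment should also state that granting a not-yet-existing absolute path is intended. The worker script that performs the queries is outside this diff, so the mapping from entries to `runFooPath`/`runUnresolved` is inferred from the names.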
@@ -494,6 +526,7 @@ Deno.test("Worker limit children permissions granularly", async function () {
 });
 Deno.test("Nested worker limit children permissions", async function () {
+ const _cleanup = setupReadCheckGranularWorkerTest();
 /** This worker has permissions but doesn't grant them to its children */
 const worker = new Worker(
 resolveWorker("parent_read_check_worker.js"),
@@ -521,8 +554,10 @@ Deno.test("Nested worker limit children permissions", async function () {
 readAbsent: "prompt",
 runGlobal: "prompt",
 runFoo: "prompt",
+ runFooPath: "prompt",
 runBar: "prompt",
 runBaz: "prompt",
+ runUnresolved: "prompt",
 runAbsent: "prompt",
 writeGlobal: "prompt",
 writeFoo: "prompt", |