More permissions prompt options (#1926)

src/compiler.rs

@@ -3,7 +3,7 @@ use crate::isolate::Buf;
 use crate::isolate::IsolateState;
 use crate::isolate_init;
 use crate::msg;
-use crate::permissions::DenoPermissions;
+use crate::permissions::{DenoPermissions, PermissionAccessor};
 use crate::resources;
 use crate::resources::Resource;
 use crate::resources::ResourceId;
@@ -12,7 +12,6 @@ use crate::workers;
 use futures::Future;
 use serde_json;
 use std::str;
-use std::sync::atomic::AtomicBool;
 use std::sync::Arc;
 use std::sync::Mutex;
 
@@ -53,11 +52,9 @@ fn lazy_start(parent_state: &Arc<IsolateState>) -> Resource {
   let mut cell = C_RID.lock().unwrap();
   let isolate_init = isolate_init::compiler_isolate_init();
   let permissions = DenoPermissions {
-    allow_read: AtomicBool::new(true),
+    allow_read: PermissionAccessor::from(true),
-    allow_write: AtomicBool::new(true),
+    allow_write: PermissionAccessor::from(true),
-    allow_env: AtomicBool::new(false),
+    allow_net: PermissionAccessor::from(true),
-    allow_net: AtomicBool::new(true),
-    allow_run: AtomicBool::new(false),
     ..Default::default()
   };
   let rid = cell.get_or_insert_with(|| {

src/ops.rs

@@ -39,7 +39,6 @@ use std::net::Shutdown;
 use std::path::Path;
 use std::path::PathBuf;
 use std::process::Command;
-use std::sync::atomic::Ordering;
 use std::sync::Arc;
 use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use tokio;
@@ -373,19 +372,19 @@ fn op_fetch_module_meta_data(
   let referrer = inner.referrer().unwrap();
 
   // Check for allow read since this operation could be used to read from the file system.
-  if !isolate.permissions.allow_read.load(Ordering::SeqCst) {
+  if !isolate.permissions.allows_read() {
     debug!("No read permission for fetch_module_meta_data");
     return odd_future(permission_denied());
   }
 
   // Check for allow write since this operation could be used to write to the file system.
-  if !isolate.permissions.allow_write.load(Ordering::SeqCst) {
+  if !isolate.permissions.allows_write() {
     debug!("No network permission for fetch_module_meta_data");
     return odd_future(permission_denied());
   }
 
   // Check for allow net since this operation could be used to make https/http requests.
-  if !isolate.permissions.allow_net.load(Ordering::SeqCst) {
+  if !isolate.permissions.allows_net() {
     debug!("No network permission for fetch_module_meta_data");
     return odd_future(permission_denied());
   }
@@ -1887,18 +1886,16 @@ mod tests {
   use super::*;
   use crate::isolate::{Isolate, IsolateState};
   use crate::isolate_init::IsolateInit;
-  use crate::permissions::DenoPermissions;
+  use crate::permissions::{DenoPermissions, PermissionAccessor};
-  use std::sync::atomic::AtomicBool;
 
   #[test]
   fn fetch_module_meta_fails_without_read() {
     let state = IsolateState::mock();
     let permissions = DenoPermissions {
-      allow_read: AtomicBool::new(false),
+      allow_write: PermissionAccessor::from(true),
-      allow_write: AtomicBool::new(true),
+      allow_env: PermissionAccessor::from(true),
-      allow_env: AtomicBool::new(true),
+      allow_net: PermissionAccessor::from(true),
-      allow_net: AtomicBool::new(true),
+      allow_run: PermissionAccessor::from(true),
-      allow_run: AtomicBool::new(true),
       ..Default::default()
     };
     let isolate = Isolate::new(
@@ -1940,11 +1937,10 @@ mod tests {
   fn fetch_module_meta_fails_without_write() {
     let state = IsolateState::mock();
     let permissions = DenoPermissions {
-      allow_read: AtomicBool::new(true),
+      allow_read: PermissionAccessor::from(true),
-      allow_write: AtomicBool::new(false),
+      allow_env: PermissionAccessor::from(true),
-      allow_env: AtomicBool::new(true),
+      allow_net: PermissionAccessor::from(true),
-      allow_net: AtomicBool::new(true),
+      allow_run: PermissionAccessor::from(true),
-      allow_run: AtomicBool::new(true),
       ..Default::default()
     };
     let isolate = Isolate::new(
@@ -1986,11 +1982,10 @@ mod tests {
   fn fetch_module_meta_fails_without_net() {
     let state = IsolateState::mock();
     let permissions = DenoPermissions {
-      allow_read: AtomicBool::new(true),
+      allow_read: PermissionAccessor::from(true),
-      allow_write: AtomicBool::new(true),
+      allow_write: PermissionAccessor::from(true),
-      allow_env: AtomicBool::new(true),
+      allow_env: PermissionAccessor::from(true),
-      allow_net: AtomicBool::new(false),
+      allow_run: PermissionAccessor::from(true),
-      allow_run: AtomicBool::new(true),
       ..Default::default()
     };
     let isolate = Isolate::new(
@@ -2032,11 +2027,9 @@ mod tests {
   fn fetch_module_meta_not_permission_denied_with_permissions() {
     let state = IsolateState::mock();
     let permissions = DenoPermissions {
-      allow_read: AtomicBool::new(true),
+      allow_read: PermissionAccessor::from(true),
-      allow_write: AtomicBool::new(true),
+      allow_write: PermissionAccessor::from(true),
-      allow_env: AtomicBool::new(false),
+      allow_net: PermissionAccessor::from(true),
-      allow_net: AtomicBool::new(true),
-      allow_run: AtomicBool::new(false),
       ..Default::default()
     };
     let isolate = Isolate::new(

src/permissions.rs

@@ -6,179 +6,338 @@ use crate::flags::DenoFlags;
 use ansi_term::Style;
 use crate::errors::permission_denied;
 use crate::errors::DenoResult;
+use std::fmt;
 use std::io;
-use std::sync::atomic::{AtomicBool, Ordering};
+use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
+use std::sync::Arc;
+
+/// Tri-state value for storing permission state
+pub enum PermissionAccessorState {
+  Allow = 0,
+  Ask = 1,
+  Deny = 2,
+}
+
+impl From<usize> for PermissionAccessorState {
+  fn from(val: usize) -> Self {
+    match val {
+      0 => PermissionAccessorState::Allow,
+      1 => PermissionAccessorState::Ask,
+      2 => PermissionAccessorState::Deny,
+      _ => unreachable!(),
+    }
+  }
+}
+
+impl From<bool> for PermissionAccessorState {
+  fn from(val: bool) -> Self {
+    match val {
+      true => PermissionAccessorState::Allow,
+      false => PermissionAccessorState::Ask,
+    }
+  }
+}
+
+impl fmt::Display for PermissionAccessorState {
+  fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+    match self {
+      PermissionAccessorState::Allow => f.pad("Allow"),
+      PermissionAccessorState::Ask => f.pad("Ask"),
+      PermissionAccessorState::Deny => f.pad("Deny"),
+    }
+  }
+}
+
+#[derive(Debug)]
+pub struct PermissionAccessor {
+  state: Arc<AtomicUsize>,
+}
+
+impl PermissionAccessor {
+  pub fn new(state: PermissionAccessorState) -> Self {
+    Self {
+      state: Arc::new(AtomicUsize::new(state as usize)),
+    }
+  }
+
+  pub fn is_allow(&self) -> bool {
+    match self.get_state() {
+      PermissionAccessorState::Allow => true,
+      _ => false,
+    }
+  }
+
+  /// If the state is "Allow" walk it back to the default "Ask"
+  /// Don't do anything if state is "Deny"
+  pub fn revoke(&self) {
+    if self.is_allow() {
+      self.ask();
+    }
+  }
+
+  pub fn allow(&self) {
+    self.set_state(PermissionAccessorState::Allow)
+  }
+
+  pub fn ask(&self) {
+    self.set_state(PermissionAccessorState::Ask)
+  }
+
+  pub fn deny(&self) {
+    self.set_state(PermissionAccessorState::Deny)
+  }
+
+  /// Update this accessors state based on a PromptResult value
+  /// This will only update the state if the PromptResult value
+  /// is one of the "Always" values
+  pub fn update_with_prompt_result(&self, prompt_result: &PromptResult) {
+    match prompt_result {
+      PromptResult::AllowAlways => self.allow(),
+      PromptResult::DenyAlways => self.deny(),
+      _ => {}
+    }
+  }
+
+  #[inline]
+  pub fn get_state(&self) -> PermissionAccessorState {
+    self.state.load(Ordering::SeqCst).into()
+  }
+  fn set_state(&self, state: PermissionAccessorState) {
+    self.state.store(state as usize, Ordering::SeqCst)
+  }
+}
+
+impl From<bool> for PermissionAccessor {
+  fn from(val: bool) -> Self {
+    Self::new(PermissionAccessorState::from(val))
+  }
+}
+
+impl Default for PermissionAccessor {
+  fn default() -> Self {
+    Self {
+      state: Arc::new(AtomicUsize::new(PermissionAccessorState::Ask as usize)),
+    }
+  }
+}
 
 #[cfg_attr(feature = "cargo-clippy", allow(stutter))]
 #[derive(Debug, Default)]
 pub struct DenoPermissions {
   // Keep in sync with src/permissions.ts
-  pub allow_read: AtomicBool,
+  pub allow_read: PermissionAccessor,
-  pub allow_write: AtomicBool,
+  pub allow_write: PermissionAccessor,
-  pub allow_net: AtomicBool,
+  pub allow_net: PermissionAccessor,
-  pub allow_env: AtomicBool,
+  pub allow_env: PermissionAccessor,
-  pub allow_run: AtomicBool,
+  pub allow_run: PermissionAccessor,
   pub no_prompts: AtomicBool,
 }
 
 impl DenoPermissions {
   pub fn from_flags(flags: &DenoFlags) -> Self {
     Self {
-      allow_read: AtomicBool::new(flags.allow_read),
+      allow_read: PermissionAccessor::from(flags.allow_read),
-      allow_write: AtomicBool::new(flags.allow_write),
+      allow_write: PermissionAccessor::from(flags.allow_write),
-      allow_env: AtomicBool::new(flags.allow_env),
+      allow_env: PermissionAccessor::from(flags.allow_env),
-      allow_net: AtomicBool::new(flags.allow_net),
+      allow_net: PermissionAccessor::from(flags.allow_net),
-      allow_run: AtomicBool::new(flags.allow_run),
+      allow_run: PermissionAccessor::from(flags.allow_run),
       no_prompts: AtomicBool::new(flags.no_prompts),
     }
   }
 
   pub fn check_run(&self) -> DenoResult<()> {
-    if self.allow_run.load(Ordering::SeqCst) {
+    match self.allow_run.get_state() {
-      return Ok(());
+      PermissionAccessorState::Allow => Ok(()),
-    };
+      PermissionAccessorState::Ask => {
-    // TODO get location (where access occurred)
+        match self.try_permissions_prompt("access to run a subprocess") {
-    let r = self.try_permissions_prompt("access to run a subprocess");
+          Err(e) => Err(e),
-    if r.is_ok() {
+          Ok(v) => {
-      self.allow_run.store(true, Ordering::SeqCst);
+            self.allow_run.update_with_prompt_result(&v);
+            v.check()?;
+            Ok(())
+          }
+        }
+      }
+      PermissionAccessorState::Deny => Err(permission_denied()),
     }
-    r
   }
 
   pub fn check_read(&self, filename: &str) -> DenoResult<()> {
-    if self.allow_read.load(Ordering::SeqCst) {
+    match self.allow_read.get_state() {
-      return Ok(());
+      PermissionAccessorState::Allow => Ok(()),
-    };
+      PermissionAccessorState::Ask => match self
-    // TODO get location (where access occurred)
+        .try_permissions_prompt(&format!("read access to \"{}\"", filename))
-    let r =
+      {
-      self.try_permissions_prompt(&format!("read access to \"{}\"", filename));;
+        Err(e) => Err(e),
-    if r.is_ok() {
+        Ok(v) => {
-      self.allow_read.store(true, Ordering::SeqCst);
+          self.allow_read.update_with_prompt_result(&v);
+          v.check()?;
+          Ok(())
+        }
+      },
+      PermissionAccessorState::Deny => Err(permission_denied()),
     }
-    r
   }
 
   pub fn check_write(&self, filename: &str) -> DenoResult<()> {
-    if self.allow_write.load(Ordering::SeqCst) {
+    match self.allow_write.get_state() {
-      return Ok(());
+      PermissionAccessorState::Allow => Ok(()),
-    };
+      PermissionAccessorState::Ask => match self
-    // TODO get location (where access occurred)
+        .try_permissions_prompt(&format!("write access to \"{}\"", filename))
-    let r =
+      {
-      self.try_permissions_prompt(&format!("write access to \"{}\"", filename));;
+        Err(e) => Err(e),
-    if r.is_ok() {
+        Ok(v) => {
-      self.allow_write.store(true, Ordering::SeqCst);
+          self.allow_write.update_with_prompt_result(&v);
+          v.check()?;
+          Ok(())
+        }
+      },
+      PermissionAccessorState::Deny => Err(permission_denied()),
     }
-    r
   }
 
   pub fn check_net(&self, domain_name: &str) -> DenoResult<()> {
-    if self.allow_net.load(Ordering::SeqCst) {
+    match self.allow_net.get_state() {
-      return Ok(());
+      PermissionAccessorState::Allow => Ok(()),
-    };
+      PermissionAccessorState::Ask => match self.try_permissions_prompt(
-    // TODO get location (where access occurred)
+        &format!("network access to \"{}\"", domain_name),
-    let r = self.try_permissions_prompt(&format!(
+      ) {
-      "network access to \"{}\"",
+        Err(e) => Err(e),
-      domain_name
+        Ok(v) => {
-    ));
+          self.allow_net.update_with_prompt_result(&v);
-    if r.is_ok() {
+          v.check()?;
-      self.allow_net.store(true, Ordering::SeqCst);
+          Ok(())
+        }
+      },
+      PermissionAccessorState::Deny => Err(permission_denied()),
     }
-    r
   }
 
   pub fn check_env(&self) -> DenoResult<()> {
-    if self.allow_env.load(Ordering::SeqCst) {
+    match self.allow_env.get_state() {
-      return Ok(());
+      PermissionAccessorState::Allow => Ok(()),
-    };
+      PermissionAccessorState::Ask => {
-    // TODO get location (where access occurred)
+        match self.try_permissions_prompt("access to environment variables") {
-    let r = self.try_permissions_prompt(&"access to environment variables");
+          Err(e) => Err(e),
-    if r.is_ok() {
+          Ok(v) => {
-      self.allow_env.store(true, Ordering::SeqCst);
+            self.allow_env.update_with_prompt_result(&v);
+            v.check()?;
+            Ok(())
+          }
+        }
+      }
+      PermissionAccessorState::Deny => Err(permission_denied()),
     }
-    r
   }
 
   /// Try to present the user with a permission prompt
   /// will error with permission_denied if no_prompts is enabled
-  fn try_permissions_prompt(&self, message: &str) -> DenoResult<()> {
+  fn try_permissions_prompt(&self, message: &str) -> DenoResult<PromptResult> {
     if self.no_prompts.load(Ordering::SeqCst) {
       return Err(permission_denied());
     }
+    if !atty::is(atty::Stream::Stdin) || !atty::is(atty::Stream::Stderr) {
+      return Err(permission_denied());
+    };
     permission_prompt(message)
   }
 
   pub fn allows_run(&self) -> bool {
-    return self.allow_run.load(Ordering::SeqCst);
+    return self.allow_run.is_allow();
   }
 
   pub fn allows_read(&self) -> bool {
-    return self.allow_read.load(Ordering::SeqCst);
+    return self.allow_read.is_allow();
   }
 
   pub fn allows_write(&self) -> bool {
-    return self.allow_write.load(Ordering::SeqCst);
+    return self.allow_write.is_allow();
   }
 
   pub fn allows_net(&self) -> bool {
-    return self.allow_net.load(Ordering::SeqCst);
+    return self.allow_net.is_allow();
   }
 
   pub fn allows_env(&self) -> bool {
-    return self.allow_env.load(Ordering::SeqCst);
+    return self.allow_env.is_allow();
   }
 
   pub fn revoke_run(&self) -> DenoResult<()> {
-    self.allow_run.store(false, Ordering::SeqCst);
+    self.allow_run.revoke();
     return Ok(());
   }
 
   pub fn revoke_read(&self) -> DenoResult<()> {
-    self.allow_read.store(false, Ordering::SeqCst);
+    self.allow_read.revoke();
     return Ok(());
   }
 
   pub fn revoke_write(&self) -> DenoResult<()> {
-    self.allow_write.store(false, Ordering::SeqCst);
+    self.allow_write.revoke();
     return Ok(());
   }
 
   pub fn revoke_net(&self) -> DenoResult<()> {
-    self.allow_net.store(false, Ordering::SeqCst);
+    self.allow_net.revoke();
     return Ok(());
   }
 
   pub fn revoke_env(&self) -> DenoResult<()> {
-    self.allow_env.store(false, Ordering::SeqCst);
+    self.allow_env.revoke();
     return Ok(());
   }
+}
 
-  pub fn default() -> Self {
+/// Quad-state value for representing user input on permission prompt
-    Self {
+#[derive(Debug, Clone)]
-      allow_read: AtomicBool::new(false),
+pub enum PromptResult {
-      allow_write: AtomicBool::new(false),
+  AllowAlways = 0,
-      allow_env: AtomicBool::new(false),
+  AllowOnce = 1,
-      allow_net: AtomicBool::new(false),
+  DenyOnce = 2,
-      allow_run: AtomicBool::new(false),
+  DenyAlways = 3,
-      ..Default::default()
+}
+
+impl PromptResult {
+  /// If value is any form of deny this will error with permission_denied
+  pub fn check(&self) -> DenoResult<()> {
+    match self {
+      PromptResult::DenyOnce => Err(permission_denied()),
+      PromptResult::DenyAlways => Err(permission_denied()),
+      _ => Ok(()),
     }
   }
 }
 
-fn permission_prompt(message: &str) -> DenoResult<()> {
+impl fmt::Display for PromptResult {
-  if !atty::is(atty::Stream::Stdin) || !atty::is(atty::Stream::Stderr) {
+  fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-    return Err(permission_denied());
+    match self {
-  };
+      PromptResult::AllowAlways => f.pad("AllowAlways"),
-  let msg = format!("⚠️  Deno requests {}. Grant? [yN] ", message);
+      PromptResult::AllowOnce => f.pad("AllowOnce"),
+      PromptResult::DenyOnce => f.pad("DenyOnce"),
+      PromptResult::DenyAlways => f.pad("DenyAlways"),
+    }
+  }
+}
+
+fn permission_prompt(message: &str) -> DenoResult<PromptResult> {
+  let msg = format!("⚠️  Deno requests {}. Grant? [a/y/n/d (a = allow always, y = allow once, n = deny once, d = deny always)] ", message);
   // print to stderr so that if deno is > to a file this is still displayed.
   eprint!("{}", Style::new().bold().paint(msg));
+  loop {
     let mut input = String::new();
     let stdin = io::stdin();
     let _nread = stdin.read_line(&mut input)?;
     let ch = input.chars().next().unwrap();
-  let is_yes = ch == 'y' || ch == 'Y';
+    match ch.to_ascii_lowercase() {
-  if is_yes {
+      'a' => return Ok(PromptResult::AllowAlways),
-    Ok(())
+      'y' => return Ok(PromptResult::AllowOnce),
-  } else {
+      'n' => return Ok(PromptResult::DenyOnce),
-    Err(permission_denied())
+      'd' => return Ok(PromptResult::DenyAlways),
+      _ => {
+        // If we don't get a recognized option try again.
+        let msg_again = format!("Unrecognized option '{}' [a/y/n/d (a = allow always, y = allow once, n = deny once, d = deny always)] ", ch);
+        eprint!("{}", Style::new().bold().paint(msg_again));
+      }
+    };
   }
 }

tools/permission_prompt_test.py

@@ -5,16 +5,22 @@ import os
 import pty
 import select
 import subprocess
+import sys
+import time
 
-from util import build_path, executable_suffix
+from util import build_path, executable_suffix, green_ok, red_failed
 
 PERMISSIONS_PROMPT_TEST_TS = "tools/permission_prompt_test.ts"
 
+PROMPT_PATTERN = b'⚠️'
+FIRST_CHECK_FAILED_PATTERN = b'First check failed'
+PERMISSION_DENIED_PATTERN = b'PermissionDenied: permission denied'
+
 
 # This function is copied from:
 # https://gist.github.com/hayd/4f46a68fc697ba8888a7b517a414583e
 # https://stackoverflow.com/q/52954248/1240268
-def tty_capture(cmd, bytes_input):
+def tty_capture(cmd, bytes_input, timeout=5):
     """Capture the output of cmd with bytes_input to stdin,
     with stdin, stdout and stderr as TTYs."""
     mo, so = pty.openpty()  # provide tty to enable line-buffering
@@ -22,21 +28,23 @@ def tty_capture(cmd, bytes_input):
     mi, si = pty.openpty()
     fdmap = {mo: 'stdout', me: 'stderr', mi: 'stdin'}
 
+    timeout_exact = time.time() + timeout
     p = subprocess.Popen(
         cmd, bufsize=1, stdin=si, stdout=so, stderr=se, close_fds=True)
     os.write(mi, bytes_input)
 
-    timeout = .04  # seconds
+    select_timeout = .04  #seconds
     res = {'stdout': b'', 'stderr': b''}
     while True:
-        ready, _, _ = select.select([mo, me], [], [], timeout)
+        ready, _, _ = select.select([mo, me], [], [], select_timeout)
         if ready:
             for fd in ready:
                 data = os.read(fd, 512)
                 if not data:
                     break
                 res[fdmap[fd]] += data
-        elif p.poll() is not None:  # select timed-out
+        elif p.poll() is not None or time.time(
+        ) > timeout_exact:  # select timed-out
             break  # p exited
     for fd in [si, so, se, mi, mo, me]:
         os.close(fd)  # can't do it sooner: it leads to errno.EIO error
@@ -44,181 +52,143 @@ def tty_capture(cmd, bytes_input):
     return p.returncode, res['stdout'], res['stderr']
 
 
-class Prompt(object):
+# Wraps a test in debug printouts
-    def __init__(self, deno_exe):
+# so we have visual indicator of what test failed
-        self.deno_exe = deno_exe
+def wrap_test(test_name, test_method, *argv):
+    sys.stdout.write(test_name + " ... ")
+    try:
+        test_method(*argv)
+        print green_ok()
+    except AssertionError:
+        print red_failed()
+        raise
 
-    def run(self,
+
-            arg,
+class Prompt(object):
-            bytes_input,
+    def __init__(self, deno_exe, test_types):
-            allow_read=False,
+        self.deno_exe = deno_exe
-            allow_write=False,
+        self.test_types = test_types
-            allow_net=False,
+
-            allow_env=False,
+    def run(self, args, bytes_input):
-            allow_run=False,
-            no_prompt=False):
         "Returns (return_code, stdout, stderr)."
-        cmd = [self.deno_exe, PERMISSIONS_PROMPT_TEST_TS, arg]
+        cmd = [self.deno_exe, PERMISSIONS_PROMPT_TEST_TS] + args
-        if allow_read:
-            cmd.append("--allow-read")
-        if allow_write:
-            cmd.append("--allow-write")
-        if allow_net:
-            cmd.append("--allow-net")
-        if allow_env:
-            cmd.append("--allow-env")
-        if allow_run:
-            cmd.append("--allow-run")
-        if no_prompt:
-            cmd.append("--no-prompt")
         return tty_capture(cmd, bytes_input)
 
     def warm_up(self):
         # ignore the ts compiling message
-        self.run('needsWrite', b'', allow_write=True)
+        self.run('needsWrite', b'', ["--allow-write"])
 
-    def test_read_yes(self):
+    def test(self):
-        code, stdout, stderr = self.run('needsRead', b'y\n')
+        for test_type in self.test_types:
+            test_name_base = "test_" + test_type
+            wrap_test(test_name_base + "_allow_flag", self.test_allow_flag,
+                      test_type)
+            wrap_test(test_name_base + "_yes_yes", self.test_yes_yes,
+                      test_type)
+            wrap_test(test_name_base + "_yes_no", self.test_yes_no, test_type)
+            wrap_test(test_name_base + "_no_no", self.test_no_no, test_type)
+            wrap_test(test_name_base + "_no_yes", self.test_no_yes, test_type)
+            wrap_test(test_name_base + "_allow", self.test_allow, test_type)
+            wrap_test(test_name_base + "_deny", self.test_deny, test_type)
+            wrap_test(test_name_base + "_unrecognized_option",
+                      self.test_unrecognized_option, test_type)
+            wrap_test(test_name_base + "_no_prompt", self.test_no_prompt,
+                      test_type)
+            wrap_test(test_name_base + "_no_prompt_allow",
+                      self.test_no_prompt_allow, test_type)
+
+    def test_allow_flag(self, test_type):
+        code, stdout, stderr = self.run(
+            ["needs" + test_type.capitalize(), "--allow-" + test_type], b'')
         assert code == 0
-        assert stdout == b''
+        assert not PROMPT_PATTERN in stderr
-        assert b'⚠️  Deno requests read access' in stderr
+        assert not FIRST_CHECK_FAILED_PATTERN in stdout
+        assert not PERMISSION_DENIED_PATTERN in stderr
 
-    def test_read_arg(self):
+    def test_yes_yes(self, test_type):
-        code, stdout, stderr = self.run('needsRead', b'', allow_read=True)
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
+                                        b'y\ny\n')
         assert code == 0
-        assert stdout == b''
+        assert PROMPT_PATTERN in stderr
-        assert stderr == b''
+        assert not FIRST_CHECK_FAILED_PATTERN in stdout
+        assert not PERMISSION_DENIED_PATTERN in stderr
 
-    def test_read_no(self):
+    def test_yes_no(self, test_type):
-        code, _stdout, stderr = self.run('needsRead', b'N\n')
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
+                                        b'y\nn\n')
         assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
+        assert PROMPT_PATTERN in stderr
-        assert b'⚠️  Deno requests read access' in stderr
+        assert not FIRST_CHECK_FAILED_PATTERN in stdout
+        assert PERMISSION_DENIED_PATTERN in stderr
 
-    def test_read_no_prompt(self):
+    def test_no_no(self, test_type):
-        code, _stdout, stderr = self.run('needsRead', b'', no_prompt=True)
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
+                                        b'n\nn\n')
         assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
+        assert PROMPT_PATTERN in stderr
+        assert FIRST_CHECK_FAILED_PATTERN in stdout
+        assert PERMISSION_DENIED_PATTERN in stderr
 
-    def test_write_yes(self):
+    def test_no_yes(self, test_type):
-        code, stdout, stderr = self.run('needsWrite', b'y\n')
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
+                                        b'n\ny\n')
         assert code == 0
-        assert stdout == b''
-        assert b'⚠️  Deno requests write access' in stderr
 
-    def test_write_arg(self):
+        assert PROMPT_PATTERN in stderr
-        code, stdout, stderr = self.run('needsWrite', b'', allow_write=True)
+        assert FIRST_CHECK_FAILED_PATTERN in stdout
+        assert not PERMISSION_DENIED_PATTERN in stderr
+
+    def test_allow(self, test_type):
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
+                                        b'a\n')
         assert code == 0
-        assert stdout == b''
+        assert PROMPT_PATTERN in stderr
-        assert stderr == b''
+        assert not FIRST_CHECK_FAILED_PATTERN in stdout
+        assert not PERMISSION_DENIED_PATTERN in stderr
 
-    def test_write_no(self):
+    def test_deny(self, test_type):
-        code, _stdout, stderr = self.run('needsWrite', b'N\n')
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
+                                        b'd\n')
         assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
+        assert PROMPT_PATTERN in stderr
-        assert b'⚠️  Deno requests write access' in stderr
+        assert FIRST_CHECK_FAILED_PATTERN in stdout
+        assert PERMISSION_DENIED_PATTERN in stderr
 
-    def test_write_no_prompt(self):
+    def test_unrecognized_option(self, test_type):
-        code, _stdout, stderr = self.run('needsWrite', b'', no_prompt=True)
+        code, stdout, stderr = self.run(["needs" + test_type.capitalize()],
-        assert code == 1
+                                        b'e\na\n')
-        assert b'PermissionDenied: permission denied' in stderr
-
-    def test_env_yes(self):
-        code, stdout, stderr = self.run('needsEnv', b'y\n')
         assert code == 0
-        assert stdout == b''
+        assert PROMPT_PATTERN in stderr
-        assert b'⚠️  Deno requests access to environment' in stderr
+        assert not FIRST_CHECK_FAILED_PATTERN in stdout
+        assert not PERMISSION_DENIED_PATTERN in stderr
+        assert b'Unrecognized option' in stderr
 
-    def test_env_arg(self):
+    def test_no_prompt(self, test_type):
-        code, stdout, stderr = self.run('needsEnv', b'', allow_env=True)
+        code, stdout, stderr = self.run(
+            ["needs" + test_type.capitalize(), "--no-prompt"], b'')
+        assert code == 1
+        assert not PROMPT_PATTERN in stderr
+        assert FIRST_CHECK_FAILED_PATTERN in stdout
+        assert PERMISSION_DENIED_PATTERN in stderr
+
+    def test_no_prompt_allow(self, test_type):
+        code, stdout, stderr = self.run([
+            "needs" + test_type.capitalize(), "--no-prompt",
+            "--allow-" + test_type
+        ], b'')
         assert code == 0
-        assert stdout == b''
+        assert not PROMPT_PATTERN in stderr
-        assert stderr == b''
+        assert not FIRST_CHECK_FAILED_PATTERN in stdout
-
+        assert not PERMISSION_DENIED_PATTERN in stderr
-    def test_env_no(self):
-        code, _stdout, stderr = self.run('needsEnv', b'N\n')
-        assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
-        assert b'⚠️  Deno requests access to environment' in stderr
-
-    def test_env_no_prompt(self):
-        code, _stdout, stderr = self.run('needsEnv', b'', no_prompt=True)
-        assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
-
-    def test_net_yes(self):
-        code, stdout, stderr = self.run('needsEnv', b'y\n')
-        assert code == 0
-        assert stdout == b''
-        assert b'⚠️  Deno requests access to environment' in stderr
-
-    def test_net_arg(self):
-        code, stdout, stderr = self.run('needsNet', b'', allow_net=True)
-        assert code == 0
-        assert stdout == b''
-        assert stderr == b''
-
-    def test_net_no(self):
-        code, _stdout, stderr = self.run('needsNet', b'N\n')
-        assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
-        assert b'⚠️  Deno requests network access' in stderr
-
-    def test_net_no_prompt(self):
-        code, _stdout, stderr = self.run('needsNet', b'', no_prompt=True)
-        assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
-
-    def test_run_yes(self):
-        code, stdout, stderr = self.run('needsRun', b'y\n')
-        assert code == 0
-        assert stdout == b'hello'
-        assert b'⚠️  Deno requests access to run' in stderr
-
-    def test_run_arg(self):
-        code, stdout, stderr = self.run('needsRun', b'', allow_run=True)
-        assert code == 0
-        assert stdout == b'hello'
-        assert stderr == b''
-
-    def test_run_no(self):
-        code, _stdout, stderr = self.run('needsRun', b'N\n')
-        assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
-        assert b'⚠️  Deno requests access to run' in stderr
-
-    def test_run_no_prompt(self):
-        code, _stdout, stderr = self.run('needsRun', b'', no_prompt=True)
-        assert code == 1
-        assert b'PermissionDenied: permission denied' in stderr
 
 
 def permission_prompt_test(deno_exe):
-    p = Prompt(deno_exe)
+    p = Prompt(deno_exe, ["read", "write", "env", "net", "run"])
-    p.warm_up()
+    p.test()
-    p.test_read_yes()
-    p.test_read_arg()
-    p.test_read_no()
-    p.test_read_no_prompt()
-    p.test_write_yes()
-    p.test_write_arg()
-    p.test_write_no()
-    p.test_write_no_prompt()
-    p.test_env_yes()
-    p.test_env_arg()
-    p.test_env_no()
-    p.test_env_no_prompt()
-    p.test_net_yes()
-    p.test_net_arg()
-    p.test_net_no()
-    p.test_net_no_prompt()
-    p.test_run_yes()
-    p.test_run_arg()
-    p.test_run_no()
-    p.test_run_no_prompt()
 
 
 def main():
+    print "Permissions prompt tests"
     deno_exe = os.path.join(build_path(), "deno" + executable_suffix)
     permission_prompt_test(deno_exe)
 

tools/permission_prompt_test.ts

@@ -1,21 +1,54 @@
 // Copyright 2018-2019 the Deno authors. All rights reserved. MIT license.
-const { args, listen, env, exit, makeTempDirSync, readFile, run } = Deno;
+const { args, listen, env, exit, makeTempDirSync, readFileSync, run } = Deno;
+
+const firstCheckFailedMessage = "First check failed";
 
 const name = args[1];
 const test = {
-  needsRead: () => {
+  needsRead: async () => {
-    readFile("package.json");
+    try {
+      readFileSync("package.json");
+    } catch (e) {
+      console.log(firstCheckFailedMessage);
+    }
+    readFileSync("package.json");
   },
   needsWrite: () => {
+    try {
+      makeTempDirSync();
+    } catch (e) {
+      console.log(firstCheckFailedMessage);
+    }
     makeTempDirSync();
   },
   needsEnv: () => {
+    try {
+      env().home;
+    } catch (e) {
+      console.log(firstCheckFailedMessage);
+    }
     env().home;
   },
   needsNet: () => {
+    try {
       listen("tcp", "127.0.0.1:4540");
+    } catch (e) {
+      console.log(firstCheckFailedMessage);
+    }
+    listen("tcp", "127.0.0.1:4541");
   },
-  needsRun: async () => {
+  needsRun: () => {
+    try {
+      const process = run({
+        args: [
+          "python",
+          "-c",
+          "import sys; sys.stdout.write('hello'); sys.stdout.flush()"
+        ]
+      });
+    } catch (e) {
+      console.log(firstCheckFailedMessage);
+    }
     const process = run({
       args: [
         "python",
@@ -23,7 +56,6 @@ const test = {
         "import sys; sys.stdout.write('hello'); sys.stdout.flush()"
       ]
     });
-    await process.status();
   }
 }[name];