foster/denoland-deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-21 15:04:11 -05:00
Code Issues Packages 1 Wiki Activity

refactor: remove PermissionsContainer in deno_runtime (#24119)

Browse source 
Also removes permissions being passed in for node resolution. It was
completely useless because we only checked it for reading package.json
files, but Deno reading package.json files for resolution is perfectly
fine.

My guess is this is also a perf improvement because Deno is doing less
work.
This commit is contained in:
David Sherret 2024-06-06 23:37:53 -04:00 committed by GitHub
parent a17794d5cf
commit 386d5c8310
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
69 changed files with 428 additions and 564 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
Cargo.lock generated
View file

@ -1432,6 +1432,7 @@ dependencies = [
"bytes",
"data-url",
"deno_core",
"deno_permissions",
"deno_tls",
"dyn-clone",
"http 0.2.12",
@ -1447,6 +1448,7 @@ name = "deno_ffi"
version = "0.142.0"
dependencies = [
"deno_core",
"deno_permissions",
"dlopen2",
"dynasmrt",
"libffi",
@ -1466,6 +1468,7 @@ dependencies = [
"base32",
"deno_core",
"deno_io",
"deno_permissions",
"filetime",
"junction",
"libc",
@ -1572,6 +1575,7 @@ dependencies = [
"deno_core",
"deno_fetch",
"deno_node",
"deno_permissions",
"deno_tls",
"denokv_proto",
"denokv_remote",
@ -1631,6 +1635,7 @@ name = "deno_napi"
version = "0.85.0"
dependencies = [
"deno_core",
"deno_permissions",
"libloading 0.7.4",
]
@ -1652,6 +1657,7 @@ name = "deno_net"
version = "0.147.0"
dependencies = [
"deno_core",
"deno_permissions",
"deno_tls",
"pin-project",
"rustls-tokio-stream",
@ -1928,6 +1934,7 @@ dependencies = [
"deno_bench_util",
"deno_console",
"deno_core",
"deno_permissions",
"deno_url",
"deno_webidl",
"encoding_rs",
@ -1965,6 +1972,7 @@ dependencies = [
"bytes",
"deno_core",
"deno_net",
"deno_permissions",
"deno_tls",
"fastwebsockets",
"h2 0.4.4",

4
cli/args/flags.rs
View file

@ -17,8 +17,8 @@ use deno_core::error::AnyError;
use deno_core::resolve_url_or_path;
use deno_core::url::Url;
use deno_graph::GraphKind;
use deno_runtime::permissions::parse_sys_kind;
use deno_runtime::permissions::PermissionsOptions;
use deno_runtime::deno_permissions::parse_sys_kind;
use deno_runtime::deno_permissions::PermissionsOptions;
use log::debug;
use log::Level;
use serde::Deserialize;

2
cli/args/import_map.rs
View file

@ -4,7 +4,7 @@ use deno_core::anyhow::Context;
use deno_core::error::AnyError;
use deno_core::serde_json;
use deno_core::url::Url;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use import_map::ImportMap;
use import_map::ImportMapDiagnostic;
use log::warn;

2
cli/args/mod.rs
View file

@ -47,13 +47,13 @@ use deno_core::parking_lot::Mutex;
use deno_core::serde_json;
use deno_core::url::Url;
use deno_runtime::deno_node::PackageJson;
use deno_runtime::deno_permissions::PermissionsOptions;
use deno_runtime::deno_tls::deno_native_certs::load_native_certs;
use deno_runtime::deno_tls::rustls;
use deno_runtime::deno_tls::rustls::RootCertStore;
use deno_runtime::deno_tls::rustls_pemfile;
use deno_runtime::deno_tls::webpki_roots;
use deno_runtime::inspector_server::InspectorServer;
use deno_runtime::permissions::PermissionsOptions;
use deno_terminal::colors;
use dotenvy::from_filename;
use once_cell::sync::Lazy;

2
cli/cache/mod.rs vendored
View file

@ -17,7 +17,7 @@ use deno_graph::source::CacheInfo;
use deno_graph::source::LoadFuture;
use deno_graph::source::LoadResponse;
use deno_graph::source::Loader;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use std::collections::HashMap;
use std::path::Path;
use std::path::PathBuf;

2
cli/file_fetcher.rs
View file

@ -22,8 +22,8 @@ use deno_core::url::Url;
use deno_core::ModuleSpecifier;
use deno_graph::source::LoaderChecksum;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::deno_web::BlobStore;
use deno_runtime::permissions::PermissionsContainer;
use log::debug;
use std::borrow::Cow;
use std::collections::HashMap;

2
cli/graph_container.rs
View file

@ -8,7 +8,7 @@ use deno_core::parking_lot::RwLock;
use deno_core::resolve_url_or_path;
use deno_graph::ModuleGraph;
use deno_runtime::colors;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use crate::args::CliOptions;
use crate::module_loader::ModuleLoadPreparer;

2
cli/graph_util.rs
View file

@ -41,7 +41,7 @@ use deno_graph::ResolutionError;
use deno_graph::SpecifierError;
use deno_runtime::deno_fs::FileSystem;
use deno_runtime::deno_node;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_semver::package::PackageNv;
use deno_semver::package::PackageReq;
use import_map::ImportMapError;

2
cli/jsr.rs
View file

@ -10,7 +10,7 @@ use deno_core::ModuleSpecifier;
use deno_graph::packages::JsrPackageInfo;
use deno_graph::packages::JsrPackageVersionInfo;
use deno_lockfile::Lockfile;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_semver::jsr::JsrPackageReqReference;
use deno_semver::package::PackageNv;
use deno_semver::package::PackageReq;

2
cli/lsp/config.rs
View file

@ -29,8 +29,8 @@ use deno_lint::linter::LintConfig;
use deno_lockfile::Lockfile;
use deno_npm::npm_rc::ResolvedNpmRc;
use deno_runtime::deno_node::PackageJson;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::fs_util::specifier_to_file_path;
use deno_runtime::permissions::PermissionsContainer;
use import_map::ImportMap;
use lsp::Url;
use lsp_types::ClientCapabilities;

2
cli/lsp/jsr.rs
View file

@ -7,7 +7,7 @@ use dashmap::DashMap;
use deno_core::anyhow::anyhow;
use deno_core::error::AnyError;
use deno_core::serde_json;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_semver::package::PackageNv;
use deno_semver::Version;
use serde::Deserialize;

2
cli/lsp/npm.rs
View file

@ -4,7 +4,7 @@ use dashmap::DashMap;
use deno_core::anyhow::anyhow;
use deno_core::error::AnyError;
use deno_core::serde_json;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_semver::package::PackageNv;
use deno_semver::Version;
use serde::Deserialize;

2
cli/lsp/registries.rs
View file

@ -30,7 +30,7 @@ use deno_core::url::Position;
use deno_core::url::Url;
use deno_core::ModuleSpecifier;
use deno_graph::Dependency;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use log::error;
use once_cell::sync::Lazy;
use std::collections::HashMap;

14
cli/lsp/resolver.rs
View file

@ -38,7 +38,6 @@ use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::NodeResolver;
use deno_runtime::deno_node::PackageJson;
use deno_runtime::fs_util::specifier_to_file_path;
use deno_runtime::permissions::PermissionsContainer;
use deno_semver::jsr::JsrPackageReqReference;
use deno_semver::npm::NpmPackageReqReference;
use deno_semver::package::PackageNv;
@ -247,12 +246,7 @@ impl LspResolver {
let node_resolver = self.node_resolver.as_ref()?;
Some(NodeResolution::into_specifier_and_media_type(
node_resolver
.resolve_req_reference(
req_ref,
&PermissionsContainer::allow_all(),
referrer,
NodeResolutionMode::Types,
)
.resolve_req_reference(req_ref, referrer, NodeResolutionMode::Types)
.ok(),
))
}
@ -282,8 +276,10 @@ impl LspResolver {
let Some(node_resolver) = self.node_resolver.as_ref() else {
return Ok(None);
};
node_resolver
.get_closest_package_json(referrer, &PermissionsContainer::allow_all())
node_resolver.get_closest_package_json(
referrer,
&mut deno_runtime::deno_node::AllowAllNodePermissions,
)
}
pub fn resolve_redirects(

2
cli/lsp/testing/execution.rs
View file

@ -26,7 +26,7 @@ use deno_core::parking_lot::RwLock;
use deno_core::unsync::spawn;
use deno_core::unsync::spawn_blocking;
use deno_core::ModuleSpecifier;
use deno_runtime::permissions::Permissions;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::tokio_util::create_and_run_current_thread;
use indexmap::IndexMap;
use std::collections::HashMap;

2
cli/main.rs
View file

@ -318,7 +318,7 @@ pub fn main() {
util::windows::ensure_stdio_open();
#[cfg(windows)]
colors::enable_ansi(); // For Windows 10
deno_runtime::permissions::set_prompt_callbacks(
deno_runtime::deno_permissions::set_prompt_callbacks(
Box::new(util::draw_thread::DrawThread::hide),
Box::new(util::draw_thread::DrawThread::show),
);

29
cli/module_loader.rs
View file

@ -68,7 +68,7 @@ use deno_graph::Resolution;
use deno_lockfile::Lockfile;
use deno_runtime::code_cache;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_semver::npm::NpmPackageReqReference;
pub async fn load_top_level_deps(factory: &CliFactory) -> Result<(), AnyError> {
@ -104,7 +104,7 @@ pub async fn load_top_level_deps(factory: &CliFactory) -> Result<(), AnyError> {
&roots,
false,
factory.cli_options().ts_type_lib_window(),
deno_runtime::permissions::PermissionsContainer::allow_all(),
deno_runtime::deno_permissions::PermissionsContainer::allow_all(),
)
.await?;
}
@ -348,18 +348,12 @@ impl<TGraphContainer: ModuleGraphContainer>
&self,
specifier: &ModuleSpecifier,
maybe_referrer: Option<&ModuleSpecifier>,
is_dynamic: bool,
requested_module_type: RequestedModuleType,
) -> Result<ModuleSource, AnyError> {
let permissions = if is_dynamic {
&self.dynamic_permissions
} else {
&self.root_permissions
};
let code_source = if let Some(result) = self
.shared
.npm_module_loader
.load_if_in_npm_package(specifier, maybe_referrer, permissions)
.load_if_in_npm_package(specifier, maybe_referrer)
.await
{
result?
@ -448,19 +442,11 @@ impl<TGraphContainer: ModuleGraphContainer>
&self,
specifier: &str,
referrer: &ModuleSpecifier,
kind: ResolutionKind,
) -> Result<ModuleSpecifier, AnyError> {
let permissions = if matches!(kind, ResolutionKind::DynamicImport) {
&self.dynamic_permissions
} else {
&self.root_permissions
};
if let Some(result) = self.shared.node_resolver.resolve_if_in_npm_package(
specifier,
referrer,
NodeResolutionMode::Execution,
permissions,
) {
return match result? {
Some(res) => Ok(res.into_url()),
@ -505,7 +491,6 @@ impl<TGraphContainer: ModuleGraphContainer>
.node_resolver
.resolve_req_reference(
&reference,
permissions,
referrer,
NodeResolutionMode::Execution,
)
@ -530,7 +515,6 @@ impl<TGraphContainer: ModuleGraphContainer>
module.nv_reference.sub_path(),
referrer,
NodeResolutionMode::Execution,
permissions,
)
.with_context(|| {
format!("Could not resolve '{}'.", module.nv_reference)
@ -720,7 +704,7 @@ impl<TGraphContainer: ModuleGraphContainer> ModuleLoader
&self,
specifier: &str,
referrer: &str,
kind: ResolutionKind,
_kind: ResolutionKind,
) -> Result<ModuleSpecifier, AnyError> {
fn ensure_not_jsr_non_jsr_remote_import(
specifier: &ModuleSpecifier,
@ -736,7 +720,7 @@ impl<TGraphContainer: ModuleGraphContainer> ModuleLoader
}
let referrer = self.0.resolve_referrer(referrer)?;
let specifier = self.0.inner_resolve(specifier, &referrer, kind)?;
let specifier = self.0.inner_resolve(specifier, &referrer)?;
ensure_not_jsr_non_jsr_remote_import(&specifier, &referrer)?;
Ok(specifier)
}
@ -745,7 +729,7 @@ impl<TGraphContainer: ModuleGraphContainer> ModuleLoader
&self,
specifier: &ModuleSpecifier,
maybe_referrer: Option<&ModuleSpecifier>,
is_dynamic: bool,
_is_dynamic: bool,
requested_module_type: RequestedModuleType,
) -> deno_core::ModuleLoadResponse {
let inner = self.0.clone();
@ -757,7 +741,6 @@ impl<TGraphContainer: ModuleGraphContainer> ModuleLoader
.load_inner(
&specifier,
maybe_referrer.as_ref(),
is_dynamic,
requested_module_type,
)
.await

2
cli/npm/byonm.rs
View file

@ -160,7 +160,7 @@ impl NpmResolver for ByonmCliNpmResolver {
fn ensure_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError> {
if !path

2
cli/npm/managed/mod.rs
View file

@ -550,7 +550,7 @@ impl NpmResolver for ManagedCliNpmResolver {
fn ensure_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError> {
self.fs_resolver.ensure_read_permission(permissions, path)

4
cli/npm/managed/resolvers/common.rs
View file

@ -53,7 +53,7 @@ pub trait NpmPackageFsResolver: Send + Sync {
fn ensure_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError>;
}
@ -76,7 +76,7 @@ impl RegistryReadPermissionChecker {
pub fn ensure_registry_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError> {
// allow reading if it's in the node_modules

2
cli/npm/managed/resolvers/global.rs
View file

@ -146,7 +146,7 @@ impl NpmPackageFsResolver for GlobalNpmPackageResolver {
fn ensure_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError> {
self

2
cli/npm/managed/resolvers/local.rs
View file

@ -243,7 +243,7 @@ impl NpmPackageFsResolver for LocalNpmPackageResolver {
fn ensure_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError> {
self

2
cli/npm/mod.rs
View file

@ -14,7 +14,7 @@ use deno_core::error::AnyError;
use deno_core::serde_json;
use deno_npm::registry::NpmPackageInfo;
use deno_runtime::deno_node::NpmResolver;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_semver::package::PackageNv;
use deno_semver::package::PackageReq;

8
cli/ops/bench.rs
View file

@ -11,9 +11,9 @@ use deno_core::op2;
use deno_core::v8;
use deno_core::ModuleSpecifier;
use deno_core::OpState;
use deno_runtime::permissions::create_child_permissions;
use deno_runtime::permissions::ChildPermissionsArg;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::create_child_permissions;
use deno_runtime::deno_permissions::ChildPermissionsArg;
use deno_runtime::deno_permissions::PermissionsContainer;
use tokio::sync::mpsc::UnboundedSender;
use uuid::Uuid;
@ -61,7 +61,7 @@ pub fn op_pledge_test_permissions(
let token = Uuid::new_v4();
let parent_permissions = state.borrow_mut::<PermissionsContainer>();
let worker_permissions = {
let mut parent_permissions = parent_permissions.0 .0.lock();
let mut parent_permissions = parent_permissions.0.lock();
let perms = create_child_permissions(&mut parent_permissions, args)?;
PermissionsContainer::new(perms)
};

8
cli/ops/testing.rs
View file

@ -16,9 +16,9 @@ use deno_core::op2;
use deno_core::v8;
use deno_core::ModuleSpecifier;
use deno_core::OpState;
use deno_runtime::permissions::create_child_permissions;
use deno_runtime::permissions::ChildPermissionsArg;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::create_child_permissions;
use deno_runtime::deno_permissions::ChildPermissionsArg;
use deno_runtime::deno_permissions::PermissionsContainer;
use serde::Serialize;
use std::sync::atomic::AtomicUsize;
use std::sync::atomic::Ordering;
@ -57,7 +57,7 @@ pub fn op_pledge_test_permissions(
let token = Uuid::new_v4();
let parent_permissions = state.borrow_mut::<PermissionsContainer>();
let worker_permissions = {
let mut parent_permissions = parent_permissions.0 .0.lock();
let mut parent_permissions = parent_permissions.0.lock();
let perms = create_child_permissions(&mut parent_permissions, args)?;
PermissionsContainer::new(perms)
};

42
cli/resolver.rs
View file

@ -30,7 +30,6 @@ use deno_runtime::deno_node::NodeResolver;
use deno_runtime::deno_node::NpmResolver as DenoNodeNpmResolver;
use deno_runtime::deno_node::PackageJson;
use deno_runtime::fs_util::specifier_to_file_path;
use deno_runtime::permissions::PermissionsContainer;
use deno_semver::npm::NpmPackageReqReference;
use deno_semver::package::PackageReq;
use import_map::ImportMap;
@ -100,7 +99,7 @@ impl CliNodeResolver {
pub fn get_closest_package_json(
&self,
referrer: &ModuleSpecifier,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
) -> Result<Option<Rc<PackageJson>>, AnyError> {
self
.node_resolver
@ -112,11 +111,10 @@ impl CliNodeResolver {
specifier: &str,
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
permissions: &PermissionsContainer,
) -> Option<Result<Option<NodeResolution>, AnyError>> {
if self.in_npm_package(referrer) {
// we're in an npm package, so use node resolution
Some(self.resolve(specifier, referrer, mode, permissions))
Some(self.resolve(specifier, referrer, mode))
} else {
None
}
@ -127,20 +125,15 @@ impl CliNodeResolver {
specifier: &str,
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
permissions: &PermissionsContainer,
) -> Result<Option<NodeResolution>, AnyError> {
self.handle_node_resolve_result(self.node_resolver.resolve(
specifier,
referrer,
mode,
permissions,
))
self.handle_node_resolve_result(
self.node_resolver.resolve(specifier, referrer, mode),
)
}
pub fn resolve_req_reference(
&self,
req_ref: &NpmPackageReqReference,
permissions: &PermissionsContainer,
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
) -> Result<NodeResolution, AnyError> {
@ -152,7 +145,6 @@ impl CliNodeResolver {
req_ref.sub_path(),
referrer,
mode,
permissions,
)?;
match maybe_resolution {
Some(resolution) => Ok(resolution),
@ -181,7 +173,6 @@ impl CliNodeResolver {
sub_path: Option<&str>,
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
permissions: &PermissionsContainer,
) -> Result<Option<NodeResolution>, AnyError> {
self.handle_node_resolve_result(
self.node_resolver.resolve_package_subpath_from_deno_module(
@ -189,7 +180,6 @@ impl CliNodeResolver {
sub_path,
referrer,
mode,
permissions,
),
)
}
@ -278,10 +268,9 @@ impl NpmModuleLoader {
&self,
specifier: &ModuleSpecifier,
maybe_referrer: Option<&ModuleSpecifier>,
permissions: &PermissionsContainer,
) -> Option<Result<ModuleCodeStringSource, AnyError>> {
if self.node_resolver.in_npm_package(specifier) {
Some(self.load(specifier, maybe_referrer, permissions).await)
Some(self.load(specifier, maybe_referrer).await)
} else {
None
}
@ -291,7 +280,6 @@ impl NpmModuleLoader {
&self,
specifier: &ModuleSpecifier,
maybe_referrer: Option<&ModuleSpecifier>,
permissions: &PermissionsContainer,
) -> Result<ModuleCodeStringSource, AnyError> {
let file_path = specifier.to_file_path().unwrap();
let code = self
@ -336,7 +324,7 @@ impl NpmModuleLoader {
ModuleSourceCode::String(
self
.node_code_translator
.translate_cjs_to_esm(specifier, Some(code), permissions)
.translate_cjs_to_esm(specifier, Some(code))
.await?
.into(),
)
@ -638,12 +626,7 @@ impl Resolver for CliGraphResolver {
{
let node_resolver = self.node_resolver.as_ref().unwrap();
return node_resolver
.resolve_req_reference(
&npm_req_ref,
&PermissionsContainer::allow_all(),
referrer,
to_node_mode(mode),
)
.resolve_req_reference(&npm_req_ref, referrer, to_node_mode(mode))
.map(|res| res.into_url())
.map_err(|err| err.into());
}
@ -651,12 +634,8 @@ impl Resolver for CliGraphResolver {
Err(_) => {
if referrer.scheme() == "file" {
if let Some(node_resolver) = &self.node_resolver {
let node_result = node_resolver.resolve(
specifier,
referrer,
to_node_mode(mode),
&PermissionsContainer::allow_all(),
);
let node_result =
node_resolver.resolve(specifier, referrer, to_node_mode(mode));
match node_result {
Ok(Some(res)) => {
return Ok(res.into_url());
@ -694,7 +673,6 @@ impl Resolver for CliGraphResolver {
specifier,
referrer,
to_node_mode(mode),
&PermissionsContainer::allow_all(),
);
if let Some(Ok(Some(res))) = node_result {
return Ok(res.into_url());

20
cli/standalone/mod.rs
View file

@ -53,10 +53,10 @@ use deno_runtime::deno_fs;
use deno_runtime::deno_node::analyze::NodeCodeTranslator;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::NodeResolver;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::deno_tls::rustls::RootCertStore;
use deno_runtime::deno_tls::RootCertStoreProvider;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::WorkerExecutionMode;
use deno_runtime::WorkerLogLevel;
use deno_semver::npm::NpmPackageReqReference;
@ -112,16 +112,10 @@ impl ModuleLoader for EmbeddedModuleLoader {
})?
};
let permissions = if matches!(kind, ResolutionKind::DynamicImport) {
&self.dynamic_permissions
} else {
&self.root_permissions
};
if let Some(result) = self.shared.node_resolver.resolve_if_in_npm_package(
specifier,
&referrer,
NodeResolutionMode::Execution,
permissions,
) {
return match result? {
Some(res) => Ok(res.into_url()),
@ -146,7 +140,6 @@ impl ModuleLoader for EmbeddedModuleLoader {
.node_resolver
.resolve_req_reference(
&reference,
permissions,
&referrer,
NodeResolutionMode::Execution,
)
@ -174,7 +167,7 @@ impl ModuleLoader for EmbeddedModuleLoader {
&self,
original_specifier: &ModuleSpecifier,
maybe_referrer: Option<&ModuleSpecifier>,
is_dynamic: bool,
_is_dynamic: bool,
_requested_module_type: RequestedModuleType,
) -> deno_core::ModuleLoadResponse {
if original_specifier.scheme() == "data" {
@ -203,15 +196,10 @@ impl ModuleLoader for EmbeddedModuleLoader {
let npm_module_loader = self.shared.npm_module_loader.clone();
let original_specifier = original_specifier.clone();
let maybe_referrer = maybe_referrer.cloned();
let permissions = if is_dynamic {
self.dynamic_permissions.clone()
} else {
self.root_permissions.clone()
};
return deno_core::ModuleLoadResponse::Async(
async move {
let code_source = npm_module_loader
.load(&original_specifier, maybe_referrer.as_ref(), &permissions)
.load(&original_specifier, maybe_referrer.as_ref())
.await?;
Ok(deno_core::ModuleSource::new_with_redirect(
match code_source.media_type {

4
cli/tools/bench/mod.rs
View file

@ -31,8 +31,8 @@ use deno_core::unsync::spawn_blocking;
use deno_core::v8;
use deno_core::ModuleSpecifier;
use deno_core::PollEventLoopOptions;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::tokio_util::create_and_run_current_thread;
use deno_runtime::WorkerExecutionMode;
use indexmap::IndexMap;

4
cli/tools/jupyter/mod.rs
View file

@ -18,8 +18,8 @@ use deno_core::serde_json;
use deno_core::url::Url;
use deno_runtime::deno_io::Stdio;
use deno_runtime::deno_io::StdioPipe;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::WorkerExecutionMode;
use deno_terminal::colors;

4
cli/tools/repl/mod.rs
View file

@ -13,8 +13,8 @@ use deno_core::error::AnyError;
use deno_core::futures::StreamExt;
use deno_core::serde_json;
use deno_core::unsync::spawn_blocking;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::WorkerExecutionMode;
use rustyline::error::ReadlineError;

4
cli/tools/run/mod.rs
View file

@ -3,8 +3,8 @@
use std::io::Read;
use deno_core::error::AnyError;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::WorkerExecutionMode;
use crate::args::EvalFlags;

4
cli/tools/test/mod.rs
View file

@ -54,9 +54,9 @@ use deno_core::OpState;
use deno_core::PollEventLoopOptions;
use deno_runtime::deno_io::Stdio;
use deno_runtime::deno_io::StdioPipe;
use deno_runtime::deno_permissions::Permissions;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::fmt_errors::format_js_error;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::tokio_util::create_and_run_current_thread;
use deno_runtime::worker::MainWorker;
use deno_runtime::WorkerExecutionMode;

10
cli/tsc/mod.rs
View file

@ -33,7 +33,6 @@ use deno_graph::ResolutionResolved;
use deno_runtime::deno_node::NodeResolution;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::NodeResolver;
use deno_runtime::permissions::PermissionsContainer;
use deno_semver::npm::NpmPackageReqReference;
use lsp_types::Url;
use once_cell::sync::Lazy;
@ -742,7 +741,6 @@ fn resolve_graph_specifier_types(
module.nv_reference.sub_path(),
referrer,
NodeResolutionMode::Types,
&PermissionsContainer::allow_all(),
)?;
Ok(Some(NodeResolution::into_specifier_and_media_type(
maybe_resolution,
@ -779,12 +777,7 @@ fn resolve_non_graph_specifier_types(
// we're in an npm package, so use node resolution
Ok(Some(NodeResolution::into_specifier_and_media_type(
node_resolver
.resolve(
specifier,
referrer,
NodeResolutionMode::Types,
&PermissionsContainer::allow_all(),
)
.resolve(specifier, referrer, NodeResolutionMode::Types)
.ok()
.flatten(),
)))
@ -802,7 +795,6 @@ fn resolve_non_graph_specifier_types(
npm_req_ref.sub_path(),
referrer,
NodeResolutionMode::Types,
&PermissionsContainer::allow_all(),
)?;
Ok(Some(NodeResolution::into_specifier_and_media_type(
maybe_resolution,

23
cli/worker.rs
View file

@ -28,12 +28,12 @@ use deno_runtime::deno_node;
use deno_runtime::deno_node::NodeResolution;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::NodeResolver;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::deno_tls::RootCertStoreProvider;
use deno_runtime::deno_web::BlobStore;
use deno_runtime::fmt_errors::format_js_error;
use deno_runtime::inspector_server::InspectorServer;
use deno_runtime::ops::worker_host::CreateWebWorkerCb;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::web_worker::WebWorker;
use deno_runtime::web_worker::WebWorkerOptions;
use deno_runtime::worker::MainWorker;
@ -522,11 +522,8 @@ impl CliMainWorkerFactory {
package_ref.req(),
&referrer,
)?;
let node_resolution = self.resolve_binary_entrypoint(
&package_folder,
package_ref.sub_path(),
&permissions,
)?;
let node_resolution = self
.resolve_binary_entrypoint(&package_folder, package_ref.sub_path())?;
let is_main_cjs = matches!(node_resolution, NodeResolution::CommonJs(_));
if let Some(lockfile) = &shared.maybe_lockfile {
@ -636,6 +633,7 @@ impl CliMainWorkerFactory {
strace_ops: shared.options.strace_ops.clone(),
module_loader,
fs: shared.fs.clone(),
node_resolver: Some(shared.node_resolver.clone()),
npm_resolver: Some(shared.npm_resolver.clone().into_npm_resolver()),
get_error_class_fn: Some(&errors::get_error_class_name),
cache_storage_dir,
@ -687,7 +685,6 @@ impl CliMainWorkerFactory {
&self,
package_folder: &Path,
sub_path: Option<&str>,
permissions: &PermissionsContainer,
) -> Result<NodeResolution, AnyError> {
match self
.shared
@ -697,11 +694,8 @@ impl CliMainWorkerFactory {
Ok(node_resolution) => Ok(node_resolution),
Err(original_err) => {
// if the binary entrypoint was not found, fallback to regular node resolution
let result = self.resolve_binary_entrypoint_fallback(
package_folder,
sub_path,
permissions,
);
let result =
self.resolve_binary_entrypoint_fallback(package_folder, sub_path);
match result {
Ok(Some(resolution)) => Ok(resolution),
Ok(None) => Err(original_err),
@ -718,7 +712,6 @@ impl CliMainWorkerFactory {
&self,
package_folder: &Path,
sub_path: Option<&str>,
permissions: &PermissionsContainer,
) -> Result<Option<NodeResolution>, AnyError> {
// only fallback if the user specified a sub path
if sub_path.is_none() {
@ -739,7 +732,6 @@ impl CliMainWorkerFactory {
sub_path,
&referrer,
NodeResolutionMode::Execution,
permissions,
)?
else {
return Ok(None);
@ -843,6 +835,7 @@ fn create_web_worker_callback(
source_map_getter,
module_loader,
fs: shared.fs.clone(),
node_resolver: Some(shared.node_resolver.clone()),
npm_resolver: Some(shared.npm_resolver.clone().into_npm_resolver()),
worker_type: args.worker_type,
maybe_inspector_server,
@ -877,7 +870,7 @@ fn create_web_worker_callback(
mod tests {
use super::*;
use deno_core::resolve_path;
use deno_runtime::permissions::Permissions;
use deno_runtime::deno_permissions::Permissions;
fn create_test_worker() -> MainWorker {
let main_module =

1
ext/fetch/Cargo.toml
View file

@ -17,6 +17,7 @@ path = "lib.rs"
bytes.workspace = true
data-url.workspace = true
deno_core.workspace = true
deno_permissions.workspace = true
deno_tls.workspace = true
dyn-clone = "1"
http_v02.workspace = true

20
ext/fetch/lib.rs
View file

@ -281,6 +281,26 @@ pub trait FetchPermissions {
fn check_read(&mut self, _p: &Path, api_name: &str) -> Result<(), AnyError>;
}
impl FetchPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_net_url(self, url, api_name)
}
#[inline(always)]
fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read(self, path, api_name)
}
}
#[op2]
#[serde]
#[allow(clippy::too_many_arguments)]

1
ext/ffi/Cargo.toml
View file

@ -15,6 +15,7 @@ path = "lib.rs"
[dependencies]
deno_core.workspace = true
deno_permissions.workspace = true
dlopen2.workspace = true
dynasmrt = "1.2.3"
libffi = "=3.2.0"

7
ext/ffi/lib.rs
View file

@ -53,6 +53,13 @@ pub trait FfiPermissions {
fn check_partial(&mut self, path: Option<&Path>) -> Result<(), AnyError>;
}
impl FfiPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_partial(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_ffi_partial(self, path)
}
}
deno_core::extension!(deno_ffi,
deps = [ deno_web ],
parameters = [P: FfiPermissions],

1
ext/fs/Cargo.toml
View file

@ -21,6 +21,7 @@ async-trait.workspace = true
base32.workspace = true
deno_core.workspace = true
deno_io.workspace = true
deno_permissions.workspace = true
filetime.workspace = true
libc.workspace = true
rand.workspace = true

89
ext/fs/lib.rs
View file

@ -23,9 +23,10 @@ use crate::ops::*;
use deno_core::error::AnyError;
use deno_core::OpState;
use deno_io::fs::FsError;
use std::borrow::Cow;
use std::path::Path;
pub trait FsPermissions: Send + Sync {
pub trait FsPermissions {
fn check_open<'a>(
&mut self,
resolved: bool,
@ -78,6 +79,92 @@ pub trait FsPermissions: Send + Sync {
}
}
impl FsPermissions for deno_permissions::PermissionsContainer {
fn check_open<'a>(
&mut self,
resolved: bool,
read: bool,
write: bool,
path: &'a Path,
api_name: &str,
) -> Result<Cow<'a, Path>, FsError> {
if resolved {
self.check_special_file(path, api_name).map_err(|_| {
std::io::Error::from(std::io::ErrorKind::PermissionDenied)
})?;
return Ok(Cow::Borrowed(path));
}
// If somehow read or write aren't specified, use read
let read = read || !write;
if read {
FsPermissions::check_read(self, path, api_name)
.map_err(|_| FsError::PermissionDenied("read"))?;
}
if write {
FsPermissions::check_write(self, path, api_name)
.map_err(|_| FsError::PermissionDenied("write"))?;
}
Ok(Cow::Borrowed(path))
}
fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read(self, path, api_name)
}
fn check_read_blind(
&mut self,
path: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read_blind(
self, path, display, api_name,
)
}
fn check_write(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write(self, path, api_name)
}
fn check_write_partial(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write_partial(
self, path, api_name,
)
}
fn check_write_blind(
&mut self,
p: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write_blind(
self, p, display, api_name,
)
}
fn check_read_all(&mut self, api_name: &str) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read_all(self, api_name)
}
fn check_write_all(&mut self, api_name: &str) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write_all(self, api_name)
}
}
pub const UNSTABLE_FEATURE_NAME: &str = "fs";
/// Helper for checking unstable features. Used for sync ops.

1
ext/kv/Cargo.toml
View file

@ -21,6 +21,7 @@ chrono = { workspace = true, features = ["now"] }
deno_core.workspace = true
deno_fetch.workspace = true
deno_node.workspace = true
deno_permissions.workspace = true
deno_tls.workspace = true
denokv_proto.workspace = true
denokv_remote.workspace = true

16
ext/kv/remote.rs
View file

@ -48,6 +48,22 @@ pub trait RemoteDbHandlerPermissions {
) -> Result<(), AnyError>;
}
impl RemoteDbHandlerPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_env(&mut self, var: &str) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_env(self, var)
}
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_net_url(self, url, api_name)
}
}
pub struct RemoteDbHandler<P: RemoteDbHandlerPermissions + 'static> {
http_options: HttpOptions,
_p: std::marker::PhantomData<P>,

12
ext/kv/sqlite.rs
View file

@ -40,6 +40,18 @@ pub trait SqliteDbHandlerPermissions {
fn check_write(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError>;
}
impl SqliteDbHandlerPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_read(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read(self, p, api_name)
}
#[inline(always)]
fn check_write(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write(self, p, api_name)
}
}
impl<P: SqliteDbHandlerPermissions> SqliteDbHandler<P> {
pub fn new(
default_storage_dir: Option<PathBuf>,

1
ext/napi/Cargo.toml
View file

@ -15,4 +15,5 @@ path = "lib.rs"
[dependencies]
deno_core.workspace = true
deno_permissions.workspace = true
libloading = { version = "0.7" }

9
ext/napi/lib.rs
View file

@ -432,6 +432,15 @@ pub trait NapiPermissions {
-> std::result::Result<(), AnyError>;
}
// NOTE(bartlomieju): for now, NAPI uses `--allow-ffi` flag, but that might
// change in the future.
impl NapiPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_ffi(self, path)
}
}
/// # Safety
///
/// This function is unsafe because it dereferences raw pointer Env.

1
ext/net/Cargo.toml
View file

@ -15,6 +15,7 @@ path = "lib.rs"
[dependencies]
deno_core.workspace = true
deno_permissions.workspace = true
deno_tls.workspace = true
pin-project.workspace = true
rustls-tokio-stream.workspace = true

29
ext/net/lib.rs
View file

@ -30,6 +30,35 @@ pub trait NetPermissions {
-> Result<(), AnyError>;
}
impl NetPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_net<T: AsRef<str>>(
&mut self,
host: &(T, Option<u16>),
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_net(self, host, api_name)
}
#[inline(always)]
fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read(self, path, api_name)
}
#[inline(always)]
fn check_write(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write(self, path, api_name)
}
}
/// Helper for checking unstable features. Used for sync ops.
fn check_unstable(state: &OpState, api_name: &str) {
// TODO(bartlomieju): replace with `state.feature_checker.check_or_exit`

12
ext/node/analyze.rs
View file

@ -17,8 +17,8 @@ use deno_core::error::AnyError;
use crate::path::to_file_specifier;
use crate::resolution::NodeResolverRc;
use crate::AllowAllNodePermissions;
use crate::NodeModuleKind;
use crate::NodePermissions;
use crate::NodeResolutionMode;
use crate::NpmResolverRc;
use crate::PackageJson;
@ -87,7 +87,6 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
&self,
entry_specifier: &ModuleSpecifier,
source: Option<String>,
permissions: &dyn NodePermissions,
) -> Result<String, AnyError> {
let mut temp_var_count = 0;
@ -115,7 +114,6 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
.analyze_reexports(
entry_specifier,
analysis.reexports,
permissions,
&mut all_exports,
&mut errors,
)
@ -161,7 +159,6 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
&'a self,
entry_specifier: &url::Url,
reexports: Vec<String>,
permissions: &dyn NodePermissions,
all_exports: &mut HashSet<String>,
// this goes through the modules concurrently, so collect
// the errors in order to be deterministic
@ -194,7 +191,6 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
// should be `deno-require`, because `deno` is already used in `esm_resolver.rs`
&["deno", "require", "default"],
NodeResolutionMode::Execution,
permissions,
);
let reexport_specifier = match result {
Ok(specifier) => specifier,
@ -287,7 +283,6 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
referrer: &ModuleSpecifier,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<ModuleSpecifier, AnyError> {
if specifier.starts_with('/') {
todo!();
@ -319,7 +314,7 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
let package_json = PackageJson::load(
&*self.fs,
&*self.npm_resolver,
permissions,
&mut AllowAllNodePermissions,
package_json_path.clone(),
)?;
if package_json.exists {
@ -332,7 +327,6 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
NodeModuleKind::Esm,
conditions,
mode,
permissions,
);
}
@ -345,7 +339,7 @@ impl<TCjsCodeAnalyzer: CjsCodeAnalyzer> NodeCodeTranslator<TCjsCodeAnalyzer> {
let package_json = PackageJson::load(
&*self.fs,
&*self.npm_resolver,
permissions,
&mut AllowAllNodePermissions,
package_json_path,
)?;
if package_json.exists {

5
ext/node/global.rs
View file

@ -1,13 +1,12 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use std::mem::MaybeUninit;
use std::rc::Rc;
use deno_core::v8;
use deno_core::v8::GetPropertyNamesArgs;
use deno_core::v8::MapFnTo;
use crate::NodeResolver;
use crate::resolution::NodeResolverRc;
// NOTE(bartlomieju): somehow calling `.map_fn_to()` multiple times on a function
// returns two different pointers. That shouldn't be the case as `.map_fn_to()`
@ -271,7 +270,7 @@ fn current_mode(scope: &mut v8::HandleScope) -> Mode {
};
let op_state = deno_core::JsRuntime::op_state_from(scope);
let op_state = op_state.borrow();
let Some(node_resolver) = op_state.try_borrow::<Rc<NodeResolver>>() else {
let Some(node_resolver) = op_state.try_borrow::<NodeResolverRc>() else {
return Mode::Deno;
};
let mut buffer = [MaybeUninit::uninit(); 2048];

78
ext/node/lib.rs
View file

@ -6,7 +6,6 @@
use std::collections::HashSet;
use std::path::Path;
use std::path::PathBuf;
use std::rc::Rc;
use deno_core::error::AnyError;
use deno_core::located_script_name;
@ -46,6 +45,7 @@ pub use resolution::NodeModuleKind;
pub use resolution::NodeResolution;
pub use resolution::NodeResolutionMode;
pub use resolution::NodeResolver;
use resolution::NodeResolverRc;
use crate::global::global_object_middleware;
use crate::global::global_template_middleware;
@ -57,23 +57,23 @@ pub trait NodePermissions {
api_name: &str,
) -> Result<(), AnyError>;
#[inline(always)]
fn check_read(&self, path: &Path) -> Result<(), AnyError> {
fn check_read(&mut self, path: &Path) -> Result<(), AnyError> {
self.check_read_with_api_name(path, None)
}
fn check_read_with_api_name(
&self,
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError>;
fn check_sys(&self, kind: &str, api_name: &str) -> Result<(), AnyError>;
fn check_sys(&mut self, kind: &str, api_name: &str) -> Result<(), AnyError>;
fn check_write_with_api_name(
&self,
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError>;
}
pub(crate) struct AllowAllNodePermissions;
pub struct AllowAllNodePermissions;
impl NodePermissions for AllowAllNodePermissions {
fn check_net_url(
@ -84,24 +84,65 @@ impl NodePermissions for AllowAllNodePermissions {
Ok(())
}
fn check_read_with_api_name(
&self,
&mut self,
_path: &Path,
_api_name: Option<&str>,
) -> Result<(), AnyError> {
Ok(())
}
fn check_write_with_api_name(
&self,
&mut self,
_path: &Path,
_api_name: Option<&str>,
) -> Result<(), AnyError> {
Ok(())
}
fn check_sys(&self, _kind: &str, _api_name: &str) -> Result<(), AnyError> {
fn check_sys(
&mut self,
_kind: &str,
_api_name: &str,
) -> Result<(), AnyError> {
Ok(())
}
}
impl NodePermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_net_url(self, url, api_name)
}
#[inline(always)]
fn check_read_with_api_name(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_read_with_api_name(
self, path, api_name,
)
}
#[inline(always)]
fn check_write_with_api_name(
&mut self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_write_with_api_name(
self, path, api_name,
)
}
fn check_sys(&mut self, kind: &str, api_name: &str) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_sys(self, kind, api_name)
}
}
#[allow(clippy::disallowed_types)]
pub type NpmResolverRc = deno_fs::sync::MaybeArc<dyn NpmResolver>;
@ -146,7 +187,7 @@ pub trait NpmResolver: std::fmt::Debug + MaybeSend + MaybeSync {
fn ensure_read_permission(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: &Path,
) -> Result<(), AnyError>;
}
@ -582,18 +623,21 @@ deno_core::extension!(deno_node,
"node:zlib" = "zlib.ts",
],
options = {
maybe_node_resolver: Option<NodeResolverRc>,
maybe_npm_resolver: Option<NpmResolverRc>,
fs: deno_fs::FileSystemRc,
},
state = |state, options| {
let fs = options.fs;
state.put(fs.clone());
if let Some(npm_resolver) = options.maybe_npm_resolver {
// you should provide both of these or neither
debug_assert_eq!(options.maybe_node_resolver.is_some(), options.maybe_npm_resolver.is_some());
state.put(options.fs.clone());
if let Some(node_resolver) = &options.maybe_node_resolver {
state.put(node_resolver.clone());
}
if let Some(npm_resolver) = &options.maybe_npm_resolver {
state.put(npm_resolver.clone());
state.put(Rc::new(NodeResolver::new(
fs,
npm_resolver,
)))
}
},
global_template_middleware = global_template_middleware,

37
ext/node/ops/require.rs
View file

@ -16,10 +16,11 @@ use std::path::PathBuf;
use std::rc::Rc;
use crate::resolution;
use crate::resolution::NodeResolverRc;
use crate::AllowAllNodePermissions;
use crate::NodeModuleKind;
use crate::NodePermissions;
use crate::NodeResolutionMode;
use crate::NodeResolver;
use crate::NpmResolverRc;
use crate::PackageJson;
@ -30,8 +31,8 @@ fn ensure_read_permission<P>(
where
P: NodePermissions + 'static,
{
let resolver = state.borrow::<NpmResolverRc>();
let permissions = state.borrow::<P>();
let resolver = state.borrow::<NpmResolverRc>().clone();
let permissions = state.borrow_mut::<P>();
resolver.ensure_read_permission(permissions, file_path)
}
@ -386,12 +387,11 @@ where
return Ok(None);
}
let node_resolver = state.borrow::<Rc<NodeResolver>>();
let permissions = state.borrow::<P>();
let node_resolver = state.borrow::<NodeResolverRc>();
let pkg = node_resolver
.get_closest_package_json(
&Url::from_file_path(parent_path.unwrap()).unwrap(),
permissions,
&mut AllowAllNodePermissions,
)
.ok()
.flatten();
@ -428,7 +428,6 @@ where
NodeModuleKind::Cjs,
resolution::REQUIRE_CONDITIONS,
NodeResolutionMode::Execution,
permissions,
)?;
Ok(Some(if r.scheme() == "file" {
url_to_file_path_string(&r)?
@ -483,8 +482,7 @@ where
{
let fs = state.borrow::<FileSystemRc>();
let npm_resolver = state.borrow::<NpmResolverRc>();
let node_resolver = state.borrow::<Rc<NodeResolver>>();
let permissions = state.borrow::<P>();
let node_resolver = state.borrow::<NodeResolverRc>();
let pkg_path = if npm_resolver
.in_npm_package_at_file_path(&PathBuf::from(&modules_path))
@ -501,7 +499,7 @@ where
}
};
let pkg = node_resolver.load_package_json(
permissions,
&mut AllowAllNodePermissions,
PathBuf::from(&pkg_path).join("package.json"),
)?;
@ -515,7 +513,6 @@ where
NodeModuleKind::Cjs,
resolution::REQUIRE_CONDITIONS,
NodeResolutionMode::Execution,
permissions,
)?;
Ok(Some(if r.scheme() == "file" {
url_to_file_path_string(&r)?
@ -540,8 +537,8 @@ where
state,
PathBuf::from(&filename).parent().unwrap(),
)?;
let node_resolver = state.borrow::<Rc<NodeResolver>>();
let permissions = state.borrow::<P>();
let node_resolver = state.borrow::<NodeResolverRc>().clone();
let permissions = state.borrow_mut::<P>();
node_resolver
.get_closest_package_json(
&Url::from_file_path(filename).unwrap(),
@ -559,8 +556,8 @@ pub fn op_require_read_package_scope<P>(
where
P: NodePermissions + 'static,
{
let node_resolver = state.borrow::<Rc<NodeResolver>>();
let permissions = state.borrow::<P>();
let node_resolver = state.borrow::<NodeResolverRc>().clone();
let permissions = state.borrow_mut::<P>();
let package_json_path = PathBuf::from(package_json_path);
node_resolver
.load_package_json(permissions, package_json_path)
@ -580,10 +577,11 @@ where
{
let referrer_path = PathBuf::from(&referrer_filename);
ensure_read_permission::<P>(state, &referrer_path)?;
let node_resolver = state.borrow::<Rc<NodeResolver>>();
let permissions = state.borrow::<P>();
let Some(pkg) = node_resolver
.get_closest_package_json_from_path(&referrer_path, permissions)?
let node_resolver = state.borrow::<NodeResolverRc>();
let Some(pkg) = node_resolver.get_closest_package_json_from_path(
&referrer_path,
&mut AllowAllNodePermissions,
)?
else {
return Ok(None);
};
@ -598,7 +596,6 @@ where
Some(&pkg),
resolution::REQUIRE_CONDITIONS,
NodeResolutionMode::Execution,
permissions,
)?;
Ok(Some(url_to_file_path_string(&url)?))
} else {

9
ext/node/ops/worker_threads.rs
View file

@ -8,11 +8,10 @@ use deno_core::OpState;
use deno_fs::FileSystemRc;
use std::path::Path;
use std::path::PathBuf;
use std::rc::Rc;
use crate::resolution;
use crate::resolution::NodeResolverRc;
use crate::NodePermissions;
use crate::NodeResolver;
use crate::NpmResolverRc;
fn ensure_read_permission<P>(
@ -22,8 +21,8 @@ fn ensure_read_permission<P>(
where
P: NodePermissions + 'static,
{
let resolver = state.borrow::<NpmResolverRc>();
let permissions = state.borrow::<P>();
let resolver = state.borrow::<NpmResolverRc>().clone();
let permissions = state.borrow_mut::<P>();
resolver.ensure_read_permission(permissions, file_path)
}
@ -63,7 +62,7 @@ where
if !fs.exists_sync(&url_path) {
return Err(generic_error(format!("File not found [{:?}]", url_path)));
}
let node_resolver = state.borrow::<Rc<NodeResolver>>();
let node_resolver = state.borrow::<NodeResolverRc>();
match node_resolver.url_to_node_resolution(url)? {
resolution::NodeResolution::Esm(u) => Ok(u.to_string()),
resolution::NodeResolution::CommonJs(u) => wrap_cjs(u),

2
ext/node/package_json.rs
View file

@ -65,7 +65,7 @@ impl PackageJson {
pub fn load(
fs: &dyn deno_fs::FileSystem,
resolver: &dyn NpmResolver,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
path: PathBuf,
) -> Result<Rc<PackageJson>, AnyError> {
resolver.ensure_read_permission(permissions, &path)?;

106
ext/node/resolution.rs
View file

@ -154,7 +154,6 @@ impl NodeResolver {
specifier: &str,
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<NodeResolution>, AnyError> {
// Note: if we are here, then the referrer is an esm module
// TODO(bartlomieju): skipped "policy" part as we don't plan to support it
@ -187,13 +186,8 @@ impl NodeResolver {
}
}
let url = self.module_resolve(
specifier,
referrer,
DEFAULT_CONDITIONS,
mode,
permissions,
)?;
let url =
self.module_resolve(specifier, referrer, DEFAULT_CONDITIONS, mode)?;
let url = match url {
Some(url) => url,
None => return Ok(None),
@ -204,12 +198,8 @@ impl NodeResolver {
let path = url.to_file_path().unwrap();
// todo(16370): the module kind is not correct here. I think we need
// typescript to tell us if the referrer is esm or cjs
let maybe_decl_url = self.path_to_declaration_url(
path,
referrer,
NodeModuleKind::Esm,
permissions,
)?;
let maybe_decl_url =
self.path_to_declaration_url(path, referrer, NodeModuleKind::Esm)?;
match maybe_decl_url {
Some(url) => url,
None => return Ok(None),
@ -229,7 +219,6 @@ impl NodeResolver {
referrer: &ModuleSpecifier,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
// note: if we're here, the referrer is an esm module
let url = if should_be_treated_as_relative_or_absolute_path(specifier) {
@ -242,13 +231,13 @@ impl NodeResolver {
file_path,
referrer,
NodeModuleKind::Esm,
permissions,
)?
} else {
Some(resolved_specifier)
}
} else if specifier.starts_with('#') {
let pkg_config = self.get_closest_package_json(referrer, permissions)?;
let pkg_config = self
.get_closest_package_json(referrer, &mut AllowAllNodePermissions)?;
Some(self.package_imports_resolve(
specifier,
referrer,
@ -256,7 +245,6 @@ impl NodeResolver {
pkg_config.as_deref(),
conditions,
mode,
permissions,
)?)
} else if let Ok(resolved) = Url::parse(specifier) {
Some(resolved)
@ -267,7 +255,6 @@ impl NodeResolver {
NodeModuleKind::Esm,
conditions,
mode,
permissions,
)?
};
Ok(match url {
@ -337,11 +324,12 @@ impl NodeResolver {
package_subpath: Option<&str>,
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<NodeResolution>, AnyError> {
let package_json_path = package_dir.join("package.json");
let package_json =
self.load_package_json(permissions, package_json_path.clone())?;
let package_json = self.load_package_json(
&mut AllowAllNodePermissions,
package_json_path.clone(),
)?;
let node_module_kind = NodeModuleKind::Esm;
let package_subpath = package_subpath
.map(|s| format!("./{s}"))
@ -354,7 +342,6 @@ impl NodeResolver {
node_module_kind,
DEFAULT_CONDITIONS,
mode,
permissions,
)
.with_context(|| {
format!(
@ -376,7 +363,6 @@ impl NodeResolver {
path,
referrer,
node_module_kind,
permissions,
)? {
Some(url) => url,
None => return Ok(None),
@ -397,8 +383,10 @@ impl NodeResolver {
package_folder: &Path,
) -> Result<Vec<String>, AnyError> {
let package_json_path = package_folder.join("package.json");
let package_json = self
.load_package_json(&AllowAllNodePermissions, package_json_path.clone())?;
let package_json = self.load_package_json(
&mut AllowAllNodePermissions,
package_json_path.clone(),
)?;
Ok(match &package_json.bin {
Some(Value::String(_)) => {
@ -420,8 +408,10 @@ impl NodeResolver {
sub_path: Option<&str>,
) -> Result<NodeResolution, AnyError> {
let package_json_path = package_folder.join("package.json");
let package_json = self
.load_package_json(&AllowAllNodePermissions, package_json_path.clone())?;
let package_json = self.load_package_json(
&mut AllowAllNodePermissions,
package_json_path.clone(),
)?;
let bin_entry = resolve_bin_entry_value(&package_json, sub_path)?;
let url = to_file_specifier(&package_folder.join(bin_entry));
@ -440,7 +430,7 @@ impl NodeResolver {
Ok(NodeResolution::Esm(url))
} else if url_str.ends_with(".js") || url_str.ends_with(".d.ts") {
let maybe_package_config =
self.get_closest_package_json(&url, &AllowAllNodePermissions)?;
self.get_closest_package_json(&url, &mut AllowAllNodePermissions)?;
match maybe_package_config {
Some(c) if c.typ == "module" => Ok(NodeResolution::Esm(url)),
Some(_) => Ok(NodeResolution::CommonJs(url)),
@ -467,7 +457,6 @@ impl NodeResolver {
path: PathBuf,
referrer: &ModuleSpecifier,
referrer_kind: NodeModuleKind,
permissions: &dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
fn probe_extensions(
fs: &dyn deno_fs::FileSystem,
@ -528,7 +517,7 @@ impl NodeResolver {
if self.fs.is_dir_sync(&path) {
let package_json_path = path.join("package.json");
if let Ok(pkg_json) =
self.load_package_json(permissions, package_json_path)
self.load_package_json(&mut AllowAllNodePermissions, package_json_path)
{
let maybe_resolution = self.resolve_package_subpath(
&pkg_json,
@ -540,7 +529,6 @@ impl NodeResolver {
NodeModuleKind::Cjs => REQUIRE_CONDITIONS,
},
NodeResolutionMode::Types,
permissions,
)?;
if let Some(resolution) = maybe_resolution {
return Ok(Some(resolution));
@ -572,7 +560,6 @@ impl NodeResolver {
referrer_pkg_json: Option<&PackageJson>,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<ModuleSpecifier, AnyError> {
if name == "#" || name.starts_with("#/") || name.ends_with('/') {
let reason = "is not a valid internal imports specifier name";
@ -601,7 +588,6 @@ impl NodeResolver {
true,
conditions,
mode,
permissions,
)?;
if let Some(resolved) = maybe_resolved {
return Ok(resolved);
@ -644,7 +630,6 @@ impl NodeResolver {
true,
conditions,
mode,
permissions,
)?;
if let Some(resolved) = maybe_resolved {
return Ok(resolved);
@ -675,7 +660,6 @@ impl NodeResolver {
internal: bool,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<ModuleSpecifier, AnyError> {
if !subpath.is_empty() && !pattern && !target.ends_with('/') {
return Err(throw_invalid_package_target(
@ -715,7 +699,6 @@ impl NodeResolver {
referrer_kind,
conditions,
mode,
permissions,
) {
Ok(Some(url)) => Ok(url),
Ok(None) => Err(generic_error("not found")),
@ -804,7 +787,6 @@ impl NodeResolver {
internal: bool,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
if let Some(target) = target.as_str() {
let url = self.resolve_package_target_string(
@ -818,16 +800,10 @@ impl NodeResolver {
internal,
conditions,
mode,
permissions,
)?;
if mode.is_types() && url.scheme() == "file" {
let path = url.to_file_path().unwrap();
return self.path_to_declaration_url(
path,
referrer,
referrer_kind,
permissions,
);
return self.path_to_declaration_url(path, referrer, referrer_kind);
} else {
return Ok(Some(url));
}
@ -849,7 +825,6 @@ impl NodeResolver {
internal,
conditions,
mode,
permissions,
);
match resolved_result {
@ -898,7 +873,6 @@ impl NodeResolver {
internal,
conditions,
mode,
permissions,
)?;
match resolved {
Some(resolved) => return Ok(Some(resolved)),
@ -931,7 +905,6 @@ impl NodeResolver {
referrer_kind: NodeModuleKind,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<ModuleSpecifier, AnyError> {
if package_exports.contains_key(package_subpath)
&& package_subpath.find('*').is_none()
@ -949,7 +922,6 @@ impl NodeResolver {
false,
conditions,
mode,
permissions,
)?;
return match resolved {
Some(resolved) => Ok(resolved),
@ -1009,7 +981,6 @@ impl NodeResolver {
false,
conditions,
mode,
permissions,
)?;
if let Some(resolved) = maybe_resolved {
return Ok(resolved);
@ -1038,13 +1009,12 @@ impl NodeResolver {
referrer_kind: NodeModuleKind,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
let (package_name, package_subpath, _is_scoped) =
parse_npm_pkg_name(specifier, referrer)?;
let Some(package_config) =
self.get_closest_package_json(referrer, permissions)?
self.get_closest_package_json(referrer, &mut AllowAllNodePermissions)?
else {
return Ok(None);
};
@ -1062,7 +1032,6 @@ impl NodeResolver {
referrer_kind,
conditions,
mode,
permissions,
)
.map(Some);
}
@ -1087,8 +1056,8 @@ impl NodeResolver {
// ))
// Package match.
let package_json =
self.load_package_json(permissions, package_json_path)?;
let package_json = self
.load_package_json(&mut AllowAllNodePermissions, package_json_path)?;
self.resolve_package_subpath(
&package_json,
&package_subpath,
@ -1096,7 +1065,6 @@ impl NodeResolver {
referrer_kind,
conditions,
mode,
permissions,
)
}
@ -1109,7 +1077,6 @@ impl NodeResolver {
referrer_kind: NodeModuleKind,
conditions: &[&str],
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
if let Some(exports) = &package_json.exports {
let result = self.package_exports_resolve(
@ -1120,7 +1087,6 @@ impl NodeResolver {
referrer_kind,
conditions,
mode,
permissions,
);
match result {
Ok(found) => return Ok(Some(found)),
@ -1131,7 +1097,6 @@ impl NodeResolver {
referrer,
referrer_kind,
mode,
permissions,
);
}
return Err(exports_err);
@ -1144,18 +1109,12 @@ impl NodeResolver {
referrer,
referrer_kind,
mode,
permissions,
);
}
let file_path = package_json.path.parent().unwrap().join(package_subpath);
if mode.is_types() {
self.path_to_declaration_url(
file_path,
referrer,
referrer_kind,
permissions,
)
self.path_to_declaration_url(file_path, referrer, referrer_kind)
} else {
Ok(Some(to_file_specifier(&file_path)))
}
@ -1164,7 +1123,7 @@ impl NodeResolver {
pub fn get_closest_package_json(
&self,
url: &ModuleSpecifier,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
) -> Result<Option<Rc<PackageJson>>, AnyError> {
let Ok(file_path) = url.to_file_path() else {
return Ok(None);
@ -1175,7 +1134,7 @@ impl NodeResolver {
pub fn get_closest_package_json_from_path(
&self,
file_path: &Path,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
) -> Result<Option<Rc<PackageJson>>, AnyError> {
let Some(package_json_path) =
self.get_closest_package_json_path(file_path)?
@ -1212,7 +1171,7 @@ impl NodeResolver {
pub(super) fn load_package_json(
&self,
permissions: &dyn NodePermissions,
permissions: &mut dyn NodePermissions,
package_json_path: PathBuf,
) -> Result<Rc<PackageJson>, AnyError> {
PackageJson::load(
@ -1229,7 +1188,6 @@ impl NodeResolver {
referrer: &ModuleSpecifier,
referrer_kind: NodeModuleKind,
mode: NodeResolutionMode,
permissions: &dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
let maybe_main = if mode.is_types() {
match package_json.types.as_ref() {
@ -1239,12 +1197,8 @@ impl NodeResolver {
// a corresponding declaration file
if let Some(main) = package_json.main(referrer_kind) {
let main = package_json.path.parent().unwrap().join(main).clean();
let maybe_decl_url = self.path_to_declaration_url(
main,
referrer,
referrer_kind,
permissions,
)?;
let maybe_decl_url =
self.path_to_declaration_url(main, referrer, referrer_kind)?;
if let Some(path) = maybe_decl_url {
return Ok(Some(path));
}

1
ext/web/Cargo.toml
View file

@ -18,6 +18,7 @@ async-trait.workspace = true
base64-simd = "0.8"
bytes.workspace = true
deno_core.workspace = true
deno_permissions.workspace = true
encoding_rs.workspace = true
flate2 = { workspace = true, features = ["default"] }
futures.workspace = true

7
ext/web/timers.rs
View file

@ -10,6 +10,13 @@ pub trait TimersPermission {
fn allow_hrtime(&mut self) -> bool;
}
impl TimersPermission for deno_permissions::PermissionsContainer {
#[inline(always)]
fn allow_hrtime(&mut self) -> bool {
deno_permissions::PermissionsContainer::allow_hrtime(self)
}
}
pub type StartTime = Instant;
// Returns a milliseconds and nanoseconds subsec

1
ext/websocket/Cargo.toml
View file

@ -17,6 +17,7 @@ path = "lib.rs"
bytes.workspace = true
deno_core.workspace = true
deno_net.workspace = true
deno_permissions.workspace = true
deno_tls.workspace = true
fastwebsockets.workspace = true
h2.workspace = true

11
ext/websocket/lib.rs
View file

@ -99,6 +99,17 @@ pub trait WebSocketPermissions {
) -> Result<(), AnyError>;
}
impl WebSocketPermissions for deno_permissions::PermissionsContainer {
#[inline(always)]
fn check_net_url(
&mut self,
url: &url::Url,
api_name: &str,
) -> Result<(), AnyError> {
deno_permissions::PermissionsContainer::check_net_url(self, url, api_name)
}
}
/// `UnsafelyIgnoreCertificateErrors` is a wrapper struct so it can be placed inside `GothamState`;
/// using type alias for a `Option<Vec<String>>` could work, but there's a high chance
/// that there might be another type alias pointing to a `Option<Vec<String>>`, which

2
runtime/examples/extension/main.rs
View file

@ -10,7 +10,7 @@ use deno_core::error::AnyError;
use deno_core::op2;
use deno_core::FsModuleLoader;
use deno_core::ModuleSpecifier;
use deno_runtime::permissions::PermissionsContainer;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::worker::MainWorker;
use deno_runtime::worker::WorkerOptions;

1
runtime/lib.rs
View file

@ -33,7 +33,6 @@ pub mod fs_util;
pub mod inspector_server;
pub mod js;
pub mod ops;
pub mod permissions;
pub mod snapshot;
pub mod tokio_util;
pub mod web_worker;

2
runtime/ops/fs_events.rs
View file

@ -1,6 +1,5 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use crate::permissions::PermissionsContainer;
use deno_core::error::AnyError;
use deno_core::parking_lot::Mutex;
use deno_core::AsyncRefCell;
@ -13,6 +12,7 @@ use deno_core::ResourceId;
use deno_core::op2;
use deno_permissions::PermissionsContainer;
use notify::event::Event as NotifyEvent;
use notify::Error as NotifyError;
use notify::EventKind;

2
runtime/ops/os/mod.rs
View file

@ -1,7 +1,6 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use super::utils::into_string;
use crate::permissions::PermissionsContainer;
use crate::worker::ExitCode;
use deno_core::error::type_error;
use deno_core::error::AnyError;
@ -10,6 +9,7 @@ use deno_core::url::Url;
use deno_core::v8;
use deno_core::OpState;
use deno_node::NODE_ENV_VAR_ALLOWLIST;
use deno_permissions::PermissionsContainer;
use serde::Serialize;
use std::collections::HashMap;
use std::env;

2
runtime/ops/process.rs
View file

@ -1,7 +1,6 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use super::check_unstable;
use crate::permissions::PermissionsContainer;
use deno_core::anyhow::Context;
use deno_core::error::type_error;
use deno_core::error::AnyError;
@ -18,6 +17,7 @@ use deno_io::fs::FileResource;
use deno_io::ChildStderrResource;
use deno_io::ChildStdinResource;
use deno_io::ChildStdoutResource;
use deno_permissions::PermissionsContainer;
use serde::Deserialize;
use serde::Serialize;
use std::borrow::Cow;

2
runtime/ops/runtime.rs
View file

@ -1,10 +1,10 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use crate::permissions::PermissionsContainer;
use deno_core::error::AnyError;
use deno_core::op2;
use deno_core::ModuleSpecifier;
use deno_core::OpState;
use deno_permissions::PermissionsContainer;
deno_core::extension!(
deno_runtime,

8
runtime/ops/worker_host.rs
View file

@ -1,9 +1,6 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use crate::ops::TestingFeaturesEnabled;
use crate::permissions::create_child_permissions;
use crate::permissions::ChildPermissionsArg;
use crate::permissions::PermissionsContainer;
use crate::web_worker::run_web_worker;
use crate::web_worker::SendableWebWorkerHandle;
use crate::web_worker::WebWorker;
@ -20,6 +17,9 @@ use deno_core::CancelFuture;
use deno_core::CancelHandle;
use deno_core::ModuleSpecifier;
use deno_core::OpState;
use deno_permissions::create_child_permissions;
use deno_permissions::ChildPermissionsArg;
use deno_permissions::PermissionsContainer;
use deno_web::deserialize_js_transferables;
use deno_web::JsMessageData;
use log::debug;
@ -156,7 +156,7 @@ fn op_create_worker(
let parent_permissions = state.borrow_mut::<PermissionsContainer>();
let worker_permissions = if let Some(child_permissions_arg) = args.permissions
{
let mut parent_permissions = parent_permissions.0 .0.lock();
let mut parent_permissions = parent_permissions.0.lock();
let perms =
create_child_permissions(&mut parent_permissions, child_permissions_arg)?;
PermissionsContainer::new(perms)

268
runtime/permissions.rs
View file

@ -1,268 +0,0 @@
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
use std::borrow::Cow;
use std::path::Path;
use deno_core::error::AnyError;
use deno_core::url::Url;
pub use deno_io::fs::FsError;
pub use deno_permissions::create_child_permissions;
pub use deno_permissions::parse_sys_kind;
pub use deno_permissions::set_prompt_callbacks;
pub use deno_permissions::ChildPermissionsArg;
pub use deno_permissions::Permissions;
pub use deno_permissions::PermissionsOptions;
// NOTE: Temporary permissions container to satisfy traits. We are migrating to the deno_permissions
// crate.
#[derive(Debug, Clone)]
pub struct PermissionsContainer(pub deno_permissions::PermissionsContainer);
impl PermissionsContainer {
pub fn new(permissions: deno_permissions::Permissions) -> Self {
Self(deno_permissions::PermissionsContainer::new(permissions))
}
pub fn allow_all() -> Self {
Self(deno_permissions::PermissionsContainer::allow_all())
}
}
impl std::ops::Deref for PermissionsContainer {
type Target = deno_permissions::PermissionsContainer;
fn deref(&self) -> &Self::Target {
&self.0
}
}
impl std::ops::DerefMut for PermissionsContainer {
fn deref_mut(&mut self) -> &mut Self::Target {
&mut self.0
}
}
impl deno_node::NodePermissions for PermissionsContainer {
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_net_url(url, api_name)
}
#[inline(always)]
fn check_read_with_api_name(
&self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
self.0.check_read_with_api_name(path, api_name)
}
#[inline(always)]
fn check_write_with_api_name(
&self,
path: &Path,
api_name: Option<&str>,
) -> Result<(), AnyError> {
self.0.check_write_with_api_name(path, api_name)
}
fn check_sys(&self, kind: &str, api_name: &str) -> Result<(), AnyError> {
self.0.check_sys(kind, api_name)
}
}
impl deno_fetch::FetchPermissions for PermissionsContainer {
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_net_url(url, api_name)
}
#[inline(always)]
fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_read(path, api_name)
}
}
impl deno_net::NetPermissions for PermissionsContainer {
#[inline(always)]
fn check_net<T: AsRef<str>>(
&mut self,
host: &(T, Option<u16>),
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_net(host, api_name)
}
#[inline(always)]
fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_read(path, api_name)
}
#[inline(always)]
fn check_write(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_write(path, api_name)
}
}
impl deno_web::TimersPermission for PermissionsContainer {
#[inline(always)]
fn allow_hrtime(&mut self) -> bool {
self.0.allow_hrtime()
}
}
impl deno_websocket::WebSocketPermissions for PermissionsContainer {
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_net_url(url, api_name)
}
}
impl deno_fs::FsPermissions for PermissionsContainer {
fn check_open<'a>(
&mut self,
resolved: bool,
read: bool,
write: bool,
path: &'a Path,
api_name: &str,
) -> Result<Cow<'a, Path>, FsError> {
if resolved {
self.check_special_file(path, api_name).map_err(|_| {
std::io::Error::from(std::io::ErrorKind::PermissionDenied)
})?;
return Ok(Cow::Borrowed(path));
}
// If somehow read or write aren't specified, use read
let read = read || !write;
if read {
deno_fs::FsPermissions::check_read(self, path, api_name)
.map_err(|_| FsError::PermissionDenied("read"))?;
}
if write {
deno_fs::FsPermissions::check_write(self, path, api_name)
.map_err(|_| FsError::PermissionDenied("write"))?;
}
Ok(Cow::Borrowed(path))
}
fn check_read(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_read(path, api_name)
}
fn check_read_blind(
&mut self,
path: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_read_blind(path, display, api_name)
}
fn check_write(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_write(path, api_name)
}
fn check_write_partial(
&mut self,
path: &Path,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_write_partial(path, api_name)
}
fn check_write_blind(
&mut self,
p: &Path,
display: &str,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_write_blind(p, display, api_name)
}
fn check_read_all(&mut self, api_name: &str) -> Result<(), AnyError> {
self.0.check_read_all(api_name)
}
fn check_write_all(&mut self, api_name: &str) -> Result<(), AnyError> {
self.0.check_write_all(api_name)
}
}
// NOTE(bartlomieju): for now, NAPI uses `--allow-ffi` flag, but that might
// change in the future.
impl deno_napi::NapiPermissions for PermissionsContainer {
#[inline(always)]
fn check(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
self.0.check_ffi(path)
}
}
impl deno_ffi::FfiPermissions for PermissionsContainer {
#[inline(always)]
fn check_partial(&mut self, path: Option<&Path>) -> Result<(), AnyError> {
self.0.check_ffi_partial(path)
}
}
impl deno_kv::sqlite::SqliteDbHandlerPermissions for PermissionsContainer {
#[inline(always)]
fn check_read(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError> {
self.0.check_read(p, api_name)
}
#[inline(always)]
fn check_write(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError> {
self.0.check_write(p, api_name)
}
}
impl deno_kv::remote::RemoteDbHandlerPermissions for PermissionsContainer {
#[inline(always)]
fn check_env(&mut self, var: &str) -> Result<(), AnyError> {
self.0.check_env(var)
}
#[inline(always)]
fn check_net_url(
&mut self,
url: &Url,
api_name: &str,
) -> Result<(), AnyError> {
self.0.check_net_url(url, api_name)
}
}

8
runtime/snapshot.rs
View file

@ -81,21 +81,21 @@ impl deno_node::NodePermissions for Permissions {
unreachable!("snapshotting!")
}
fn check_read_with_api_name(
&self,
&mut self,
_p: &Path,
_api_name: Option<&str>,
) -> Result<(), deno_core::error::AnyError> {
unreachable!("snapshotting!")
}
fn check_write_with_api_name(
&self,
&mut self,
_p: &Path,
_api_name: Option<&str>,
) -> Result<(), deno_core::error::AnyError> {
unreachable!("snapshotting!")
}
fn check_sys(
&self,
&mut self,
_kind: &str,
_api_name: &str,
) -> Result<(), deno_core::error::AnyError> {
@ -254,7 +254,7 @@ pub fn create_runtime_snapshot(
deno_http::deno_http::init_ops_and_esm::<DefaultHttpPropertyExtractor>(),
deno_io::deno_io::init_ops_and_esm(Default::default()),
deno_fs::deno_fs::init_ops_and_esm::<Permissions>(fs.clone()),
deno_node::deno_node::init_ops_and_esm::<Permissions>(None, fs),
deno_node::deno_node::init_ops_and_esm::<Permissions>(None, None, fs),
runtime::init_ops_and_esm(),
ops::runtime::deno_runtime::init_ops("deno:runtime".parse().unwrap()),
ops::worker_host::deno_worker_host::init_ops(

6
runtime/web_worker.rs
View file

@ -2,7 +2,6 @@
use crate::inspector_server::InspectorServer;
use crate::ops;
use crate::ops::worker_host::WorkersTable;
use crate::permissions::PermissionsContainer;
use crate::shared::maybe_transpile_source;
use crate::shared::runtime;
use crate::tokio_util::create_and_run_current_thread;
@ -45,6 +44,8 @@ use deno_fs::FileSystem;
use deno_http::DefaultHttpPropertyExtractor;
use deno_io::Stdio;
use deno_kv::dynamic::MultiBackendDbHandler;
use deno_node::NodeResolver;
use deno_permissions::PermissionsContainer;
use deno_terminal::colors;
use deno_tls::RootCertStoreProvider;
use deno_tls::TlsKeys;
@ -364,6 +365,7 @@ pub struct WebWorkerOptions {
pub seed: Option<u64>,
pub fs: Arc<dyn FileSystem>,
pub module_loader: Rc<dyn ModuleLoader>,
pub node_resolver: Option<Arc<NodeResolver>>,
pub npm_resolver: Option<Arc<dyn deno_node::NpmResolver>>,
pub create_web_worker_cb: Arc<ops::worker_host::CreateWebWorkerCb>,
pub format_js_error_fn: Option<Arc<FormatJsErrorFn>>,
@ -411,7 +413,6 @@ impl WebWorker {
enable_testing_features: bool,
},
state = |state, options| {
state.put::<deno_permissions::PermissionsContainer>(options.permissions.0.clone());
state.put::<PermissionsContainer>(options.permissions);
state.put(ops::TestingFeaturesEnabled(options.enable_testing_features));
},
@ -491,6 +492,7 @@ impl WebWorker {
options.fs.clone(),
),
deno_node::deno_node::init_ops_and_esm::<PermissionsContainer>(
options.node_resolver,
options.npm_resolver,
options.fs,
),

8
runtime/worker.rs
View file

@ -39,6 +39,7 @@ use deno_fs::FileSystem;
use deno_http::DefaultHttpPropertyExtractor;
use deno_io::Stdio;
use deno_kv::dynamic::MultiBackendDbHandler;
use deno_permissions::PermissionsContainer;
use deno_tls::RootCertStoreProvider;
use deno_tls::TlsKeys;
use deno_web::BlobStore;
@ -48,7 +49,6 @@ use crate::code_cache::CodeCache;
use crate::code_cache::CodeCacheType;
use crate::inspector_server::InspectorServer;
use crate::ops;
use crate::permissions::PermissionsContainer;
use crate::shared::maybe_transpile_source;
use crate::shared::runtime;
use crate::BootstrapOptions;
@ -156,6 +156,7 @@ pub struct WorkerOptions {
/// If not provided runtime will error if code being
/// executed tries to load modules.
pub module_loader: Rc<dyn ModuleLoader>,
pub node_resolver: Option<Arc<deno_node::NodeResolver>>,
pub npm_resolver: Option<Arc<dyn deno_node::NpmResolver>>,
// Callbacks invoked when creating new instance of WebWorker
pub create_web_worker_cb: Arc<ops::worker_host::CreateWebWorkerCb>,
@ -227,6 +228,7 @@ impl Default for WorkerOptions {
broadcast_channel: Default::default(),
source_map_getter: Default::default(),
root_cert_store_provider: Default::default(),
node_resolver: Default::default(),
npm_resolver: Default::default(),
blob_store: Default::default(),
extensions: Default::default(),
@ -329,9 +331,6 @@ impl MainWorker {
enable_testing_features: bool,
},
state = |state, options| {
// Save the permissions container and the wrapper.
state.put::<deno_permissions::PermissionsContainer>(options.permissions.0.clone());
// This is temporary until we migrate all exts/ to the deno_permissions crate.
state.put::<PermissionsContainer>(options.permissions);
state.put(ops::TestingFeaturesEnabled(options.enable_testing_features));
},
@ -419,6 +418,7 @@ impl MainWorker {
options.fs.clone(),
),
deno_node::deno_node::init_ops_and_esm::<PermissionsContainer>(
options.node_resolver,
options.npm_resolver,
options.fs,
),