[WIP] feat: support "permissions" in config file

cli/config_file.rs

@@ -16,6 +16,9 @@ use deno_core::serde_json;
 use deno_core::serde_json::json;
 use deno_core::serde_json::Value;
 use deno_core::ModuleSpecifier;
+use deno_runtime::permissions::create_permissions_from_config;
+use deno_runtime::permissions::ChildPermissionsArg;
+use deno_runtime::permissions::Permissions;
 use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::collections::HashSet;
@@ -531,6 +534,7 @@ pub struct ConfigFileJson {
   pub lint: Option<Value>,
   pub fmt: Option<Value>,
   pub tasks: Option<Value>,
+  pub permissions: Option<Value>,
 }
 
 #[derive(Clone, Debug)]
@@ -649,6 +653,24 @@ impl ConfigFile {
     }
   }
 
+  pub fn to_permissions(
+    &self,
+    prompt: bool,
+  ) -> Result<Option<Permissions>, AnyError> {
+    if let Some(config) = self.json.permissions.clone() {
+      let permissions: ChildPermissionsArg = serde_json::from_value(config)
+        .context("Failed to parse \"permissions\" configuration")?;
+
+      if self.specifier.scheme() != "file" {
+        return Err(anyhow!("Specifying permissions in remote configuration files is currently not supported."));
+      }
+
+      Ok(Some(create_permissions_from_config(permissions, prompt)))
+    } else {
+      Ok(None)
+    }
+  }
+
   /// Return any tasks that are defined in the configuration file as a sequence
   /// of JSON objects providing the name of the task and the arguments of the
   /// task in a detail field.
@@ -743,6 +765,10 @@ impl ConfigFile {
 mod tests {
   use super::*;
   use deno_core::serde_json::json;
+  use deno_runtime::permissions::PermissionState;
+  use deno_runtime::permissions::RunDescriptor;
+  use std::collections::HashSet;
+  use std::str::FromStr;
 
   #[test]
   fn read_config_file_relative() {
@@ -821,6 +847,14 @@ mod tests {
       "tasks": {
         "build": "deno run --allow-read --allow-write build.ts",
         "server": "deno run --allow-net --allow-read server.ts"
+      },
+      "permissions": {
+        "read": true,
+        "write": ["some/dir", "file.ts"],
+        "env": false,
+        "ffi": false,
+        "run": ["deno", "echo"],
+        "hrtime": true
       }
     }"#;
     let config_dir = ModuleSpecifier::parse("file:///deno/").unwrap();
@@ -888,6 +922,33 @@ mod tests {
       tasks_config["server"],
       "deno run --allow-net --allow-read server.ts"
     );
+
+    let permissions = config_file.to_permissions(false).unwrap().unwrap();
+    assert!(!permissions.read.prompt);
+    assert_eq!(permissions.read.global_state, PermissionState::Granted,);
+    assert!(!permissions.env.prompt);
+    assert_eq!(permissions.env.global_state, PermissionState::Denied,);
+    assert!(!permissions.ffi.prompt);
+    assert_eq!(permissions.ffi.global_state, PermissionState::Denied,);
+    assert!(!permissions.run.prompt);
+    assert_eq!(
+      permissions.run.granted_list,
+      HashSet::from([
+        RunDescriptor::from_str("deno").unwrap(),
+        RunDescriptor::from_str("echo").unwrap()
+      ]),
+    );
+    assert!(!permissions.hrtime.prompt);
+    assert_eq!(permissions.hrtime.state, PermissionState::Granted,);
+    assert!(!permissions.write.prompt);
+    // FIXME(bartlomieju): order is not guaranteed, so this test is flaky
+    // let items = permissions
+    //   .write
+    //   .granted_list
+    //   .into_iter()
+    //   .collect::<Vec<_>>();
+    // assert!(items[0].0.ends_with("some/dir"));
+    // assert!(items[1].0.ends_with("file.ts"));
   }
 
   #[test]

cli/flags.rs

@@ -453,6 +453,16 @@ impl Flags {
     }
   }
 
+  pub fn has_any_permission_flag(&self) -> bool {
+    self.allow_env.is_some()
+      || self.allow_net.is_some()
+      || self.allow_ffi.is_some()
+      || self.allow_read.is_some()
+      || self.allow_run.is_some()
+      || self.allow_write.is_some()
+      || self.allow_hrtime
+  }
+
   pub fn permissions_options(&self) -> PermissionsOptions {
     PermissionsOptions {
       allow_env: self.allow_env.clone(),

cli/main.rs

@@ -1201,7 +1201,20 @@ async fn run_command(
   // probably call `ProcState::resolve` instead
   let main_module = resolve_url_or_path(&run_flags.script)?;
   let ps = ProcState::build(Arc::new(flags)).await?;
-  let permissions = Permissions::from_options(&ps.flags.permissions_options());
+
+  let mut permissions =
+    Permissions::from_options(&ps.flags.permissions_options());
+
+  if let Some(config_file) = &ps.maybe_config_file {
+    if let Some(cf_perms) = config_file.to_permissions(!ps.flags.no_prompt)? {
+      if ps.flags.has_any_permission_flag() {
+        log::warn!("⚠️ Config file contains \"permissions\" object and --allow-* flags were passed on the CLI.
+The flags will be ignored.")
+      }
+      permissions = cf_perms;
+    }
+  }
+
   let mut worker = create_main_worker(
     &ps,
     main_module.clone(),

runtime/permissions.rs

@@ -1669,6 +1669,118 @@ impl<'de> Deserialize<'de> for ChildPermissionsArg {
   }
 }
 
+pub fn create_permissions_from_config(
+  child_permissions_arg: ChildPermissionsArg,
+  prompt: bool,
+) -> Permissions {
+  let mut worker_perms = Permissions::default();
+
+  match child_permissions_arg.env {
+    ChildUnaryPermissionArg::Granted => {
+      worker_perms.env.global_state = PermissionState::Granted;
+    }
+    ChildUnaryPermissionArg::NotGranted => {
+      worker_perms.env.global_state = PermissionState::Denied;
+    }
+    ChildUnaryPermissionArg::GrantedList(granted_list) => {
+      worker_perms.env.granted_list =
+        Permissions::new_env(&Some(granted_list), false).granted_list;
+    }
+    _ => {}
+  }
+  worker_perms.env.prompt = prompt;
+  match child_permissions_arg.hrtime {
+    ChildUnitPermissionArg::Granted => {
+      worker_perms.hrtime.state = PermissionState::Granted;
+    }
+    ChildUnitPermissionArg::NotGranted => {
+      worker_perms.hrtime.state = PermissionState::Denied;
+    }
+    _ => {}
+  }
+  worker_perms.hrtime.prompt = prompt;
+  match child_permissions_arg.net {
+    ChildUnaryPermissionArg::Granted => {
+      worker_perms.net.global_state = PermissionState::Granted;
+    }
+    ChildUnaryPermissionArg::NotGranted => {
+      worker_perms.net.global_state = PermissionState::Denied;
+    }
+    ChildUnaryPermissionArg::GrantedList(granted_list) => {
+      worker_perms.net.granted_list =
+        Permissions::new_net(&Some(granted_list), false).granted_list;
+    }
+    _ => {}
+  }
+  worker_perms.net.prompt = prompt;
+  match child_permissions_arg.ffi {
+    ChildUnaryPermissionArg::Granted => {
+      worker_perms.ffi.global_state = PermissionState::Granted;
+    }
+    ChildUnaryPermissionArg::NotGranted => {
+      worker_perms.ffi.global_state = PermissionState::Denied;
+    }
+    ChildUnaryPermissionArg::GrantedList(granted_list) => {
+      worker_perms.ffi.granted_list = Permissions::new_ffi(
+        &Some(granted_list.iter().map(PathBuf::from).collect()),
+        false,
+      )
+      .granted_list;
+    }
+    _ => {}
+  }
+  worker_perms.ffi.prompt = prompt;
+  match child_permissions_arg.read {
+    ChildUnaryPermissionArg::Granted => {
+      worker_perms.read.global_state = PermissionState::Granted;
+    }
+    ChildUnaryPermissionArg::NotGranted => {
+      worker_perms.read.global_state = PermissionState::Denied;
+    }
+    ChildUnaryPermissionArg::GrantedList(granted_list) => {
+      worker_perms.read.granted_list = Permissions::new_read(
+        &Some(granted_list.iter().map(PathBuf::from).collect()),
+        false,
+      )
+      .granted_list;
+    }
+    _ => {}
+  }
+  worker_perms.read.prompt = prompt;
+  match child_permissions_arg.run {
+    ChildUnaryPermissionArg::Granted => {
+      worker_perms.run.global_state = PermissionState::Granted;
+    }
+    ChildUnaryPermissionArg::NotGranted => {
+      worker_perms.run.global_state = PermissionState::Denied;
+    }
+    ChildUnaryPermissionArg::GrantedList(granted_list) => {
+      worker_perms.run.granted_list =
+        Permissions::new_run(&Some(granted_list), false).granted_list;
+    }
+    _ => {}
+  }
+  worker_perms.run.prompt = prompt;
+  match child_permissions_arg.write {
+    ChildUnaryPermissionArg::Granted => {
+      worker_perms.write.global_state = PermissionState::Granted;
+    }
+    ChildUnaryPermissionArg::NotGranted => {
+      worker_perms.write.global_state = PermissionState::Denied;
+    }
+    ChildUnaryPermissionArg::GrantedList(granted_list) => {
+      worker_perms.write.granted_list = Permissions::new_write(
+        &Some(granted_list.iter().map(PathBuf::from).collect()),
+        false,
+      )
+      .granted_list;
+    }
+    _ => {}
+  }
+  worker_perms.write.prompt = prompt;
+  worker_perms
+}
+
 pub fn create_child_permissions(
   main_perms: &mut Permissions,
   child_permissions_arg: ChildPermissionsArg,