refactor(permissions): split up Descriptor into Allow, Deny, and Query #25508

dsherret · 2024-09-08T02:08:26Z

This makes the permission system more versatile.

lowlighter · 2024-09-08T02:16:22Z

Any chance taking a look at #14668 during this refactor ?

dsherret · 2024-09-08T02:18:25Z

@lowlighter no, that would be too many changes for this PR.

cli/args/mod.rs

cli/factory.rs

cli/file_fetcher.rs

cli/lsp/registries.rs

ext/fetch/lib.rs

bartlomieju · 2024-09-08T22:04:20Z

runtime/ops/permissions.rs

+  // todo(dsherret): don't have this function use the properties of
+  // permission container
+  let permissions_container = state.borrow_mut::<PermissionsContainer>();


What's wrong with that?

It's exposing a mutex, it's having code that shouldn't be done/exposed at this level (parsing descriptors), and it's coupling what could be its private api to this part of the code.

Open an issue to keep track of it? Or are you planning to address it before landing?

runtime/permissions/lib.rs

ext/fetch/lib.rs

runtime/ops/process.rs

runtime/web_worker.rs

runtime/worker.rs

bartlomieju

I want to give runtime/permissions/lib.rs one more pass tomorrow

bartlomieju · 2024-09-14T22:19:50Z

runtime/permissions/lib.rs

+pub trait QueryDescriptor: Debug {
+  type AllowDesc: AllowDescriptor<Query = Self>;
+  type DenyDesc: DenyDescriptor<Query = Self>;


This is a bit confusing - effectively there are circular dependencies between these three types. Do you see any chance we could decouple that with a helper type?

Also could you add some docstrings around these traits?

I got rid of the additional traits and now there's only a QueryDescriptor.

bartlomieju · 2024-09-14T22:23:17Z

runtime/permissions/lib.rs

+  fn is_granted(&self, desc: Option<&TQuery>) -> bool {
+    match desc {
+      Some(desc) => {
+        self.granted_global || self.granted_list.iter().any(|v| v.matches(desc))


Why are we using .matches() instead of .stronger_than() now?

There are multiple specific methods. I've grouped them all on query now.

bartlomieju · 2024-09-14T22:25:45Z

runtime/permissions/lib.rs

+  /// This variant can't be used to grant permissions. It's mostly
+  /// used so that prompts and everything works the same way as when
+  /// the command is resolved, meaning that a script can't tell
+  /// if a command is resolved or not based on how long something
+  /// takes to ask for permissions.


Could you reword this docstring? I'm having trouble understanding it - what does "This variant can't be used to grant permissions" mean?

I updated it a bit. The variant gets created when the command path can't be resolved, so it will prompt the users for permissions about it, but it doesn't actually do anything when the user grants permissions. It's to prevent someone trying to probe for permissions to find out what's on the path.

bartlomieju · 2024-09-14T22:27:23Z

runtime/permissions/lib.rs

+  // todo(dsherret): make both of these private as the functionality
+  // can just be methods on PermissionsContainer. Additionally, a separate
+  // struct should be created in here that handles creating child permissions
+  // so that the code is not so verbose elsewhere.
+  pub descriptor_parser: Arc<dyn PermissionDescriptorParser>,


Can you open an issue about this one?

I put it in #25634

runtime/permissions/lib.rs

satyarohith · 2024-09-16T07:30:13Z

tests/unit/os_test.ts

-        ${JSON.stringify(Object.keys(expectedEnv))}.map(k => Deno.env.get(k))
+        ${
+        JSON.stringify(Object.keys(expectedEnv))
+      }.map(k => Deno.env.get(k) ?? null)


why is this change required? I assume it's unrelated?

undefined isn't valid JSON, but null is (it does a JSON.parse below). I ran into this issue while developing where I introduced a bug, then it was undefined, then the error message was not great.

lucacasonato

Did you benchmark these changes?

From what I can tell, we do a lot more canonicalization for FS ops now (maybe including more getcwd calls?) - I wonder if sync FS ops will slow down due to this. From my reading of the code, this difference would only be visible in non --allow-all contexts.

runtime/permissions.rs

lucacasonato · 2024-09-16T09:04:36Z

runtime/permissions/lib.rs

  ) -> Result<(), AnyError> {
-    skip_check_if_is_permission_fully_granted!(self);
    let (result, prompted, is_allow_all) = self


In a follow up we should change the return value here to an enum or struct. This is unreadable.

runtime/permissions/lib.rs

dsherret · 2024-09-16T09:46:55Z

From what I can tell, we do a lot more canonicalization for FS ops now (maybe including more getcwd calls?)

It should be doing the same or less now with --allow-all. It doesn't canonicalize like before.

lucacasonato · 2024-09-16T09:52:50Z

I meant without --allow-all

dsherret · 2024-09-16T09:56:09Z

Yeah should be the same without allow-run. It was doing the cwd call before as well.

dsherret · 2024-09-16T12:17:07Z

Some benchmarks:

$ cat main.ts
for (var i = 0; i < 100_000; i++) {
  const text = Deno.readTextFileSync("./main.ts");
  console.log(text.length);
}
$ hyperfine --warmup=3 "./deno_main run --allow-read=main.ts main.ts" "./deno_new run --allow-read=main.ts main.ts"
Benchmark 1: ./deno_main run --allow-read=main.ts main.ts
  Time (mean ± σ):      1.955 s ±  0.018 s    [User: 0.513 s, System: 1.446 s]
  Range (min … max):    1.931 s …  1.989 s    10 runs
 
Benchmark 2: ./deno_new run --allow-read=main.ts main.ts
  Time (mean ± σ):      1.932 s ±  0.011 s    [User: 0.495 s, System: 1.441 s]
  Range (min … max):    1.920 s …  1.953 s    10 runs
 
Summary
  ./deno_new run --allow-read=main.ts main.ts ran
    1.01 ± 0.01 times faster than ./deno_main run --allow-read=main.ts main.ts
$ hyperfine --warmup=3 "./deno_main run --allow-all main.ts" "./deno_new run --allow-all main.ts"
Benchmark 1: ./deno_main run --allow-all main.ts
  Time (mean ± σ):      1.907 s ±  0.015 s    [User: 0.468 s, System: 1.442 s]
  Range (min … max):    1.882 s …  1.933 s    10 runs
 
Benchmark 2: ./deno_new run --allow-all main.ts
  Time (mean ± σ):      1.893 s ±  0.014 s    [User: 0.462 s, System: 1.435 s]
  Range (min … max):    1.876 s …  1.914 s    10 runs
 
Summary
  ./deno_new run --allow-all main.ts ran
    1.01 ± 0.01 times faster than ./deno_main run --allow-all main.ts

bartlomieju

LGTM

dsherret added 8 commits September 6, 2024 16:09

refactor: split up Descriptor into Allow, Deny, and Query

95a96a7

more work

e546ad1

before revert to store more in permissions container

883e04a

update

ac63de1

start moving to parser being in permissions container

4987a2b

More progress

6e33f81

more work

05a9176

compiling

90c5446

dsherret added 5 commits September 7, 2024 23:16

some fixes

9e5647c

Add way to prompt for name, but not really

6f8a564

match names for deny queries

5a29cba

fixed more runtime/permissions tests

25203ec

fixes and more tests

8ca817a