add partial denied

Author: dsherret

ext/os/lib.rs

@@ -14,6 +14,7 @@ use deno_core::op2;
 use deno_core::v8;
 use deno_path_util::normalize_path;
 use deno_permissions::PermissionCheckError;
+use deno_permissions::PermissionState;
 use deno_permissions::PermissionsContainer;
 use serde::Serialize;
 
@@ -181,7 +182,9 @@ fn check_env_with_maybe_exit(
 ) -> Result<ControlFlow<()>, PermissionCheckError> {
   match state.borrow_mut::<PermissionsContainer>().check_env(key) {
     Ok(()) => Ok(ControlFlow::Continue(())),
-    Err(PermissionCheckError::PermissionDenied(err)) if err.is_ignored => {
+    Err(PermissionCheckError::PermissionDenied(err))
+      if err.state == PermissionState::Ignored =>
+    {
       Ok(ControlFlow::Break(()))
     }
     Err(err) => Err(err),
@@ -203,24 +206,33 @@ fn op_env(
   let permissions_container = state.borrow_mut::<PermissionsContainer>();
   let grant_all = match permissions_container.check_env_all() {
     Ok(()) => true,
-    Err(PermissionCheckError::PermissionDenied(err)) if err.is_ignored => false,
+    Err(PermissionCheckError::PermissionDenied(err)) => match err.state {
+      PermissionState::Granted
+      | PermissionState::Prompt
+      | PermissionState::Denied => return Err(err.into()),
+      PermissionState::GrantedPartial
+      | PermissionState::DeniedPartial
+      | PermissionState::Ignored => false,
+    },
     Err(err) => return Err(err),
   };
   Ok(
     env::vars_os()
       .filter_map(|kv| {
         let (k, v) = map_kv(kv)?;
         let state = if grant_all {
-          deno_permissions::PermissionState::Granted
+          PermissionState::Granted
         } else {
           permissions_container.query_env(Some(&k))
         };
         match state {
-          deno_permissions::PermissionState::Granted
-          | deno_permissions::PermissionState::GrantedPartial => Some((k, v)),
-          deno_permissions::PermissionState::Ignored
-          | deno_permissions::PermissionState::Prompt
-          | deno_permissions::PermissionState::Denied => None,
+          PermissionState::Granted | PermissionState::GrantedPartial => {
+            Some((k, v))
+          }
+          PermissionState::Ignored
+          | PermissionState::Prompt
+          | PermissionState::Denied
+          | PermissionState::DeniedPartial => None,
         }
       })
       .collect(),

runtime/ops/permissions.rs

@@ -37,7 +37,9 @@ impl From<PermissionState> for PermissionStatus {
     PermissionStatus {
       state: match state {
         PermissionState::GrantedPartial => PermissionState::Granted.to_string(),
-        PermissionState::Ignored => PermissionState::Denied.to_string(),
+        PermissionState::Ignored | PermissionState::DeniedPartial => {
+          PermissionState::Denied.to_string()
+        }
         PermissionState::Granted
         | PermissionState::Prompt
         | PermissionState::Denied => state.to_string(),

runtime/permissions/lib.rs

@@ -62,7 +62,7 @@ pub struct PermissionDeniedError {
   pub access: String,
   pub name: &'static str,
   pub custom_message: Option<String>,
-  pub is_ignored: bool,
+  pub state: PermissionState,
 }
 
 fn format_permission_error(name: &'static str) -> String {
@@ -134,7 +134,8 @@ pub enum PermissionState {
   #[default]
   Prompt = 2,
   Denied = 3,
-  Ignored = 4,
+  DeniedPartial = 4,
+  Ignored = 5,
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
@@ -446,12 +447,13 @@ impl PermissionState {
   fn permission_denied_error(
     name: &'static str,
     info: Option<&str>,
+    state: PermissionState,
   ) -> PermissionDeniedError {
     PermissionDeniedError {
       access: Self::fmt_access(name, info),
       name,
       custom_message: None,
-      is_ignored: false,
+      state,
     }
   }
 
@@ -474,9 +476,14 @@ impl PermissionState {
         Self::log_perm_access(name, || info.map(|i| i.to_string()));
         (Ok(()), true)
       }
-      PromptResponse::Deny => {
-        (Err(Self::permission_denied_error(name, info)), false)
-      }
+      PromptResponse::Deny => (
+        Err(Self::permission_denied_error(
+          name,
+          info,
+          PermissionState::Denied,
+        )),
+        false,
+      ),
     }
   }
 
@@ -501,7 +508,7 @@ impl PermissionState {
               access: Self::fmt_access(name, info().as_deref()),
               name,
               custom_message: message,
-              is_ignored: false,
+              state: PermissionState::Denied,
             }),
             false,
             false,
@@ -535,9 +542,8 @@ impl PermissionState {
         });
         (result, true, is_allow_all)
       }
-      _ => {
-        let mut err = Self::permission_denied_error(name, info().as_deref());
-        err.is_ignored = matches!(self, PermissionState::Ignored);
+      state => {
+        let err = Self::permission_denied_error(name, info().as_deref(), state);
         (Err(err), false, false)
       }
     }
@@ -550,7 +556,9 @@ impl fmt::Display for PermissionState {
       PermissionState::Granted => f.pad("granted"),
       PermissionState::GrantedPartial => f.pad("granted-partial"),
       PermissionState::Prompt => f.pad("prompt"),
-      PermissionState::Denied => f.pad("denied"),
+      PermissionState::Denied | PermissionState::DeniedPartial => {
+        f.pad("denied")
+      }
       PermissionState::Ignored => f.pad("ignored"),
     }
   }
@@ -852,7 +860,7 @@ impl<
         AllowPartial::TreatAsGranted => PermissionState::Granted,
         AllowPartial::TreatAsDenied => {
           if self.is_partial_flag_denied(desc) {
-            PermissionState::Denied
+            PermissionState::DeniedPartial
           } else {
             PermissionState::Granted
           }
@@ -870,7 +878,7 @@ impl<
     } else if matches!(allow_partial, AllowPartial::TreatAsDenied)
       && self.is_partial_flag_denied(desc)
     {
-      PermissionState::Denied
+      PermissionState::DeniedPartial
     } else {
       PermissionState::Prompt
     }
@@ -3780,6 +3788,7 @@ impl PermissionsContainer {
         PermissionState::permission_denied_error(
           "all",
           Some(display_name.as_ref()),
+          PermissionState::Denied,
         )
         .into(),
       )

tests/specs/permission/ignore_env/__test__.jsonc

@@ -15,7 +15,7 @@
     },
     "some_allow_env": {
       "args": "run --ignore-env=VAR1 --allow-env main.ts",
-      "output": "undefined\n2\n"
+      "output": "undefined\n2\n[WILDCARD]"
     }
   }
 }

tests/specs/permission/ignore_env/main.ts

@@ -1,3 +1,7 @@
 console.log(Deno.env.get("VAR1"));
 console.log(Deno.env.get("VAR2"));
-console.log(Deno.env.toObject());
+const object = Deno.env.toObject();
+console.log(object);
+if ("VAR1" in object) {
+  throw "FAILED";
+}