feat: permission stack traces in ops

Cargo.toml

@@ -46,7 +46,7 @@ repository = "https://github.com/denoland/deno"
 
 [workspace.dependencies]
 deno_ast = { version = "=0.43.3", features = ["transpiling"] }
-deno_core = { version = "0.318.0" }
+deno_core = { version = "0.319.0" }
 
 deno_bench_util = { version = "0.170.0", path = "./bench_util" }
 deno_lockfile = "=0.23.1"

cli/file_fetcher.rs

@@ -656,12 +656,14 @@ impl FileFetcher {
         permissions.check_specifier(
           specifier,
           deno_runtime::deno_permissions::CheckSpecifierKind::Static,
+          None,
         )?;
       }
       FetchPermissionsOptionRef::DynamicContainer(permissions) => {
         permissions.check_specifier(
           specifier,
           deno_runtime::deno_permissions::CheckSpecifierKind::Dynamic,
+          None,
         )?;
       }
     }

cli/module_loader.rs

@@ -1065,14 +1065,17 @@ impl<TGraphContainer: ModuleGraphContainer> NodeRequireLoader
     &self,
     permissions: &mut dyn deno_runtime::deno_node::NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<std::borrow::Cow<'a, Path>, AnyError> {
     if let Ok(url) = deno_path_util::url_from_file_path(path) {
       // allow reading if it's in the module graph
       if self.graph_container.graph().get(&url).is_some() {
         return Ok(std::borrow::Cow::Borrowed(path));
       }
     }
-    self.npm_resolver.ensure_read_permission(permissions, path)
+    self
+      .npm_resolver
+      .ensure_read_permission(permissions, path, stack)
   }
 
   fn load_text_file_lossy(&self, path: &Path) -> Result<String, AnyError> {

cli/npm/byonm.rs

@@ -84,12 +84,13 @@ impl CliNpmResolver for CliByonmNpmResolver {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError> {
     if !path
       .components()
       .any(|c| c.as_os_str().to_ascii_lowercase() == "node_modules")
     {
-      permissions.check_read_path(path).map_err(Into::into)
+      permissions.check_read_path(path, stack).map_err(Into::into)
     } else {
       Ok(Cow::Borrowed(path))
     }

cli/npm/managed/mod.rs

@@ -704,8 +704,11 @@ impl CliNpmResolver for ManagedCliNpmResolver {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError> {
-    self.fs_resolver.ensure_read_permission(permissions, path)
+    self
+      .fs_resolver
+      .ensure_read_permission(permissions, path, stack)
   }
 
   fn check_state_hash(&self) -> Option<u64> {

cli/npm/managed/resolvers/common.rs

@@ -64,6 +64,7 @@ pub trait NpmPackageFsResolver: Send + Sync {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError>;
 }
 
@@ -87,6 +88,7 @@ impl RegistryReadPermissionChecker {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError> {
     if permissions.query_read_all() {
       return Ok(Cow::Borrowed(path)); // skip permissions checks below
@@ -133,7 +135,7 @@ impl RegistryReadPermissionChecker {
       }
     }
 
-    permissions.check_read_path(path).map_err(Into::into)
+    permissions.check_read_path(path, stack).map_err(Into::into)
   }
 }
 

cli/npm/managed/resolvers/global.rs

@@ -182,10 +182,11 @@ impl NpmPackageFsResolver for GlobalNpmPackageResolver {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError> {
     self
       .registry_read_permission_checker
-      .ensure_registry_read_permission(permissions, path)
+      .ensure_registry_read_permission(permissions, path, stack)
   }
 }
 

cli/npm/managed/resolvers/local.rs

@@ -257,10 +257,11 @@ impl NpmPackageFsResolver for LocalNpmPackageResolver {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError> {
     self
       .registry_read_permission_checker
-      .ensure_registry_read_permission(permissions, path)
+      .ensure_registry_read_permission(permissions, path, stack)
   }
 }
 

cli/npm/mod.rs

@@ -131,6 +131,7 @@ pub trait CliNpmResolver: NpmResolver {
     &self,
     permissions: &mut dyn NodePermissions,
     path: &'a Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, Path>, AnyError>;
 
   /// Returns a hash returning the state of the npm resolver

cli/ops/bench.rs

@@ -7,6 +7,7 @@ use std::time;
 use deno_core::error::generic_error;
 use deno_core::error::type_error;
 use deno_core::error::AnyError;
+use deno_core::error::JsStackFrame;
 use deno_core::op2;
 use deno_core::v8;
 use deno_core::ModuleSpecifier;
@@ -51,15 +52,17 @@ fn op_bench_get_origin(state: &mut OpState) -> String {
 #[derive(Clone)]
 struct PermissionsHolder(Uuid, PermissionsContainer);
 
-#[op2]
+#[op2(reentrant)]
 #[serde]
 pub fn op_pledge_test_permissions(
   state: &mut OpState,
   #[serde] args: ChildPermissionsArg,
+  #[stack_trace] stack: Option<Vec<JsStackFrame>>,
 ) -> Result<Uuid, deno_runtime::deno_permissions::ChildPermissionError> {
   let token = Uuid::new_v4();
   let parent_permissions = state.borrow_mut::<PermissionsContainer>();
-  let worker_permissions = parent_permissions.create_child_permissions(args)?;
+  let worker_permissions =
+    parent_permissions.create_child_permissions(args, stack)?;
   let parent_permissions = parent_permissions.clone();
 
   if state.try_take::<PermissionsHolder>().is_some() {

cli/ops/testing.rs

@@ -46,15 +46,17 @@ deno_core::extension!(deno_test,
 #[derive(Clone)]
 struct PermissionsHolder(Uuid, PermissionsContainer);
 
-#[op2]
+#[op2(reentrant)]
 #[serde]
 pub fn op_pledge_test_permissions(
   state: &mut OpState,
   #[serde] args: ChildPermissionsArg,
+  #[stack_trace] stack: Option<Vec<deno_core::error::JsStackFrame>>,
 ) -> Result<Uuid, deno_runtime::deno_permissions::ChildPermissionError> {
   let token = Uuid::new_v4();
   let parent_permissions = state.borrow_mut::<PermissionsContainer>();
-  let worker_permissions = parent_permissions.create_child_permissions(args)?;
+  let worker_permissions =
+    parent_permissions.create_child_permissions(args, stack)?;
   let parent_permissions = parent_permissions.clone();
 
   if state.try_take::<PermissionsHolder>().is_some() {

cli/standalone/mod.rs

@@ -411,6 +411,7 @@ impl NodeRequireLoader for EmbeddedModuleLoader {
     &self,
     permissions: &mut dyn deno_runtime::deno_node::NodePermissions,
     path: &'a std::path::Path,
+    stack: Option<Vec<deno_core::error::JsStackFrame>>,
   ) -> Result<Cow<'a, std::path::Path>, AnyError> {
     if self.shared.modules.has_file(path) {
       // allow reading if the file is in the snapshot
@@ -420,7 +421,7 @@ impl NodeRequireLoader for EmbeddedModuleLoader {
     self
       .shared
       .npm_resolver
-      .ensure_read_permission(permissions, path)
+      .ensure_read_permission(permissions, path, stack)
   }
 
   fn load_text_file_lossy(

cli/worker.rs

@@ -596,6 +596,9 @@ impl CliMainWorkerFactory {
       origin_storage_dir,
       stdio,
       skip_op_registration: shared.options.skip_op_registration,
+      enable_stack_trace_arg_in_ops: crate::args::has_flag_env_var(
+        "DENO_TRACE_PERMISSIONS",
+      ),
     };
 
     let mut worker = MainWorker::bootstrap_from_options(
@@ -792,6 +795,9 @@ fn create_web_worker_callback(
       strace_ops: shared.options.strace_ops.clone(),
       close_on_idle: args.close_on_idle,
       maybe_worker_metadata: args.maybe_worker_metadata,
+      enable_stack_trace_arg_in_ops: crate::args::has_flag_env_var(
+        "DENO_TRACE_PERMISSIONS",
+      ),
     };
 
     WebWorker::bootstrap_from_options(services, options)