Permissions per modules with importmap like configuration #3397

Closed
imaginamundo opened this issue Nov 24, 2019 · 3 comments

@imaginamundo

I've just had an idea to give permissions per module, similar to import maps. Here is the demo for import maps:

// importmap.json
{
  "imports": {
    "moment": "./moment.ts",
    "lodash": ["./lodash.ts"]
  }
}

// moment.ts
console.log("I'm remapped moment");

// lodash.ts
console.log("I'm remapped lodash");

// script.ts
import "moment";
import "lodash";
console.log("Import maps in action!");

And like this, we can give access to packages like:

// importpermission.json
{
  "permissions": {
    "moment": ["net", "read"]
  }
}

And then run the project with:

$ deno --importmap=importmap.json --importpermission=importpermission.json script.ts

This way, lodash will have no permissions and moment would have permission to net and read.

The modules that are not listed in the permissions file get their permissions from the deno command; if the module is in the permissions file, we overwrite the permissions from the deno command. If we wanted to deny a permission given on the deno command, we could set an empty array in importpermission.json.
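The resolution rules proposed in the post above, as an added example that is not part of the original issue or of Deno's code. `--importpermission` exists only as this proposal; the function names, the permission list, the CLI grant and the sample file are assumptions constructed for illustration. It models which permission set each specifier would resolve to, not runtime enforcement, and reports when a file entry grants more than the command line did.

```typescript
// Added example: models the proposal's resolution rules only, not enforcement.
type ModulePermission = "net" | "read" | "write" | "env" | "run";
const KNOWN: ModulePermission[] = ["net", "read", "write", "env", "run"];
type PermissionTable = { [specifier: string]: ModulePermission[] };

interface Resolved {
  effective: ModulePermission[];  // what the module would run with
  source: "file" | "cli";         // which rule decided it
  exceedsCli: ModulePermission[]; // granted by the file but not on the command line
}

// Parse and validate an importpermission.json document (hypothetical format).
function parseImportPermissions(json: string): PermissionTable {
  const doc = JSON.parse(json);
  const raw = doc === null || typeof doc !== "object" ? undefined : doc.permissions;
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new Error('expected a top-level "permissions" object');
  }
  // Null prototype so a specifier such as "__proto__" is stored as plain data.
  const table: PermissionTable = Object.create(null);
  for (const spec of Object.keys(raw)) {
    const list = raw[spec];
    if (!Array.isArray(list)) throw new Error(`"${spec}" must map to an array`);
    table[spec] = [];
    for (const p of list) {
      if (KNOWN.indexOf(p) === -1) throw new Error(`unknown permission "${p}" for "${spec}"`);
      if (table[spec].indexOf(p) === -1) table[spec].push(p); // drop duplicates
    }
  }
  return table;
}

// Listed specifier: the file overrides the CLI grants (an empty array denies all).
// Unlisted specifier: inherits the CLI grants unchanged.
function resolvePermissions(spec: string, cli: ModulePermission[], table: PermissionTable): Resolved {
  if (!Object.prototype.hasOwnProperty.call(table, spec)) {
    return { effective: cli.slice(), source: "cli", exceedsCli: [] };
  }
  const effective = table[spec].slice();
  return { effective, source: "file", exceedsCli: effective.filter((p) => cli.indexOf(p) === -1) };
}

// Constructed sample: the page's file plus an explicit deny-all entry for lodash.
const SAMPLE = '{"permissions": {"moment": ["net", "read"], "lodash": []}}';
const CLI_GRANTS: ModulePermission[] = ["read"]; // constructed: only read granted on the command line
const sampleTable = parseImportPermissions(SAMPLE);
for (const spec of ["moment", "lodash", "script.ts"]) {
  console.log(spec, JSON.stringify(resolvePermissions(spec, CLI_GRANTS, sampleTable)));
}
```

Because a listed entry overwrites the command-line grants, `moment` resolves to `net` and `read` even though only `read` was granted; `exceedsCli` makes that widening visible for review.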

@kevinkassimo
Contributor

More context: #1639

@kitsonk
Contributor

kitsonk commented Nov 24, 2019

As mentioned in #1639, one of the biggest challenges is that determining the caller to enforce permissions is difficult from the runtime. The only straightforward way is likely to have a significant overhead for every call to validate the source/stack and enforce the permissions.

It isn't so much finding a low-overhead ergonomic way to do this as finding a realistic way to implement something.

@ry
Member

ry commented Nov 24, 2019

@imaginamundo Thanks for the issue - it would certainly be cool to do something like that but as @kitsonk said, it's not at all clear how this would be possible. We need a proof of concept implementation before any other discussions and I have yet to see any way of doing this. Closing this.
