script/dom/

permissions.rs

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */

use std::rc::Rc;

use dom_struct::dom_struct;
use embedder_traits::{self, AllowOrDeny, EmbedderMsg, PermissionFeature};
use js::conversions::ConversionResult;
use js::jsapi::JSObject;
use js::jsval::{ObjectValue, UndefinedValue};
use script_bindings::inheritance::Castable;
use script_bindings::reflector::{Reflector, reflect_dom_object};
use servo_base::generic_channel;
use servo_config::pref;

use super::window::Window;
use crate::conversions::Convert;
use crate::dom::bindings::codegen::Bindings::PermissionStatusBinding::{
    PermissionDescriptor, PermissionName, PermissionState, PermissionStatusMethods,
};
use crate::dom::bindings::codegen::Bindings::PermissionsBinding::PermissionsMethods;
use crate::dom::bindings::codegen::Bindings::WindowBinding::Window_Binding::WindowMethods;
use crate::dom::bindings::error::Error;
use crate::dom::bindings::reflector::DomGlobal;
use crate::dom::bindings::root::DomRoot;
#[cfg(feature = "bluetooth")]
use crate::dom::bluetooth::Bluetooth;
#[cfg(feature = "bluetooth")]
use crate::dom::bluetoothpermissionresult::BluetoothPermissionResult;
use crate::dom::globalscope::GlobalScope;
use crate::dom::permissionstatus::PermissionStatus;
use crate::dom::promise::Promise;
use crate::realms::{AlreadyInRealm, InRealm};
use crate::script_runtime::CanGc;

pub(crate) trait PermissionAlgorithm {
    type Descriptor;
    #[cfg_attr(crown, crown::unrooted_must_root_lint::must_root)]
    type Status;
    fn create_descriptor(
        cx: &mut js::context::JSContext,
        permission_descriptor_obj: *mut JSObject,
    ) -> Result<Self::Descriptor, Error>;
    fn permission_query(
        cx: &mut js::context::JSContext,
        promise: &Rc<Promise>,
        descriptor: &Self::Descriptor,
        status: &Self::Status,
    );
    fn permission_request(
        cx: &mut js::context::JSContext,
        promise: &Rc<Promise>,
        descriptor: &Self::Descriptor,
        status: &Self::Status,
    );
    fn permission_revoke(
        cx: &mut js::context::JSContext,
        descriptor: &Self::Descriptor,
        status: &Self::Status,
    );
}

enum Operation {
    Query,
    Request,
    Revoke,
}

// https://w3c.github.io/permissions/#permissions
#[dom_struct]
pub(crate) struct Permissions {
    reflector_: Reflector,
}

impl Permissions {
    pub(crate) fn new_inherited() -> Permissions {
        Permissions {
            reflector_: Reflector::new(),
        }
    }

    pub(crate) fn new(global: &GlobalScope, can_gc: CanGc) -> DomRoot<Permissions> {
        reflect_dom_object(Box::new(Permissions::new_inherited()), global, can_gc)
    }

    // https://w3c.github.io/permissions/#dom-permissions-query
    // https://w3c.github.io/permissions/#dom-permissions-request
    // https://w3c.github.io/permissions/#dom-permissions-revoke
    #[expect(non_snake_case)]
    fn manipulate(
        &self,
        cx: &mut js::context::JSContext,
        op: Operation,
        permissionDesc: *mut JSObject,
        promise: Option<Rc<Promise>>,
    ) -> Rc<Promise> {
        // (Query, Request) Step 3.
        let p = match promise {
            Some(promise) => promise,
            None => {
                let in_realm_proof = AlreadyInRealm::assert::<crate::DomTypeHolder>();
                Promise::new_in_current_realm(InRealm::Already(&in_realm_proof), CanGc::from_cx(cx))
            },
        };

        // (Query, Request, Revoke) Step 1.
        let root_desc = match Permissions::create_descriptor(cx, permissionDesc) {
            Ok(descriptor) => descriptor,
            Err(error) => {
                p.reject_error(error, CanGc::from_cx(cx));
                return p;
            },
        };

        // (Query, Request) Step 5.
        let status = PermissionStatus::new(&self.global(), &root_desc, CanGc::from_cx(cx));

        // (Query, Request, Revoke) Step 2.
        match root_desc.name {
            #[cfg(feature = "bluetooth")]
            PermissionName::Bluetooth => {
                let bluetooth_desc = match Bluetooth::create_descriptor(cx, permissionDesc) {
                    Ok(descriptor) => descriptor,
                    Err(error) => {
                        p.reject_error(error, CanGc::from_cx(cx));
                        return p;
                    },
                };

                // (Query, Request) Step 5.
                let result = BluetoothPermissionResult::new(cx, &self.global(), &status);

                match op {
                    // (Request) Step 6 - 8.
                    Operation::Request => {
                        Bluetooth::permission_request(cx, &p, &bluetooth_desc, &result)
                    },

                    // (Query) Step 6 - 7.
                    Operation::Query => {
                        Bluetooth::permission_query(cx, &p, &bluetooth_desc, &result)
                    },

                    Operation::Revoke => {
                        // (Revoke) Step 3.
                        let globalscope = self.global();
                        globalscope
                            .permission_state_invocation_results()
                            .borrow_mut()
                            .remove(&root_desc.name);

                        // (Revoke) Step 4.
                        Bluetooth::permission_revoke(cx, &bluetooth_desc, &result)
                    },
                }
            },
            _ => {
                match op {
                    Operation::Request => {
                        // (Request) Step 6.
                        Permissions::permission_request(cx, &p, &root_desc, &status);

                        // (Request) Step 7. The default algorithm always resolve

                        // (Request) Step 8.
                        p.resolve_native(&status, CanGc::from_cx(cx));
                    },
                    Operation::Query => {
                        // (Query) Step 6.
                        Permissions::permission_query(cx, &p, &root_desc, &status);

                        // (Query) Step 7.
                        p.resolve_native(&status, CanGc::from_cx(cx));
                    },

                    Operation::Revoke => {
                        // (Revoke) Step 3.
                        let globalscope = self.global();
                        globalscope
                            .permission_state_invocation_results()
                            .borrow_mut()
                            .remove(&root_desc.name);

                        // (Revoke) Step 4.
                        Permissions::permission_revoke(cx, &root_desc, &status);
                    },
                }
            },
        };
        match op {
            // (Revoke) Step 5.
            Operation::Revoke => self.manipulate(cx, Operation::Query, permissionDesc, Some(p)),

            // (Query, Request) Step 4.
            _ => p,
        }
    }
}

#[expect(non_snake_case)]
impl PermissionsMethods<crate::DomTypeHolder> for Permissions {
    /// <https://w3c.github.io/permissions/#dom-permissions-query>
    fn Query(&self, cx: &mut js::context::JSContext, permissionDesc: *mut JSObject) -> Rc<Promise> {
        self.manipulate(cx, Operation::Query, permissionDesc, None)
    }

    /// <https://w3c.github.io/permissions/#dom-permissions-request>
    fn Request(
        &self,
        cx: &mut js::context::JSContext,
        permissionDesc: *mut JSObject,
    ) -> Rc<Promise> {
        self.manipulate(cx, Operation::Request, permissionDesc, None)
    }

    /// <https://w3c.github.io/permissions/#dom-permissions-revoke>
    fn Revoke(
        &self,
        cx: &mut js::context::JSContext,
        permissionDesc: *mut JSObject,
    ) -> Rc<Promise> {
        self.manipulate(cx, Operation::Revoke, permissionDesc, None)
    }
}

impl PermissionAlgorithm for Permissions {
    type Descriptor = PermissionDescriptor;
    type Status = PermissionStatus;

    fn create_descriptor(
        cx: &mut js::context::JSContext,
        permission_descriptor_obj: *mut JSObject,
    ) -> Result<PermissionDescriptor, Error> {
        rooted!(&in(cx) let mut property = UndefinedValue());
        property
            .handle_mut()
            .set(ObjectValue(permission_descriptor_obj));
        match PermissionDescriptor::new(cx.into(), property.handle(), CanGc::from_cx(cx)) {
            Ok(ConversionResult::Success(descriptor)) => Ok(descriptor),
            Ok(ConversionResult::Failure(error)) => Err(Error::Type(error.into_owned())),
            Err(_) => Err(Error::JSFailed),
        }
    }

    /// <https://w3c.github.io/permissions/#dfn-permission-query-algorithm>
    ///
    /// > permission query algorithm:
    /// > Takes an instance of the permission descriptor type and a new or existing instance of
    /// > the permission result type, and updates the permission result type instance with the
    /// > query result. Used by Permissions' query(permissionDesc) method and the
    /// > PermissionStatus update steps. If unspecified, this defaults to the default permission
    /// > query algorithm.
    ///
    /// > The default permission query algorithm, given a PermissionDescriptor
    /// > permissionDesc and a PermissionStatus status, runs the following steps:
    fn permission_query(
        _cx: &mut js::context::JSContext,
        _promise: &Rc<Promise>,
        _descriptor: &PermissionDescriptor,
        status: &PermissionStatus,
    ) {
        // Step 1. Set status's state to permissionDesc's permission state.
        status.set_state(descriptor_permission_state(status.get_query(), None));
    }

    /// <https://w3c.github.io/permissions/#boolean-permission-request-algorithm>
    fn permission_request(
        cx: &mut js::context::JSContext,
        promise: &Rc<Promise>,
        descriptor: &PermissionDescriptor,
        status: &PermissionStatus,
    ) {
        // Step 1.
        Permissions::permission_query(cx, promise, descriptor, status);

        match status.State() {
            // Step 3.
            PermissionState::Prompt => {
                let permission_name = status.get_query();
                let globalscope = GlobalScope::current().expect("No current global object");
                request_permission_to_use(permission_name, &globalscope);
            },

            // Step 2.
            _ => return,
        }

        // Step 4.
        Permissions::permission_query(cx, promise, descriptor, status);
    }

    fn permission_revoke(
        _cx: &mut js::context::JSContext,
        _descriptor: &PermissionDescriptor,
        _status: &PermissionStatus,
    ) {
    }
}

/// <https://w3c.github.io/permissions/#dfn-permission-state>
pub(crate) fn descriptor_permission_state(
    feature: PermissionName,
    env_settings_obj: Option<&GlobalScope>,
) -> PermissionState {
    // Step 1. If settings wasn't passed, set it to the current settings object.
    let global_scope = match env_settings_obj {
        Some(env_settings_obj) => DomRoot::from_ref(env_settings_obj),
        None => GlobalScope::current().expect("No current global object"),
    };

    // Step 2. If settings is a non-secure context, return "denied".
    if !global_scope.is_secure_context() {
        if pref!(dom_permissions_testing_allowed_in_nonsecure_contexts) {
            return PermissionState::Granted;
        }
        return PermissionState::Denied;
    }

    // Step 3. Let feature be descriptor's name.
    // The caller has already converted the descriptor into a name.

    // Step 4. If there exists a policy-controlled feature for feature and settings'
    // relevant global object has an associated Document run the following step:
    //   1. Let document be settings' relevant global object's associated Document.
    //   2. If document is not allowed to use feature, return "denied".
    if let Some(window) = global_scope.downcast::<Window>() &&
        !window.Document().allowed_to_use_feature(feature)
    {
        return PermissionState::Denied;
    }

    // Step 5. Let key be the result of generating a permission key for descriptor with settings.
    // Step 6. Let entry be the result of getting a permission store entry with descriptor and key.
    // Step 7. If entry is not null, return a PermissionState enum value from entry's state.
    //
    // TODO: We aren't making a key based on the descriptor, but on the descriptor's name. This really
    // only matters for WebBluetooth, which adds more fields to the descriptor beyond the name.
    if let Some(entry) = global_scope
        .permission_state_invocation_results()
        .borrow()
        .get(&feature)
    {
        return *entry;
    }

    // Step 8. Return the PermissionState enum value that represents the permission state
    // of feature, taking into account any permission state constraints for descriptor's
    // name.
    PermissionState::Prompt
}

/// <https://w3c.github.io/permissions/#request-permission-to-use>
pub(crate) fn request_permission_to_use(
    name: PermissionName,
    global_scope: &GlobalScope,
) -> PermissionState {
    let state = descriptor_permission_state(name, Some(global_scope));
    if state != PermissionState::Prompt {
        return state;
    }

    let state = prompt_user_from_embedder(name, global_scope);
    global_scope
        .permission_state_invocation_results()
        .borrow_mut()
        .insert(name, state);
    descriptor_permission_state(name, Some(global_scope))
}

fn prompt_user_from_embedder(name: PermissionName, global_scope: &GlobalScope) -> PermissionState {
    let Some(webview_id) = global_scope.webview_id() else {
        warn!("Requesting permissions from non-webview-associated global scope");
        return PermissionState::Denied;
    };
    let (sender, receiver) = generic_channel::channel().expect("Failed to create IPC channel!");
    global_scope.send_to_embedder(EmbedderMsg::PromptPermission(
        webview_id,
        name.convert(),
        sender,
    ));

    match receiver.recv() {
        Ok(AllowOrDeny::Allow) => PermissionState::Granted,
        Ok(AllowOrDeny::Deny) => PermissionState::Denied,
        Err(e) => {
            warn!(
                "Failed to receive permission state from embedder ({:?}).",
                e
            );
            PermissionState::Denied
        },
    }
}

impl Convert<PermissionFeature> for PermissionName {
    fn convert(self) -> PermissionFeature {
        match self {
            PermissionName::Geolocation => PermissionFeature::Geolocation,
            PermissionName::Notifications => PermissionFeature::Notifications,
            PermissionName::Push => PermissionFeature::Push,
            PermissionName::Midi => PermissionFeature::Midi,
            PermissionName::Camera => PermissionFeature::Camera,
            PermissionName::Microphone => PermissionFeature::Microphone,
            PermissionName::Speaker => PermissionFeature::Speaker,
            PermissionName::Device_info => PermissionFeature::DeviceInfo,
            PermissionName::Background_sync => PermissionFeature::BackgroundSync,
            PermissionName::Bluetooth => PermissionFeature::Bluetooth,
            PermissionName::Persistent_storage => PermissionFeature::PersistentStorage,
            PermissionName::Screen_wake_lock => PermissionFeature::ScreenWakeLock,
        }
    }
}