extension_host: Refactor capability checks (#35139)

This PR refactors the extension capability checks to be centralized in the `CapabilityGranter`. Release Notes: - N/A
2025-07-26 16:53:19 -04:00 · 2025-07-26 16:53:19 -04:00 · d7b403e981
commit d7b403e981
parent 290f84a9e1
6 changed files with 193 additions and 41 deletions
--- a/crates/extension_host/src/wasm_host.rs
+++ b/crates/extension_host/src/wasm_host.rs
@ -1,13 +1,15 @@
 pub mod wit;

 use crate::ExtensionManifest;
+use crate::capability_granter::CapabilityGranter;
 use anyhow::{Context as _, Result, anyhow, bail};
 use async_trait::async_trait;
 use dap::{DebugRequest, StartDebuggingRequestArgumentsRequest};
 use extension::{
    CodeLabel, Command, Completion, ContextServerConfiguration, DebugAdapterBinary,
-    DebugTaskDefinition, ExtensionHostProxy, KeyValueStoreDelegate, ProjectDelegate, SlashCommand,
-    SlashCommandArgumentCompletion, SlashCommandOutput, Symbol, WorktreeDelegate,
+    DebugTaskDefinition, ExtensionCapability, ExtensionHostProxy, KeyValueStoreDelegate,
+    ProcessExecCapability, ProjectDelegate, SlashCommand, SlashCommandArgumentCompletion,
+    SlashCommandOutput, Symbol, WorktreeDelegate,
 };
 use fs::{Fs, normalize_path};
 use futures::future::LocalBoxFuture;
@ -50,6 +52,8 @@ pub struct WasmHost {
    pub(crate) proxy: Arc<ExtensionHostProxy>,
    fs: Arc<dyn Fs>,
    pub work_dir: PathBuf,
+    /// The capabilities granted to extensions running on the host.
+    pub(crate) granted_capabilities: Vec<ExtensionCapability>,
    _main_thread_message_task: Task<()>,
    main_thread_message_tx: mpsc::UnboundedSender<MainThreadCall>,
 }
@ -486,6 +490,7 @@ pub struct WasmState {
    pub table: ResourceTable,
    ctx: wasi::WasiCtx,
    pub host: Arc<WasmHost>,
+    pub(crate) capability_granter: CapabilityGranter,
 }

 type MainThreadCall = Box<dyn Send + for<'a> FnOnce(&'a mut AsyncApp) -> LocalBoxFuture<'a, ()>>;
@ -571,6 +576,10 @@ impl WasmHost {
            node_runtime,
            proxy,
            release_channel: ReleaseChannel::global(cx),
+            granted_capabilities: vec![ExtensionCapability::ProcessExec(ProcessExecCapability {
+                command: "*".to_string(),
+                args: vec!["**".to_string()],
+            })],
            _main_thread_message_task: task,
            main_thread_message_tx: tx,
        })
@ -597,6 +606,10 @@ impl WasmHost {
                    manifest: manifest.clone(),
                    table: ResourceTable::new(),
                    host: this.clone(),
+                    capability_granter: CapabilityGranter::new(
+                        this.granted_capabilities.clone(),
+                        manifest.clone(),
+                    ),
                },
            );
            // Store will yield after 1 tick, and get a new deadline of 1 tick after each yield.