From 73a7ce9e39b9b681935bb72614b03255dd501dcc Mon Sep 17 00:00:00 2001 From: Erik Marks <25517051+rekmarks@users.noreply.github.com> Date: Fri, 29 Apr 2022 15:56:30 -0700 Subject: [PATCH] Add applyLavaMoat build flag (#14583) Adds a new flag, `--apply-lavamoat`, to the main build script. The flag controls whether LavaMoat is actually applied to the output of the build process. The flag defaults to `true`, but we explicitly set it to `false` in the `start` package script. Meanwhile, the `start:lavamoat` script is modified such that it applies LavaMoat to the build output in development mode, but it no longer runs the build process itself under LavaMoat as there aren't very compelling reasons to do so. This change is motivated by the fact that development builds do not have their own dedicated LavaMoat policies, which causes development builds to fail since #14537. The downside of this change is that LavaMoat-related failures will not be detected when running `yarn start`. @kumavis has plans for fixing this problem in a future major version of the `@lavamoat` suite. --- app/background.html | 2 +- app/home.html | 2 +- app/notification.html | 2 +- app/popup.html | 2 +- development/build/index.js | 8 ++++++++ development/build/scripts.js | 21 ++++++++++++--------- package.json | 6 +++--- 7 files changed, 27 insertions(+), 16 deletions(-) diff --git a/app/background.html b/app/background.html index 447efa60e..6a0150579 100644 --- a/app/background.html +++ b/app/background.html @@ -6,7 +6,7 @@
- {{@if(it.useLavamoat)}} + {{@if(it.applyLavaMoat)}} diff --git a/app/home.html b/app/home.html index d44eb6663..97334c73c 100644 --- a/app/home.html +++ b/app/home.html @@ -12,7 +12,7 @@ - {{@if(it.useLavamoat)}} + {{@if(it.applyLavaMoat)}} diff --git a/app/notification.html b/app/notification.html index 1002a37ef..1f348f680 100644 --- a/app/notification.html +++ b/app/notification.html @@ -35,7 +35,7 @@ - {{@if(it.useLavamoat)}} + {{@if(it.applyLavaMoat)}} diff --git a/app/popup.html b/app/popup.html index e24978ad7..90117fc79 100644 --- a/app/popup.html +++ b/app/popup.html @@ -12,7 +12,7 @@ - {{@if(it.useLavamoat)}} + {{@if(it.applyLavaMoat)}} diff --git a/development/build/index.js b/development/build/index.js index 7e88bcfb2..fd6dd1b76 100755 --- a/development/build/index.js +++ b/development/build/index.js @@ -57,6 +57,7 @@ defineAndRunBuildTasks(); function defineAndRunBuildTasks() { const { + applyLavaMoat, buildType, entryTask, isLavaMoat, @@ -89,6 +90,7 @@ function defineAndRunBuildTasks() { const styleTasks = createStyleTasks({ livereload }); const scriptTasks = createScriptTasks({ + applyLavaMoat, browserPlatforms, buildType, ignoredFiles, @@ -170,6 +172,7 @@ function defineAndRunBuildTasks() { function parseArgv() { const NamedArgs = { + ApplyLavaMoat: 'apply-lavamoat', BuildType: 'build-type', BuildVersion: 'build-version', LintFenceFiles: 'lint-fence-files', @@ -180,6 +183,7 @@ function parseArgv() { const argv = minimist(process.argv.slice(2), { boolean: [ + NamedArgs.ApplyLavaMoat, NamedArgs.LintFenceFiles, NamedArgs.Lockdown, NamedArgs.PolicyOnly, @@ -187,6 +191,7 @@ function parseArgv() { ], string: [NamedArgs.BuildType, NamedArgs.BuildVersion], default: { + [NamedArgs.ApplyLavaMoat]: true, [NamedArgs.BuildType]: BuildType.main, [NamedArgs.BuildVersion]: '0', [NamedArgs.LintFenceFiles]: true, 
@@ -232,8 +237,11 @@ function parseArgv() { const version = getVersion(buildType, buildVersion); return { + // Should we apply LavaMoat to the build output? + applyLavaMoat: argv[NamedArgs.ApplyLavaMoat], buildType, entryTask, + // Is this process running in lavamoat-node? isLavaMoat: process.argv[0].includes('lavamoat'), policyOnly, shouldIncludeLockdown: argv[NamedArgs.Lockdown], diff --git a/development/build/scripts.js b/development/build/scripts.js index f6dc542c4..e1a3a0551 100644 --- a/development/build/scripts.js +++ b/development/build/scripts.js @@ -140,6 +140,7 @@ const noopWriteStream = through.obj((_file, _fileEncoding, callback) => module.exports = createScriptTasks; function createScriptTasks({ + applyLavaMoat, browserPlatforms, buildType, ignoredFiles, @@ -180,6 +181,7 @@ function createScriptTasks({ const standardSubtask = createTask( `${taskPrefix}:standardEntryPoints`, createFactoredBuild({ + applyLavaMoat, browserPlatforms, buildType, devMode, @@ -343,6 +345,7 @@ function createScriptTasks({ } function createFactoredBuild({ + applyLavaMoat, browserPlatforms, buildType, devMode, @@ -473,21 +476,21 @@ function createFactoredBuild({ groupSet, commonSet, browserPlatforms, - useLavamoat: true, + applyLavaMoat, }); renderHtmlFile({ htmlName: 'notification', groupSet, commonSet, browserPlatforms, - useLavamoat: true, + applyLavaMoat, }); renderHtmlFile({ htmlName: 'home', groupSet, commonSet, browserPlatforms, - useLavamoat: true, + applyLavaMoat, }); break; } @@ -497,7 +500,7 @@ function createFactoredBuild({ groupSet, commonSet, browserPlatforms, - useLavamoat: true, + applyLavaMoat, }); break; } @@ -507,7 +510,7 @@ function createFactoredBuild({ groupSet, commonSet, browserPlatforms, - useLavamoat: false, + applyLavaMoat: false, }); break; } 
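Review bot: In `parseArgv` (hunk at -232), `applyLavaMoat: argv[NamedArgs.ApplyLavaMoat]` is returned for every entry task, so nothing on the visible lines stops `--apply-lavamoat=false` from being combined with the `prod` task that the `dist` script runs. That combination would produce release bundles without the LavaMoat runtime and without any error. A guard before the `return` would make it fail loudly, assuming `entryTask` holds the positional task name: `if (!argv[NamedArgs.ApplyLavaMoat] && entryTask === 'prod') { throw new Error('--apply-lavamoat=false is not allowed for prod builds'); }`. Most of `parseArgv` lies outside the hunk, so an equivalent check may already exist there.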
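Review bot: The last `renderHtmlFile` call in `createFactoredBuild` (hunk at -507) keeps a hard-coded `applyLavaMoat: false`, so that page is rendered without LavaMoat even when the build runs with `--apply-lavamoat=true`. Nothing on the visible lines records why. Now that the option carries the same name as the CLI flag, the literal reads like an oversight. A comment above it such as `// Always rendered without LavaMoat, independent of --apply-lavamoat: <reason>` would document the exemption. The `case` label that selects this branch is outside the hunk.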
@@ -858,11 +861,11 @@ function renderHtmlFile({ groupSet, commonSet, browserPlatforms, - useLavamoat, + applyLavaMoat, }) { - if (useLavamoat === undefined) { + if (applyLavaMoat === undefined) { throw new Error( - 'build/scripts/renderHtmlFile - must specify "useLavamoat" option', + 'build/scripts/renderHtmlFile - must specify "applyLavaMoat" option', ); } const htmlFilePath = `./app/${htmlName}.html`; @@ -870,7 +873,7 @@ function renderHtmlFile({ const jsBundles = [...commonSet.values(), ...groupSet.values()].map( (label) => `./${label}.js`, ); - const htmlOutput = Sqrl.render(htmlTemplate, { jsBundles, useLavamoat }); + const htmlOutput = Sqrl.render(htmlTemplate, { jsBundles, applyLavaMoat }); browserPlatforms.forEach((platform) => { const dest = `./dist/${platform}/${htmlName}.html`; // we dont have a way of creating async events atm diff --git a/package.json b/package.json index b715b0cf1..761761f13 100644 --- a/package.json +++ b/package.json @@ -9,11 +9,11 @@ "scripts": { "setup": "yarn install && yarn setup:postinstall", "setup:postinstall": "yarn patch-package && yarn allow-scripts", - "start": "yarn build:dev dev", - "start:lavamoat": "yarn build dev", + "start": "yarn build:dev --apply-lavamoat=false", + "start:lavamoat": "yarn build:dev --apply-lavamoat=true", "dist": "yarn build prod", "build": "yarn lavamoat:build", - "build:dev": "node development/build/index.js", + "build:dev": "node development/build/index.js dev", "start:test": "SEGMENT_HOST='https://api.segment.io' SEGMENT_WRITE_KEY='FAKE' yarn build testDev", "benchmark:chrome": "SELENIUM_BROWSER=chrome node test/e2e/benchmark.js", "benchmark:firefox": "SELENIUM_BROWSER=firefox node test/e2e/benchmark.js",
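Review bot: The guard at the top of `renderHtmlFile` (hunk at -858) rejects only `undefined`, while the templates decide with a truthiness test (`{{@if(it.applyLavaMoat)}}`). A `null` would pass the check and silently render the non-LavaMoat branch, and a string such as `'false'` would render the LavaMoat branch. The value now originates from a command-line flag rather than from literals, so a strict check is cheap: `if (typeof applyLavaMoat !== 'boolean') {`, with the message changed to `'build/scripts/renderHtmlFile - "applyLavaMoat" must be a boolean'`. On the path shown in this patch the flag is declared as a minimist boolean, so this is defence in depth for other callers.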