Add per-build type LavaMoat policies (#12702)

This PR adds one LavaMoat background script policy or each build type. It also renames the build system policy directory from `node` to `build-system` to make its purpose more clear. Each build type has the original `policy-override.json` for `main` builds. The `.prettierignore` file has been updated to match the locations of the new auto-generated policy files. We need to maintain separate policies for each build type because each type will produce different bundles with different internal and external modules. Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2024-11-22 09:57:02 +01:00 · 2021-11-15 14:23:46 -08:00 · 2021-11-15 14:23:46 -08:00 · d4c71b8683
commit d4c71b8683
parent 0cf7455e18
13 changed files with 9693 additions and 12 deletions
--- a/.prettierignore
+++ b/.prettierignore
@ -1,5 +1,5 @@
 node_modules/**
-lavamoat/*/policy.json
+lavamoat/**/policy.json
 dist/**
 builds/**
 test-*/**
--- a/README.md
+++ b/README.md
@ -67,9 +67,17 @@ Whenever you change dependencies (adding, removing, or updating, either in `pack
 * The `allow-scripts` configuration in `package.json`
  * Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run. Review each new package to determine whether the install script needs to run or not, testing if necessary.
  * Unfortunately, `yarn allow-scripts auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
-* The LavaMoat auto-generated policy in `lavamoat/node/policy.json`
+* The LavaMoat policy files. The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details. Continue reading for more information.
-  * Run `yarn lavamoat:auto` to re-generate this policy file. Review the changes to determine whether the access granted to each package seems appropriate.
+  * There are two sets of LavaMoat policy files:
-  * Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
+    * The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`.
      * These should be regenerated whenever the production dependencies for the background change.
    * The build system LavaMoat policy file (`lavamoat/build-system/policy.json`), which is re-generated using `yarn lavamoat:build:auto`.
      * This should be regenerated whenever the dependencies used by the build system itself change.
  * Whenever you regenerate a policy file, review the changes to determine whether the access granted to each package seems appropriate.
  * Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms.
  macOS and Windows users may see extraneous changes relating to optional dependencies.
  * Keep in mind that any kind of dynamic import or dynamic use of globals may elude LavaMoat's static analysis.
  Refer to the LavaMoat documentation or ask for help if you run into any issues.
 ## Architecture
--- a/development/build/scripts.js
+++ b/development/build/scripts.js
@ -358,10 +358,14 @@ function createFactoredBuild({
    // lavamoat will add lavapack but it will be removed by bify-module-groups
    // we will re-add it later by installing a lavapack runtime
    const lavamoatOpts = {
-      policy: path.resolve(__dirname, '../../lavamoat/browserify/policy.json'),
+      policy: path.resolve(
        __dirname,
        `../../lavamoat/browserify/${buildType}/policy.json`,
      ),
      policyName: buildType,
      policyOverride: path.resolve(
        __dirname,
-        '../../lavamoat/browserify/policy-override.json',
+        `../../lavamoat/browserify/${buildType}/policy-override.json`,
      ),
      writeAutoPolicy: process.env.WRITE_AUTO_POLICY,
    };
--- a/development/generate-lavamoat-policies.sh
+++ b/development/generate-lavamoat-policies.sh
@ -0,0 +1,13 @@
 #!/usr/bin/env bash
 set -e
 set -u
 set -o pipefail
 # Generate LavaMoat policies for the extension background script for each build
 # type.
 # ATTN: This may tax your device when running it locally.
 concurrently --kill-others-on-fail -n main,beta,flask \
  "WRITE_AUTO_POLICY=1 yarn dist" \
  "WRITE_AUTO_POLICY=1 yarn dist --build-type beta" \
  "WRITE_AUTO_POLICY=1 yarn dist --build-type flask"
--- a/lavamoat/browserify/beta/policy-override.json
+++ b/lavamoat/browserify/beta/policy-override.json
--- a/lavamoat/browserify/beta/policy.json
+++ b/lavamoat/browserify/beta/policy.json
--- a/lavamoat/browserify/flask/policy-override.json
+++ b/lavamoat/browserify/flask/policy-override.json
@ -0,0 +1,55 @@
 {
  "resources": {
    "browser-resolve": {
      "packages": {
        "core-js": true
      }
    },
    "babel-runtime": {
      "packages": {
        "@babel/runtime": true
      }
    },
    "node-fetch": {
      "globals": {
        "fetch": true
      }
    },
    "lodash": {
      "globals": {
        "setTimeout": true,
        "clearTimeout": true
      }
    },
    "@ethersproject/random": {
      "globals": {
        "crypto.getRandomValues": true
      }
    },
    "browser-passworder": {
      "globals": {
        "crypto": true
      }
    },
    "randombytes": {
      "globals": {
        "crypto.getRandomValues": true
      }
    },
    "extensionizer": {
      "globals": {
        "console": true
      }
    },
    "web3": {
      "globals": {
        "XMLHttpRequest": true
      }
    },
    "storage": {
      "globals": {
        "localStorage": true
      }
    }
  }
 }
--- a/lavamoat/browserify/flask/policy.json
+++ b/lavamoat/browserify/flask/policy.json
--- a/lavamoat/browserify/main/policy-override.json
+++ b/lavamoat/browserify/main/policy-override.json
@ -0,0 +1,55 @@
 {
  "resources": {
    "browser-resolve": {
      "packages": {
        "core-js": true
      }
    },
    "babel-runtime": {
      "packages": {
        "@babel/runtime": true
      }
    },
    "node-fetch": {
      "globals": {
        "fetch": true
      }
    },
    "lodash": {
      "globals": {
        "setTimeout": true,
        "clearTimeout": true
      }
    },
    "@ethersproject/random": {
      "globals": {
        "crypto.getRandomValues": true
      }
    },
    "browser-passworder": {
      "globals": {
        "crypto": true
      }
    },
    "randombytes": {
      "globals": {
        "crypto.getRandomValues": true
      }
    },
    "extensionizer": {
      "globals": {
        "console": true
      }
    },
    "web3": {
      "globals": {
        "XMLHttpRequest": true
      }
    },
    "storage": {
      "globals": {
        "localStorage": true
      }
    }
  }
 }
--- a/lavamoat/browserify/main/policy.json
+++ b/lavamoat/browserify/main/policy.json
--- a/lavamoat/build-system/policy-override.json
+++ b/lavamoat/build-system/policy-override.json
--- a/lavamoat/build-system/policy.json
+++ b/lavamoat/build-system/policy.json
--- a/package.json
+++ b/package.json
@ -12,7 +12,7 @@
    "start": "yarn build:dev dev",
    "start:lavamoat": "yarn build dev",
    "dist": "yarn build prod",
-    "build": "lavamoat development/build/index.js",
+    "build": "yarn lavamoat:build",
    "build:dev": "node development/build/index.js",
    "start:test": "yarn build testDev",
    "benchmark:chrome": "SELENIUM_BROWSER=chrome node test/e2e/benchmark.js",
@ -41,8 +41,9 @@
    "test:coverage:path": "nyc --check-coverage yarn test:unit:path",
    "ganache:start": "./development/run-ganache.sh",
    "sentry:publish": "node ./development/sentry-publish.js",
-    "lint": "prettier --check '**/*.json' && eslint . --ext js,snap --cache && yarn lint:styles",
+    "lint:prettier": "prettier '**/*.json'",
-    "lint:fix": "prettier --write '**/*.json' && eslint . --ext js --cache --fix",
+    "lint": "yarn lint:prettier --check '**/*.json' && eslint . --ext js,snap --cache && yarn lint:styles",
    "lint:fix": "yarn lint:prettier --write '**/*.json' && eslint . --ext js --cache --fix",
    "lint:changed": "{ git ls-files --others --exclude-standard ; git diff-index --name-only --diff-filter=d HEAD ; } | grep --regexp='[.]js$' | tr '\\n' '\\0' | xargs -0 eslint",
    "lint:changed:fix": "{ git ls-files --others --exclude-standard ; git diff-index --name-only --diff-filter=d HEAD ; } | grep --regexp='[.]js$' | tr '\\n' '\\0' | xargs -0 eslint --fix",
    "lint:changelog": "auto-changelog validate",
@ -63,9 +64,10 @@
    "storybook:deploy": "storybook-to-ghpages --existing-output-dir storybook-build --remote storybook --branch master",
    "update-changelog": "auto-changelog update",
    "generate:migration": "./development/generate-migration.sh",
-    "lavamoat:build:auto": "lavamoat ./development/build/index.js --writeAutoPolicy",
+    "lavamoat:build": "lavamoat development/build/index.js --policy lavamoat/build-system/policy.json --policyOverride lavamoat/build-system/policy-override.json",
-    "lavamoat:debug:build": "lavamoat ./development/build/index.js --writeAutoPolicyDebug",
+    "lavamoat:build:auto": "yarn lavamoat:build --writeAutoPolicy",
-    "lavamoat:background:auto": "WRITE_AUTO_POLICY=1 yarn build prod",
+    "lavamoat:debug:build": "yarn lavamoat:build --writeAutoPolicyDebug --policydebug lavamoat/build-system/policy-debug.json",
    "lavamoat:background:auto": "./development/generate-lavamoat-policies.sh",
    "lavamoat:auto": "yarn lavamoat:build:auto && yarn lavamoat:background:auto"
  },
  "resolutions": {