Add per-build type LavaMoat policies (#12702)
This PR adds one LavaMoat background script policy for each build type. It also renames the build system policy directory from `node` to `build-system` to make its purpose clearer. Each build type has the original `policy-override.json` for `main` builds. The `.prettierignore` file has been updated to match the locations of the new auto-generated policy files. We need to maintain separate policies for each build type because each type will produce different bundles with different internal and external modules. Co-authored-by: Mark Stacey <markjstacey@gmail.com>
This commit is contained in:
parent
0cf7455e18
commit
d4c71b8683
@ -1,5 +1,5 @@
|
||||
node_modules/**
|
||||
lavamoat/*/policy.json
|
||||
lavamoat/**/policy.json
|
||||
dist/**
|
||||
builds/**
|
||||
test-*/**
|
||||
|
14
README.md
14
README.md
@ -67,9 +67,17 @@ Whenever you change dependencies (adding, removing, or updating, either in `pack
|
||||
* The `allow-scripts` configuration in `package.json`
|
||||
* Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run. Review each new package to determine whether the install script needs to run or not, testing if necessary.
|
||||
* Unfortunately, `yarn allow-scripts auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
|
||||
* The LavaMoat auto-generated policy in `lavamoat/node/policy.json`
|
||||
* Run `yarn lavamoat:auto` to re-generate this policy file. Review the changes to determine whether the access granted to each package seems appropriate.
|
||||
* Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
|
||||
* The LavaMoat policy files. The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details. Continue reading for more information.
|
||||
* There are two sets of LavaMoat policy files:
|
||||
* The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`.
|
||||
* These should be regenerated whenever the production dependencies for the background change.
|
||||
* The build system LavaMoat policy file (`lavamoat/build-system/policy.json`), which is re-generated using `yarn lavamoat:build:auto`.
|
||||
* This should be regenerated whenever the dependencies used by the build system itself change.
|
||||
* Whenever you regenerate a policy file, review the changes to determine whether the access granted to each package seems appropriate.
|
||||
* Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms.
|
||||
macOS and Windows users may see extraneous changes relating to optional dependencies.
|
||||
* Keep in mind that any kind of dynamic import or dynamic use of globals may elude LavaMoat's static analysis.
|
||||
Refer to the LavaMoat documentation or ask for help if you run into any issues.
|
||||
|
||||
## Architecture
|
||||
|
||||
|
@ -358,10 +358,14 @@ function createFactoredBuild({
|
||||
// lavamoat will add lavapack but it will be removed by bify-module-groups
|
||||
// we will re-add it later by installing a lavapack runtime
|
||||
const lavamoatOpts = {
|
||||
policy: path.resolve(__dirname, '../../lavamoat/browserify/policy.json'),
|
||||
policy: path.resolve(
|
||||
__dirname,
|
||||
`../../lavamoat/browserify/${buildType}/policy.json`,
|
||||
),
|
||||
policyName: buildType,
|
||||
policyOverride: path.resolve(
|
||||
__dirname,
|
||||
'../../lavamoat/browserify/policy-override.json',
|
||||
`../../lavamoat/browserify/${buildType}/policy-override.json`,
|
||||
),
|
||||
writeAutoPolicy: process.env.WRITE_AUTO_POLICY,
|
||||
};
|
||||
|
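Review bot: `buildType` is interpolated straight into the policy and policy-override paths (`../../lavamoat/browserify/${buildType}/policy.json` and the matching `policy-override.json`), and nothing in this hunk constrains it to the build types that actually have a policy directory (main, beta and flask, per the generation script in the same commit), so a mistyped `--build-type` resolves to a nonexistent policy file and the failure mode is then left to LavaMoat rather than to this code. Because the chosen policy is what bounds each package's capabilities in the background bundle, it is worth failing early, before `lavamoatOpts` is built: `const KNOWN_BUILD_TYPES = ['main', 'beta', 'flask'];` followed by `if (!KNOWN_BUILD_TYPES.includes(buildType)) throw new Error(`Unknown build type "${buildType}"`);` — unless the CLI parsing outside this hunk already validates the value, in which case a one-line comment here saying so would do. `createFactoredBuild` starts before the hunk.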
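--- a/development/generate-lavamoat-policies.sh
+++ b/development/generate-lavamoat-policies.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+# Generate LavaMoat policies for the extension background script for each build
+# type.
+# ATTN: This may tax your device when running it locally.
+concurrently --kill-others-on-fail -n main,beta,flask \
+"WRITE_AUTO_POLICY=1 yarn dist" \
+"WRITE_AUTO_POLICY=1 yarn dist --build-type beta" \
+"WRITE_AUTO_POLICY=1 yarn dist --build-type flask"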
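Review bot: `concurrently` is invoked as a bare command in the final statement, which only resolves when the script runs through a yarn script (package.json wires it up as `lavamoat:background:auto`) so that `node_modules/.bin` is on `PATH`; run directly from a shell it stops under `set -e` with a command-not-found error. A header comment would spare the next person that surprise: `# Run via 'yarn lavamoat:background:auto' so that concurrently resolves from node_modules/.bin.` The three parallel builds each write a policy through `WRITE_AUTO_POLICY=1`; presumably each build type writes its own `lavamoat/browserify/<type>/policy.json` so the runs do not race on one file, but that is worth confirming against the build script since a clobbered policy would silently change what the background bundle is allowed to do.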
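--- a/lavamoat/browserify/flask/policy-override.json
+++ b/lavamoat/browserify/flask/policy-override.json
@@ -0,0 +1,55 @@
+{
+"resources": {
+"browser-resolve": {
+"packages": {
+"core-js": true
+}
+},
+"babel-runtime": {
+"packages": {
+"@babel/runtime": true
+}
+},
+"node-fetch": {
+"globals": {
+"fetch": true
+}
+},
+"lodash": {
+"globals": {
+"setTimeout": true,
+"clearTimeout": true
+}
+},
+"@ethersproject/random": {
+"globals": {
+"crypto.getRandomValues": true
+}
+},
+"browser-passworder": {
+"globals": {
+"crypto": true
+}
+},
+"randombytes": {
+"globals": {
+"crypto.getRandomValues": true
+}
+},
+"extensionizer": {
+"globals": {
+"console": true
+}
+},
+"web3": {
+"globals": {
+"XMLHttpRequest": true
+}
+},
+"storage": {
+"globals": {
+"localStorage": true
+}
+}
+}
+}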
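Review bot: `browser-passworder` is granted the whole `crypto` global (`"crypto": true`) while the neighbouring `@ethersproject/random` and `randombytes` entries are scoped to `crypto.getRandomValues`; if the package only needs `crypto.subtle` and `crypto.getRandomValues`, narrowing the grant to those two keys keeps this override at the same granularity as the rest of the file (confirm against the package's source before changing it). This file is byte-for-byte the same as `lavamoat/browserify/main/policy-override.json` added in the same commit, so any such narrowing, and every future override change, has to be applied to both, and nothing on the page records that intent. JSON cannot carry a comment, so the README section that this commit rewrites is the place to state that the per-build-type overrides start identical and that a change to one should be reviewed against the others.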
4772
lavamoat/browserify/flask/policy.json
Normal file
4772
lavamoat/browserify/flask/policy.json
Normal file
File diff suppressed because it is too large
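--- a/lavamoat/browserify/main/policy-override.json
+++ b/lavamoat/browserify/main/policy-override.json
@@ -0,0 +1,55 @@
+{
+"resources": {
+"browser-resolve": {
+"packages": {
+"core-js": true
+}
+},
+"babel-runtime": {
+"packages": {
+"@babel/runtime": true
+}
+},
+"node-fetch": {
+"globals": {
+"fetch": true
+}
+},
+"lodash": {
+"globals": {
+"setTimeout": true,
+"clearTimeout": true
+}
+},
+"@ethersproject/random": {
+"globals": {
+"crypto.getRandomValues": true
+}
+},
+"browser-passworder": {
+"globals": {
+"crypto": true
+}
+},
+"randombytes": {
+"globals": {
+"crypto.getRandomValues": true
+}
+},
+"extensionizer": {
+"globals": {
+"console": true
+}
+},
+"web3": {
+"globals": {
+"XMLHttpRequest": true
+}
+},
+"storage": {
+"globals": {
+"localStorage": true
+}
+}
+}
+}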
4772
lavamoat/browserify/main/policy.json
Normal file
4772
lavamoat/browserify/main/policy.json
Normal file
File diff suppressed because it is too large
14
package.json
14
package.json
@ -12,7 +12,7 @@
|
||||
"start": "yarn build:dev dev",
|
||||
"start:lavamoat": "yarn build dev",
|
||||
"dist": "yarn build prod",
|
||||
"build": "lavamoat development/build/index.js",
|
||||
"build": "yarn lavamoat:build",
|
||||
"build:dev": "node development/build/index.js",
|
||||
"start:test": "yarn build testDev",
|
||||
"benchmark:chrome": "SELENIUM_BROWSER=chrome node test/e2e/benchmark.js",
|
||||
@ -41,8 +41,9 @@
|
||||
"test:coverage:path": "nyc --check-coverage yarn test:unit:path",
|
||||
"ganache:start": "./development/run-ganache.sh",
|
||||
"sentry:publish": "node ./development/sentry-publish.js",
|
||||
"lint": "prettier --check '**/*.json' && eslint . --ext js,snap --cache && yarn lint:styles",
|
||||
"lint:fix": "prettier --write '**/*.json' && eslint . --ext js --cache --fix",
|
||||
"lint:prettier": "prettier '**/*.json'",
|
||||
"lint": "yarn lint:prettier --check '**/*.json' && eslint . --ext js,snap --cache && yarn lint:styles",
|
||||
"lint:fix": "yarn lint:prettier --write '**/*.json' && eslint . --ext js --cache --fix",
|
||||
"lint:changed": "{ git ls-files --others --exclude-standard ; git diff-index --name-only --diff-filter=d HEAD ; } | grep --regexp='[.]js$' | tr '\\n' '\\0' | xargs -0 eslint",
|
||||
"lint:changed:fix": "{ git ls-files --others --exclude-standard ; git diff-index --name-only --diff-filter=d HEAD ; } | grep --regexp='[.]js$' | tr '\\n' '\\0' | xargs -0 eslint --fix",
|
||||
"lint:changelog": "auto-changelog validate",
|
||||
@ -63,9 +64,10 @@
|
||||
"storybook:deploy": "storybook-to-ghpages --existing-output-dir storybook-build --remote storybook --branch master",
|
||||
"update-changelog": "auto-changelog update",
|
||||
"generate:migration": "./development/generate-migration.sh",
|
||||
"lavamoat:build:auto": "lavamoat ./development/build/index.js --writeAutoPolicy",
|
||||
"lavamoat:debug:build": "lavamoat ./development/build/index.js --writeAutoPolicyDebug",
|
||||
"lavamoat:background:auto": "WRITE_AUTO_POLICY=1 yarn build prod",
|
||||
"lavamoat:build": "lavamoat development/build/index.js --policy lavamoat/build-system/policy.json --policyOverride lavamoat/build-system/policy-override.json",
|
||||
"lavamoat:build:auto": "yarn lavamoat:build --writeAutoPolicy",
|
||||
"lavamoat:debug:build": "yarn lavamoat:build --writeAutoPolicyDebug --policydebug lavamoat/build-system/policy-debug.json",
|
||||
"lavamoat:background:auto": "./development/generate-lavamoat-policies.sh",
|
||||
"lavamoat:auto": "yarn lavamoat:build:auto && yarn lavamoat:background:auto"
|
||||
},
|
||||
"resolutions": {
|
||||
|
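Review bot: `lint:prettier` already embeds the `'**/*.json'` glob, and the rewritten `lint` and `lint:fix` scripts pass the same glob a second time, so prettier ends up running as `prettier '**/*.json' --check '**/*.json'`; it works, but the duplicated argument is easy to misread as two different globs. Either drop it from the callers (`"lint": "yarn lint:prettier --check && eslint . --ext js,snap --cache && yarn lint:styles"` and likewise for `lint:fix`) or reduce `lint:prettier` to plain `prettier` and keep the glob at the call sites. Separately, the new `lavamoat:debug:build` writes `lavamoat/build-system/policy-debug.json`, which the updated `.prettierignore` pattern `lavamoat/**/policy.json` does not cover, so that file would be picked up by `prettier --check '**/*.json'` in `lint` if it is ever left in the tree; presumably it is git-ignored, but that is worth checking.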