
Add per-build type LavaMoat policies (#12702)

This PR adds one LavaMoat background script policy for each build type. It also renames the build system policy directory from `node` to `build-system` to make its purpose more clear. Each build type has the original `policy-override.json` for `main` builds. The `.prettierignore` file has been updated to match the locations of the new auto-generated policy files.

We need to maintain separate policies for each build type because each type will produce different bundles with different internal and external modules.

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Erik Marks 2021-11-15 14:23:46 -08:00 committed by GitHub
parent 0cf7455e18
commit d4c71b8683
13 changed files with 9693 additions and 12 deletions


@ -1,5 +1,5 @@
node_modules/**
lavamoat/*/policy.json
lavamoat/**/policy.json
dist/**
builds/**
test-*/**


@ -67,9 +67,17 @@ Whenever you change dependencies (adding, removing, or updating, either in `pack
* The `allow-scripts` configuration in `package.json`
* Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run. Review each new package to determine whether the install script needs to run or not, testing if necessary.
* Unfortunately, `yarn allow-scripts auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
* The LavaMoat auto-generated policy in `lavamoat/node/policy.json`
* Run `yarn lavamoat:auto` to re-generate this policy file. Review the changes to determine whether the access granted to each package seems appropriate.
* Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
* The LavaMoat policy files. The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details. Continue reading for more information.
* There are two sets of LavaMoat policy files:
* The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`.
* These should be regenerated whenever the production dependencies for the background change.
* The build system LavaMoat policy file (`lavamoat/build-system/policy.json`), which is re-generated using `yarn lavamoat:build:auto`.
* This should be regenerated whenever the dependencies used by the build system itself change.
* Whenever you regenerate a policy file, review the changes to determine whether the access granted to each package seems appropriate.
* Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms.
macOS and Windows users may see extraneous changes relating to optional dependencies.
* Keep in mind that any kind of dynamic import or dynamic use of globals may elude LavaMoat's static analysis.
Refer to the LavaMoat documentation or ask for help if you run into any issues.
## Architecture


@ -358,10 +358,14 @@ function createFactoredBuild({
// lavamoat will add lavapack but it will be removed by bify-module-groups
// we will re-add it later by installing a lavapack runtime
const lavamoatOpts = {
policy: path.resolve(__dirname, '../../lavamoat/browserify/policy.json'),
policy: path.resolve(
__dirname,
`../../lavamoat/browserify/${buildType}/policy.json`,
),
policyName: buildType,
policyOverride: path.resolve(
__dirname,
'../../lavamoat/browserify/policy-override.json',
`../../lavamoat/browserify/${buildType}/policy-override.json`,
),
writeAutoPolicy: process.env.WRITE_AUTO_POLICY,
};
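Review bot: `buildType` is interpolated unchecked into both of the new template paths (the `policy:` and `policyOverride:` lines); if it arrives straight from the `--build-type` argument, a typo resolves to a directory under `lavamoat/browserify/` that does not exist, and whether LavaMoat then fails loudly or silently proceeds from an empty policy is not visible in this hunk. Validating `buildType` against the known build types before this point (the shell script on this page lists `main`, `beta` and `flask`), or asserting that the resolved policy file exists before it is handed to LavaMoat, would make that failure explicit at build time. `createFactoredBuild` starts and ends outside the hunk, so the validation may already live there; a comment such as `// buildType is trusted here: it must be validated against the known build types by the caller` would record that expectation either way.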


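--- a/development/generate-lavamoat-policies.sh
+++ b/development/generate-lavamoat-policies.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e
+set -u
+set -o pipefail
+# Generate LavaMoat policies for the extension background script for each build
+# type.
+# ATTN: This may tax your device when running it locally.
+concurrently --kill-others-on-fail -n main,beta,flask \
+"WRITE_AUTO_POLICY=1 yarn dist" \
+"WRITE_AUTO_POLICY=1 yarn dist --build-type beta" \
+"WRITE_AUTO_POLICY=1 yarn dist --build-type flask"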
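Review bot: `concurrently` is invoked as a bare command, so the script presumably relies on `node_modules/.bin` being on `PATH`; that holds when it runs through `yarn lavamoat:background:auto` (the package.json hunk on this page), but running `./development/generate-lavamoat-policies.sh` directly fails with `command not found` unless `concurrently` happens to be installed globally. Invoking it as `yarn concurrently --kill-others-on-fail -n main,beta,flask \` removes that dependence on the caller's environment. The three build types are also hard-coded here while `scripts.js` derives its policy paths from `buildType`, so adding a build type means touching both places; a comment such as `# Keep this list in sync with the build types accepted by --build-type.` would flag that coupling.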


@ -0,0 +1,55 @@
{
"resources": {
"browser-resolve": {
"packages": {
"core-js": true
}
},
"babel-runtime": {
"packages": {
"@babel/runtime": true
}
},
"node-fetch": {
"globals": {
"fetch": true
}
},
"lodash": {
"globals": {
"setTimeout": true,
"clearTimeout": true
}
},
"@ethersproject/random": {
"globals": {
"crypto.getRandomValues": true
}
},
"browser-passworder": {
"globals": {
"crypto": true
}
},
"randombytes": {
"globals": {
"crypto.getRandomValues": true
}
},
"extensionizer": {
"globals": {
"console": true
}
},
"web3": {
"globals": {
"XMLHttpRequest": true
}
},
"storage": {
"globals": {
"localStorage": true
}
}
}
}
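Review bot: `browser-passworder` is granted the whole `crypto` global in the new override, whereas the neighbouring `@ethersproject/random` and `randombytes` entries are narrowed to `crypto.getRandomValues`; the page shows that dotted member paths are accepted, so unless browser-passworder genuinely needs the full WebCrypto surface, listing only the members it uses (for example `"crypto.subtle": true` if that is what it calls; not verifiable here) keeps the override at least privilege. The second policy-override section on this page carries identical content, so the same applies there. Since the override now exists once per build type, a sentence in the README noting that these copies are expected to stay in sync would make drift easier to spot; JSON has no comment syntax, so that note cannot live in the file itself.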



@ -0,0 +1,55 @@
{
"resources": {
"browser-resolve": {
"packages": {
"core-js": true
}
},
"babel-runtime": {
"packages": {
"@babel/runtime": true
}
},
"node-fetch": {
"globals": {
"fetch": true
}
},
"lodash": {
"globals": {
"setTimeout": true,
"clearTimeout": true
}
},
"@ethersproject/random": {
"globals": {
"crypto.getRandomValues": true
}
},
"browser-passworder": {
"globals": {
"crypto": true
}
},
"randombytes": {
"globals": {
"crypto.getRandomValues": true
}
},
"extensionizer": {
"globals": {
"console": true
}
},
"web3": {
"globals": {
"XMLHttpRequest": true
}
},
"storage": {
"globals": {
"localStorage": true
}
}
}
}



@ -12,7 +12,7 @@
"start": "yarn build:dev dev",
"start:lavamoat": "yarn build dev",
"dist": "yarn build prod",
"build": "lavamoat development/build/index.js",
"build": "yarn lavamoat:build",
"build:dev": "node development/build/index.js",
"start:test": "yarn build testDev",
"benchmark:chrome": "SELENIUM_BROWSER=chrome node test/e2e/benchmark.js",
@ -41,8 +41,9 @@
"test:coverage:path": "nyc --check-coverage yarn test:unit:path",
"ganache:start": "./development/run-ganache.sh",
"sentry:publish": "node ./development/sentry-publish.js",
"lint": "prettier --check '**/*.json' && eslint . --ext js,snap --cache && yarn lint:styles",
"lint:fix": "prettier --write '**/*.json' && eslint . --ext js --cache --fix",
"lint:prettier": "prettier '**/*.json'",
"lint": "yarn lint:prettier --check '**/*.json' && eslint . --ext js,snap --cache && yarn lint:styles",
"lint:fix": "yarn lint:prettier --write '**/*.json' && eslint . --ext js --cache --fix",
"lint:changed": "{ git ls-files --others --exclude-standard ; git diff-index --name-only --diff-filter=d HEAD ; } | grep --regexp='[.]js$' | tr '\\n' '\\0' | xargs -0 eslint",
"lint:changed:fix": "{ git ls-files --others --exclude-standard ; git diff-index --name-only --diff-filter=d HEAD ; } | grep --regexp='[.]js$' | tr '\\n' '\\0' | xargs -0 eslint --fix",
"lint:changelog": "auto-changelog validate",
@ -63,9 +64,10 @@
"storybook:deploy": "storybook-to-ghpages --existing-output-dir storybook-build --remote storybook --branch master",
"update-changelog": "auto-changelog update",
"generate:migration": "./development/generate-migration.sh",
"lavamoat:build:auto": "lavamoat ./development/build/index.js --writeAutoPolicy",
"lavamoat:debug:build": "lavamoat ./development/build/index.js --writeAutoPolicyDebug",
"lavamoat:background:auto": "WRITE_AUTO_POLICY=1 yarn build prod",
"lavamoat:build": "lavamoat development/build/index.js --policy lavamoat/build-system/policy.json --policyOverride lavamoat/build-system/policy-override.json",
"lavamoat:build:auto": "yarn lavamoat:build --writeAutoPolicy",
"lavamoat:debug:build": "yarn lavamoat:build --writeAutoPolicyDebug --policydebug lavamoat/build-system/policy-debug.json",
"lavamoat:background:auto": "./development/generate-lavamoat-policies.sh",
"lavamoat:auto": "yarn lavamoat:build:auto && yarn lavamoat:background:auto"
},
"resolutions": {
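Review bot: The new `lint:prettier` script already carries the `'**/*.json'` pattern, and the rewritten `lint` and `lint:fix` lines in the second hunk pass the same pattern again after `--check`/`--write`, so prettier receives the glob twice on every run. Prettier accepts its flags after the file patterns, so `"lint": "yarn lint:prettier --check && eslint . --ext js,snap --cache && yarn lint:styles",` and `"lint:fix": "yarn lint:prettier --write && eslint . --ext js --cache --fix",` express the intent without the duplication. This is a style point; the repeated glob presumably does not change which files are checked.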