Add per-build type LavaMoat policies (#12702)

This PR adds one LavaMoat background script policy or each build type. It also renames the build system policy directory from `node` to `build-system` to make its purpose more clear. Each build type has the original `policy-override.json` for `main` builds. The `.prettierignore` file has been updated to match the locations of the new auto-generated policy files. We need to maintain separate policies for each build type because each type will produce different bundles with different internal and external modules. Co-authored-by: Mark Stacey <[email protected]>
Tungez33 · Nov 15, 2021 · d4c71b8 · d4c71b8
1 parent 0cf7455
commit d4c71b8
Show file tree

Hide file tree

Showing 13 changed files with 9,693 additions and 12 deletions.
diff --git a/.prettierignore b/.prettierignore
@@ -1,5 +1,5 @@
 node_modules/**
-lavamoat/*/policy.json
+lavamoat/**/policy.json
 dist/**
 builds/**
 test-*/**

diff --git a/README.md b/README.md
@@ -67,9 +67,17 @@ Whenever you change dependencies (adding, removing, or updating, either in `pack
 * The `allow-scripts` configuration in `package.json`
   * Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run. Review each new package to determine whether the install script needs to run or not, testing if necessary.
   * Unfortunately, `yarn allow-scripts auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
-* The LavaMoat auto-generated policy in `lavamoat/node/policy.json`
-  * Run `yarn lavamoat:auto` to re-generate this policy file. Review the changes to determine whether the access granted to each package seems appropriate.
-  * Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
+* The LavaMoat policy files. The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details. Continue reading for more information.
+  * There are two sets of LavaMoat policy files:
+    * The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`.
+      * These should be regenerated whenever the production dependencies for the background change.
+    * The build system LavaMoat policy file (`lavamoat/build-system/policy.json`), which is re-generated using `yarn lavamoat:build:auto`.
+      * This should be regenerated whenever the dependencies used by the build system itself change.
+  * Whenever you regenerate a policy file, review the changes to determine whether the access granted to each package seems appropriate.
+  * Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms.
+  macOS and Windows users may see extraneous changes relating to optional dependencies.
+  * Keep in mind that any kind of dynamic import or dynamic use of globals may elude LavaMoat's static analysis.
+  Refer to the LavaMoat documentation or ask for help if you run into any issues.
 
 ## Architecture
 

diff --git a/development/build/scripts.js b/development/build/scripts.js
@@ -358,10 +358,14 @@ function createFactoredBuild({
     // lavamoat will add lavapack but it will be removed by bify-module-groups
     // we will re-add it later by installing a lavapack runtime
     const lavamoatOpts = {
-      policy: path.resolve(__dirname, '../../lavamoat/browserify/policy.json'),
+      policy: path.resolve(
+        __dirname,
+        `../../lavamoat/browserify/${buildType}/policy.json`,
+      ),
+      policyName: buildType,
       policyOverride: path.resolve(
         __dirname,
-        '../../lavamoat/browserify/policy-override.json',
+        `../../lavamoat/browserify/${buildType}/policy-override.json`,
       ),
       writeAutoPolicy: process.env.WRITE_AUTO_POLICY,
     };

diff --git a/development/generate-lavamoat-policies.sh b/development/generate-lavamoat-policies.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+# Generate LavaMoat policies for the extension background script for each build
+# type.
+# ATTN: This may tax your device when running it locally.
+concurrently --kill-others-on-fail -n main,beta,flask \
+  "WRITE_AUTO_POLICY=1 yarn dist" \
+  "WRITE_AUTO_POLICY=1 yarn dist --build-type beta" \
+  "WRITE_AUTO_POLICY=1 yarn dist --build-type flask"
diff --git a/lavamoat/browserify/policy-override.json → ...moat/browserify/beta/policy-override.json b/lavamoat/browserify/policy-override.json → ...moat/browserify/beta/policy-override.json
diff --git a/lavamoat/browserify/policy.json → lavamoat/browserify/beta/policy.json b/lavamoat/browserify/policy.json → lavamoat/browserify/beta/policy.json
diff --git a/lavamoat/browserify/flask/policy-override.json b/lavamoat/browserify/flask/policy-override.json
@@ -0,0 +1,55 @@
+{
+  "resources": {
+    "browser-resolve": {
+      "packages": {
+        "core-js": true
+      }
+    },
+    "babel-runtime": {
+      "packages": {
+        "@babel/runtime": true
+      }
+    },
+    "node-fetch": {
+      "globals": {
+        "fetch": true
+      }
+    },
+    "lodash": {
+      "globals": {
+        "setTimeout": true,
+        "clearTimeout": true
+      }
+    },
+    "@ethersproject/random": {
+      "globals": {
+        "crypto.getRandomValues": true
+      }
+    },
+    "browser-passworder": {
+      "globals": {
+        "crypto": true
+      }
+    },
+    "randombytes": {
+      "globals": {
+        "crypto.getRandomValues": true
+      }
+    },
+    "extensionizer": {
+      "globals": {
+        "console": true
+      }
+    },
+    "web3": {
+      "globals": {
+        "XMLHttpRequest": true
+      }
+    },
+    "storage": {
+      "globals": {
+        "localStorage": true
+      }
+    }
+  }
+}