Merge pull request #1491 from endojs/naugtur-policy-attenuate-globals

feat(compartment-mapper): globals attenuation enabling LavaMoat feature parity

Author: naugtur

packages/compartment-mapper/demo/policy/app.js

@@ -1,7 +1,11 @@
 /* global require Buffer module */
+require('@endo/compartment-mapper-demo-polyfill1');
 const Poet = require('entropoetry');
 const fs = require('fs');
 
+// eslint-disable-next-line no-undef
+console.log({ answerPolyfill });
+
 fs.existsSync('/notthere');
 
 const p = new Poet();

packages/compartment-mapper/demo/policy/att1/index.js

@@ -1,9 +1,12 @@
 console.log('Attenuator imported');
-export const attenuate = (params, originalModuleNamespace) => {
+const attenuate = (params, originalObject) => {
   console.log('Attenuator called', params);
   const ns = params.reduce((acc, k) => {
-    acc[k] = originalModuleNamespace[k];
+    acc[k] = originalObject[k];
     return acc;
   }, {});
   return ns;
 };
+
+export const attenuateGlobals = attenuate;
+export const attenuateModule = attenuate;

packages/compartment-mapper/demo/policy/att2/index.js

@@ -0,0 +1,43 @@
+console.log('Attenuator2 imported');
+
+const { create, assign, fromEntries, entries, defineProperties } = Object;
+
+// minimal implementation of LavaMoat-style globals attenuator with write propagation
+let globalOverrides = create(null);
+export const attenuateGlobals = (params, originalObject, globalThis) => {
+  const policy = params[0];
+  console.log('Attenuator2 called', params);
+  if (policy === 'root') {
+    assign(globalThis, originalObject);
+    // This assumes that the root compartment is the first to be attenuated
+    globalOverrides = globalThis;
+    return;
+  }
+  defineProperties(
+    globalThis,
+    fromEntries(
+      entries(policy)
+        .map(([key, policyValue]) => {
+          if (policyValue) {
+            const spec = {
+              configurable: false,
+              enumerable: true,
+              get() {
+                console.log('- get', key);
+                return globalOverrides[key] || originalObject[key];
+              },
+            };
+            if (policyValue === 'write') {
+              spec.set = value => {
+                console.log('- set', key);
+                globalOverrides[key] = value;
+              };
+            }
+            return [key, spec];
+          }
+          return null;
+        })
+        .filter(a => a),
+    ),
+  );
+};

packages/compartment-mapper/demo/policy/att2/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@endo/compartment-mapper-demo-lavamoat-style-attenuator",
+  "version": "1.0.0",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "preinstall": "echo DO NOT CALL INSTALL SCRIPTS; exit -1"
+  }
+}

packages/compartment-mapper/demo/policy/index.mjs

@@ -25,8 +25,11 @@ const ApiSubsetOfBuffer = harden({ from: Buffer.from });
 
 const options = {
   policy: {
+    defaultAttenuator:
+      '@endo/compartment-mapper-demo-lavamoat-style-attenuator',
     entry: {
-      globals: 'any',
+      globals: ['root'],
+      noGlobalFreeze: true,
       packages: 'any',
       builtins: {
         fs: {
@@ -36,10 +39,13 @@ const options = {
       },
     },
     resources: {
-      '@endo/compartment-mapper-demo-policy-attenuator1': {
-        globals: {
-          console: true,
-        },
+      '@endo/compartment-mapper-demo-polyfill1': {
+        globals: [
+          {
+            console: true,
+            answerPolyfill: 'write',
+          },
+        ],
       },
       dotenv: {
         builtins: {
@@ -51,8 +57,9 @@ const options = {
           path: true,
         },
         globals: {
-          console: true,
-          process: true,
+          // one attenuator implementation can be used for builtins and globals
+          attenuate: '@endo/compartment-mapper-demo-policy-attenuator1',
+          params: ['console', 'process'],
         },
       },
       entropoetry: {
@@ -72,8 +79,16 @@ const options = {
         builtins: {
           buffer: true,
         },
+        globals: 'any',
+      },
+      '@endo/compartment-mapper-demo-policy-attenuator1': {
         globals: {
-          Buffer: true,
+          console: true,
+        },
+      },
+      '@endo/compartment-mapper-demo-lavamoat-style-attenuator': {
+        globals: {
+          console: true,
         },
       },
     },
@@ -105,19 +120,20 @@ console.log('\n\n________________________________________________ Location\n');
 
 console.log('\n\n________________________________________________ Archive\n');
 {
+  console.log('>----------start -> makeArchive');
   const archive = await makeArchive(readPower, entrypointPath, {
     modules: options.modules,
     policy: options.policy,
   });
-  console.log('>----------makeArchive');
+  console.log('>----------makeArchive -> parseArchive');
   const application = await parseArchive(archive, '<unknown>', {
     modules: options.modules,
   });
-  console.log('>----------parseArchive');
+  console.log('>----------parseArchive -> import');
   const { namespace } = await application.import({
     globals: options.globals,
     modules: options.modules,
   });
-  console.log('>----------import');
+  console.log('>----------import -> end');
   console.log(2, namespace.poem);
 }

packages/compartment-mapper/demo/policy/package.json

@@ -8,7 +8,9 @@
     "preinstall": "echo DO NOT CALL INSTALL SCRIPTS; exit -1"
   },
   "dependencies": {
+    "@endo/compartment-mapper-demo-lavamoat-style-attenuator": "file:att2",
     "@endo/compartment-mapper-demo-policy-attenuator1": "file:att1",
+    "@endo/compartment-mapper-demo-polyfill1": "file:polyfill",
     "dotenv": "16.0.1",
     "entropoetry": "2.0.0-alpha4"
   }

packages/compartment-mapper/demo/policy/polyfill/index.js

@@ -0,0 +1,9 @@
+(function polyfill() {
+  if (typeof globalThis !== 'undefined') {
+    // eslint-disable-next-line no-undef
+    globalThis.answerPolyfill = 42;
+  } else {
+    this.answerPolyfill = 42;
+  }
+  console.log('answerPolyfill added');
+})();

packages/compartment-mapper/demo/policy/polyfill/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@endo/compartment-mapper-demo-polyfill1",
+  "version": "1.0.0",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "preinstall": "echo DO NOT CALL INSTALL SCRIPTS; exit -1"
+  }
+}

packages/compartment-mapper/src/compartment-map.js

@@ -1,6 +1,8 @@
 // @ts-check
 /// <reference types="ses"/>
 
+import { assertPackagePolicy } from './policy-format.js';
+
 // TODO convert to the new `||` assert style.
 // Deferred because this file pervasively uses simple template strings rather than
 // template strings tagged with `assert.details` (aka `X`), and uses
@@ -378,14 +380,7 @@ const assertPolicy = (
   path,
   url = '<unknown-compartment-map.json>',
 ) => {
-  const policy = Object(allegedPolicy);
-  assert(
-    allegedPolicy === undefined ||
-      (allegedPolicy === policy && !Array.isArray(policy)),
-    `${path}.policy must be undefined or an object, got ${allegedPolicy} in ${q(
-      url,
-    )}`,
-  );
+  assertPackagePolicy(allegedPolicy, `${path}.policy`, url);
 };
 
 /**

packages/compartment-mapper/src/import-archive.js

@@ -269,7 +269,7 @@ export const parseArchive = async (
     // must be given a module namespace object that passes a brand check.
     // We don't have module instances for the preload phase, so we supply fake
     // namespaces.
-    const { compartment } = link(compartmentMap, {
+    const { compartment, pendingJobsPromise } = link(compartmentMap, {
       makeImportHook,
       parserForLanguage,
       modules: Object.fromEntries(
@@ -280,6 +280,8 @@ export const parseArchive = async (
       Compartment,
     });
 
+    await pendingJobsPromise;
+
     await compartment.load(moduleSpecifier);
     unseen.size === 0 ||
       Fail`Archive contains extraneous files: ${q([...unseen])} in ${q(
@@ -288,7 +290,7 @@ export const parseArchive = async (
   }
 
   /** @type {ExecuteFn} */
-  const execute = options => {
+  const execute = async options => {
     const { globals, modules, transforms, __shimTransforms__, Compartment } =
       options || {};
     const makeImportHook = makeArchiveImportHookMaker(
@@ -298,7 +300,7 @@ export const parseArchive = async (
       computeSha512,
       computeSourceLocation,
     );
-    const { compartment } = link(compartmentMap, {
+    const { compartment, pendingJobsPromise } = link(compartmentMap, {
       makeImportHook,
       parserForLanguage,
       globals,
@@ -307,6 +309,9 @@ export const parseArchive = async (
       __shimTransforms__,
       Compartment,
     });
+
+    await pendingJobsPromise;
+
     // eslint-disable-next-line dot-notation
     return compartment['import'](moduleSpecifier);
   };

packages/compartment-mapper/src/import-hook.js

@@ -11,7 +11,7 @@
 /** @typedef {import('./types.js').CompartmentDescriptor} CompartmentDescriptor */
 /** @typedef {import('./types.js').ImportHookMaker} ImportHookMaker */
 
-import { assertModulePolicy } from './policy.js';
+import { enforceModulePolicy } from './policy.js';
 import { unpackReadPowers } from './powers.js';
 
 // q, as in quote, for quoting strings in error messages.
@@ -146,7 +146,7 @@ export const makeImportHookMaker = (
       // The `moduleMapHook` captures all third-party dependencies.
       if (moduleSpecifier !== '.' && !moduleSpecifier.startsWith('./')) {
         if (has(exitModules, moduleSpecifier)) {
-          assertModulePolicy(moduleSpecifier, compartmentDescriptor.policy, {
+          enforceModulePolicy(moduleSpecifier, compartmentDescriptor.policy, {
             exit: true,
           });
           packageSources[moduleSpecifier] = {

packages/compartment-mapper/src/import.js

@@ -81,7 +81,7 @@ export const loadLocation = async (readPowers, moduleLocation, options) => {
       undefined,
       searchSuffixes,
     );
-    const { compartment } = link(compartmentMap, {
+    const { compartment, pendingJobsPromise } = link(compartmentMap, {
       makeImportHook,
       parserForLanguage,
       globals,
@@ -93,6 +93,8 @@ export const loadLocation = async (readPowers, moduleLocation, options) => {
       Compartment,
     });
 
+    await pendingJobsPromise;
+
     return compartment.import(moduleSpecifier);
   };