Lavamoat build system integration for WebApp

[kumavis]

🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋
the next step in incrementally locking down metamask:
providing the build process with a switch for adding lavamoat to each page
currently does not apply lavamoat to any page
🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋 🦊 🌋

summary of code changes

• in app/*.html include a if-block to optionally apply lavamoat by loading the commonjs or lavamoat runtime. commonjs still needs an external lockdown script
• in build/scripts.js change packer to lavapack, append policy loader, and render html with the useLavamoat switch
• in lavamoat/browserify, add combined background and ui policies (ui policy is not enforced yet)
• in lavamoat/node update policies to include running lavamoat and other added deps
• in package.json add new scripts for generating lavamoat policies and add deps
• in test/e2e/tests/contract-interactions.spec.js add delays to fix race condition
• in yarn.locklavamoat dep additions

summary of work flow changes

• after modifying dependencies or patches used in the background or ui, run yarn lavamoat:auto to update the policies. these policies are not applied yet, but makes PRs consistent with the future requirement where we will soon apply these policies when lavamoat is enabled.

things to be aware of

• there is a change to workflow, see above
• this pr was designed to be minimal and easy to revert
• this version of LavaMoat was prepared to not require eval and requires no change to the manifest.
• while this applies no protection to background or ui, it does changes the runtime of the ui and background (update to lavapack). All non-lavamoat pages now runs in a ses-shim like structure where a with statement is wrapping the globalThis. This is done to have a matching module initialization structure to the lavamoat protected components.
• the application of this structure may have performance impacts, especially on low resource devices. This is already noticed in CI as additional timeouts were necessary. However, in QA on my machines performance has felt normal. Take this with a grain of salt.
• this change is in preparation to applying lavamoat protections and bringing significant supplychain security enhancements to metamask
• I am committed to polishing the developer experience in response to feedback

TODO:

• add debug info for policy validation failure
  ci - improve lavamoat validation debug info #12259
• include lockdown-run.js additions beyond lockdown
  lockdown - breakout making globalThis properties non-writable #12258
• QA popup init time, esp firefox

[metamaskbot]

Builds ready [f80c385]

• builds: chrome, firefox, opera
• build viz: Build System
• code coverage: Report
• storybook: Storybook
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8
  • common: 0, 1, 2, 3
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • phishing-detect: phishing-detect
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 2, 3, 4, 5

Page Load Metrics (406 ± 49 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	82	547	365	86	41
		domContentLoaded	285	759	387	101	49
		load	307	773	406	102	49
		domInteractive	285	759	387	101	49

[kumavis]

TODO: review lockdown-run.js

[Gudahtt]

It would be nice to pass in useLavamoat as a CLI flag

[kumavis]

im not sure the usecase, can add later. would need to specify it for every entry/webpage

[Gudahtt]

I mean so the Lavamoat build can be tested without modifying this file. You'd have to go through and swap every useLavamoat: false, to useLavamoat: true, right?

[kumavis]

makes sense

[Gudahtt]

Lavamoat policy validation is here: https://github.com/MetaMask/metamask-extension/blob/develop/.circleci/config.yml#L171
Which calls this script: https://github.com/MetaMask/metamask-extension/blob/develop/.circleci/scripts/validate-lavamoat-policy.sh

So because the lavamoat:auto script now automatically updates both, I think this PR works with that CI step already.

[kumavis]

request for QA on firefox esp wrt to popup init perf

[kumavis]

add debugging information if policy fails https://github.com/MetaMask/metamask-extension/blob/develop/.circleci/scripts/validate-lavamoat-policy.sh#L9

[metamaskbot]

Builds ready [e464859]

• builds: chrome, firefox, opera
• build viz: Build System
• code coverage: Report
• storybook: Storybook
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8
  • common: 0, 1, 2, 3
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • phishing-detect: phishing-detect
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 2, 3, 4, 5

Page Load Metrics (376 ± 44 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	280	582	366	90	43
		domContentLoaded	270	582	356	91	44
		load	287	582	376	92	44
		domInteractive	270	582	356	91	44

[brad-decker]

Other than the popup init time issue I am 👍🏻 on this

[kumavis]

@brad-decker did you see a difference in pop perf time with lavamoat disabled as it is now?

[kumavis]

removing e2e test delays that are likely only required for actually turning lavamoat on

[kumavis]

ive gotten a few QA reports that firefox popup startup perf looks fine

[brad-decker]

With QA and my own testing not finding popup delays I'm good with this 💯

[kumavis]

removing delays failed 😿

[metamaskbot]

Builds ready [0612a3f]

• builds: chrome, firefox, opera
• build viz: Build System
• code coverage: Report
• storybook: Storybook
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8
  • common: 0, 1, 2, 3
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • phishing-detect: phishing-detect
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 2, 3, 4, 5

Page Load Metrics (371 ± 41 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	70	608	335	89	43
		domContentLoaded	272	611	349	86	41
		load	289	616	371	85	41
		domInteractive	272	611	349	86	41

[brad-decker]

LGTM

[ryanml]

lgtm after testing!