/**
* Provides LavaMoat policy generation facilities via {@link generatePolicy}
*
* @packageDocumentation
*/
import {
loadCompartmentForArchive,
makeArchiveCompartmentMap,
} from '@endo/compartment-mapper'
import { pathToFileURL } from 'node:url'
import { importHook } from '../import-hook.js'
import { moduleTransforms } from '../module-transforms.js'
import { defaultReadPower } from '../power.js'
import { PolicyGenerator } from './policy-generator.js'
// Local aliases for the `Object` statics used when inverting
// `compartmentRenames` in `loadCompartmentMap`.
const { fromEntries, entries } = Object
/**
* @typedef {import('type-fest').Merge<
* Omit<import('./policy-generator.js').PolicyGeneratorOptions, 'read'>,
* {
* readPowers?:
* | import('@endo/compartment-mapper').ReadFn
* | import('@endo/compartment-mapper').ReadPowers
* debug?: boolean
* }
* >} GeneratePolicyOptions
*/
/**
* Generates a LavaMoat policy from a given entry point using
* `@endo/compartment-mapper`
*
* @overload
* @param {string | URL} entrypointPath
* @param {GeneratePolicyOptions} [opts]
* @returns {Promise<import('lavamoat-core').LavaMoatPolicy>}
* @public
*/
/**
* Generates a LavaMoat debug policy from a given entry point using
* `@endo/compartment-mapper`
*
* @overload
* @param {string | URL} entrypointPath
* @param {GeneratePolicyOptions & { debug: true }} opts
* @returns {Promise<import('lavamoat-core').LavaMoatPolicyDebug>}
* @public
*/
/**
* Generates a LavaMoat policy or debug policy from a given entry point using
* `@endo/compartment-mapper`
*
* @param {string | URL} entrypointPath
* @param {GeneratePolicyOptions} [opts]
* @returns {Promise<import('lavamoat-core').LavaMoatPolicy>}
* @public
*/
export async function generatePolicy(
  entrypointPath,
  { readPowers = defaultReadPower, debug = false, policyOverride } = {}
) {
  // Walk the module graph from the entry point first; the resulting archive
  // compartment map, sources and rename table are what the generator inspects.
  const loaded = await loadCompartmentMap(entrypointPath, { readPowers })

  // `readPowers` is either a bare read function or an object carrying one;
  // the generator is only handed the read function itself.
  let read
  if (typeof readPowers === 'function') {
    read = readPowers
  } else {
    read = readPowers.read
  }

  // NOTE(review): `policyOverride` is forwarded untouched. How it is merged
  // is decided inside PolicyGenerator (not visible here); presumably anything
  // it grants ends up in the returned policy, so override input should be
  // reviewed like the policy itself.
  const generatorOpts = { read, policyOverride }

  // The explicit `debug: true` literal keeps TypeScript able to pick the
  // debug overload; the non-debug call passes the plain options object.
  const effectiveOpts = debug
    ? { debug: true, ...generatorOpts }
    : generatorOpts

  return await PolicyGenerator.generatePolicy(
    loaded.compartmentMap,
    loaded.sources,
    loaded.renames,
    effectiveOpts
  )
}
/**
* Loads compartment map and associated sources.
*
* @param {string | URL} entrypointPath
* @param {{
* readPowers?:
* | import('@endo/compartment-mapper').ReadFn
* | import('@endo/compartment-mapper').ReadPowers
* }} opts
* @internal
*/
export async function loadCompartmentMap(
  entrypointPath,
  { readPowers = defaultReadPower } = {}
) {
  // The compartment mapper wants a URL string: a URL instance is stringified
  // as-is, anything else is treated as a filesystem path.
  const moduleLocation = String(
    entrypointPath instanceof URL
      ? entrypointPath
      : pathToFileURL(entrypointPath)
  )

  // `readPowers` is the file-reading capability handed to the mapper; callers
  // may substitute their own instead of `defaultReadPower`.
  // NOTE(review): `dev: true` presumably makes the mapper also consider the
  // entry package's devDependencies - confirm against
  // @endo/compartment-mapper, since it widens what the policy will cover.
  const loaded = await loadCompartmentForArchive({
    readPowers,
    moduleLocation,
    importHook,
    moduleTransforms,
    dev: true,
  })

  const archive = makeArchiveCompartmentMap(
    loaded.compartmentMap,
    loaded.sources
  )

  // `compartmentRenames` maps filepath -> compartment name; callers need the
  // reverse lookup. If two filepaths ever shared a compartment name, the
  // later entry would silently win in the inverted table.
  const invertedPairs = entries(archive.compartmentRenames).map((pair) => [
    pair[1],
    pair[0],
  ])
  const renames = fromEntries(invertedPairs)

  return {
    compartmentMap: archive.archiveCompartmentMap,
    sources: archive.archiveSources,
    renames,
  }
}