feat(webpack): ability to inline lockdown

packages/webpack/src/buildtime/emitSes.js

@@ -1,40 +1,79 @@
 const { readFileSync } = require('node:fs')
+const path = require('node:path')
 const {
-  sources: { RawSource },
+  sources: { RawSource, ConcatSource },
 } = require('webpack')
 
+const lockdownSource = readFileSync(
+  path.join(require.resolve('ses'), '../lockdown.umd.min.js'),
+  'utf-8'
+)
+const lockdownSourcePrefix = `;(function(){\n${lockdownSource}\n})();\n`
+
 module.exports = {
+  /**
+   * @param {object} options
+   * @param {import('webpack').Compilation} options.compilation
+   * @param {string[]} options.inlineLockdown
+   * @returns {() => void}
+   */
+  sesPrefixFiles:
+    ({ compilation, inlineLockdown: files }) =>
+    () => {
+      files.forEach((file) => {
+        const asset = compilation.assets[file]
+        if (!asset) {
+          throw new Error(
+            `LavaMoatPlugin: file specified in inlineLockdown not found in compilation: ${file}`
+          )
+        }
+        compilation.assets[file] = new ConcatSource(lockdownSourcePrefix, asset)
+      })
+    },
+  /**
+   * @param {object} options
+   * @param {import('webpack').Compilation} options.compilation
+   * @param {import('webpack').WebpackPluginInstance} [options.HtmlWebpackPluginInUse]
+   * @param {boolean} [options.HtmlWebpackPluginInterop]
+   * @returns {() => void}
+   */
   sesEmitHook:
     ({ compilation, HtmlWebpackPluginInUse, HtmlWebpackPluginInterop }) =>
     () => {
-      const sesFile = readFileSync(require.resolve('ses'), 'utf-8')
       // TODO: to consider: instead manually copy to compiler.options.output.path
-      const asset = new RawSource(sesFile)
+      const asset = new RawSource(lockdownSource)
 
       compilation.emitAsset('lockdown', asset)
 
       if (HtmlWebpackPluginInUse && HtmlWebpackPluginInterop) {
         HtmlWebpackPluginInUse.constructor
+          // @ts-expect-error - incomplete types
           .getHooks(compilation)
-          .beforeEmit.tapAsync('LavaMoatWebpackPlugin-lockdown', (data, cb) => {
-            const scriptTag = '<script src="./lockdown"></script>'
-            const headTagRegex = /<head[^>]*>/iu
-            const scriptTagRegex = /<script/iu
+          .beforeEmit.tapAsync(
+            'LavaMoatWebpackPlugin-lockdown',
+            (
+              /** @type {{ html: string }} */ data,
+              /** @type {(arg0: null, arg1: any) => void} */ cb
+            ) => {
+              const scriptTag = '<script src="./lockdown"></script>'
+              const headTagRegex = /<head[^>]*>/iu
+              const scriptTagRegex = /<script/iu
 
-            if (headTagRegex.test(data.html)) {
-              data.html = data.html.replace(headTagRegex, `$&${scriptTag}`)
-            } else if (scriptTagRegex.test(data.html)) {
-              data.html = data.html.replace(
-                scriptTagRegex,
-                `${scriptTag}<script`
-              )
-            } else {
-              throw Error(
-                'LavaMoat: Could not insert lockdown script tag, no suitable location found in the html template'
-              )
+              if (headTagRegex.test(data.html)) {
+                data.html = data.html.replace(headTagRegex, `$&${scriptTag}`)
+              } else if (scriptTagRegex.test(data.html)) {
+                data.html = data.html.replace(
+                  scriptTagRegex,
+                  `${scriptTag}<script`
+                )
+              } else {
+                throw Error(
+                  'LavaMoat: Could not insert lockdown script tag, no suitable location found in the html template'
+                )
+              }
+              cb(null, data)
             }
-            cb(null, data)
-          })
+          )
       }
     },
 }

packages/webpack/src/plugin.js

@@ -25,7 +25,7 @@ const JAVASCRIPT_MODULE_TYPE_ESM = 'javascript/esm'
 // @ts-ignore
 const { RUNTIME_KEY } = require('./ENUM.json')
 const { wrapGeneratorMaker } = require('./buildtime/generator.js')
-const { sesEmitHook } = require('./buildtime/emitSes.js')
+const { sesEmitHook, sesPrefixFiles } = require('./buildtime/emitSes.js')
 const EXCLUDE_LOADER = path.join(__dirname, './excludeLoader.js')
 
 class VirtualRuntimeModule extends RuntimeModule {
@@ -63,13 +63,17 @@ class LavaMoatPlugin {
    * @param {import('./types.js').LavaMoatPluginOptions} [options]
    */
   constructor(options = {}) {
-    if (!options.lockdown) {
-      options.lockdown = lockdownDefaults
+    /**
+     * @type {import('./types.js').LavaMoatPluginOptions & {
+     *   policyLocation: string
+     *   lockdown: object
+     * }}
+     */
+    this.options = {
+      lockdown: lockdownDefaults,
+      policyLocation: path.join('.', 'lavamoat', 'webpack'),
+      ...options,
     }
-    if (!options.policyLocation) {
-      options.policyLocation = path.join('.', 'lavamoat', 'webpack')
-    }
-    this.options = options
 
     diag.level = options.diagnosticsVerbosity || 0
   }
@@ -429,22 +433,38 @@ class LavaMoatPlugin {
           }
         )
 
-        const HtmlWebpackPluginInUse = compiler.options.plugins.find(
-          (plugin) => plugin && plugin.constructor.name === 'HtmlWebpackPlugin'
-        )
-
-        // TODO: avoid minification
-        compilation.hooks.processAssets.tap(
-          {
-            name: PLUGIN_NAME,
-            stage: Compilation.PROCESS_ASSETS_STAGE_ADDITIONAL,
-          },
-          sesEmitHook({
-            compilation,
-            HtmlWebpackPluginInUse,
-            HtmlWebpackPluginInterop: options.HtmlWebpackPluginInterop,
-          })
-        )
+        if (options.inlineLockdown) {
+          compilation.hooks.processAssets.tap(
+            {
+              name: PLUGIN_NAME,
+              stage: Compilation.PROCESS_ASSETS_STAGE_OPTIMIZE_INLINE,
+            },
+            sesPrefixFiles({
+              compilation,
+              inlineLockdown: options.inlineLockdown,
+            })
+          )
+        } else {
+          const HtmlWebpackPluginInUse = compiler.options.plugins.find(
+            /**
+             * @param {unknown} plugin
+             * @returns {plugin is import('webpack').WebpackPluginInstance}
+             */
+            (plugin) =>
+              !!plugin && plugin.constructor.name === 'HtmlWebpackPlugin'
+          )
+          compilation.hooks.processAssets.tap(
+            {
+              name: PLUGIN_NAME,
+              stage: Compilation.PROCESS_ASSETS_STAGE_ADDITIONAL,
+            },
+            sesEmitHook({
+              compilation,
+              HtmlWebpackPluginInUse,
+              HtmlWebpackPluginInterop: !!options.HtmlWebpackPluginInterop,
+            })
+          )
+        }
 
         // TODO: add later hooks to optionally verify correctness and totality
         // of wrapping for the paranoid mode.

packages/webpack/src/types.js

@@ -23,6 +23,8 @@
  * @property {Policy} [policy] - LavaMoat policy object - if programmaticly
  *   created
  * @property {Object} [lockdown] - Options to pass to lockdown
+ * @property {string[]} [inlineLockdown] - Prefix the listed files with lockdown
+ *   code
  */
 
 /**

packages/webpack/test/e2e-lockdown-inline.spec.js

@@ -0,0 +1,29 @@
+const test = require('ava')
+const { scaffold, runScript } = require('./scaffold.js')
+const { makeConfig } = require('./fixtures/main/webpack.config.js')
+
+test.before(async (t) => {
+  const webpackConfig = makeConfig({
+    inlineLockdown: ['app.js'],
+  })
+  await t.notThrowsAsync(async () => {
+    t.context.build = await scaffold(webpackConfig)
+  }, 'Expected the build to succeed')
+  t.context.bundle = t.context.build.snapshot['/dist/app.js']
+})
+
+test('webpack/lockdown-inline - bundle runs under lockdown', (t) => {
+  t.notThrows(() => {
+    runScript(
+      t.context.bundle +
+        `
+    ;;
+    if (!Object.isFrozen(Object.prototype)) {
+      throw Error('expected Object.prototype to be frozen');
+    }
+    if (!Compartment || !harden) {
+      throw Error('expected SES globals to be available');
+    }`
+    )
+  })
+})