firefox: new permission checks for extensions

Add two new options to customize how extension permissions are checked: - `extensions.exhaustivePermissions` Ensures that the permissions requested by all extensions managed by home-manager are authorized - `extensions.exactPermissions` When enabled, the user must authorize only the permissions that the extensions requests, not more nor less.
2025-09-27 21:00:42 +07:00 · 2025-09-27 21:00:42 +07:00 · c7f4214fac
commit c7f4214fac
parent b27e551270
4 changed files with 306 additions and 20 deletions
--- a/tests/modules/programs/firefox/common.nix
+++ b/tests/modules/programs/firefox/common.nix
@ -20,6 +20,8 @@ builtins.mapAttrs
    "${name}-profiles-duplicate-ids" = ./profiles/duplicate-ids.nix;
    "${name}-profiles-extensions" = ./profiles/extensions;
    "${name}-profiles-extensions-assertions" = ./profiles/extensions/assertions.nix;
+    "${name}-profiles-extensions-exhaustive" = ./profiles/extensions/exhaustive.nix;
+    "${name}-profiles-extensions-exact" = ./profiles/extensions/exact.nix;
    "${name}-profiles-overwrite" = ./profiles/overwrite;
    "${name}-profiles-search" = ./profiles/search;
    "${name}-profiles-settings" = ./profiles/settings;
--- a/tests/modules/programs/firefox/profiles/extensions/exact.nix
+++ b/tests/modules/programs/firefox/profiles/extensions/exact.nix
@ -0,0 +1,130 @@
+modulePath:
+{ config, lib, ... }:
+
+let
+
+  firefoxMockOverlay = import ../../setup-firefox-mock-overlay.nix modulePath;
+
+  uBlockStubPkg = config.lib.test.mkStubPackage {
+    name = "ublock-origin-dummy";
+    extraAttrs = {
+      addonId = "uBlock0@raymondhill.net";
+      meta.mozPermissions = [
+        "privacy"
+        "storage"
+        "tabs"
+      ];
+    };
+  };
+
+  sponsorBlockStubPkg = config.lib.test.mkStubPackage {
+    name = "sponsorblock";
+    extraAttrs = {
+      addonId = "sponsorBlocker@ajay.app";
+      meta.mozPermissions = [
+        "storage"
+        "scripting"
+        "https://sponsor.ajay.app/*"
+      ];
+    };
+  };
+
+  noscriptStubPkg = config.lib.test.mkStubPackage {
+    name = "noscript";
+    extraAttrs = {
+      addonId = "{73a6fe31-595d-460b-a920-fcc0f8843232}";
+      meta.mozPermissions = [
+        "contextMenus"
+        "storage"
+        "tabs"
+      ];
+    };
+  };
+
+  bitwardenStubPkg = config.lib.test.mkStubPackage {
+    name = "bitwarden";
+    extraAttrs = {
+      addonId = "{446900e4-71c2-419f-a6a7-df9c091e268b}";
+      meta.mozPermissions = [
+        "webNavigation"
+        "webRequest"
+        "webRequestBlocking"
+      ];
+    };
+  };
+in
+{
+  imports = [ firefoxMockOverlay ];
+
+  config = lib.mkIf config.test.enableBig (
+    lib.setAttrByPath modulePath {
+      enable = true;
+      profiles.extensions = {
+        extensions = {
+          packages = [
+            uBlockStubPkg
+            sponsorBlockStubPkg
+            noscriptStubPkg
+            bitwardenStubPkg
+          ];
+          exactPermissions = true;
+          settings = {
+            ${uBlockStubPkg.addonId} = {
+              permissions = [
+                "privacy"
+                "storage"
+              ];
+            };
+            ${sponsorBlockStubPkg.addonId} = {
+              permissions = [
+                "storage"
+                "scripting"
+                "https://sponsor.ajay.app/*"
+                "<all_urls>"
+              ];
+            };
+            ${noscriptStubPkg.addonId} = {
+              permissions = [
+                "storage"
+                "tabs"
+                "https://github.com/*"
+              ];
+            };
+            ${bitwardenStubPkg.addonId} = {
+              permissions = [
+                "webNavigation"
+                "webRequest"
+                "webRequestBlocking"
+              ];
+            };
+          };
+        };
+      };
+    }
+    // {
+      test.asserts.assertions.expected = [
+        ''
+          Extension ${uBlockStubPkg.addonId} requests permissions that weren't
+          authorized: ["tabs"].
+          Consider adding the missing permissions to
+          '${lib.showOption modulePath}.profiles.extensions.extensions."${uBlockStubPkg.addonId}".permissions'.
+        ''
+        ''
+          The following permissions were authorized, but extension
+          ${sponsorBlockStubPkg.addonId} did not request them: ["<all_urls>"].
+          Consider removing the redundant permissions from
+          '${lib.showOption modulePath}.profiles.extensions.extensions."${sponsorBlockStubPkg.addonId}".permissions'.
+        ''
+        ''
+          Extension ${noscriptStubPkg.addonId} requests permissions that weren't
+          authorized: ["contextMenus"].
+          Additionally, the following permissions were authorized,
+          but extension ${noscriptStubPkg.addonId} did not request them:
+          ["https://github.com/*"].
+          Consider adjusting the permissions in
+          '${lib.showOption modulePath}.profiles.extensions.extensions."${noscriptStubPkg.addonId}".permissions'.
+        ''
+      ];
+    }
+  );
+}
--- a/tests/modules/programs/firefox/profiles/extensions/exhaustive.nix
+++ b/tests/modules/programs/firefox/profiles/extensions/exhaustive.nix
@ -0,0 +1,92 @@
+modulePath:
+{ config, lib, ... }:
+
+let
+
+  firefoxMockOverlay = import ../../setup-firefox-mock-overlay.nix modulePath;
+
+  uBlockStubPkg = config.lib.test.mkStubPackage {
+    name = "ublock-origin-dummy";
+    extraAttrs = {
+      addonId = "uBlock0@raymondhill.net";
+      meta.mozPermissions = [
+        "<all_urls>"
+        "http://*/*"
+        "https://github.com/*"
+      ];
+    };
+  };
+
+  sponsorBlockStubPkg = config.lib.test.mkStubPackage {
+    name = "sponsorblock";
+    extraAttrs = {
+      addonId = "sponsorBlocker@ajay.app";
+      meta.mozPermissions = [
+        "storage"
+        "scripting"
+        "https://sponsor.ajay.app/*"
+      ];
+    };
+  };
+
+  noscriptStubPkg = config.lib.test.mkStubPackage {
+    name = "noscript";
+    extraAttrs = {
+      addonId = "{73a6fe31-595d-460b-a920-fcc0f8843232}";
+      meta.mozPermissions = [
+        "contextMenus"
+        "storage"
+        "tabs"
+      ];
+    };
+  };
+in
+{
+  imports = [ firefoxMockOverlay ];
+
+  config = lib.mkIf config.test.enableBig (
+    lib.setAttrByPath modulePath {
+      enable = true;
+      profiles.extensions = {
+        extensions = {
+          packages = [
+            uBlockStubPkg
+            sponsorBlockStubPkg
+            noscriptStubPkg
+          ];
+          exhaustivePermissions = true;
+          settings = {
+            ${uBlockStubPkg.addonId} = {
+              permissions = [
+                "<all_urls>"
+                "http://*/*"
+                "https://github.com/*"
+              ];
+            };
+            ${noscriptStubPkg.addonId} = {
+              permissions = [
+                "contextMenus"
+              ];
+            };
+          };
+        };
+      };
+    }
+    // {
+      test.asserts.assertions.expected = [
+        ''
+          Extension ${sponsorBlockStubPkg.addonId} requests permissions that weren't
+          authorized: ["storage","scripting","https://sponsor.ajay.app/*"].
+          Consider adding the missing permissions to
+          '${lib.showOption modulePath}.profiles.extensions.extensions."${sponsorBlockStubPkg.addonId}".permissions'.
+        ''
+        ''
+          Extension ${noscriptStubPkg.addonId} requests permissions that weren't
+          authorized: ["storage","tabs"].
+          Consider adding the missing permissions to
+          '${lib.showOption modulePath}.profiles.extensions.extensions."${noscriptStubPkg.addonId}".permissions'.
+        ''
+      ];
+    }
+  );
+}