firefox: add extension permissions (#7402)

Adds extension permissions as suggested in https://github.com/nix-community/home-manager/issues/7001. Adds the 'profiles.<name>.extensions.settings.<name>.permissions' to Firefox derivatives. If set, this option adds an assertion that fails if an extension package requests permissions that weren't added to the permissions option. In order to not require 'profiles.<name>.extensions.force' to be set when only permissions, but no extension settings were defined, the relevant assertions were changed. They now check whether any 'extensions.settings.<name>.settings' was set instead of checking whether 'extensions.settings' was set. --------- Co-authored-by: Robert Helgesson <robert@rycee.net> Co-authored-by: awwpotato <awwpotato@voidq.com>
2025-07-10 20:33:18 +00:00 · 2025-07-10 20:33:18 +00:00 · d52da303ef
commit d52da303ef
parent fb12dbbce3
3 changed files with 214 additions and 102 deletions
--- a/tests/modules/programs/firefox/common.nix
+++ b/tests/modules/programs/firefox/common.nix
@ -19,6 +19,7 @@ builtins.mapAttrs
    "${name}-profiles-containers-id-out-of-range" = ./profiles/containers/id-out-of-range.nix;
    "${name}-profiles-duplicate-ids" = ./profiles/duplicate-ids.nix;
    "${name}-profiles-extensions" = ./profiles/extensions;
+    "${name}-profiles-extensions-assertions" = ./profiles/extensions/assertions.nix;
    "${name}-profiles-overwrite" = ./profiles/overwrite;
    "${name}-profiles-search" = ./profiles/search;
    "${name}-profiles-settings" = ./profiles/settings;
--- a/tests/modules/programs/firefox/profiles/extensions/assertions.nix
+++ b/tests/modules/programs/firefox/profiles/extensions/assertions.nix
@ -0,0 +1,74 @@
+modulePath:
+{ config, lib, ... }:
+
+let
+
+  firefoxMockOverlay = import ../../setup-firefox-mock-overlay.nix modulePath;
+
+  uBlockStubPkg = config.lib.test.mkStubPackage {
+    name = "ublock-origin-dummy";
+    extraAttrs = {
+      addonId = "uBlock0@raymondhill.net";
+      meta.mozPermissions = [
+        "privacy"
+        "storage"
+        "tabs"
+        "<all_urls>"
+        "http://*/*"
+        "https://github.com/*"
+      ];
+    };
+  };
+in
+{
+  imports = [ firefoxMockOverlay ];
+
+  config = lib.mkIf config.test.enableBig (
+    lib.setAttrByPath modulePath {
+      enable = true;
+      profiles.extensions = {
+        extensions = {
+          packages = [ uBlockStubPkg ];
+          settings = {
+            "uBlock0@raymondhill.net" = {
+              settings = {
+                selectedFilterLists = [
+                  "ublock-filters"
+                  "ublock-badware"
+                  "ublock-privacy"
+                  "ublock-unbreak"
+                  "ublock-quick-fixes"
+                ];
+              };
+              permissions = [
+                "alarms"
+                "tabs"
+                "https://github.com/*"
+              ];
+            };
+            "unknown@example.com".permissions = [ ];
+          };
+        };
+      };
+    }
+    // {
+      test.asserts.assertions.expected = [
+        ''
+          Using '${lib.showOption modulePath}.profiles.extensions.extensions.settings' will override all
+          previous extensions settings. Enable
+          '${lib.showOption modulePath}.profiles.extensions.extensions.force' to acknowledge this.
+        ''
+        ''
+          Extension uBlock0@raymondhill.net requests permissions that weren't
+          authorized: ["privacy","storage","<all_urls>","http://*/*"].
+          Consider adding the missing permissions to
+          '${lib.showOption modulePath}.profiles.extensions.extensions."uBlock0@raymondhill.net".permissions'.
+        ''
+        ''
+          Must have exactly one extension with addonId 'unknown@example.com'
+          in '${lib.showOption modulePath}.profiles.extensions.extensions.packages' but found 0.
+        ''
+      ];
+    }
+  );
+}