Bug 1885652 - Add Enterprise Policies setting to allow installing XPI files signed using deprecated signatures algorithms. r=mkaply,willdurand

Differential Revision: https://phabricator.services.mozilla.com/D204814
Luca Greco 2024-03-27 20:34:18 +00:00
parent c145757c68
commit 4b62f693f8
4 changed files with 150 additions and 8 deletions


@ -662,6 +662,9 @@
"items": { "items": {
"type": "string" "type": "string"
} }
},
"temporarily_allow_weak_signatures": {
"type": "boolean"
} }
} }
} }
@ -691,6 +694,9 @@
"default_area": { "default_area": {
"type": "string", "type": "string",
"enum": ["navbar", "menupanel"] "enum": ["navbar", "menupanel"]
},
"temporarily_allow_weak_signatures": {
"type": "boolean"
} }
} }
} }


@ -21,7 +21,7 @@ let themeID = "policytheme@mozilla.com";
let fileURL; let fileURL;
add_task(async function setup() { add_setup(async function setup() {
await AddonTestUtils.promiseStartupManager(); await AddonTestUtils.promiseStartupManager();
let webExtensionFile = AddonTestUtils.createTempWebExtensionFile({ let webExtensionFile = AddonTestUtils.createTempWebExtensionFile({
@ -34,6 +34,10 @@ add_task(async function setup() {
}, },
}); });
server.registerFile(
"/data/amosigned-sha1only.xpi",
do_get_file("amosigned-sha1only.xpi")
);
server.registerFile("/data/policy_test.xpi", webExtensionFile); server.registerFile("/data/policy_test.xpi", webExtensionFile);
fileURL = Services.io fileURL = Services.io
.newFileURI(webExtensionFile) .newFileURI(webExtensionFile)
@ -289,3 +293,112 @@ add_task(async function test_addon_normalinstalled_file() {
await addon.uninstall(); await addon.uninstall();
}); });
add_task(async function test_allow_weak_signatures() {
// Make sure weak signatures are restricted.
const resetWeakSignaturePref =
AddonTestUtils.setWeakSignatureInstallAllowed(false);
const id = "amosigned-xpi@tests.mozilla.org";
const perAddonSettings = {
installation_mode: "normal_installed",
install_url: BASE_URL + "/amosigned-sha1only.xpi",
};
info(
"Sanity check: expect install to fail if not allowed through enterprise policy settings"
);
await Promise.all([
AddonTestUtils.promiseInstallEvent("onDownloadFailed"),
setupPolicyEngineWithJson({
policies: {
ExtensionSettings: {
[id]: { ...perAddonSettings },
},
},
}),
]);
let addon = await AddonManager.getAddonByID(id);
equal(addon, null, "Add-on not installed");
info(
"Expect install to be allowed through per-addon enterprise policy settings"
);
await Promise.all([
AddonTestUtils.promiseInstallEvent("onInstallEnded"),
setupPolicyEngineWithJson({
policies: {
ExtensionSettings: {
[id]: {
...perAddonSettings,
temporarily_allow_weak_signatures: true,
},
},
},
}),
]);
addon = await AddonManager.getAddonByID(id);
notEqual(addon, null, "Add-on not installed");
await addon.uninstall();
info(
"Expect install to be allowed through global enterprise policy settings"
);
await Promise.all([
AddonTestUtils.promiseInstallEvent("onInstallEnded"),
setupPolicyEngineWithJson({
policies: {
ExtensionSettings: {
"*": { temporarily_allow_weak_signatures: true },
[id]: { ...perAddonSettings },
},
},
}),
]);
addon = await AddonManager.getAddonByID(id);
notEqual(addon, null, "Add-on installed");
await addon.uninstall();
info(
"Expect install to fail if allowed globally but disallowed by per-addon settings"
);
await Promise.all([
AddonTestUtils.promiseInstallEvent("onDownloadFailed"),
setupPolicyEngineWithJson({
policies: {
ExtensionSettings: {
"*": { temporarily_allow_weak_signatures: true },
[id]: {
...perAddonSettings,
temporarily_allow_weak_signatures: false,
},
},
},
}),
]);
addon = await AddonManager.getAddonByID(id);
equal(addon, null, "Add-on not installed");
info(
"Expect install to be allowed through per addon setting when globally disallowed"
);
await Promise.all([
AddonTestUtils.promiseInstallEvent("onInstallEnded"),
setupPolicyEngineWithJson({
policies: {
ExtensionSettings: {
"*": { temporarily_allow_weak_signatures: false },
[id]: {
...perAddonSettings,
temporarily_allow_weak_signatures: true,
},
},
},
}),
]);
addon = await AddonManager.getAddonByID(id);
notEqual(addon, null, "Add-on installed");
await addon.uninstall();
resetWeakSignaturePref();
});
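Review bot: `resetWeakSignaturePref()` runs only if `test_allow_weak_signatures` reaches its last line, so a rejected `Promise.all` or a null `addon` at one of the `addon.uninstall()` calls would leave the weak-signature pref in its test state for whatever runs next. Wrapping the body after the `setWeakSignatureInstallAllowed(false)` call in `try { … } finally { resetWeakSignaturePref(); }` makes the restore unconditional. The message on the first positive check, `notEqual(addon, null, "Add-on not installed")`, is copied from the negative case and should read `"Add-on installed"` like the later ones. The task also ends with a policy that still sets `temporarily_allow_weak_signatures: true` for the add-on id, and nothing in the visible lines resets the policy engine afterwards.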


@ -2,7 +2,10 @@
skip-if = ["os == 'android'"] # bug 1730213 skip-if = ["os == 'android'"] # bug 1730213
firefox-appdir = "browser" firefox-appdir = "browser"
head = "head.js" head = "head.js"
support-files = ["policytest_v0.1.xpi"] support-files = [
"policytest_v0.1.xpi",
"../../../../../toolkit/mozapps/extensions/test/xpinstall/amosigned-sha1only.xpi"
]
["test_3rdparty.js"] ["test_3rdparty.js"]


@ -1655,19 +1655,39 @@ class AddonInstall {
this.addon.signedDate && this.addon.signedDate &&
!hasStrongSignature(this.addon) !hasStrongSignature(this.addon)
) { ) {
// Reject if it is a new install or installing over an existing addon including const addonAllowedByPolicies = Services.policies.getExtensionSettings(
// strong cryptographic signatures. this.addon.id
if (!this.existingAddon || hasStrongSignature(this.existingAddon)) { )?.temporarily_allow_weak_signatures;
const globallyAllowedByPolicies =
Services.policies.getExtensionSettings(
"*"
)?.temporarily_allow_weak_signatures;
const allowedByPolicies =
(globallyAllowedByPolicies &&
(addonAllowedByPolicies || addonAllowedByPolicies == null)) ||
addonAllowedByPolicies;
if (
!allowedByPolicies &&
(!this.existingAddon || hasStrongSignature(this.existingAddon))
) {
// Reject if it is a new install or installing over an existing addon including
// strong cryptographic signatures.
return Promise.reject([ return Promise.reject([
AddonManager.ERROR_CORRUPT_FILE, AddonManager.ERROR_CORRUPT_FILE,
"install rejected due to the package not including a strong cryptographic signature", "install rejected due to the package not including a strong cryptographic signature",
]); ]);
} }
// Still allow installs using weak signatures to install if the existing addon also had a // Still allow installs using weak signatures to install if either:
// weak signature. // - it is explicitly allowed through Enterprise Policies Settings
// - or there is an existing addon with a weak signature.
logger.warn( logger.warn(
`Allow weak signature install over existing "${this.existingAddon.id}" XPI` allowedByPolicies
? `Allow weak signature install for ${this.addon.id} XPI due to Enterprise Policies`
: `Allow weak signature install over existing "${this.existingAddon.id}" XPI`
); );
} }
} }
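Review bot: The precedence between the per-add-on setting and the `"*"` setting is encoded in `(globallyAllowedByPolicies && (addonAllowedByPolicies || addonAllowedByPolicies == null)) || addonAllowedByPolicies`, which is hard to audit for a check that relaxes signature enforcement. As far as the visible lines show, it has the same truthiness as `const allowedByPolicies = addonAllowedByPolicies ?? globallyAllowedByPolicies;`. That form, with a comment such as `// Per-add-on setting, when present, overrides the "*" setting.`, would make the rule explicit. The policy-path warning logs `this.addon.id` unquoted while the existing-add-on path quotes the id; one format for both makes the messages easier to match when auditing which installs bypassed the strong-signature requirement. The enclosing AddonInstall method starts and ends outside this hunk.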