/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * This file defines the add-on sync functionality. * * There are currently a number of known limitations: * - We only sync XPI extensions and themes available from addons.mozilla.org. * We hope to expand support for other add-ons eventually. * - We only attempt syncing of add-ons between applications of the same type. * This means add-ons will not synchronize between Firefox desktop and * Firefox mobile, for example. This is because of significant add-on * incompatibility between application types. * * Add-on records exist for each known {add-on, app-id} pair in the Sync client * set. Each record has a randomly chosen GUID. The records then contain * basic metadata about the add-on. * * We currently synchronize: * * - Installations * - Uninstallations * - User enabling and disabling * * Synchronization is influenced by the following preferences: * * - services.sync.addons.ignoreUserEnabledChanges * - services.sync.addons.trustedSourceHostnames * * and also influenced by whether addons have repository caching enabled and * whether they allow installation of addons from insecure options (both of * which are themselves influenced by the "extensions." pref branch) * * See the documentation in all.js for the behavior of these prefs. */ "use strict"; const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm"); const { Preferences } = ChromeUtils.import( "resource://gre/modules/Preferences.jsm" ); const { AddonUtils } = ChromeUtils.import( "resource://services-sync/addonutils.js" ); const { AddonsReconciler } = ChromeUtils.import( "resource://services-sync/addonsreconciler.js" ); const { Store, SyncEngine, LegacyTracker } = ChromeUtils.import( "resource://services-sync/engines.js" ); const { CryptoWrapper } = ChromeUtils.import( "resource://services-sync/record.js" ); const { Svc, Utils } = ChromeUtils.import("resource://services-sync/util.js"); const { SCORE_INCREMENT_XLARGE } = ChromeUtils.import( "resource://services-sync/constants.js" ); const { CollectionValidator } = ChromeUtils.import( "resource://services-sync/collection_validator.js" ); ChromeUtils.defineModuleGetter( this, "AddonManager", "resource://gre/modules/AddonManager.jsm" ); ChromeUtils.defineModuleGetter( this, "AddonRepository", "resource://gre/modules/addons/AddonRepository.jsm" ); var EXPORTED_SYMBOLS = ["AddonsEngine", "AddonValidator"]; // 7 days in milliseconds. const PRUNE_ADDON_CHANGES_THRESHOLD = 60 * 60 * 24 * 7 * 1000; /** * AddonRecord represents the state of an add-on in an application. * * Each add-on has its own record for each application ID it is installed * on. * * The ID of add-on records is a randomly-generated GUID. It is random instead * of deterministic so the URIs of the records cannot be guessed and so * compromised server credentials won't result in disclosure of the specific * add-ons present in a Sync account. * * The record contains the following fields: * * addonID * ID of the add-on. This correlates to the "id" property on an Addon type. * * applicationID * The application ID this record is associated with. * * enabled * Boolean stating whether add-on is enabled or disabled by the user. * * source * String indicating where an add-on is from. Currently, we only support * the value "amo" which indicates that the add-on came from the official * add-ons repository, addons.mozilla.org. In the future, we may support * installing add-ons from other sources. This provides a future-compatible * mechanism for clients to only apply records they know how to handle. */ function AddonRecord(collection, id) { CryptoWrapper.call(this, collection, id); } AddonRecord.prototype = { __proto__: CryptoWrapper.prototype, _logName: "Record.Addon", }; Utils.deferGetSet(AddonRecord, "cleartext", [ "addonID", "applicationID", "enabled", "source", ]); /** * The AddonsEngine handles synchronization of add-ons between clients. * * The engine maintains an instance of an AddonsReconciler, which is the entity * maintaining state for add-ons. It provides the history and tracking APIs * that AddonManager doesn't. * * The engine instance overrides a handful of functions on the base class. The * rationale for each is documented by that function. */ function AddonsEngine(service) { SyncEngine.call(this, "Addons", service); this._reconciler = new AddonsReconciler(this._tracker.asyncObserver); } AddonsEngine.prototype = { __proto__: SyncEngine.prototype, _storeObj: AddonsStore, _trackerObj: AddonsTracker, _recordObj: AddonRecord, version: 1, syncPriority: 5, _reconciler: null, async initialize() { await SyncEngine.prototype.initialize.call(this); await this._reconciler.ensureStateLoaded(); }, /** * Override parent method to find add-ons by their public ID, not Sync GUID. */ async _findDupe(item) { let id = item.addonID; // The reconciler should have been updated at the top of the sync, so we // can assume it is up to date when this function is called. let addons = this._reconciler.addons; if (!(id in addons)) { return null; } let addon = addons[id]; if (addon.guid != item.id) { return addon.guid; } return null; }, /** * Override getChangedIDs to pull in tracker changes plus changes from the * reconciler log. */ async getChangedIDs() { let changes = {}; const changedIDs = await this._tracker.getChangedIDs(); for (let [id, modified] of Object.entries(changedIDs)) { changes[id] = modified; } let lastSync = await this.getLastSync(); let lastSyncDate = new Date(lastSync * 1000); // The reconciler should have been refreshed at the beginning of a sync and // we assume this function is only called from within a sync. let reconcilerChanges = this._reconciler.getChangesSinceDate(lastSyncDate); let addons = this._reconciler.addons; for (let change of reconcilerChanges) { let changeTime = change[0]; let id = change[2]; if (!(id in addons)) { continue; } // Keep newest modified time. if (id in changes && changeTime < changes[id]) { continue; } if (!(await this.isAddonSyncable(addons[id]))) { continue; } this._log.debug("Adding changed add-on from changes log: " + id); let addon = addons[id]; changes[addon.guid] = changeTime.getTime() / 1000; } return changes; }, /** * Override start of sync function to refresh reconciler. * * Many functions in this class assume the reconciler is refreshed at the * top of a sync. If this ever changes, those functions should be revisited. * * Technically speaking, we don't need to refresh the reconciler on every * sync since it is installed as an AddonManager listener. However, add-ons * are complicated and we force a full refresh, just in case the listeners * missed something. */ async _syncStartup() { // We refresh state before calling parent because syncStartup in the parent // looks for changed IDs, which is dependent on add-on state being up to // date. await this._refreshReconcilerState(); return SyncEngine.prototype._syncStartup.call(this); }, /** * Override end of sync to perform a little housekeeping on the reconciler. * * We prune changes to prevent the reconciler state from growing without * bound. Even if it grows unbounded, there would have to be many add-on * changes (thousands) for it to slow things down significantly. This is * highly unlikely to occur. Still, we exercise defense just in case. */ async _syncCleanup() { let lastSync = await this.getLastSync(); let ms = 1000 * lastSync - PRUNE_ADDON_CHANGES_THRESHOLD; this._reconciler.pruneChangesBeforeDate(new Date(ms)); return SyncEngine.prototype._syncCleanup.call(this); }, /** * Helper function to ensure reconciler is up to date. * * This will load the reconciler's state from the file * system (if needed) and refresh the state of the reconciler. */ async _refreshReconcilerState() { this._log.debug("Refreshing reconciler state"); return this._reconciler.refreshGlobalState(); }, // Returns a promise isAddonSyncable(addon, ignoreRepoCheck) { return this._store.isAddonSyncable(addon, ignoreRepoCheck); }, }; /** * This is the primary interface between Sync and the Addons Manager. * * In addition to the core store APIs, we provide convenience functions to wrap * Add-on Manager APIs with Sync-specific semantics. */ function AddonsStore(name, engine) { Store.call(this, name, engine); } AddonsStore.prototype = { __proto__: Store.prototype, // Define the add-on types (.type) that we support. _syncableTypes: ["extension", "theme"], _extensionsPrefs: new Preferences("extensions."), get reconciler() { return this.engine._reconciler; }, /** * Override applyIncoming to filter out records we can't handle. */ async applyIncoming(record) { // The fields we look at aren't present when the record is deleted. if (!record.deleted) { // Ignore records not belonging to our application ID because that is the // current policy. if (record.applicationID != Services.appinfo.ID) { this._log.info( "Ignoring incoming record from other App ID: " + record.id ); return; } // Ignore records that aren't from the official add-on repository, as that // is our current policy. if (record.source != "amo") { this._log.info( "Ignoring unknown add-on source (" + record.source + ")" + " for " + record.id ); return; } } // Ignore incoming records for which an existing non-syncable addon // exists. Note that we do not insist that the addon manager already have // metadata for this addon - it's possible our reconciler previously saw the // addon but the addon-manager cache no longer has it - which is fine for a // new incoming addon. // (Note that most other cases where the addon-manager cache is invalid // doesn't get this treatment because that cache self-repairs after some // time - but it only re-populates addons which are currently installed.) let existingMeta = this.reconciler.addons[record.addonID]; if ( existingMeta && !(await this.isAddonSyncable(existingMeta, /* ignoreRepoCheck */ true)) ) { this._log.info( "Ignoring incoming record for an existing but non-syncable addon", record.addonID ); return; } await Store.prototype.applyIncoming.call(this, record); }, /** * Provides core Store API to create/install an add-on from a record. */ async create(record) { // This will throw if there was an error. This will get caught by the sync // engine and the record will try to be applied later. const results = await AddonUtils.installAddons([ { id: record.addonID, syncGUID: record.id, enabled: record.enabled, requireSecureURI: this._extensionsPrefs.get( "install.requireSecureOrigin", true ), }, ]); if (results.skipped.includes(record.addonID)) { this._log.info("Add-on skipped: " + record.addonID); // Just early-return for skipped addons - we don't want to arrange to // try again next time because the condition that caused up to skip // will remain true for this addon forever. return; } let addon; for (let a of results.addons) { if (a.id == record.addonID) { addon = a; break; } } // This should never happen, but is present as a fail-safe. if (!addon) { throw new Error("Add-on not found after install: " + record.addonID); } this._log.info("Add-on installed: " + record.addonID); }, /** * Provides core Store API to remove/uninstall an add-on from a record. */ async remove(record) { // If this is called, the payload is empty, so we have to find by GUID. let addon = await this.getAddonByGUID(record.id); if (!addon) { // We don't throw because if the add-on could not be found then we assume // it has already been uninstalled and there is nothing for this function // to do. return; } this._log.info("Uninstalling add-on: " + addon.id); await AddonUtils.uninstallAddon(addon); }, /** * Provides core Store API to update an add-on from a record. */ async update(record) { let addon = await this.getAddonByID(record.addonID); // update() is called if !this.itemExists. And, since itemExists consults // the reconciler only, we need to take care of some corner cases. // // First, the reconciler could know about an add-on that was uninstalled // and no longer present in the add-ons manager. if (!addon) { await this.create(record); return; } // It's also possible that the add-on is non-restartless and has pending // install/uninstall activity. // // We wouldn't get here if the incoming record was for a deletion. So, // check for pending uninstall and cancel if necessary. if (addon.pendingOperations & AddonManager.PENDING_UNINSTALL) { addon.cancelUninstall(); // We continue with processing because there could be state or ID change. } await this.updateUserDisabled(addon, !record.enabled); }, /** * Provide core Store API to determine if a record exists. */ async itemExists(guid) { let addon = this.reconciler.getAddonStateFromSyncGUID(guid); return !!addon; }, /** * Create an add-on record from its GUID. * * @param guid * Add-on GUID (from extensions DB) * @param collection * Collection to add record to. * * @return AddonRecord instance */ async createRecord(guid, collection) { let record = new AddonRecord(collection, guid); record.applicationID = Services.appinfo.ID; let addon = this.reconciler.getAddonStateFromSyncGUID(guid); // If we don't know about this GUID or if it has been uninstalled, we mark // the record as deleted. if (!addon || !addon.installed) { record.deleted = true; return record; } record.modified = addon.modified.getTime() / 1000; record.addonID = addon.id; record.enabled = addon.enabled; // This needs to be dynamic when add-ons don't come from AddonRepository. record.source = "amo"; return record; }, /** * Changes the id of an add-on. * * This implements a core API of the store. */ async changeItemID(oldID, newID) { // We always update the GUID in the reconciler because it will be // referenced later in the sync process. let state = this.reconciler.getAddonStateFromSyncGUID(oldID); if (state) { state.guid = newID; await this.reconciler.saveState(); } let addon = await this.getAddonByGUID(oldID); if (!addon) { this._log.debug( "Cannot change item ID (" + oldID + ") in Add-on " + "Manager because old add-on not present: " + oldID ); return; } addon.syncGUID = newID; }, /** * Obtain the set of all syncable add-on Sync GUIDs. * * This implements a core Store API. */ async getAllIDs() { let ids = {}; let addons = this.reconciler.addons; for (let id in addons) { let addon = addons[id]; if (await this.isAddonSyncable(addon)) { ids[addon.guid] = true; } } return ids; }, /** * Wipe engine data. * * This uninstalls all syncable addons from the application. In case of * error, it logs the error and keeps trying with other add-ons. */ async wipe() { this._log.info("Processing wipe."); await this.engine._refreshReconcilerState(); // We only wipe syncable add-ons. Wipe is a Sync feature not a security // feature. let ids = await this.getAllIDs(); for (let guid in ids) { let addon = await this.getAddonByGUID(guid); if (!addon) { this._log.debug( "Ignoring add-on because it couldn't be obtained: " + guid ); continue; } this._log.info("Uninstalling add-on as part of wipe: " + addon.id); await Utils.catch.call(this, () => addon.uninstall())(); } }, /** ************************************************************************* * Functions below are unique to this store and not part of the Store API * ***************************************************************************/ /** * Obtain an add-on from its public ID. * * @param id * Add-on ID * @return Addon or undefined if not found */ async getAddonByID(id) { return AddonManager.getAddonByID(id); }, /** * Obtain an add-on from its Sync GUID. * * @param guid * Add-on Sync GUID * @return DBAddonInternal or null */ async getAddonByGUID(guid) { return AddonManager.getAddonBySyncGUID(guid); }, /** * Determines whether an add-on is suitable for Sync. * * @param addon * Addon instance * @param ignoreRepoCheck * Should we skip checking the Addons repository (primarially useful * for testing and validation). * @return Boolean indicating whether it is appropriate for Sync */ async isAddonSyncable(addon, ignoreRepoCheck = false) { // Currently, we limit syncable add-ons to those that are: // 1) In a well-defined set of types // 2) Installed in the current profile // 3) Not installed by a foreign entity (i.e. installed by the app) // since they act like global extensions. // 4) Is not a hotfix. // 5) The addons XPIProvider doesn't veto it (i.e not being installed in // the profile directory, or any other reasons it says the addon can't // be synced) // 6) Are installed from AMO // We could represent the test as a complex boolean expression. We go the // verbose route so the failure reason is logged. if (!addon) { this._log.debug("Null object passed to isAddonSyncable."); return false; } if (!this._syncableTypes.includes(addon.type)) { this._log.debug( addon.id + " not syncable: type not in whitelist: " + addon.type ); return false; } if (!(addon.scope & AddonManager.SCOPE_PROFILE)) { this._log.debug(addon.id + " not syncable: not installed in profile."); return false; } // If the addon manager says it's not syncable, we skip it. if (!addon.isSyncable) { this._log.debug(addon.id + " not syncable: vetoed by the addon manager."); return false; } // This may be too aggressive. If an add-on is downloaded from AMO and // manually placed in the profile directory, foreignInstall will be set. // Arguably, that add-on should be syncable. // TODO Address the edge case and come up with more robust heuristics. if (addon.foreignInstall) { this._log.debug(addon.id + " not syncable: is foreign install."); return false; } // If the AddonRepository's cache isn't enabled (which it typically isn't // in tests), getCachedAddonByID always returns null - so skip the check // in that case. We also provide a way to specifically opt-out of the check // even if the cache is enabled, which is used by the validators. if (ignoreRepoCheck || !AddonRepository.cacheEnabled) { return true; } let result = await new Promise(res => { AddonRepository.getCachedAddonByID(addon.id, res); }); if (!result) { this._log.debug( addon.id + " not syncable: add-on not found in add-on repository." ); return false; } return this.isSourceURITrusted(result.sourceURI); }, /** * Determine whether an add-on's sourceURI field is trusted and the add-on * can be installed. * * This function should only ever be called from isAddonSyncable(). It is * exposed as a separate function to make testing easier. * * @param uri * nsIURI instance to validate * @return bool */ isSourceURITrusted: function isSourceURITrusted(uri) { // For security reasons, we currently limit synced add-ons to those // installed from trusted hostname(s). We additionally require TLS with // the add-ons site to help prevent forgeries. let trustedHostnames = Svc.Prefs.get( "addons.trustedSourceHostnames", "" ).split(","); if (!uri) { this._log.debug("Undefined argument to isSourceURITrusted()."); return false; } // Scheme is validated before the hostname because uri.host may not be // populated for certain schemes. It appears to always be populated for // https, so we avoid the potential NS_ERROR_FAILURE on field access. if (uri.scheme != "https") { this._log.debug("Source URI not HTTPS: " + uri.spec); return false; } if (!trustedHostnames.includes(uri.host)) { this._log.debug("Source hostname not trusted: " + uri.host); return false; } return true; }, /** * Update the userDisabled flag on an add-on. * * This will enable or disable an add-on. It has no return value and does * not catch or handle exceptions thrown by the addon manager. If no action * is needed it will return immediately. * * @param addon * Addon instance to manipulate. * @param value * Boolean to which to set userDisabled on the passed Addon. */ async updateUserDisabled(addon, value) { if (addon.userDisabled == value) { return; } // A pref allows changes to the enabled flag to be ignored. if (Svc.Prefs.get("addons.ignoreUserEnabledChanges", false)) { this._log.info( "Ignoring enabled state change due to preference: " + addon.id ); return; } AddonUtils.updateUserDisabled(addon, value); // updating this flag doesn't send a notification for appDisabled addons, // meaning the reconciler will not update its state and may resync the // addon - so explicitly rectify the state (bug 1366994) if (addon.appDisabled) { await this.reconciler.rectifyStateFromAddon(addon); } }, }; /** * The add-ons tracker keeps track of real-time changes to add-ons. * * It hooks up to the reconciler and receives notifications directly from it. */ function AddonsTracker(name, engine) { LegacyTracker.call(this, name, engine); } AddonsTracker.prototype = { __proto__: LegacyTracker.prototype, get reconciler() { return this.engine._reconciler; }, get store() { return this.engine._store; }, /** * This callback is executed whenever the AddonsReconciler sends out a change * notification. See AddonsReconciler.addChangeListener(). */ async changeListener(date, change, addon) { this._log.debug("changeListener invoked: " + change + " " + addon.id); // Ignore changes that occur during sync. if (this.ignoreAll) { return; } if (!(await this.store.isAddonSyncable(addon))) { this._log.debug( "Ignoring change because add-on isn't syncable: " + addon.id ); return; } const added = await this.addChangedID(addon.guid, date.getTime() / 1000); if (added) { this.score += SCORE_INCREMENT_XLARGE; } }, onStart() { this.reconciler.startListening(); this.reconciler.addChangeListener(this); }, onStop() { this.reconciler.removeChangeListener(this); this.reconciler.stopListening(); }, }; class AddonValidator extends CollectionValidator { constructor(engine = null) { super("addons", "id", ["addonID", "enabled", "applicationID", "source"]); this.engine = engine; } async getClientItems() { return AddonManager.getAllAddons(); } normalizeClientItem(item) { let enabled = !item.userDisabled; if (item.pendingOperations & AddonManager.PENDING_ENABLE) { enabled = true; } else if (item.pendingOperations & AddonManager.PENDING_DISABLE) { enabled = false; } return { enabled, id: item.syncGUID, addonID: item.id, applicationID: Services.appinfo.ID, source: "amo", // check item.foreignInstall? original: item, }; } async normalizeServerItem(item) { let guid = await this.engine._findDupe(item); if (guid) { item.id = guid; } return item; } clientUnderstands(item) { return item.applicationID === Services.appinfo.ID; } async syncedByClient(item) { return ( !item.original.hidden && !item.original.isSystem && !(item.original.pendingOperations & AddonManager.PENDING_UNINSTALL) && // No need to await the returned promise explicitely: // |expr1 && expr2| evaluates to expr2 if expr1 is true. this.engine.isAddonSyncable(item.original, true) ); } }