npm - @metamask/snaps-controllers - Versions diffs - 4.0.0 → 4.1.0 - Mend

@metamask/snaps-controllers 4.0.0 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/dist/esm/snaps/SnapController.js CHANGED Viewed

@@ -66,13 +66,13 @@ import { SubjectType } from '@metamask/permission-controller';
 import { rpcErrors } from '@metamask/rpc-errors';
 import { WALLET_SNAP_PERMISSION_KEY } from '@metamask/snaps-rpc-methods';
 import { AuxiliaryFileEncoding, getErrorMessage } from '@metamask/snaps-sdk';
-import { validateComponentLinks, assertIsSnapManifest, assertIsValidSnapId, DEFAULT_ENDOWMENTS, DEFAULT_REQUESTED_SNAP_VERSION, encodeAuxiliaryFile, HandlerType, isOriginAllowed, logError, normalizeRelative, OnTransactionResponseStruct, resolveVersionRange, SnapCaveatType, SnapStatus, SnapStatusEvents, validateFetchedSnap, unwrapError, OnHomePageResponseStruct, getValidatedLocalizationFiles, encodeBase64 } from '@metamask/snaps-utils';
+import { validateComponentLinks, assertIsSnapManifest, assertIsValidSnapId, DEFAULT_ENDOWMENTS, DEFAULT_REQUESTED_SNAP_VERSION, encodeAuxiliaryFile, HandlerType, isOriginAllowed, logError, normalizeRelative, OnTransactionResponseStruct, OnSignatureResponseStruct, resolveVersionRange, SnapCaveatType, SnapStatus, SnapStatusEvents, unwrapError, OnHomePageResponseStruct, getValidatedLocalizationFiles, VirtualFile, NpmSnapFileNames } from '@metamask/snaps-utils';
 import { assert, assertIsJsonRpcRequest, assertStruct, Duration, gtRange, gtVersion, hasProperty, inMilliseconds, isNonEmptyArray, isValidSemVerRange, satisfiesVersionRange, timeSince } from '@metamask/utils';
 import { createMachine, interpret } from '@xstate/fsm';
 import { nanoid } from 'nanoid';
 import { forceStrict, validateMachine } from '../fsm';
 import { log } from '../logging';
-import { getSnapFiles, hasTimedOut, setDiff, withTimeout } from '../utils';
+import { fetchSnap, hasTimedOut, setDiff, withTimeout } from '../utils';
 import { handlerEndowments, SnapEndowments } from './endowments';
 import { getKeyringCaveatOrigins } from './endowments/keyring';
 import { getRpcCaveatOrigins } from './endowments/rpc';
@@ -125,7 +125,7 @@ var _closeAllConnections = /*#__PURE__*/ new WeakMap(), _dynamicPermissions = /*
 _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    * Constructor helper for registering the controller's messaging system
    * actions.
-   */ _registerMessageHandlers = /*#__PURE__*/ new WeakSet(), _pollForLastRequestStatus = /*#__PURE__*/ new WeakSet(), _blockSnap = /*#__PURE__*/ new WeakSet(), /**
+   */ _registerMessageHandlers = /*#__PURE__*/ new WeakSet(), _handlePreinstalledSnaps = /*#__PURE__*/ new WeakSet(), _pollForLastRequestStatus = /*#__PURE__*/ new WeakSet(), _blockSnap = /*#__PURE__*/ new WeakSet(), /**
    * Unblocks a snap so that it can be enabled and started again. Emits
    * {@link SnapUnblocked}. Does nothing if the snap is not installed or already
    * unblocked.
@@ -142,7 +142,7 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    *
    * @param snapId - The id of the snap to transition.
    * @param event - The event enum to use to transition.
-   */ _transition = /*#__PURE__*/ new WeakSet(), _terminateSnap = /*#__PURE__*/ new WeakSet(), /**
+   */ _transition = /*#__PURE__*/ new WeakSet(), _terminateSnap = /*#__PURE__*/ new WeakSet(), _handleInitialConnections = /*#__PURE__*/ new WeakSet(), _addSnapToSubject = /*#__PURE__*/ new WeakSet(), /**
    * Removes a snap's permission (caveat) from all subjects.
    *
    * @param snapId - The id of the Snap.
@@ -163,7 +163,7 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    *
    * @param args - The add snap args.
    * @returns The resulting snap object.
-   */ _set = /*#__PURE__*/ new WeakSet(), _fetchSnap = /*#__PURE__*/ new WeakSet(), _validateSnapPermissions = /*#__PURE__*/ new WeakSet(), /**
+   */ _set = /*#__PURE__*/ new WeakSet(), _validateSnapPermissions = /*#__PURE__*/ new WeakSet(), /**
    * Gets the RPC message handler for the given snap.
    *
    * @param snapId - The id of the Snap whose message handler to get.
@@ -181,6 +181,16 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    * @throws {@link Error}. If the snap exists before creation or if creation fails.
    * @returns A `RollbackSnapshot`.
    */ _createRollbackSnapshot = /*#__PURE__*/ new WeakSet(), _rollbackSnap = /*#__PURE__*/ new WeakSet(), _rollbackSnaps = /*#__PURE__*/ new WeakSet(), _getRuntime = /*#__PURE__*/ new WeakSet(), _getRuntimeExpect = /*#__PURE__*/ new WeakSet(), _setupRuntime = /*#__PURE__*/ new WeakSet(), _calculatePermissionsChange = /*#__PURE__*/ new WeakSet(), /**
+   * Updates the permissions for a snap following an install, update or rollback.
+   *
+   * Grants newly requested permissions and revokes unused/revoked permissions.
+   *
+   * @param args - An options bag.
+   * @param args.snapId - The snap ID.
+   * @param args.newPermissions - New permissions to be granted.
+   * @param args.unusedPermissions - Unused permissions to be revoked.
+   * @param args.requestData - Optional request data from an approval.
+   */ _updatePermissions = /*#__PURE__*/ new WeakSet(), /**
    * Checks if a snap will pass version validation checks
    * with the new version range that is requested. The first
    * check that is done is to check if the existing snap version
@@ -471,6 +481,10 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
         if (!Array.isArray(snapIds)) {
             throw new Error('Expected array of snap ids.');
         }
+        snapIds.forEach((snapId)=>{
+            const snap = this.getExpect(snapId);
+            assert(snap.removable !== false, `${snapId} is not removable.`);
+        });
         await Promise.all(snapIds.map(async (snapId)=>{
             const snap = this.getExpect(snapId);
             const truncated = this.getTruncatedExpect(snapId);
@@ -664,6 +678,7 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
             snapId,
             type: SNAP_APPROVAL_INSTALL
         });
+        this.messagingSystem.publish('SnapController:snapInstallStarted', snapId, origin, false);
         // Existing snaps must be stopped before overwriting
         if (existingSnap && this.isRunning(snapId)) {
             await this.stopSnap(snapId, SnapStatusEvents.Stop);
@@ -697,11 +712,13 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
             return truncated;
         } catch (error) {
             logError(`Error when adding ${snapId}.`, error);
+            const errorString = error instanceof Error ? error.message : error.toString();
             _class_private_method_get(this, _updateApproval, updateApproval).call(this, pendingApproval.id, {
                 loading: false,
                 type: SNAP_APPROVAL_INSTALL,
-                error: error instanceof Error ? error.message : error.toString()
+                error: errorString
             });
+            this.messagingSystem.publish('SnapController:snapInstallFailed', snapId, origin, false, errorString);
             throw error;
         }
     }
@@ -733,9 +750,11 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
             type: SNAP_APPROVAL_UPDATE
         });
         try {
+            this.messagingSystem.publish('SnapController:snapInstallStarted', snapId, origin, true);
             const snap = this.getExpect(snapId);
-            const newSnap = await _class_private_method_get(this, _fetchSnap, fetchSnap).call(this, snapId, location);
-            const { sourceCode: sourceCodeFile, manifest: manifestFile } = newSnap.files;
+            const oldManifest = snap.manifest;
+            const newSnap = await fetchSnap(snapId, location);
+            const { sourceCode: sourceCodeFile, manifest: manifestFile } = newSnap;
             const manifest = manifestFile.result;
             const newVersion = manifest.version;
             if (!gtVersion(newVersion, snap.version)) {
@@ -772,28 +791,22 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
             _class_private_method_get(this, _set, set).call(this, {
                 origin,
                 id: snapId,
-                files: newSnap.files,
+                files: newSnap,
                 isUpdate: true
             });
-            const unusedPermissionsKeys = Object.keys(unusedPermissions);
-            if (isNonEmptyArray(unusedPermissionsKeys)) {
-                this.messagingSystem.call('PermissionController:revokePermissions', {
-                    [snapId]: unusedPermissionsKeys
-                });
-            }
-            if (isNonEmptyArray(Object.keys(approvedNewPermissions))) {
-                this.messagingSystem.call('PermissionController:grantPermissions', {
-                    approvedPermissions: approvedNewPermissions,
-                    subject: {
-                        origin: snapId
-                    },
-                    requestData
-                });
+            _class_private_method_get(this, _updatePermissions, updatePermissions).call(this, {
+                snapId,
+                unusedPermissions,
+                newPermissions: approvedNewPermissions,
+                requestData
+            });
+            if (manifest.initialConnections) {
+                _class_private_method_get(this, _handleInitialConnections, handleInitialConnections).call(this, snapId, oldManifest.initialConnections ?? null, manifest.initialConnections);
             }
             const rollbackSnapshot = _class_private_method_get(this, _getRollbackSnapshot, getRollbackSnapshot).call(this, snapId);
             if (rollbackSnapshot !== undefined) {
                 rollbackSnapshot.permissions.revoked = unusedPermissions;
-                rollbackSnapshot.permissions.granted = Object.keys(approvedNewPermissions);
+                rollbackSnapshot.permissions.granted = approvedNewPermissions;
                 rollbackSnapshot.permissions.requestData = requestData;
             }
             const sourceCode = sourceCodeFile.toString();
@@ -817,11 +830,13 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
             return truncatedSnap;
         } catch (error) {
             logError(`Error when updating ${snapId},`, error);
+            const errorString = error instanceof Error ? error.message : error.toString();
             _class_private_method_get(this, _updateApproval, updateApproval).call(this, pendingApproval.id, {
                 loading: false,
-                error: error instanceof Error ? error.message : error.toString(),
+                error: errorString,
                 type: SNAP_APPROVAL_UPDATE
             });
+            this.messagingSystem.publish('SnapController:snapInstallFailed', snapId, origin, true, errorString);
             throw error;
         }
     }
@@ -856,14 +871,13 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
                 permissions: processedPermissions
             });
             const { permissions: approvedPermissions, ...requestData } = await pendingApproval.promise;
-            if (isNonEmptyArray(Object.keys(approvedPermissions))) {
-                this.messagingSystem.call('PermissionController:grantPermissions', {
-                    approvedPermissions,
-                    subject: {
-                        origin: snapId
-                    },
-                    requestData
-                });
+            _class_private_method_get(this, _updatePermissions, updatePermissions).call(this, {
+                snapId,
+                newPermissions: approvedPermissions,
+                requestData
+            });
+            if (snap.manifest.initialConnections) {
+                _class_private_method_get(this, _handleInitialConnections, handleInitialConnections).call(this, snapId, null, snap.manifest.initialConnections);
             }
         } finally{
             const runtime = _class_private_method_get(this, _getRuntimeExpect, getRuntimeExpect).call(this, snapId);
@@ -925,7 +939,7 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
     }
     constructor({ closeAllConnections, messenger, state, dynamicPermissions = [
         'eth_accounts'
-    ], environmentEndowmentPermissions = [], excludedPermissions = {}, idleTimeCheckInterval = inMilliseconds(5, Duration.Second), maxIdleTime = inMilliseconds(30, Duration.Second), maxRequestTime = inMilliseconds(60, Duration.Second), fetchFunction = globalThis.fetch.bind(globalThis), featureFlags = {}, detectSnapLocation: detectSnapLocationFunction = detectSnapLocation }){
+    ], environmentEndowmentPermissions = [], excludedPermissions = {}, idleTimeCheckInterval = inMilliseconds(5, Duration.Second), maxIdleTime = inMilliseconds(30, Duration.Second), maxRequestTime = inMilliseconds(60, Duration.Second), fetchFunction = globalThis.fetch.bind(globalThis), featureFlags = {}, detectSnapLocation: detectSnapLocationFunction = detectSnapLocation, preinstalledSnaps }){
         super({
             messenger,
             metadata: {
@@ -963,6 +977,7 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
         });
         _class_private_method_init(this, _initializeStateMachine);
         _class_private_method_init(this, _registerMessageHandlers);
+        _class_private_method_init(this, _handlePreinstalledSnaps);
         _class_private_method_init(this, _pollForLastRequestStatus);
         /**
    * Blocks an installed snap and prevents it from being started again. Emits
@@ -980,6 +995,8 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    *
    * @param snapId - The snap to terminate.
    */ _class_private_method_init(this, _terminateSnap);
+        _class_private_method_init(this, _handleInitialConnections);
+        _class_private_method_init(this, _addSnapToSubject);
         _class_private_method_init(this, _removeSnapFromSubjects);
         _class_private_method_init(this, _revokeAllSnapPermissions);
         _class_private_method_init(this, _createApproval);
@@ -1007,13 +1024,6 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    * @returns An array of the names of the endowments.
    */ _class_private_method_init(this, _getEndowments);
         _class_private_method_init(this, _set);
-        /**
-   * Fetches the manifest and source code of a snap.
-   *
-   * @param snapId - The id of the Snap.
-   * @param location - Source from which snap will be fetched.
-   * @returns A tuple of the Snap manifest object and the Snap source code.
-   */ _class_private_method_init(this, _fetchSnap);
         _class_private_method_init(this, _validateSnapPermissions);
         _class_private_method_init(this, _getRpcRequestHandler);
         _class_private_method_init(this, _triggerPhishingListUpdate);
@@ -1058,6 +1068,7 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
         _class_private_method_init(this, _getRuntimeExpect);
         _class_private_method_init(this, _setupRuntime);
         _class_private_method_init(this, _calculatePermissionsChange);
+        _class_private_method_init(this, _updatePermissions);
         _class_private_method_init(this, _isValidUpdate);
         /**
    * Call a lifecycle hook on a snap, if the snap has the
@@ -1154,7 +1165,10 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
         });
         _class_private_method_get(this, _initializeStateMachine, initializeStateMachine).call(this);
         _class_private_method_get(this, _registerMessageHandlers, registerMessageHandlers).call(this);
-        Object.values(state?.snaps ?? {}).forEach((snap)=>_class_private_method_get(this, _setupRuntime, setupRuntime).call(this, snap.id));
+        if (preinstalledSnaps) {
+            _class_private_method_get(this, _handlePreinstalledSnaps, handlePreinstalledSnaps).call(this, preinstalledSnaps);
+        }
+        Object.values(this.state?.snaps ?? {}).forEach((snap)=>_class_private_method_get(this, _setupRuntime, setupRuntime).call(this, snap.id));
     }
 }
 function initializeStateMachine() {
@@ -1231,6 +1245,63 @@ function registerMessageHandlers() {
     this.messagingSystem.registerActionHandler(`${controllerName}:revokeDynamicPermissions`, (...args)=>this.revokeDynamicSnapPermissions(...args));
     this.messagingSystem.registerActionHandler(`${controllerName}:getFile`, async (...args)=>this.getSnapFile(...args));
 }
+function handlePreinstalledSnaps(preinstalledSnaps) {
+    for (const { snapId, manifest, files, removable } of preinstalledSnaps){
+        const existingSnap = this.get(snapId);
+        const isAlreadyInstalled = existingSnap !== undefined;
+        const isUpdate = isAlreadyInstalled && gtVersion(manifest.version, existingSnap.version);
+        // Disallow downgrades and overwriting non preinstalled snaps
+        if (isAlreadyInstalled && (!isUpdate || existingSnap.preinstalled !== true)) {
+            continue;
+        }
+        const manifestFile = new VirtualFile({
+            path: NpmSnapFileNames.Manifest,
+            value: JSON.stringify(manifest),
+            result: manifest
+        });
+        const virtualFiles = files.map(({ path, value })=>new VirtualFile({
+                value,
+                path
+            }));
+        const { filePath, iconPath } = manifest.source.location.npm;
+        const sourceCode = virtualFiles.find((file)=>file.path === filePath);
+        const svgIcon = iconPath ? virtualFiles.find((file)=>file.path === iconPath) : undefined;
+        assert(sourceCode, 'Source code not provided for preinstalled snap.');
+        assert(!iconPath || iconPath && svgIcon, 'Icon not provided for preinstalled snap.');
+        assert(manifest.source.files === undefined, 'Auxiliary files are not currently supported for preinstalled snaps.');
+        const localizationFiles = manifest.source.locales?.map((path)=>virtualFiles.find((file)=>file.path === path)) ?? [];
+        const validatedLocalizationFiles = getValidatedLocalizationFiles(localizationFiles.filter(Boolean));
+        assert(localizationFiles.length === validatedLocalizationFiles.length, 'Missing localization files for preinstalled snap.');
+        const filesObject = {
+            manifest: manifestFile,
+            sourceCode,
+            svgIcon,
+            auxiliaryFiles: [],
+            localizationFiles: validatedLocalizationFiles
+        };
+        // Add snap to the SnapController state
+        _class_private_method_get(this, _set, set).call(this, {
+            id: snapId,
+            origin: 'metamask',
+            files: filesObject,
+            removable,
+            preinstalled: true
+        });
+        // Setup permissions
+        const processedPermissions = processSnapPermissions(manifest.initialPermissions);
+        _class_private_method_get(this, _validateSnapPermissions, validateSnapPermissions).call(this, processedPermissions);
+        const { newPermissions, unusedPermissions } = _class_private_method_get(this, _calculatePermissionsChange, calculatePermissionsChange).call(this, snapId, processedPermissions);
+        _class_private_method_get(this, _updatePermissions, updatePermissions).call(this, {
+            snapId,
+            newPermissions,
+            unusedPermissions
+        });
+        // Set status
+        this.update((state)=>{
+            state.snaps[snapId].status = SnapStatus.Stopped;
+        });
+    }
+}
 function pollForLastRequestStatus() {
     _class_private_field_set(this, _timeoutForLastRequestStatus, setTimeout(()=>{
         _class_private_method_get(this, _stopSnapsLastRequestPastMax, stopSnapsLastRequestPastMax).call(this).catch((error)=>{
@@ -1293,6 +1364,52 @@ async function terminateSnap(snapId) {
     await this.messagingSystem.call('ExecutionService:terminateSnap', snapId);
     this.messagingSystem.publish('SnapController:snapTerminated', this.getTruncatedExpect(snapId));
 }
+function handleInitialConnections(snapId, previousInitialConnections, initialConnections) {
+    if (previousInitialConnections) {
+        const revokedInitialConnections = setDiff(previousInitialConnections, initialConnections);
+        for (const origin of Object.keys(revokedInitialConnections)){
+            this.removeSnapFromSubject(origin, snapId);
+        }
+    }
+    for (const origin of Object.keys(initialConnections)){
+        _class_private_method_get(this, _addSnapToSubject, addSnapToSubject).call(this, origin, snapId);
+    }
+}
+function addSnapToSubject(origin, snapId) {
+    const subjectPermissions = this.messagingSystem.call('PermissionController:getPermissions', origin);
+    const existingCaveat = subjectPermissions?.[WALLET_SNAP_PERMISSION_KEY]?.caveats?.find((caveat)=>caveat.type === SnapCaveatType.SnapIds);
+    const subjectHasSnap = Boolean((existingCaveat?.value)?.[snapId]);
+    // If the subject is already connected to the snap, this is a no-op.
+    if (subjectHasSnap) {
+        return;
+    }
+    // If an existing caveat exists, we add the snap to that.
+    if (existingCaveat) {
+        this.messagingSystem.call('PermissionController:updateCaveat', origin, WALLET_SNAP_PERMISSION_KEY, SnapCaveatType.SnapIds, {
+            ...existingCaveat,
+            [snapId]: {}
+        });
+        return;
+    }
+    const approvedPermissions = {
+        [WALLET_SNAP_PERMISSION_KEY]: {
+            caveats: [
+                {
+                    type: SnapCaveatType.SnapIds,
+                    value: {
+                        [snapId]: {}
+                    }
+                }
+            ]
+        }
+    };
+    this.messagingSystem.call('PermissionController:grantPermissions', {
+        approvedPermissions,
+        subject: {
+            origin
+        }
+    });
+}
 function removeSnapFromSubjects(snapId) {
     const subjects = this.messagingSystem.call('PermissionController:getSubjectNames');
     for (const subject of subjects){
@@ -1350,8 +1467,8 @@ async function add(args) {
         // If fetching and setting the snap succeeds, this property will be set
         // to null in the authorize() method.
         runtime.installPromise = (async ()=>{
-            const fetchedSnap = await _class_private_method_get(this, _fetchSnap, fetchSnap).call(this, snapId, location);
-            const manifest = fetchedSnap.files.manifest.result;
+            const fetchedSnap = await fetchSnap(snapId, location);
+            const manifest = fetchedSnap.manifest.result;
             if (!satisfiesVersionRange(manifest.version, versionRange)) {
                 throw new Error(`Version mismatch. Manifest for "${snapId}" specifies version "${manifest.version}" which doesn't satisfy requested version range "${versionRange}".`);
             }
@@ -1361,7 +1478,7 @@ async function add(args) {
             });
             return _class_private_method_get(this, _set, set).call(this, {
                 ...args,
-                ...fetchedSnap,
+                files: fetchedSnap,
                 id: snapId
             });
         })();
@@ -1424,7 +1541,7 @@ async function getEndowments(snapId) {
     return dedupedEndowments;
 }
 function set(args) {
-    const { id: snapId, origin, files, isUpdate = false } = args;
+    const { id: snapId, origin, files, isUpdate = false, removable, preinstalled } = args;
     const { manifest, sourceCode: sourceCodeFile, svgIcon, auxiliaryFiles: rawAuxiliaryFiles, localizationFiles } = files;
     assertIsSnapManifest(manifest.result);
     const { version, proposedName } = manifest.result;
@@ -1455,6 +1572,8 @@ function set(args) {
         // previous state.
         blocked: false,
         enabled: true,
+        removable,
+        preinstalled,
         id: snapId,
         initialPermissions: manifest.result.initialPermissions,
         manifest: manifest.result,
@@ -1491,36 +1610,6 @@ function set(args) {
         sourceCode
     };
 }
-async function fetchSnap(snapId, location) {
-    try {
-        const manifest = await location.manifest();
-        const sourceCode = await location.fetch(manifest.result.source.location.npm.filePath);
-        const { iconPath } = manifest.result.source.location.npm;
-        const svgIcon = iconPath ? await location.fetch(iconPath) : undefined;
-        const auxiliaryFiles = await getSnapFiles(location, manifest.result.source.files);
-        await Promise.all(auxiliaryFiles.map(async (file)=>{
-            // This should still be safe
-            // eslint-disable-next-line require-atomic-updates
-            file.data.base64 = await encodeBase64(file);
-        }));
-        const localizationFiles = await getSnapFiles(location, manifest.result.source.locales);
-        const validatedLocalizationFiles = getValidatedLocalizationFiles(localizationFiles);
-        const files = {
-            manifest,
-            sourceCode,
-            svgIcon,
-            auxiliaryFiles,
-            localizationFiles: validatedLocalizationFiles
-        };
-        await validateFetchedSnap(files);
-        return {
-            files,
-            location
-        };
-    } catch (error) {
-        throw new Error(`Failed to fetch snap "${snapId}": ${getErrorMessage(error)}.`);
-    }
-}
 function validateSnapPermissions(processedPermissions) {
     const permissionKeys = Object.keys(processedPermissions);
     const handlerPermissions = Array.from(new Set(Object.values(handlerEndowments)));
@@ -1613,6 +1702,17 @@ async function assertSnapRpcRequestResult(handlerType, result) {
                 validateComponentLinks(result.content, _class_private_method_get(this, _checkPhishingList, checkPhishingList).bind(this));
                 break;
             }
+        case HandlerType.OnSignature:
+            {
+                assertStruct(result, OnSignatureResponseStruct);
+                // Null is an allowed return value here
+                if (result === null) {
+                    return;
+                }
+                await _class_private_method_get(this, _triggerPhishingListUpdate, triggerPhishingListUpdate).call(this);
+                validateComponentLinks(result.content, _class_private_method_get(this, _checkPhishingList, checkPhishingList).bind(this));
+                break;
+            }
         case HandlerType.OnHomePage:
             assertStruct(result, OnHomePageResponseStruct);
             await _class_private_method_get(this, _triggerPhishingListUpdate, triggerPhishingListUpdate).call(this);
@@ -1651,11 +1751,7 @@ function createRollbackSnapshot(snapId) {
     assert(_class_private_field_get(this, _rollbackSnapshots).get(snapId) === undefined, new Error(`Snap "${snapId}" rollback snapshot already exists.`));
     _class_private_field_get(this, _rollbackSnapshots).set(snapId, {
         statePatches: [],
-        permissions: {
-            revoked: null,
-            granted: [],
-            requestData: null
-        },
+        permissions: {},
         newVersion: ''
     });
     const newRollbackSnapshot = _class_private_field_get(this, _rollbackSnapshots).get(snapId);
@@ -1683,20 +1779,12 @@ async function rollbackSnap(snapId) {
             state.snaps[snapId].status = SnapStatus.Stopped;
         });
     }
-    if (permissions.revoked && Object.keys(permissions.revoked).length) {
-        this.messagingSystem.call('PermissionController:grantPermissions', {
-            approvedPermissions: permissions.revoked,
-            subject: {
-                origin: snapId
-            },
-            requestData: permissions.requestData
-        });
-    }
-    if (permissions.granted?.length) {
-        this.messagingSystem.call('PermissionController:revokePermissions', {
-            [snapId]: permissions.granted
-        });
-    }
+    _class_private_method_get(this, _updatePermissions, updatePermissions).call(this, {
+        snapId,
+        unusedPermissions: permissions.granted,
+        newPermissions: permissions.revoked,
+        requestData: permissions.requestData
+    });
     const truncatedSnap = this.getTruncatedExpect(snapId);
     this.messagingSystem.publish('SnapController:snapRolledback', truncatedSnap, rollbackSnapshot.newVersion);
     _class_private_field_get(this, _rollbackSnapshots).delete(snapId);
@@ -1752,6 +1840,23 @@ function calculatePermissionsChange(snapId, desiredPermissionsSet) {
         approvedPermissions
     };
 }
+function updatePermissions({ snapId, unusedPermissions = {}, newPermissions = {}, requestData }) {
+    const unusedPermissionsKeys = Object.keys(unusedPermissions);
+    if (isNonEmptyArray(unusedPermissionsKeys)) {
+        this.messagingSystem.call('PermissionController:revokePermissions', {
+            [snapId]: unusedPermissionsKeys
+        });
+    }
+    if (isNonEmptyArray(Object.keys(newPermissions))) {
+        this.messagingSystem.call('PermissionController:grantPermissions', {
+            approvedPermissions: newPermissions,
+            subject: {
+                origin: snapId
+            },
+            requestData
+        });
+    }
+}
 function isValidUpdate(snapId, newVersionRange) {
     const existingSnap = this.getExpect(snapId);
     if (satisfiesVersionRange(existingSnap.version, newVersionRange)) {