@metamask/snaps-controllers 4.1.0 → 5.0.1

package/dist/esm/snaps/SnapController.js

@@ -64,20 +64,17 @@ function _define_property(obj, key, value) {
 import { BaseController } from '@metamask/base-controller';
 import { SubjectType } from '@metamask/permission-controller';
 import { rpcErrors } from '@metamask/rpc-errors';
-import { WALLET_SNAP_PERMISSION_KEY } from '@metamask/snaps-rpc-methods';
+import { WALLET_SNAP_PERMISSION_KEY, getMaxRequestTimeCaveat, handlerEndowments, SnapEndowments, getKeyringCaveatOrigins, getRpcCaveatOrigins, processSnapPermissions } from '@metamask/snaps-rpc-methods';
 import { AuxiliaryFileEncoding, getErrorMessage } from '@metamask/snaps-sdk';
-import { validateComponentLinks, assertIsSnapManifest, assertIsValidSnapId, DEFAULT_ENDOWMENTS, DEFAULT_REQUESTED_SNAP_VERSION, encodeAuxiliaryFile, HandlerType, isOriginAllowed, logError, normalizeRelative, OnTransactionResponseStruct, OnSignatureResponseStruct, resolveVersionRange, SnapCaveatType, SnapStatus, SnapStatusEvents, unwrapError, OnHomePageResponseStruct, getValidatedLocalizationFiles, VirtualFile, NpmSnapFileNames } from '@metamask/snaps-utils';
+import { assertIsSnapManifest, assertIsValidSnapId, DEFAULT_ENDOWMENTS, DEFAULT_REQUESTED_SNAP_VERSION, encodeAuxiliaryFile, HandlerType, isOriginAllowed, logError, normalizeRelative, OnTransactionResponseStruct, OnSignatureResponseStruct, resolveVersionRange, SnapCaveatType, SnapStatus, SnapStatusEvents, unwrapError, OnHomePageResponseStruct, getValidatedLocalizationFiles, VirtualFile, NpmSnapFileNames, OnNameLookupResponseStruct, getLocalizedSnapManifest } from '@metamask/snaps-utils';
 import { assert, assertIsJsonRpcRequest, assertStruct, Duration, gtRange, gtVersion, hasProperty, inMilliseconds, isNonEmptyArray, isValidSemVerRange, satisfiesVersionRange, timeSince } from '@metamask/utils';
 import { createMachine, interpret } from '@xstate/fsm';
 import { nanoid } from 'nanoid';
 import { forceStrict, validateMachine } from '../fsm';
 import { log } from '../logging';
 import { fetchSnap, hasTimedOut, setDiff, withTimeout } from '../utils';
-import { handlerEndowments, SnapEndowments } from './endowments';
-import { getKeyringCaveatOrigins } from './endowments/keyring';
-import { getRpcCaveatOrigins } from './endowments/rpc';
+import { ALLOWED_PERMISSIONS } from './constants';
 import { detectSnapLocation } from './location';
-import { processSnapPermissions } from './permissions';
 import { SnapsRegistryStatus } from './registry';
 import { RequestQueue } from './RequestQueue';
 import { Timer } from './Timer';
@@ -164,11 +161,19 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    * @param args - The add snap args.
    * @returns The resulting snap object.
    */ _set = /*#__PURE__*/ new WeakSet(), _validateSnapPermissions = /*#__PURE__*/ new WeakSet(), /**
+   * Determine the execution timeout for a given handler permission.
+   *
+   * If no permission is specified or the permission itself has no execution timeout defined
+   * the constructor argument `maxRequestTime` will be used.
+   *
+   * @param permission - An optional permission constraint for the handler being called.
+   * @returns The execution timeout for the given handler.
+   */ _getExecutionTimeout = /*#__PURE__*/ new WeakSet(), /**
    * Gets the RPC message handler for the given snap.
    *
    * @param snapId - The id of the Snap whose message handler to get.
    * @returns The RPC handler for the given snap.
-   */ _getRpcRequestHandler = /*#__PURE__*/ new WeakSet(), _triggerPhishingListUpdate = /*#__PURE__*/ new WeakSet(), _checkPhishingList = /*#__PURE__*/ new WeakSet(), _assertSnapRpcRequestResult = /*#__PURE__*/ new WeakSet(), _executeWithTimeout = /*#__PURE__*/ new WeakSet(), _recordSnapRpcRequestStart = /*#__PURE__*/ new WeakSet(), _recordSnapRpcRequestFinish = /*#__PURE__*/ new WeakSet(), /**
+   */ _getRpcRequestHandler = /*#__PURE__*/ new WeakSet(), _createInterface = /*#__PURE__*/ new WeakSet(), _assertInterfaceExists = /*#__PURE__*/ new WeakSet(), _transformSnapRpcRequestResult = /*#__PURE__*/ new WeakSet(), _assertSnapRpcRequestResult = /*#__PURE__*/ new WeakSet(), _executeWithTimeout = /*#__PURE__*/ new WeakSet(), _recordSnapRpcRequestStart = /*#__PURE__*/ new WeakSet(), _recordSnapRpcRequestFinish = /*#__PURE__*/ new WeakSet(), /**
    * Retrieves the rollback snapshot of a snap.
    *
    * @param snapId - The snap id.
@@ -765,7 +770,8 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
             }
             await _class_private_method_get(this, _assertIsInstallAllowed, assertIsInstallAllowed).call(this, snapId, {
                 version: newVersion,
-                checksum: manifest.source.shasum
+                checksum: manifest.source.shasum,
+                permissions: manifest.initialPermissions
             });
             const processedPermissions = processSnapPermissions(manifest.initialPermissions);
             _class_private_method_get(this, _validateSnapPermissions, validateSnapPermissions).call(this, processedPermissions);
@@ -912,29 +918,32 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
         };
         assertIsJsonRpcRequest(request);
         const permissionName = handlerEndowments[handlerType];
-        const hasPermission = this.messagingSystem.call('PermissionController:hasPermission', snapId, permissionName);
-        if (!hasPermission) {
+        assert(typeof permissionName === 'string' || permissionName === null, "'permissionName' must be either a string or null.");
+        const permissions = this.messagingSystem.call('PermissionController:getPermissions', snapId);
+        // If permissionName is null, the handler does not require a permission.
+        if (permissionName !== null && (!permissions || !hasProperty(permissions, permissionName))) {
             throw new Error(`Snap "${snapId}" is not permitted to use "${permissionName}".`);
         }
+        const handlerPermissions = permissionName ? permissions[permissionName] : undefined;
         if (permissionName === SnapEndowments.Rpc || permissionName === SnapEndowments.Keyring) {
-            const subject = this.messagingSystem.call('SubjectMetadataController:getSubjectMetadata', origin);
-            const permissions = this.messagingSystem.call('PermissionController:getPermissions', snapId);
-            const handlerPermissions = permissions?.[permissionName];
             assert(handlerPermissions);
+            const subject = this.messagingSystem.call('SubjectMetadataController:getSubjectMetadata', origin);
             const origins = permissionName === SnapEndowments.Rpc ? getRpcCaveatOrigins(handlerPermissions) : getKeyringCaveatOrigins(handlerPermissions);
             assert(origins);
             if (!isOriginAllowed(origins, subject?.subjectType ?? SubjectType.Website, origin)) {
                 throw new Error(`Snap "${snapId}" is not permitted to handle requests from "${origin}".`);
             }
         }
-        const handler = await _class_private_method_get(this, _getRpcRequestHandler, getRpcRequestHandler).call(this, snapId);
+        const handler = _class_private_method_get(this, _getRpcRequestHandler, getRpcRequestHandler).call(this, snapId);
         if (!handler) {
             throw new Error(`Snap RPC message handler not found for snap "${snapId}".`);
         }
+        const timeout = _class_private_method_get(this, _getExecutionTimeout, getExecutionTimeout).call(this, handlerPermissions);
         return handler({
             origin,
             handler: handlerType,
-            request
+            request,
+            timeout
         });
     }
     constructor({ closeAllConnections, messenger, state, dynamicPermissions = [
@@ -1025,12 +1034,28 @@ _initializeStateMachine = /*#__PURE__*/ new WeakSet(), /**
    */ _class_private_method_init(this, _getEndowments);
         _class_private_method_init(this, _set);
         _class_private_method_init(this, _validateSnapPermissions);
+        _class_private_method_init(this, _getExecutionTimeout);
         _class_private_method_init(this, _getRpcRequestHandler);
-        _class_private_method_init(this, _triggerPhishingListUpdate);
-        _class_private_method_init(this, _checkPhishingList);
         /**
-   * Asserts that the returned result of a Snap RPC call is the expected shape.
+   * Create a dynamic interface in the SnapInterfaceController.
+   *
+   * @param snapId - The snap ID.
+   * @param content - The initial interface content.
+   * @returns An identifier that can be used to identify the interface.
+   */ _class_private_method_init(this, _createInterface);
+        _class_private_method_init(this, _assertInterfaceExists);
+        /**
+   * Transform a RPC request result if necessary.
    *
+   * @param snapId - The snap ID of the snap that produced the result.
+   * @param handlerType - The handler type that produced the result.
+   * @param result - The result.
+   * @returns The transformed result if applicable, otherwise the original result.
+   */ _class_private_method_init(this, _transformSnapRpcRequestResult);
+        /**
+   * Assert that the returned result of a Snap RPC call is the expected shape.
+   *
+   * @param snapId - The snap ID.
    * @param handlerType - The handler type of the RPC Request.
    * @param result - The result of the RPC request.
    */ _class_private_method_init(this, _assertSnapRpcRequestResult);
@@ -1343,7 +1368,9 @@ async function assertIsInstallAllowed(snapId, snapInfo) {
     const result = results[snapId];
     if (result.status === SnapsRegistryStatus.Blocked) {
         throw new Error(`Cannot install version "${snapInfo.version}" of snap "${snapId}": The version is blocked. ${result.reason?.explanation ?? ''}`);
-    } else if (_class_private_field_get(this, _featureFlags).requireAllowlist && result.status !== SnapsRegistryStatus.Verified) {
+    }
+    const isAllowlistingRequired = Object.keys(snapInfo.permissions).some((permission)=>!ALLOWED_PERMISSIONS.includes(permission));
+    if (_class_private_field_get(this, _featureFlags).requireAllowlist && isAllowlistingRequired && result.status !== SnapsRegistryStatus.Verified) {
         throw new Error(`Cannot install version "${snapInfo.version}" of snap "${snapId}": The snap is not on the allowlist.`);
     }
 }
@@ -1474,7 +1501,8 @@ async function add(args) {
             }
             await _class_private_method_get(this, _assertIsInstallAllowed, assertIsInstallAllowed).call(this, snapId, {
                 version: manifest.version,
-                checksum: manifest.source.shasum
+                checksum: manifest.source.shasum,
+                permissions: manifest.initialPermissions
             });
             return _class_private_method_get(this, _set, set).call(this, {
                 ...args,
@@ -1544,7 +1572,7 @@ function set(args) {
     const { id: snapId, origin, files, isUpdate = false, removable, preinstalled } = args;
     const { manifest, sourceCode: sourceCodeFile, svgIcon, auxiliaryFiles: rawAuxiliaryFiles, localizationFiles } = files;
     assertIsSnapManifest(manifest.result);
-    const { version, proposedName } = manifest.result;
+    const { version } = manifest.result;
     const sourceCode = sourceCodeFile.toString();
     assert(typeof sourceCode === 'string' && sourceCode.length > 0, `Invalid source code for snap "${snapId}".`);
     const auxiliaryFiles = rawAuxiliaryFiles.map((file)=>{
@@ -1565,6 +1593,7 @@ function set(args) {
             origin
         }
     ];
+    const localizedFiles = localizationFiles.map((file)=>file.result);
     const snap = {
         // Restore relevant snap state if it exists
         ...existingSnap,
@@ -1582,7 +1611,7 @@ function set(args) {
         version,
         versionHistory,
         auxiliaryFiles,
-        localizationFiles: localizationFiles.map((file)=>file.result)
+        localizationFiles: localizedFiles
     };
     // If the snap was blocked, it isn't any longer
     delete snap.blockInformation;
@@ -1598,6 +1627,9 @@ function set(args) {
             rollbackSnapshot.statePatches = inversePatches;
         }
     }
+    // In case the Snap uses a localized manifest, we need to get the
+    // proposed name from the localized manifest.
+    const { proposedName } = getLocalizedSnapManifest(manifest.result, 'en', localizedFiles);
     this.messagingSystem.call('SubjectMetadataController:addSubjectMetadata', {
         subjectType: SubjectType.Snap,
         name: proposedName,
@@ -1613,7 +1645,7 @@ function set(args) {
 function validateSnapPermissions(processedPermissions) {
     const permissionKeys = Object.keys(processedPermissions);
     const handlerPermissions = Array.from(new Set(Object.values(handlerEndowments)));
-    assert(permissionKeys.some((key)=>handlerPermissions.includes(key)), `A snap must request at least one of the following permissions: ${handlerPermissions.join(', ')}.`);
+    assert(permissionKeys.some((key)=>handlerPermissions.includes(key)), `A snap must request at least one of the following permissions: ${handlerPermissions.filter((handler)=>handler !== null).join(', ')}.`);
     const excludedPermissionErrors = permissionKeys.reduce((errors, permission)=>{
         if (hasProperty(_class_private_field_get(this, _excludedPermissions), permission)) {
             errors.push(_class_private_field_get(this, _excludedPermissions)[permission]);
@@ -1622,6 +1654,9 @@ function validateSnapPermissions(processedPermissions) {
     }, []);
     assert(excludedPermissionErrors.length === 0, `One or more permissions are not allowed:\n${excludedPermissionErrors.join('\n')}`);
 }
+function getExecutionTimeout(permission) {
+    return getMaxRequestTimeCaveat(permission) ?? this.maxRequestTime;
+}
 function getRpcRequestHandler(snapId) {
     const runtime = _class_private_method_get(this, _getRuntimeExpect, getRuntimeExpect).call(this, snapId);
     const existingHandler = runtime.rpcHandler;
@@ -1632,7 +1667,7 @@ function getRpcRequestHandler(snapId) {
     // We need to set up this promise map to map snapIds to their respective startPromises,
     // because otherwise we would lose context on the correct startPromise.
     const startPromises = new Map();
-    const rpcHandler = async ({ origin, handler: handlerType, request })=>{
+    const rpcHandler = async ({ origin, handler: handlerType, request, timeout })=>{
         if (this.state.snaps[snapId].enabled === false) {
             throw new Error(`Snap "${snapId}" is disabled.`);
         }
@@ -1658,7 +1693,7 @@ function getRpcRequestHandler(snapId) {
                 }
             }
         }
-        const timer = new Timer(this.maxRequestTime);
+        const timer = new Timer(timeout);
         _class_private_method_get(this, _recordSnapRpcRequestStart, recordSnapRpcRequestStart).call(this, snapId, request.id, timer);
         const handleRpcRequestPromise = this.messagingSystem.call('ExecutionService:handleRpcRequest', snapId, {
             origin,
@@ -1668,8 +1703,8 @@ function getRpcRequestHandler(snapId) {
         // This will either get the result or reject due to the timeout.
         try {
             const result = await _class_private_method_get(this, _executeWithTimeout, executeWithTimeout).call(this, handleRpcRequestPromise, timer);
-            await _class_private_method_get(this, _assertSnapRpcRequestResult, assertSnapRpcRequestResult).call(this, handlerType, result);
-            return result;
+            await _class_private_method_get(this, _assertSnapRpcRequestResult, assertSnapRpcRequestResult).call(this, snapId, handlerType, result);
+            return _class_private_method_get(this, _transformSnapRpcRequestResult, transformSnapRpcRequestResult).call(this, snapId, handlerType, result);
         } catch (error) {
             const [jsonRpcError, handled] = unwrapError(error);
             if (!handled) {
@@ -1683,40 +1718,64 @@ function getRpcRequestHandler(snapId) {
     runtime.rpcHandler = rpcHandler;
     return rpcHandler;
 }
-async function triggerPhishingListUpdate() {
-    return this.messagingSystem.call('PhishingController:maybeUpdateState');
+async function createInterface(snapId, content) {
+    return this.messagingSystem.call('SnapInterfaceController:createInterface', snapId, content);
 }
-function checkPhishingList(origin) {
-    return this.messagingSystem.call('PhishingController:testOrigin', origin).result;
+function assertInterfaceExists(snapId, id) {
+    // This will throw if the interface isn't accessible, but we assert nevertheless.
+    assert(this.messagingSystem.call('SnapInterfaceController:getInterface', snapId, id));
 }
-async function assertSnapRpcRequestResult(handlerType, result) {
+async function transformSnapRpcRequestResult(snapId, handlerType, result) {
+    switch(handlerType){
+        case HandlerType.OnTransaction:
+        case HandlerType.OnSignature:
+        case HandlerType.OnHomePage:
+            {
+                // Since this type has been asserted earlier we can cast
+                const castResult = result;
+                // If a handler returns static content, we turn it into a dynamic UI
+                if (castResult && hasProperty(castResult, 'content')) {
+                    const { content, ...rest } = castResult;
+                    const id = await _class_private_method_get(this, _createInterface, createInterface).call(this, snapId, content);
+                    return {
+                        ...rest,
+                        id
+                    };
+                }
+                return result;
+            }
+        default:
+            return result;
+    }
+}
+async function assertSnapRpcRequestResult(snapId, handlerType, result) {
     switch(handlerType){
         case HandlerType.OnTransaction:
             {
                 assertStruct(result, OnTransactionResponseStruct);
-                // Null is an allowed return value here
-                if (result === null) {
-                    return;
+                if (result && hasProperty(result, 'id')) {
+                    _class_private_method_get(this, _assertInterfaceExists, assertInterfaceExists).call(this, snapId, result.id);
                 }
-                await _class_private_method_get(this, _triggerPhishingListUpdate, triggerPhishingListUpdate).call(this);
-                validateComponentLinks(result.content, _class_private_method_get(this, _checkPhishingList, checkPhishingList).bind(this));
                 break;
             }
         case HandlerType.OnSignature:
             {
                 assertStruct(result, OnSignatureResponseStruct);
-                // Null is an allowed return value here
-                if (result === null) {
-                    return;
+                if (result && hasProperty(result, 'id')) {
+                    _class_private_method_get(this, _assertInterfaceExists, assertInterfaceExists).call(this, snapId, result.id);
                 }
-                await _class_private_method_get(this, _triggerPhishingListUpdate, triggerPhishingListUpdate).call(this);
-                validateComponentLinks(result.content, _class_private_method_get(this, _checkPhishingList, checkPhishingList).bind(this));
                 break;
             }
         case HandlerType.OnHomePage:
-            assertStruct(result, OnHomePageResponseStruct);
-            await _class_private_method_get(this, _triggerPhishingListUpdate, triggerPhishingListUpdate).call(this);
-            validateComponentLinks(result.content, _class_private_method_get(this, _checkPhishingList, checkPhishingList).bind(this));
+            {
+                assertStruct(result, OnHomePageResponseStruct);
+                if (result && hasProperty(result, 'id')) {
+                    _class_private_method_get(this, _assertInterfaceExists, assertInterfaceExists).call(this, snapId, result.id);
+                }
+                break;
+            }
+        case HandlerType.OnNameLookup:
+            assertStruct(result, OnNameLookupResponseStruct);
             break;
         default:
             break;
@@ -1869,6 +1928,7 @@ function isValidUpdate(snapId, newVersionRange) {
 }
 async function callLifecycleHook(snapId, handler) {
     const permissionName = handlerEndowments[handler];
+    assert(permissionName, 'Lifecycle hook must have an endowment.');
     const hasPermission = this.messagingSystem.call('PermissionController:hasPermission', snapId, permissionName);
     if (!hasPermission) {
         return;