Fix WebRTC bug in production installations only, due to config perms

When running locally, or running in an updated server environment, the
webextension folder, including its config, is user writable.
Unfortunately, when running in a fresh production install, that's not
true: the folder is usually administrator/root-owned, and so cannot be
modified by users, so our config injection mechanism didn't work.

To fix this, we now 'install' the webextension on first use, copying it
(~10 files total, 1MB) into a temp directory, which can then be
modified, and deleted again when the app exits.

Author: pimterry

src/interceptors/chromium-based-interceptors.ts

@@ -16,7 +16,7 @@ import { listRunningProcesses, windowsClose, waitForExit } from '../util/process
 import { HideWarningServer } from '../hide-warning-server';
 import { Interceptor } from '.';
 import { reportError } from '../error-tracking';
-import { WEBEXTENSION_PATH } from '../webextension';
+import { WEBEXTENSION_INSTALL } from '../webextension';
 
 const getBrowserDetails = async (config: HtkConfig, variant: string): Promise<Browser | undefined> => {
     const browsers = await getAvailableBrowsers(config.configPath);
@@ -59,12 +59,12 @@ const getChromiumLaunchOptions = async (
             '--disable-background-networking',
             '--disable-component-update',
             '--check-for-update-interval=31536000', // Don't update for a year
-            ...(webExtensionEnabled
+            ...(webExtensionEnabled && WEBEXTENSION_INSTALL
                 // Install HTTP Toolkit's extension, for advanced hook setup. Feature
                 // flagged for now as it's still new & largely untested.
                 ? [
 
-                    `--load-extension=${WEBEXTENSION_PATH}`
+                    `--load-extension=${WEBEXTENSION_INSTALL.path}`
                 ]
                 : []
             )

src/util/fs.ts

@@ -19,6 +19,18 @@ export const writeFile = promisify(fs.writeFile);
 export const renameFile = promisify(fs.rename);
 export const copyFile = promisify(fs.copyFile);
 
+export const copyRecursive = async (from: string, to: string) => {
+    // fs.cp is only available in Node 16.7.0+
+    if (!fs.cp) throw new Error("fs.cp not available");
+
+    return new Promise<void>((resolve, reject) => {
+        fs.cp(from, to, { recursive: true }, (err) => {
+            if (err) reject(err);
+            else resolve();
+        });
+    });
+};
+
 export const canAccess = (path: string) => checkAccess(path).then(() => true).catch(() => false);
 
 // Takes a path, follows any links present (if possible) until we reach a non-link file. This

src/webextension.ts

@@ -1,10 +1,46 @@
 import * as path from 'path';
+import * as os from 'os';
+
+import { deleteFile, mkDir, writeFile, copyRecursive, deleteFolder } from "./util/fs";
+import { addShutdownHandler } from './shutdown';
+
 import { OVERRIDES_DIR } from './interceptors/terminal/terminal-env-overrides';
 
-import { deleteFile, mkDir, writeFile } from "./util/fs";
+const WEBEXTENSION_BASE_PATH = path.join(OVERRIDES_DIR, 'webextension');
+
+// We copy the WebExtension to a temp directory the first time it's activated, so that we can
+// modify the config folder within to easily inject config into the extension. Without this,
+// the extension is usually in the app install directory, which is often not user-writable.
+// We only make one copy for all sessions, but we later inject independent per-session
+// config files, so they can behave independently.
+export let WEBEXTENSION_INSTALL: {
+    path: string;
+    configPath: string;
+} | undefined;
+async function ensureWebExtensionInstalled() {
+    if (WEBEXTENSION_INSTALL) return; // No-op after the first install
+    else {
+        const tmpDir = os.tmpdir();
 
-export const WEBEXTENSION_PATH = path.join(OVERRIDES_DIR, 'webextension');
-const WEBEXTENSION_CONFIG_PATH = path.join(WEBEXTENSION_PATH, 'config');
+        const webExtensionPath = path.join(tmpDir, 'httptoolkit-webextension');
+        const configPath = path.join(webExtensionPath, 'config');
+
+        await copyRecursive(WEBEXTENSION_BASE_PATH, webExtensionPath);
+        await mkDir(configPath);
+
+        WEBEXTENSION_INSTALL = { path: webExtensionPath, configPath };
+        console.log(`Webextension installed at ${WEBEXTENSION_INSTALL.path}`);
+    }
+}
+
+// On shutdown, we delete the webextension install again.
+addShutdownHandler(async () => {
+    if (WEBEXTENSION_INSTALL) {
+        console.log(`Uninstalling webextension from ${WEBEXTENSION_INSTALL.path}`);
+        await deleteFolder(WEBEXTENSION_INSTALL.path);
+        WEBEXTENSION_INSTALL = undefined;
+    }
+});
 
 interface WebExtensionConfig { // Should match config in the WebExtension itself
     mockRtc: {
@@ -17,9 +53,11 @@ const getConfigKey = (proxyPort: number) =>
     `127_0_0_1.${proxyPort}`; // Filename-safe proxy address
 
 const getConfigPath = (proxyPort: number) =>
-    path.join(WEBEXTENSION_CONFIG_PATH, getConfigKey(proxyPort));
+    path.join(WEBEXTENSION_INSTALL!.configPath, getConfigKey(proxyPort));
 
 export function clearWebExtensionConfig(httpProxyPort: number) {
+    if (!WEBEXTENSION_INSTALL) return;
+
     return deleteFile(getConfigPath(httpProxyPort))
         .catch(() => {}); // We ignore errors - nothing we can do, not very important.
 }
@@ -30,6 +68,8 @@ export async function updateWebExtensionConfig(
     webRTCEnabled: boolean
 ) {
     if (webRTCEnabled) {
+        await ensureWebExtensionInstalled();
+
         const adminBaseUrl = `http://internal.httptoolkit.localhost:45456/session/${sessionId}`;
         await writeConfig(httpProxyPort, {
             mockRtc: {
@@ -38,11 +78,14 @@ export async function updateWebExtensionConfig(
             }
         });
     } else {
-        await writeConfig(httpProxyPort, { mockRtc: false });
+        if (WEBEXTENSION_INSTALL) {
+            // If the extension is set up, but this specific session has it disabled, we
+            // make the config explicitly disable it, just to be clear:
+            await writeConfig(httpProxyPort, { mockRtc: false });
+        }
     }
 }
 
 async function writeConfig(proxyPort: number, config: WebExtensionConfig) {
-    await mkDir(WEBEXTENSION_CONFIG_PATH).catch(() => {}); // Make sure the config dir exists
     return writeFile(getConfigPath(proxyPort), JSON.stringify(config));
 }