restrict plugin-manager endpoint to localhost and station domain and update e2e tests (#1436)

* restrict plugin-manager endpoint to localhost and station domain and update e2e tests

* fix robot tests

* fix copilot review and upgrade deprecated macos-13 to macos-15 in pipelines

* remove old CI delete and install wallet plugin process

* fix ubuntu deb packaging process

* update fyne.io/fyne/v2 from v2.3.4 to v2.7.1~ to have compatibility with fyne.io/tools/cmd/fyne@latest.

* test

* test

* test

* test

* test

* fix macos pipeline issue

Author: fleandrei

.github/workflows/build.yml

@@ -25,10 +25,10 @@ jobs:
           - os: ubuntu-24.04
             arch: amd64
             target: linux
-          - os: macos-13
+          - os: macos-15
             arch: amd64
             target: darwin
-          - os: macos-13
+          - os: macos-15
             arch: arm64
             target: darwin
 
@@ -61,7 +61,7 @@ jobs:
         if: matrix.target != 'windows'
         shell: bash
         run: |
-          task package
+          task package OS=${{ matrix.target }}
       - name: Rename binary for ${{ matrix.target }} on ${{ matrix.arch }}
         shell: bash
         run: |
@@ -75,15 +75,27 @@ jobs:
             massastation_${{ matrix.target }}_${{ matrix.arch }}.exe
           if-no-files-found: error
           retention-days: 7
-      - name: Upload Package
-        # We don't need to upload package for windows since we do not package for windows.
-        if: matrix.target != 'windows'
+      - name: Prepare macOS app bundle for upload
+        if: matrix.target == 'darwin'
+        shell: bash
+        # The actions/upload-artifact only import content of a folder, so we need to create a temporary folder to upload MassaStation.app
+        run: |
+          mkdir -p package_output
+          cp -R MassaStation.app package_output/
+      - name: Upload Package (macOS)
+        if: matrix.target == 'darwin'
         uses: actions/upload-artifact@v4
         with:
           name: massastation_${{ matrix.target }}_${{ matrix.arch }}_package
-          path: |
-            MassaStation.app
-            MassaStation.tar.xz
+          path: package_output/
+          if-no-files-found: error
+          retention-days: 1
+      - name: Upload Package (Linux)
+        if: matrix.target == 'linux'
+        uses: actions/upload-artifact@v4
+        with:
+          name: massastation_${{ matrix.target }}_${{ matrix.arch }}_package
+          path: MassaStation.tar.xz
           if-no-files-found: error
           retention-days: 1
 
@@ -97,7 +109,7 @@ jobs:
       matrix:
         arch: [amd64, arm64]
 
-    runs-on: macos-13
+    runs-on: macos-15
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/tests.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: ["windows-latest", "ubuntu-latest", "macos-13"]
+        os: ["windows-latest", "ubuntu-latest", "macos-15"]
     steps:
       - uses: actions/checkout@v4
       - name: installing dependencies

Taskfile.yml

@@ -19,7 +19,7 @@ tasks:
       - cmd: go install github.com/go-swagger/go-swagger/cmd/swagger@latest
       - cmd: go install golang.org/x/tools/cmd/stringer@latest
       - cmd: go install go.uber.org/mock/mockgen@v0.2.0
-      - cmd: go install fyne.io/fyne/v2/cmd/fyne@latest
+      - cmd: go install fyne.io/tools/cmd/fyne@latest
 
   install-dev:
     desc: Installs development dependencies (fmt, lint, etc.)
@@ -102,7 +102,7 @@ tasks:
     desc: Packages MassaStation using fyne
     platforms: [linux, darwin]
     cmds:
-      - cmd: fyne package -name MassaStation -icon ./int/systray/embedded/logo.png -appID net.massalabs.massastation -exe massastation
+      - cmd: fyne package -name MassaStation -icon ../../int/systray/embedded/logo.png --app-id net.massalabs.massastation -src ./cmd/massastation {{if .OS}}--os {{.OS}}{{end}}
 
   generate-dirs:
     desc: Generates required directories for MassaStation

api/domain_restriction.go

@@ -29,7 +29,7 @@ func DomainRestrictionMiddleware(handler http.Handler) http.Handler {
 }
 
 func IsRestrictedPath(path string) bool {
-	restrictedPaths := []string{"/network"}
+	restrictedPaths := []string{"/network", "/plugin-manager"}
 	for _, restrictedPath := range restrictedPaths {
 		if strings.HasPrefix(path, restrictedPath) {
 			return true

api/test/robot_tests/cmd/keywords.resource

@@ -7,42 +7,42 @@ Resource            ../keywords.resource
 Resource            ../variables.resource
 
 *** Variables ***
-${WALLET_PLUGIN_VERSION}       v0.5.0
+${WALLET_PLUGIN_VERSION}       v0.5.6
 
 *** Keywords ***
 Suite Setup
     Basic Suite Setup
     Switch To Buildnet
     Init SC build environment
-    ${GITHUB_ACTIONS}    Get Environment Variable    GITHUB_ACTIONS    false
-    IF    "${GITHUB_ACTIONS}" == "true"
-        Log To Console    We are in the CI
-        Delete Wallet Plugin
-        Install Wallet Plugin
-    END
+    Install Wallet Plugin
 
 Delete Wallet Plugin
-    Log To Console    Deleting Massa Wallet Plugin
+    Log To Console    Attempt to delete Massa Wallet Plugin if exist
     ${pluginId}=    Get Plugin ID From Author and Name    massalabs    wallet
     IF    "${pluginId}" != "${EMPTY}"
-        Log To Console    Deleting plugin with ID ${pluginId}
-        ${response}=    DELETE    ${API_URL}/plugin-manager/${pluginId}
+        Log To Console    Deleting plugin Massa Wallet with ID ${pluginId}
+        ${headers}=    Create Dictionary    Origin=http://localhost
+        ${response}=    DELETE    ${API_URL}/plugin-manager/${pluginId}    headers=${headers}
         Sleep    1 seconds    # Wait for the plugin to be deleted
     END
 
 Install Wallet Plugin
-    Log To Console    Installing Massa Wallet Plugin
-    ${source}=    Set Variable
-    ...    https://massa-station-assets.s3.eu-west-3.amazonaws.com/plugins/wallet/${WALLET_PLUGIN_VERSION}/wallet-plugin_${OS}-${ARCH}.zip
-    ${response}=    POST
-    ...    ${API_URL}/plugin-manager
-    ...    params=source=${source}
-    ...    expected_status=${STATUS_NO_CONTENT}
-    Sleep    1 seconds    # Wait for the plugin to be registered
+    Log To Console    Attempt to install Massa Wallet Plugin if not already installed
+    ${pluginId}=    Get Plugin ID From Author and Name    massalabs    wallet
+    IF      "${pluginId}" == "${EMPTY}"
+        Log To Console    Installing Massa Wallet Plugin because it does not exist yet
+        ${source}=    Set Variable
+        ...    https://massa-station-assets.s3.eu-west-3.amazonaws.com/plugins/wallet/${WALLET_PLUGIN_VERSION}/wallet-plugin_${OS}-${ARCH}.zip
+        ${headers}=    Create Dictionary    Origin=http://localhost
+        ${response}=    POST
+        ...    ${API_URL}/plugin-manager
+        ...    params=source=${source}
+        ...    headers=${headers}
+        ...    expected_status=${STATUS_NO_CONTENT}
+        Sleep    1 seconds    # Wait for the plugin to be registered
+    END
 
 Init SC build environment
     Log To Console    Initializing SC build environment
-    Log To Console    Installing SC dependencies
     Run    cd testSC; npm install
-    Log To Console    Building SC
     Run    cd testSC; npm run build

api/test/robot_tests/plugin_manager/keywords.resource

@@ -16,7 +16,8 @@ Delete all plugins
     Log To Console    Deleting all plugins
     ${response}=    GET    ${API_URL}/plugin-manager
     FOR    ${element}    IN    @{response.json()}
-        ${response}=    DELETE    ${API_URL}/plugin-manager/${element['id']}
+        ${headers}=    Create Dictionary    Origin=http://localhost
+        ${response}=    DELETE    ${API_URL}/plugin-manager/${element['id']}    headers=${headers}
         Status Should Be    ${STATUS_NO_CONTENT}
     END
 
@@ -25,5 +26,6 @@ Delete Hello World Plugin
     Log To Console    Deleting Hello World Plugin
     ${pluginId}=    Get Plugin ID From Author and Name    massalabs    hello-world
     IF    "${pluginId}" != "${EMPTY}"
-        ${response}=    DELETE    ${API_URL}/plugin-manager/${pluginId}
+        ${headers}=    Create Dictionary    Origin=http://localhost
+        ${response}=    DELETE    ${API_URL}/plugin-manager/${pluginId}    headers=${headers}
     END

api/test/robot_tests/plugin_manager/plugin_manager.robot

@@ -8,10 +8,9 @@ Resource            variables.resource
 Resource            ../variables.resource
 
 Suite Setup         Suite Setup
-Suite Teardown      Delete all plugins
 
 *** Variables ***
-${HELLO_WORLD_PLUGIN_VERSION}       v0.0.8
+${HELLO_WORLD_PLUGIN_VERSION}       v0.0.11
 
 *** Test Cases ***
 GET /plugin-manager with no plugins
@@ -23,12 +22,33 @@ GET /plugin-manager with no plugins
 POST /plugin-manager?source={{pluginSource}}
     ${source}=    Set Variable
     ...    https://github.com/massalabs/station-massa-hello-world/releases/download/${HELLO_WORLD_PLUGIN_VERSION}/station-massa-hello-world_${OS}-${ARCH}.zip
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager
     ...    params=source=${source}
+    ...    headers=${headers}
     ...    expected_status=${STATUS_NO_CONTENT}
     Sleep    1 seconds    # Wait for the plugin to be registered
 
+POST /plugin-manager?source={{pluginSource}} should fail when Origin not provided
+    ${source}=    Set Variable
+    ...    https://github.com/massalabs/station-massa-hello-world/releases/download/${HELLO_WORLD_PLUGIN_VERSION}/station-massa-hello-world_${OS}-${ARCH}.zip
+    ${response}=    POST
+    ...    ${API_URL}/plugin-manager
+    ...    params=source=${source}
+    ...    expected_status=${STATUS_FORBIDDEN}
+
+POST /plugin-manager?source={{pluginSource}} should fail when Origin not allowed
+    ${source}=    Set Variable
+    ...    https://github.com/massalabs/station-massa-hello-world/releases/download/${HELLO_WORLD_PLUGIN_VERSION}/station-massa-hello-world_${OS}-${ARCH}.zip
+    ${headers}=    Create Dictionary    Origin=http://malicious.example.com
+    ${response}=    POST
+    ...    ${API_URL}/plugin-manager
+    ...    params=source=${source}
+    ...    headers=${headers}
+    ...    expected_status=${STATUS_FORBIDDEN}
+
+
 GET /plugin-manager with one plugin
     ${response}=    GET    ${API_URL}/plugin-manager
     Status Should Be    ${STATUS_OK}
@@ -45,25 +65,54 @@ GET /plugin-manager/{id}
 POST /plugin-manager/{id}/execute with stop command
     ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
     ${data}=    Create Dictionary    command=stop
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
     ...    expected_status=${STATUS_NO_CONTENT}
     ...    json=${data}
 
+POST /plugin-manager/{id}/execute should fail when Origin not allowed
+    ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
+    ${data}=    Create Dictionary    command=stop
+    ${headers}=    Create Dictionary    Origin=http://malicious.example.com
+    ${response}=    POST
+    ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
+    ...    expected_status=${STATUS_FORBIDDEN}
+    ...    json=${data}
+    ${data}=    Create Dictionary    command=start
+    ${response}=    POST
+    ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
+    ...    expected_status=${STATUS_FORBIDDEN}
+    ...    json=${data}
+    ${data}=    Create Dictionary    command=restart
+    ${response}=    POST
+    ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
+    ...    expected_status=${STATUS_FORBIDDEN}
+    ...    json=${data}
+
+
 POST /plugin-manager/{id}/execute with start command
     ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
     ${data}=    Create Dictionary    command=start
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
     ...    expected_status=${STATUS_NO_CONTENT}
     ...    json=${data}
     Sleep    1 seconds    # Wait for the plugin to be started
 
 POST /plugin-manager/{id}/execute with restart command
     ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
     ${data}=    Create Dictionary    command=restart
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
     ...    expected_status=${STATUS_NO_CONTENT}
     ...    json=${data}
     Sleep    1 seconds    # Wait for the plugin to be restarted
@@ -100,8 +149,10 @@ GET /plugin/{author}/{name}/
 POST /plugins-manager/{id}/execute already started
     ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
     ${data}=    Create Dictionary    command=start
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/${id}/execute
+    ...    headers=${headers}
     ...    expected_status=${STATUS_BAD_REQUEST}
     ...    json=${data}
 
@@ -121,23 +172,21 @@ GET /plugin/${author}/${name} with invalid author and name
 
 POST /plugin-manager/{id}/execute with invalid id
     ${data}=    Create Dictionary    command=start
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/invalid/execute
+    ...    headers=${headers}
     ...    expected_status=${STATUS_NOT_FOUND}
     ...    json=${data}
     Should Be Equal As Strings    ${response.json()['code']}    Plugin-0001
     Should Be Equal As Strings    ${response.json()['message']}    get plugin error: no plugin matching correlationID invalid
 
-DELETE /plugin-manager/{id} with invalid id
-    ${response}=    DELETE    ${API_URL}/plugin-manager/3829029    expected_status=${STATUS_INTERNAL_SERVER_ERROR}
-    Should Be Equal As Strings
-    ...    ${response.json()['message']}
-    ...    getting plugin 3829029: no plugin matching correlationID 3829029
-
 POST /plugin-manager/{id}/execute with invalid body
     ${data}=    Create Dictionary    command=test
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/invalid/execute
+    ...    headers=${headers}
     ...    expected_status=${STATUS_UNPROCESSABLE_ENTITY}
     ...    json=${data}
     Should Be Equal As Strings    ${response.json()['code']}    606
@@ -155,8 +204,10 @@ POST /plugin-manager/register with invalid id
     ...    home=sunt
     ...    api_spec=culpa enim sint aliqua
     ...    url=oluptate
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/register
+    ...    headers=${headers}
     ...    expected_status=${STATUS_NOT_FOUND}
     ...    json=${data}
 
@@ -172,9 +223,47 @@ POST /plugin-manager/register with invalid body
     ...    logo=id et sunt irure,
     ...    home=sunt
     ...    api_spec=culpa enim sint aliqua
+    ${headers}=    Create Dictionary    Origin=http://localhost
     ${response}=    POST
     ...    ${API_URL}/plugin-manager/register
+    ...    headers=${headers}
     ...    expected_status=${STATUS_UNPROCESSABLE_ENTITY}
     ...    json=${data}
     Should Be Equal As Strings    ${response.json()['code']}    602
     Should Be Equal As Strings    ${response.json()['message']}    body.url in body is required
+
+POST /plugin-manager/register with not allowed origin header
+    ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
+    ${data}=    Create Dictionary
+    ...    id=
+    ...    url=http://localhost:1234
+    ${headers}=    Create Dictionary    Origin=http://malicious.example.com
+    ${response}=    POST
+    ...    ${API_URL}/plugin-manager/register
+    ...    headers=${headers}
+    ...    expected_status=${STATUS_FORBIDDEN}
+    ...    json=${data}
+    ${response_str}=    Convert To String    ${response.content}
+    Should Contain    ${response_str}    Forbidden: Operations restricted to authorized domains
+
+
+DELETE /plugin-manager/{id} with invalid id
+    ${headers}=    Create Dictionary    Origin=http://localhost
+    ${response}=    DELETE    ${API_URL}/plugin-manager/3829029    headers=${headers}    expected_status=${STATUS_INTERNAL_SERVER_ERROR}
+    Should Be Equal As Strings
+    ...    ${response.json()['message']}
+    ...    getting plugin 3829029: no plugin matching correlationID 3829029
+
+DELETE /plugin-manager/{id} with not allowed origin header
+    ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
+    ${headers}=    Create Dictionary    Origin=http://malicious.example.com
+    ${response}=    DELETE    ${API_URL}/plugin-manager/${id}    headers=${headers}    expected_status=${STATUS_FORBIDDEN}
+    ${response_str}=    Convert To String    ${response.content}
+    Should Contain    ${response_str}    Forbidden: Operations restricted to authorized domains
+
+DELETE /plugin-manager/{id} hello-world plugin
+    ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
+    ${headers}=    Create Dictionary    Origin=http://station.massa
+    ${response}=    DELETE    ${API_URL}/plugin-manager/${id}    headers=${headers}    expected_status=${STATUS_NO_CONTENT}
+    ${id}=    Get Plugin ID From Author and Name    massa-labs    hello-world
+    Should Be Equal As Strings      ${id}       ${EMPTY}