feat: add support for socket.dev firewall client

Author: williamboman

README.md

@@ -28,6 +28,7 @@
 -   [Commands](#commands)
 -   [Registries](#registries)
 -   [Screenshots](#screenshots)
+-   [Firewall (socket.dev)](#firewall-socketdev)
 -   [Configuration](#configuration)
 
 ## Introduction
@@ -134,6 +135,39 @@ functions to ensure you have the latest package information before retrieving pa
 |           <img alt="Main window" src="https://github.com/user-attachments/assets/b9a57d21-f551-45ad-a1e5-a9fd66291510">           |                 <img alt="Language search" src="https://github.com/user-attachments/assets/3d24fb7b-2c57-4948-923b-0a42bb627cbe">                 | <img alt="Language filter" src="https://github.com/user-attachments/assets/c0ca5818-3c74-4071-bc41-427a2cd1056d"> |
 | <img alt="Package information" src="https://github.com/user-attachments/assets/6f9f6819-ac97-483d-a77c-8f6c6131ac85"> | <img alt="New package versions" src="https://github.com/user-attachments/assets/ff1adc4d-2fcc-46df-ab4c-291c891efa50"> |   <img alt="Help window" src="https://github.com/user-attachments/assets/1fbe75e4-fe69-4417-83e3-82329e1c236e">   |
 
+## Firewall (socket.dev)
+
+> Socket Firewall is a free tool that blocks malicious packages at install time, giving developers proactive protection
+> against rising supply chain attacks.
+
+`mason.nvim` supports the [Socket.dev firewall](https://socket.dev/). To enable the firewall, turn it on in the configuration:
+
+```lua
+require("mason").setup {
+  firewall = {
+    enabled = true
+  }
+}
+```
+
+By default, `mason.nvim` will automatically install and update the Socket Firewall client. If you want to manage the
+client manually, set `auto_managed` to `false` (this requires the `sfw` binary to be available in your `PATH`):
+
+```lua
+require("mason").setup {
+  firewall = {
+    enabled = true,
+    auto_managed = false
+  }
+}
+```
+
+For more information refer to the [Socket.dev](https://socket.dev/) documentation.
+
+> [!NOTE]
+> If you already use the Socket.dev firewall in a proxy service configuration you don't need to enable the firewall in
+> `mason.nvim`.
+
 ## Configuration
 
 > [`:h mason-settings`][help-mason-settings]
@@ -215,6 +249,18 @@ local DEFAULT_SETTINGS = {
         "github:mason-org/mason-system-registry",
     },
 
+    firewall = {
+        ---@since 2.3.0
+        -- Whether to enable the socket.dev firewall (sfw) for supported package sources.
+        -- For more information, refer to https://socket.dev.
+        enabled = false,
+
+        ---@since 2.3.0
+        -- Whether mason.nvim should automatically install and update the Socket Firewall client.
+        -- If false, the sfw binary must exist in PATH if the firewall is enabled.
+        auto_managed = true,
+    },
+
     ---@since 1.0.0
     -- The provider implementations to use for resolving supplementary package metadata (e.g., all available versions).
     -- Accepts multiple entries, where later entries will be used as fallback should prior providers fail.

doc/mason.txt

@@ -136,6 +136,33 @@ See also ~
     Launch an embedded terminal: |terminal|.
     Launch background jobs: |jobstart| & |uv.spawn()| (via |vim.loop|)
 
+==============================================================================
+MASON FIREWALL                                                *mason-firewall*
+
+`mason.nvim` supports the Socket.dev firewall. To enable the firewall, turn it
+on in the configuration:
+>lua
+    require("mason").setup {
+      firewall = {
+        enabled = true
+      }
+    }
+<
+
+By default, `mason.nvim` will automatically install and update the Socket
+Firewall client. If you want to manage the client manually, set `auto_managed`
+to `false` (this requires the `sfw` binary to be available in your `PATH`):
+>lua
+    require("mason").setup {
+      firewall = {
+        enabled = true,
+        auto_managed = false
+      }
+    }
+<
+
+For more information refer to the [Socket.dev](https://socket.dev/) documentation.
+
 ==============================================================================
 COMMANDS                                                      *mason-commands*
 
@@ -258,6 +285,18 @@ Example:
             "github:mason-org/mason-system-registry",
         },
 
+        firewall = {
+            ---@since 2.3.0
+            -- Whether to enable the socket.dev firewall (sfw) for supported package sources.
+            -- For more information, refer to https://socket.dev.
+            enabled = false,
+
+            ---@since 2.3.0
+            -- Whether mason.nvim should automatically install and update the Socket Firewall client.
+            -- If false, the sfw binary must exist in PATH if the firewall is enabled.
+            auto_managed = true,
+        },
+
         ---@since 1.0.0
         -- The provider implementations to use for resolving supplementary package metadata (e.g., all available versions).
         -- Accepts multiple entries, where later entries will be used as fallback should prior providers fail.

lua/mason-core/async/init.lua

@@ -78,7 +78,8 @@ local function new_execution_context(suspend_fn, callback, ...)
         if cancelled or not thread then
             return
         end
-        local ok, promise_or_result = co.resume(thread, ...)
+        local results = { co.resume(thread, ...) }
+        local ok, promise_or_result = results[1], results[2]
         if cancelled or not thread then
             return
         end
@@ -88,7 +89,7 @@ local function new_execution_context(suspend_fn, callback, ...)
                     promise_or_result(step)
                 else
                     -- yield to parent coroutine
-                    step(coroutine.yield(promise_or_result))
+                    step(coroutine.yield(promise_or_result, unpack(results, 3)))
                 end
             else
                 callback(true, promise_or_result)

lua/mason-core/installer/InstallHandle.lua

@@ -20,21 +20,24 @@ local uv = vim.loop
 ---@field pid integer
 ---@field cmd string
 ---@field args string[]
+---@field firewall boolean
 local InstallHandleSpawnHandle = {}
 InstallHandleSpawnHandle.__index = InstallHandleSpawnHandle
 
 ---@param luv_handle luv_handle
 ---@param pid integer
 ---@param cmd string
 ---@param args string[]
-function InstallHandleSpawnHandle:new(luv_handle, pid, cmd, args)
+---@param firewall boolean
+function InstallHandleSpawnHandle:new(luv_handle, pid, cmd, args, firewall)
     ---@type InstallHandleSpawnHandle
     local instance = {}
     setmetatable(instance, InstallHandleSpawnHandle)
     instance.uv_handle = luv_handle
     instance.pid = pid
     instance.cmd = cmd
     instance.args = args
+    instance.firewall = firewall
     return instance
 end
 
@@ -73,8 +76,9 @@ end
 ---@param pid integer
 ---@param cmd string
 ---@param args string[]
-function InstallHandle:register_spawn_handle(luv_handle, pid, cmd, args)
-    local spawn_handles = InstallHandleSpawnHandle:new(luv_handle, pid, cmd, args)
+---@param firewall boolean
+function InstallHandle:register_spawn_handle(luv_handle, pid, cmd, args, firewall)
+    local spawn_handles = InstallHandleSpawnHandle:new(luv_handle, pid, cmd, args, firewall)
     log.fmt_trace("Pushing spawn_handles stack for %s: %s (pid: %s)", self, spawn_handles, pid)
     self.spawn_handles[#self.spawn_handles + 1] = spawn_handles
     self:emit "spawn_handles:change"

lua/mason-core/installer/InstallRunner.lua

@@ -39,7 +39,14 @@ function InstallRunner:execute(opts, callback)
     local handle = self.handle
     log.fmt_info("Executing installer for %s %s", handle.package, opts)
 
-    local context = InstallContext:new(handle, opts)
+    local context = InstallContext:new(handle, opts, {
+        suspend = function()
+            self:suspend()
+        end,
+        resume = function()
+            self:resume()
+        end,
+    })
 
     local tailed_output = {}
 
@@ -212,6 +219,20 @@ function InstallRunner:acquire_permit()
     return Result.success(channel)
 end
 
+function InstallRunner:suspend()
+    if self.global_permit then
+        self.global_permit:forget()
+        self.global_permit = nil
+    end
+end
+
+---@async
+function InstallRunner:resume()
+    self.handle:set_state "QUEUED"
+    self.global_permit = self.global_semaphore:acquire()
+    self.handle:set_state "ACTIVE"
+end
+
 ---@private
 function InstallRunner:release_permit()
     if self.global_permit then

lua/mason-core/installer/context/InstallContextSpawn.lua

@@ -22,15 +22,15 @@ end
 
 ---@param cmd string
 function InstallContextSpawn:__index(cmd)
-    ---@param args JobSpawnOpts
+    ---@param args SpawnArgs
     return function(args)
         args.cwd = args.cwd or self.cwd:get()
         args.stdio_sink = args.stdio_sink or self.handle.stdio_sink
         local on_spawn = args.on_spawn
         local captured_handle
         args.on_spawn = function(handle, stdio, pid, ...)
             captured_handle = handle
-            self.handle:register_spawn_handle(handle, pid, cmd, spawn._flatten_cmd_args(args))
+            self.handle:register_spawn_handle(handle, pid, cmd, spawn._flatten_cmd_args(args), args.firewall == true)
             if on_spawn then
                 on_spawn(handle, stdio, pid, ...)
             end

lua/mason-core/installer/context/init.lua

@@ -21,19 +21,22 @@ local receipt = require "mason-core.receipt"
 ---@field cwd InstallContextCwd
 ---@field opts PackageInstallOpts
 ---@field stdio_sink StdioSink
+---@field runner { suspend: fun(), resume: async fun() }
 ---@field links { bin: table<string, string>, share: table<string, string>, opt: table<string, string> }
 local InstallContext = {}
 InstallContext.__index = InstallContext
 
 ---@param handle InstallHandle
 ---@param opts PackageInstallOpts
-function InstallContext:new(handle, opts)
+---@param runner { suspend: fun(), resume: async fun() }
+function InstallContext:new(handle, opts, runner)
     local cwd = InstallContextCwd:new(handle)
     local spawn = InstallContextSpawn:new(handle, cwd, false)
     local fs = InstallContextFs:new(cwd)
     return setmetatable({
         cwd = cwd,
         spawn = spawn,
+        runner = runner,
         handle = handle,
         location = handle.location, -- for convenience
         package = handle.package, -- for convenience
@@ -264,6 +267,7 @@ function InstallContext:link_bin(executable, rel_path)
 end
 
 InstallContext.CONTEXT_REQUEST = {}
+InstallContext.ABORT = {}
 
 ---@generic T
 ---@param fn fun(context: InstallContext): T
@@ -277,14 +281,17 @@ function InstallContext:execute(fn)
     local step
     local ret_val
     step = function(...)
-        local ok, result = coroutine.resume(thread, ...)
+        local results = { coroutine.resume(thread, ...) }
+        local ok, result = results[1], results[2]
         if not ok then
             error(result, 0)
         elseif result == InstallContext.CONTEXT_REQUEST then
             step(self)
+        elseif result == InstallContext.ABORT then
+            ret_val = Result.failure(results[3])
         elseif coroutine.status(thread) == "suspended" then
             -- yield to parent coroutine
-            step(coroutine.yield(result))
+            step(coroutine.yield(result, unpack(results, 3)))
         else
             ret_val = result
         end
@@ -293,6 +300,31 @@ function InstallContext:execute(fn)
     return ret_val
 end
 
+---@async
+---@param system_pkg SystemPackage
+function InstallContext:require(system_pkg)
+    local result = Result.try(function(try)
+        if try(system_pkg:needs_install()) then
+            self.stdio_sink:stdout("Installing dependency " .. system_pkg.name .. ".\n")
+            self.runner.suspend()
+            try(system_pkg:install():on_failure(function()
+                if self.opts.force then
+                    self.runner.resume()
+                end
+            end))
+            self.runner.resume()
+        end
+    end)
+    if result:is_failure() then
+        if not self.opts.force then
+            self.stdio_sink:stderr "Run with :MasonInstall --force to attempt installation anyway.\n"
+            coroutine.yield(InstallContext.ABORT, result:err_or_nil())
+        else
+            self.stdio_sink:stderr(result:err_or_nil() .. "\n")
+        end
+    end
+end
+
 ---@async
 function InstallContext:build_receipt()
     log.fmt_debug("Building receipt for %s", self.package)

lua/mason-core/installer/managers/cargo.lua

@@ -1,4 +1,5 @@
 local Result = require "mason-core.result"
+local SystemPackage = require "mason-core.system-package"
 local _ = require "mason-core.functional"
 local installer = require "mason-core.installer"
 local log = require "mason-core.log"
@@ -15,6 +16,7 @@ function M.install(crate, version, opts)
     opts = opts or {}
     log.fmt_debug("cargo: install %s %s %s", crate, version, opts)
     local ctx = installer.context()
+    ctx:require(SystemPackage.sfw)
     ctx.stdio_sink:stdout(("Installing crate %s@%s…\n"):format(crate, version))
     return ctx.spawn.cargo {
         "install",
@@ -29,6 +31,7 @@ function M.install(crate, version, opts)
         opts.features and { "--features", opts.features } or vim.NIL,
         opts.locked and "--locked" or vim.NIL,
         crate,
+        firewall = true,
     }
 end
 

lua/mason-core/installer/managers/npm.lua

@@ -1,4 +1,5 @@
 local Result = require "mason-core.result"
+local SystemPackage = require "mason-core.system-package"
 local _ = require "mason-core.functional"
 local installer = require "mason-core.installer"
 local log = require "mason-core.log"
@@ -62,12 +63,14 @@ function M.install(pkg, version, opts)
     opts = opts or {}
     log.fmt_debug("npm: install %s %s %s", pkg, version, opts)
     local ctx = installer.context()
+    ctx:require(SystemPackage.sfw)
     ctx.stdio_sink:stdout(("Installing npm package %s@%s…\n"):format(pkg, version))
     return ctx.spawn.npm {
         "install",
         ("%s@%s"):format(pkg, version),
         opts.extra_packages or vim.NIL,
         opts.install_extra_args or vim.NIL,
+        firewall = true,
     }
 end
 

lua/mason-core/installer/managers/pypi.lua

@@ -1,5 +1,6 @@
 local Optional = require "mason-core.optional"
 local Result = require "mason-core.result"
+local SystemPackage = require "mason-core.system-package"
 local _ = require "mason-core.functional"
 local a = require "mason-core.async"
 local installer = require "mason-core.installer"
@@ -173,6 +174,8 @@ end
 ---@param pkgs string[]
 ---@param extra_args? string[]
 local function pip_install(pkgs, extra_args)
+    local ctx = installer.context()
+    ctx:require(SystemPackage.sfw)
     return venv_python {
         "-m",
         "pip",
@@ -182,6 +185,7 @@ local function pip_install(pkgs, extra_args)
         "--ignore-installed",
         extra_args or vim.NIL,
         pkgs,
+        firewall = true,
     }
 end