[feat] Allow usage of Wix extensions (FirewallException etc)

[betamos]

Describe the problem

On Windows, apps are typically intercepted for a user prompt when they accept incoming network connections through TCP or UDP.

I have an app targeted toward non-technical users which does not work without this. My app's sidecar is the one that does the networking. I would like a way to suppress these warnings for the intended use.

Turns out that it's supported and fairly common to add firewall rules during install through Wix directives.

First, you need to reference the schema:

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">

Then you need to add your rules to something.. I nested it within a <File> tag for my sidecar binary, but there may be other options:

<File ...>
    <fire:FirewallException Id="ArbitraryId1" Name="App Name (TCP)" Profile="all" Protocol="tcp" Scope="any" IgnoreFailure="yes" />
    <fire:FirewallException Id="ArbitraryId2" Name="App Name (UDP)" Profile="all" Protocol="udp" Scope="any" IgnoreFailure="yes" />
</File>

Finally, both candle and light needs a flag to turn on the extension:

candle.exe -ext WixFirewallExtension [...]
light.exe -ext WixFirewallExtension [...]

Describe the solution you'd like

Unclear.. It doesn't seem realistic that tauri maintains a complex structure of different options in Wix, plist etc.
It may be smart to offer flexibility, since both firewall rules and my rules in particular are quite specific use cases.

1. For the light & candle flags, as well as the schema parts:
   a. Perhaps it's possible to simply enable all extensions by default? Or
   b. Offer a way to add wix extensions through the WixConfig object.
2. For the actual directives:
   a. Perhaps WixConfig.fragmentPaths (or similar) already works today? It would need a way to reference template variables (the sidecar binary in my case). I don't know how to do that.
   b. Override the wsx template entirely (works today, but requires more maintenance)

Alternatives considered

No response

Additional context

No response

[feoff3]

Upvote. I want to use a difx extension for WiX to manipulate system drivers.

[lucasfernog]

With #4656 this is the fragment i'm using to set a firewall exception:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">
  <Fragment>
    <DirectoryRef Id="TARGETDIR">
      <Component Id="FirewallExceptions" Guid="de95bf40-7d9c-4ee6-8c47-1a06f3b7ebe3">
        <fire:FirewallException Id="ArbitraryId1" Name="App Name (TCP)" Program="[!Path]" Profile="all" Protocol="tcp" Scope="any" />
      </Component>
    </DirectoryRef>
  </Fragment>
</Wix>

and the tauri.conf.json:

{
  "tauri": {
    "bundle": {
      "windows": {
        "wix": {
          "fragmentPaths": ["./frag.wxs"],
          "componentRefs": ["FirewallExceptions"]
        } 
      }
    }
  }
}

This adds the rule to the main binary (Path id). I'll change the bundler to produce a known ID too - right now it's a random GUID.

[betamos]

For anyone else: my sidecar is named pld which becomes pld.exe on Windows, with externalBin": ["../build/pld"] in tauri.conf.json.

The prefix of the file id is Bin_, so I tried a few different permutations:

• File="Bin_pld.exe" (best)
• Program="[#Bin_pld.exe]" (works too)
• Program="pld.exe" (doesn't work because it needs the full abs path with C:...)

If you need to reference the main binary, you can use File="Path" instead (a bit non-descriptive name, but I just checked and it works for me).

My frag.wxs:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:fire="http://schemas.microsoft.com/wix/FirewallExtension">
  <Fragment>
    <DirectoryRef Id="TARGETDIR">
      <Component Id="FirewallExceptions" Guid="de95bf40-7d9c-4ee6-8c47-1a06f3b7ebe3">
        <fire:FirewallException Id="PayloadAgentTCP" File="Bin_pld.exe" Name="Payload (TCP)" Profile="all" Protocol="tcp" Scope="any" IgnoreFailure="yes" />
        <fire:FirewallException Id="PayloadAgentUDP" File="Bin_pld.exe" Name="Payload (UDP)" Profile="all" Protocol="udp" Scope="any" IgnoreFailure="yes" />
      </Component>
    </DirectoryRef>
  </Fragment>
</Wix>

Obligatory 2 year late thanks and much love to Lucas for fixing such an esoteric issue. Hope more people have use for it.