func (s *assertMgrSuite) SetUpTest(c *C) {
dirs.SetRootDir(c.MkDir())
rootPrivKey, _ := assertstest.GenerateKey(1024)
storePrivKey, _ := assertstest.GenerateKey(752)
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
s.restore = sysdb.InjectTrusted(s.storeSigning.Trusted)
dev1PrivKey, _ := assertstest.GenerateKey(752)
s.dev1Acct = assertstest.NewAccount(s.storeSigning, "developer1", nil, "")
err := s.storeSigning.Add(s.dev1Acct)
c.Assert(err, IsNil)
// developer signing
dev1AcctKey := assertstest.NewAccountKey(s.storeSigning, s.dev1Acct, nil, dev1PrivKey.PublicKey(), "")
err = s.storeSigning.Add(dev1AcctKey)
c.Assert(err, IsNil)
s.dev1Signing = assertstest.NewSigningDB(s.dev1Acct.AccountID(), dev1PrivKey)
s.state = state.New(nil)
mgr, err := assertstate.Manager(s.state)
c.Assert(err, IsNil)
s.mgr = mgr
s.state.Lock()
snapstate.ReplaceStore(s.state, &fakeStore{
state: s.state,
db: s.storeSigning,
})
s.state.Unlock()
}
func (safs *signAddFindSuite) TestFindFindsTrustedAccountKeys(c *C) {
pk1 := testPrivKey1
acct1 := assertstest.NewAccount(safs.signingDB, "acc-id1", map[string]interface{}{
"authority-id": "canonical",
}, safs.signingKeyID)
acct1Key := assertstest.NewAccountKey(safs.signingDB, acct1, map[string]interface{}{
"authority-id": "canonical",
}, pk1.PublicKey(), safs.signingKeyID)
err := safs.db.Add(acct1)
c.Assert(err, IsNil)
err = safs.db.Add(acct1Key)
c.Assert(err, IsNil)
// find the trusted key as well
tKey, err := safs.db.Find(asserts.AccountKeyType, map[string]string{
"account-id": "canonical",
"public-key-sha3-384": safs.signingKeyID,
})
c.Assert(err, IsNil)
c.Assert(tKey.(*asserts.AccountKey).AccountID(), Equals, "canonical")
c.Assert(tKey.(*asserts.AccountKey).PublicKeyID(), Equals, safs.signingKeyID)
// find trusted and indirectly trusted
accKeys, err := safs.db.FindMany(asserts.AccountKeyType, nil)
c.Assert(err, IsNil)
c.Check(accKeys, HasLen, 2)
}
func (sdbs *sysDBSuite) SetUpTest(c *C) {
tmpdir := c.MkDir()
pk, _ := assertstest.GenerateKey(752)
signingDB := assertstest.NewSigningDB("can0nical", pk)
trustedAcct := assertstest.NewAccount(signingDB, "can0nical", map[string]interface{}{
"account-id": "can0nical",
"validation": "certified",
"timestamp": "2015-11-20T15:04:00Z",
}, "")
trustedAccKey := assertstest.NewAccountKey(signingDB, trustedAcct, map[string]interface{}{
"account-id": "can0nical",
"since": "2015-11-20T15:04:00Z",
"until": "2500-11-20T15:04:00Z",
}, pk.PublicKey(), "")
sdbs.extraTrusted = []asserts.Assertion{trustedAcct, trustedAccKey}
fakeRoot := filepath.Join(tmpdir, "root")
err := os.Mkdir(fakeRoot, os.ModePerm)
c.Assert(err, IsNil)
dirs.SetRootDir(fakeRoot)
sdbs.probeAssert = assertstest.NewAccount(signingDB, "probe", nil, "")
}
func setup3rdPartySigning(c *C, username string, storeDB *assertstest.SigningDB, checkDB *asserts.Database) (signingDB *assertstest.SigningDB) {
privKey := testPrivKey2
acct := assertstest.NewAccount(storeDB, username, map[string]interface{}{
"account-id": username,
}, "")
accKey := assertstest.NewAccountKey(storeDB, acct, nil, privKey.PublicKey(), "")
err := checkDB.Add(acct)
c.Assert(err, IsNil)
err = checkDB.Add(accKey)
c.Assert(err, IsNil)
return assertstest.NewSigningDB(acct.AccountID(), privKey)
}
func (gkms *gpgKeypairMgrSuite) TestUseInSigning(c *C) {
store := assertstest.NewStoreStack("trusted", testPrivKey0, testPrivKey1)
devKey, err := gkms.keypairMgr.Get(assertstest.DevKeyID)
c.Assert(err, IsNil)
devAcct := assertstest.NewAccount(store, "devel1", map[string]interface{}{
"account-id": "dev1-id",
}, "")
devAccKey := assertstest.NewAccountKey(store, devAcct, nil, devKey.PublicKey(), "")
signDB, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
KeypairManager: gkms.keypairMgr,
})
c.Assert(err, IsNil)
checkDB, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
Backstore: asserts.NewMemoryBackstore(),
Trusted: store.Trusted,
})
c.Assert(err, IsNil)
// add store key
err = checkDB.Add(store.StoreAccountKey(""))
c.Assert(err, IsNil)
// enable devel key
err = checkDB.Add(devAcct)
c.Assert(err, IsNil)
err = checkDB.Add(devAccKey)
c.Assert(err, IsNil)
headers := map[string]interface{}{
"authority-id": "dev1-id",
"snap-sha3-384": blobSHA3_384,
"snap-id": "snap-id-1",
"grade": "devel",
"snap-size": "1025",
"timestamp": time.Now().Format(time.RFC3339),
}
snapBuild, err := signDB.Sign(asserts.SnapBuildType, headers, nil, assertstest.DevKeyID)
c.Assert(err, IsNil)
err = checkDB.Check(snapBuild)
c.Check(err, IsNil)
}
func (safs *signAddFindSuite) TestFindTrusted(c *C) {
pk1 := testPrivKey1
acct1 := assertstest.NewAccount(safs.signingDB, "acc-id1", map[string]interface{}{
"authority-id": "canonical",
}, safs.signingKeyID)
acct1Key := assertstest.NewAccountKey(safs.signingDB, acct1, map[string]interface{}{
"authority-id": "canonical",
}, pk1.PublicKey(), safs.signingKeyID)
err := safs.db.Add(acct1)
c.Assert(err, IsNil)
err = safs.db.Add(acct1Key)
c.Assert(err, IsNil)
// find the trusted account
tAcct, err := safs.db.FindTrusted(asserts.AccountType, map[string]string{
"account-id": "canonical",
})
c.Assert(err, IsNil)
c.Assert(tAcct.(*asserts.Account).AccountID(), Equals, "canonical")
// find the trusted key
tKey, err := safs.db.FindTrusted(asserts.AccountKeyType, map[string]string{
"account-id": "canonical",
"public-key-sha3-384": safs.signingKeyID,
})
c.Assert(err, IsNil)
c.Assert(tKey.(*asserts.AccountKey).AccountID(), Equals, "canonical")
c.Assert(tKey.(*asserts.AccountKey).PublicKeyID(), Equals, safs.signingKeyID)
// doesn't find not trusted assertions
_, err = safs.db.FindTrusted(asserts.AccountType, map[string]string{
"account-id": acct1.AccountID(),
})
c.Check(err, Equals, asserts.ErrNotFound)
_, err = safs.db.FindTrusted(asserts.AccountKeyType, map[string]string{
"account-id": acct1.AccountID(),
"public-key-sha3-384": acct1Key.PublicKeyID(),
})
c.Check(err, Equals, asserts.ErrNotFound)
}
func (s *FirstBootTestSuite) makeModelAssertionChain(c *C) []asserts.Assertion {
assertChain := []asserts.Assertion{}
brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
assertChain = append(assertChain, brandAcct)
brandAccKey := assertstest.NewAccountKey(s.storeSigning, brandAcct, nil, s.brandPrivKey.PublicKey(), "")
assertChain = append(assertChain, brandAccKey)
model := s.makeModelAssertion(c, "my-model")
assertChain = append(assertChain, model)
storeAccountKey := s.storeSigning.StoreAccountKey("")
assertChain = append(assertChain, storeAccountKey)
return assertChain
}
func (s *imageSuite) SetUpTest(c *C) {
s.root = c.MkDir()
s.bootloader = boottest.NewMockBootloader("grub", c.MkDir())
partition.ForceBootloader(s.bootloader)
s.stdout = bytes.NewBuffer(nil)
image.Stdout = s.stdout
s.downloadedSnaps = make(map[string]string)
s.storeSnapInfo = make(map[string]*snap.Info)
rootPrivKey, _ := assertstest.GenerateKey(1024)
storePrivKey, _ := assertstest.GenerateKey(752)
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
brandPrivKey, _ := assertstest.GenerateKey(752)
s.brandSigning = assertstest.NewSigningDB("my-brand", brandPrivKey)
brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
s.storeSigning.Add(brandAcct)
brandAccKey := assertstest.NewAccountKey(s.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
s.storeSigning.Add(brandAccKey)
model, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
"series": "16",
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"architecture": "amd64",
"gadget": "pc",
"kernel": "pc-kernel",
"required-snaps": []interface{}{"required-snap1"},
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
s.model = model.(*asserts.Model)
}
func (ms *mgrsSuite) TestInstallKernelSnapUpdatesBootloader(c *C) {
bootloader := boottest.NewMockBootloader("mock", c.MkDir())
partition.ForceBootloader(bootloader)
defer partition.ForceBootloader(nil)
restore := release.MockOnClassic(false)
defer restore()
brandAcct := assertstest.NewAccount(ms.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
brandAccKey := assertstest.NewAccountKey(ms.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
brandSigning := assertstest.NewSigningDB("my-brand", brandPrivKey)
model, err := brandSigning.Sign(asserts.ModelType, map[string]interface{}{
"series": "16",
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"architecture": "amd64",
"store": "my-brand-store-id",
"gadget": "gadget",
"kernel": "krnl",
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
const packageKernel = `
name: krnl
version: 4.0-1
type: kernel`
files := [][]string{
{"kernel.img", "I'm a kernel"},
{"initrd.img", "...and I'm an initrd"},
{"meta/kernel.yaml", "version: 4.2"},
}
snapPath := snaptest.MakeTestSnapWithFiles(c, packageKernel, files)
st := ms.o.State()
st.Lock()
defer st.Unlock()
// setup model assertion
err = assertstate.Add(st, ms.storeSigning.StoreAccountKey(""))
c.Assert(err, IsNil)
err = assertstate.Add(st, brandAcct)
c.Assert(err, IsNil)
err = assertstate.Add(st, brandAccKey)
c.Assert(err, IsNil)
auth.SetDevice(st, &auth.DeviceState{
Brand: "my-brand",
Model: "my-model",
})
err = assertstate.Add(st, model)
c.Assert(err, IsNil)
ts, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "krnl"}, snapPath, "", snapstate.Flags{})
c.Assert(err, IsNil)
chg := st.NewChange("install-snap", "...")
chg.AddAll(ts)
st.Unlock()
err = ms.o.Settle()
st.Lock()
c.Assert(err, IsNil)
c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("install-snap change failed with: %v", chg.Err()))
c.Assert(bootloader.BootVars, DeepEquals, map[string]string{
"snap_try_kernel": "krnl_x1.snap",
"snap_mode": "try",
})
}
func (ms *mgrsSuite) TestHappyRefreshControl(c *C) {
// test install through store and update, plus some mechanics
// of update
// TODO: ok to split if it gets too messy to maintain
ms.prereqSnapAssertions(c)
snapYamlContent := `name: foo
version: @VERSION@
`
ver := "1.0"
revno := "42"
snapPath, _ := ms.makeStoreTestSnap(c, strings.Replace(snapYamlContent, "@VERSION@", ver, -1), revno)
ms.serveSnap(snapPath, revno)
mockServer := ms.mockStore(c)
defer mockServer.Close()
st := ms.o.State()
st.Lock()
defer st.Unlock()
ts, err := snapstate.Install(st, "foo", "stable", snap.R(0), 0, snapstate.Flags{})
c.Assert(err, IsNil)
chg := st.NewChange("install-snap", "...")
chg.AddAll(ts)
st.Unlock()
err = ms.o.Settle()
st.Lock()
c.Assert(err, IsNil)
c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("install-snap change failed with: %v", chg.Err()))
info, err := snapstate.CurrentInfo(st, "foo")
c.Assert(err, IsNil)
c.Check(info.Revision, Equals, snap.R(42))
// Refresh
// Setup refresh control
headers := map[string]interface{}{
"series": "16",
"snap-id": "bar-id",
"snap-name": "bar",
"publisher-id": "devdevdev",
"refresh-control": []interface{}{fooSnapID},
"timestamp": time.Now().Format(time.RFC3339),
}
snapDeclBar, err := ms.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
c.Assert(err, IsNil)
err = ms.storeSigning.Add(snapDeclBar)
c.Assert(err, IsNil)
err = assertstate.Add(st, snapDeclBar)
c.Assert(err, IsNil)
snapstate.Set(st, "bar", &snapstate.SnapState{
Active: true,
Sequence: []*snap.SideInfo{
{RealName: "bar", SnapID: "bar-id", Revision: snap.R(1)},
},
Current: snap.R(1),
SnapType: "app",
})
develSigning := assertstest.NewSigningDB("devdevdev", develPrivKey)
develAccKey := assertstest.NewAccountKey(ms.storeSigning, ms.devAcct, nil, develPrivKey.PublicKey(), "")
err = ms.storeSigning.Add(develAccKey)
c.Assert(err, IsNil)
ver = "2.0"
revno = "50"
snapPath, _ = ms.makeStoreTestSnap(c, strings.Replace(snapYamlContent, "@VERSION@", ver, -1), revno)
ms.serveSnap(snapPath, revno)
updated, tss, err := snapstate.UpdateMany(st, []string{"foo"}, 0)
c.Check(updated, IsNil)
c.Check(tss, IsNil)
// no validation we, get an error
c.Check(err, ErrorMatches, `cannot refresh "foo" to revision 50: no validation by "bar"`)
// setup validation
headers = map[string]interface{}{
"series": "16",
"snap-id": "bar-id",
"approved-snap-id": fooSnapID,
"approved-snap-revision": "50",
"timestamp": time.Now().Format(time.RFC3339),
}
barValidation, err := develSigning.Sign(asserts.ValidationType, headers, nil, "")
c.Assert(err, IsNil)
err = ms.storeSigning.Add(barValidation)
c.Assert(err, IsNil)
// ... and try again
updated, tss, err = snapstate.UpdateMany(st, []string{"foo"}, 0)
c.Assert(err, IsNil)
c.Assert(updated, DeepEquals, []string{"foo"})
c.Assert(tss, HasLen, 1)
chg = st.NewChange("upgrade-snaps", "...")
chg.AddAll(tss[0])
st.Unlock()
err = ms.o.Settle()
st.Lock()
c.Assert(err, IsNil)
c.Assert(chg.Err(), IsNil)
c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("upgrade-snap change failed with: %v", chg.Err()))
info, err = snapstate.CurrentInfo(st, "foo")
c.Assert(err, IsNil)
c.Check(info.Revision, Equals, snap.R(50))
}
func (s *authContextSetupSuite) SetUpTest(c *C) {
tempdir := c.MkDir()
dirs.SetRootDir(tempdir)
err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
c.Assert(err, IsNil)
captureAuthContext := func(_ *store.Config, ac auth.AuthContext) *store.Store {
s.ac = ac
return nil
}
r := overlord.MockStoreNew(captureAuthContext)
defer r()
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
s.restoreTrusted = sysdb.InjectTrusted(s.storeSigning.Trusted)
s.brandSigning = assertstest.NewSigningDB("my-brand", brandPrivKey)
brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
s.storeSigning.Add(brandAcct)
brandAccKey := assertstest.NewAccountKey(s.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
s.storeSigning.Add(brandAccKey)
model, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
"series": "16",
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"architecture": "amd64",
"store": "my-brand-store-id",
"gadget": "pc",
"kernel": "pc-kernel",
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
s.model = model.(*asserts.Model)
encDevKey, err := asserts.EncodePublicKey(deviceKey.PublicKey())
c.Assert(err, IsNil)
serial, err := s.brandSigning.Sign(asserts.SerialType, map[string]interface{}{
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"serial": "7878",
"device-key": string(encDevKey),
"device-key-sha3-384": deviceKey.PublicKey().ID(),
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
s.serial = serial.(*asserts.Serial)
o, err := overlord.New()
c.Assert(err, IsNil)
s.o = o
st := o.State()
st.Lock()
defer st.Unlock()
prereqs := []asserts.Assertion{s.storeSigning.StoreAccountKey(""), brandAcct, brandAccKey}
for _, a := range prereqs {
err = assertstate.Add(st, a)
c.Assert(err, IsNil)
}
}
