func (s *FirstBootTestSuite) SetUpTest(c *C) {
tempdir := c.MkDir()
dirs.SetRootDir(tempdir)
// mock the world!
err := os.MkdirAll(filepath.Join(dirs.SnapSeedDir, "snaps"), 0755)
c.Assert(err, IsNil)
err = os.MkdirAll(filepath.Join(dirs.SnapSeedDir, "assertions"), 0755)
c.Assert(err, IsNil)
err = os.MkdirAll(dirs.SnapServicesDir, 0755)
c.Assert(err, IsNil)
os.Setenv("SNAPPY_SQUASHFS_UNPACK_FOR_TESTS", "1")
s.systemctl = testutil.MockCommand(c, "systemctl", "")
s.mockUdevAdm = testutil.MockCommand(c, "udevadm", "")
err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), nil, 0644)
c.Assert(err, IsNil)
rootPrivKey, _ := assertstest.GenerateKey(1024)
storePrivKey, _ := assertstest.GenerateKey(752)
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
s.restore = sysdb.InjectTrusted(s.storeSigning.Trusted)
s.brandPrivKey, _ = assertstest.GenerateKey(752)
s.brandSigning = assertstest.NewSigningDB("my-brand", s.brandPrivKey)
ovld, err := overlord.New()
c.Assert(err, IsNil)
s.overlord = ovld
}
func (s *assertMgrSuite) SetUpTest(c *C) {
dirs.SetRootDir(c.MkDir())
rootPrivKey, _ := assertstest.GenerateKey(1024)
storePrivKey, _ := assertstest.GenerateKey(752)
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
s.restore = sysdb.InjectTrusted(s.storeSigning.Trusted)
dev1PrivKey, _ := assertstest.GenerateKey(752)
s.dev1Acct = assertstest.NewAccount(s.storeSigning, "developer1", nil, "")
err := s.storeSigning.Add(s.dev1Acct)
c.Assert(err, IsNil)
// developer signing
dev1AcctKey := assertstest.NewAccountKey(s.storeSigning, s.dev1Acct, nil, dev1PrivKey.PublicKey(), "")
err = s.storeSigning.Add(dev1AcctKey)
c.Assert(err, IsNil)
s.dev1Signing = assertstest.NewSigningDB(s.dev1Acct.AccountID(), dev1PrivKey)
s.state = state.New(nil)
mgr, err := assertstate.Manager(s.state)
c.Assert(err, IsNil)
s.mgr = mgr
s.state.Lock()
snapstate.ReplaceStore(s.state, &fakeStore{
state: s.state,
db: s.storeSigning,
})
s.state.Unlock()
}
func (sdbs *sysDBSuite) SetUpTest(c *C) {
tmpdir := c.MkDir()
pk, _ := assertstest.GenerateKey(752)
signingDB := assertstest.NewSigningDB("can0nical", pk)
trustedAcct := assertstest.NewAccount(signingDB, "can0nical", map[string]interface{}{
"account-id": "can0nical",
"validation": "certified",
"timestamp": "2015-11-20T15:04:00Z",
}, "")
trustedAccKey := assertstest.NewAccountKey(signingDB, trustedAcct, map[string]interface{}{
"account-id": "can0nical",
"since": "2015-11-20T15:04:00Z",
"until": "2500-11-20T15:04:00Z",
}, pk.PublicKey(), "")
sdbs.extraTrusted = []asserts.Assertion{trustedAcct, trustedAccKey}
fakeRoot := filepath.Join(tmpdir, "root")
err := os.Mkdir(fakeRoot, os.ModePerm)
c.Assert(err, IsNil)
dirs.SetRootDir(fakeRoot)
sdbs.probeAssert = assertstest.NewAccount(signingDB, "probe", nil, "")
}
func setup3rdPartySigning(c *C, username string, storeDB *assertstest.SigningDB, checkDB *asserts.Database) (signingDB *assertstest.SigningDB) {
privKey := testPrivKey2
acct := assertstest.NewAccount(storeDB, username, map[string]interface{}{
"account-id": username,
}, "")
accKey := assertstest.NewAccountKey(storeDB, acct, nil, privKey.PublicKey(), "")
err := checkDB.Add(acct)
c.Assert(err, IsNil)
err = checkDB.Add(accKey)
c.Assert(err, IsNil)
return assertstest.NewSigningDB(acct.AccountID(), privKey)
}
func (aks *accountKeySuite) TestAccountKeyCheckUntrustedAuthority(c *C) {
trustedKey := testPrivKey0
db := aks.openDB(c)
storeDB := assertstest.NewSigningDB("canonical", trustedKey)
otherDB := setup3rdPartySigning(c, "other", storeDB, db)
headers := map[string]interface{}{
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := otherDB.Sign(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), "")
c.Assert(err, IsNil)
err = db.Check(accKey)
c.Assert(err, ErrorMatches, `account-key assertion for "acc-id1" is not signed by a directly trusted authority:.*`)
}
func (s *imageSuite) SetUpTest(c *C) {
s.root = c.MkDir()
s.bootloader = boottest.NewMockBootloader("grub", c.MkDir())
partition.ForceBootloader(s.bootloader)
s.stdout = bytes.NewBuffer(nil)
image.Stdout = s.stdout
s.downloadedSnaps = make(map[string]string)
s.storeSnapInfo = make(map[string]*snap.Info)
rootPrivKey, _ := assertstest.GenerateKey(1024)
storePrivKey, _ := assertstest.GenerateKey(752)
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
brandPrivKey, _ := assertstest.GenerateKey(752)
s.brandSigning = assertstest.NewSigningDB("my-brand", brandPrivKey)
brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
s.storeSigning.Add(brandAcct)
brandAccKey := assertstest.NewAccountKey(s.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
s.storeSigning.Add(brandAccKey)
model, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
"series": "16",
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"architecture": "amd64",
"gadget": "pc",
"kernel": "pc-kernel",
"required-snaps": []interface{}{"required-snap1"},
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
s.model = model.(*asserts.Model)
}
func (ms *mgrsSuite) TestInstallKernelSnapUpdatesBootloader(c *C) {
bootloader := boottest.NewMockBootloader("mock", c.MkDir())
partition.ForceBootloader(bootloader)
defer partition.ForceBootloader(nil)
restore := release.MockOnClassic(false)
defer restore()
brandAcct := assertstest.NewAccount(ms.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
brandAccKey := assertstest.NewAccountKey(ms.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
brandSigning := assertstest.NewSigningDB("my-brand", brandPrivKey)
model, err := brandSigning.Sign(asserts.ModelType, map[string]interface{}{
"series": "16",
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"architecture": "amd64",
"store": "my-brand-store-id",
"gadget": "gadget",
"kernel": "krnl",
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
const packageKernel = `
name: krnl
version: 4.0-1
type: kernel`
files := [][]string{
{"kernel.img", "I'm a kernel"},
{"initrd.img", "...and I'm an initrd"},
{"meta/kernel.yaml", "version: 4.2"},
}
snapPath := snaptest.MakeTestSnapWithFiles(c, packageKernel, files)
st := ms.o.State()
st.Lock()
defer st.Unlock()
// setup model assertion
err = assertstate.Add(st, ms.storeSigning.StoreAccountKey(""))
c.Assert(err, IsNil)
err = assertstate.Add(st, brandAcct)
c.Assert(err, IsNil)
err = assertstate.Add(st, brandAccKey)
c.Assert(err, IsNil)
auth.SetDevice(st, &auth.DeviceState{
Brand: "my-brand",
Model: "my-model",
})
err = assertstate.Add(st, model)
c.Assert(err, IsNil)
ts, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "krnl"}, snapPath, "", snapstate.Flags{})
c.Assert(err, IsNil)
chg := st.NewChange("install-snap", "...")
chg.AddAll(ts)
st.Unlock()
err = ms.o.Settle()
st.Lock()
c.Assert(err, IsNil)
c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("install-snap change failed with: %v", chg.Err()))
c.Assert(bootloader.BootVars, DeepEquals, map[string]string{
"snap_try_kernel": "krnl_x1.snap",
"snap_mode": "try",
})
}
func (ms *mgrsSuite) TestHappyRefreshControl(c *C) {
// test install through store and update, plus some mechanics
// of update
// TODO: ok to split if it gets too messy to maintain
ms.prereqSnapAssertions(c)
snapYamlContent := `name: foo
version: @VERSION@
`
ver := "1.0"
revno := "42"
snapPath, _ := ms.makeStoreTestSnap(c, strings.Replace(snapYamlContent, "@VERSION@", ver, -1), revno)
ms.serveSnap(snapPath, revno)
mockServer := ms.mockStore(c)
defer mockServer.Close()
st := ms.o.State()
st.Lock()
defer st.Unlock()
ts, err := snapstate.Install(st, "foo", "stable", snap.R(0), 0, snapstate.Flags{})
c.Assert(err, IsNil)
chg := st.NewChange("install-snap", "...")
chg.AddAll(ts)
st.Unlock()
err = ms.o.Settle()
st.Lock()
c.Assert(err, IsNil)
c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("install-snap change failed with: %v", chg.Err()))
info, err := snapstate.CurrentInfo(st, "foo")
c.Assert(err, IsNil)
c.Check(info.Revision, Equals, snap.R(42))
// Refresh
// Setup refresh control
headers := map[string]interface{}{
"series": "16",
"snap-id": "bar-id",
"snap-name": "bar",
"publisher-id": "devdevdev",
"refresh-control": []interface{}{fooSnapID},
"timestamp": time.Now().Format(time.RFC3339),
}
snapDeclBar, err := ms.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
c.Assert(err, IsNil)
err = ms.storeSigning.Add(snapDeclBar)
c.Assert(err, IsNil)
err = assertstate.Add(st, snapDeclBar)
c.Assert(err, IsNil)
snapstate.Set(st, "bar", &snapstate.SnapState{
Active: true,
Sequence: []*snap.SideInfo{
{RealName: "bar", SnapID: "bar-id", Revision: snap.R(1)},
},
Current: snap.R(1),
SnapType: "app",
})
develSigning := assertstest.NewSigningDB("devdevdev", develPrivKey)
develAccKey := assertstest.NewAccountKey(ms.storeSigning, ms.devAcct, nil, develPrivKey.PublicKey(), "")
err = ms.storeSigning.Add(develAccKey)
c.Assert(err, IsNil)
ver = "2.0"
revno = "50"
snapPath, _ = ms.makeStoreTestSnap(c, strings.Replace(snapYamlContent, "@VERSION@", ver, -1), revno)
ms.serveSnap(snapPath, revno)
updated, tss, err := snapstate.UpdateMany(st, []string{"foo"}, 0)
c.Check(updated, IsNil)
c.Check(tss, IsNil)
// no validation we, get an error
c.Check(err, ErrorMatches, `cannot refresh "foo" to revision 50: no validation by "bar"`)
// setup validation
headers = map[string]interface{}{
"series": "16",
"snap-id": "bar-id",
"approved-snap-id": fooSnapID,
"approved-snap-revision": "50",
"timestamp": time.Now().Format(time.RFC3339),
}
barValidation, err := develSigning.Sign(asserts.ValidationType, headers, nil, "")
c.Assert(err, IsNil)
err = ms.storeSigning.Add(barValidation)
c.Assert(err, IsNil)
// ... and try again
updated, tss, err = snapstate.UpdateMany(st, []string{"foo"}, 0)
c.Assert(err, IsNil)
c.Assert(updated, DeepEquals, []string{"foo"})
c.Assert(tss, HasLen, 1)
chg = st.NewChange("upgrade-snaps", "...")
chg.AddAll(tss[0])
st.Unlock()
err = ms.o.Settle()
st.Lock()
c.Assert(err, IsNil)
c.Assert(chg.Err(), IsNil)
c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("upgrade-snap change failed with: %v", chg.Err()))
info, err = snapstate.CurrentInfo(st, "foo")
c.Assert(err, IsNil)
c.Check(info.Revision, Equals, snap.R(50))
}
func (s *authContextSetupSuite) SetUpTest(c *C) {
tempdir := c.MkDir()
dirs.SetRootDir(tempdir)
err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
c.Assert(err, IsNil)
captureAuthContext := func(_ *store.Config, ac auth.AuthContext) *store.Store {
s.ac = ac
return nil
}
r := overlord.MockStoreNew(captureAuthContext)
defer r()
s.storeSigning = assertstest.NewStoreStack("can0nical", rootPrivKey, storePrivKey)
s.restoreTrusted = sysdb.InjectTrusted(s.storeSigning.Trusted)
s.brandSigning = assertstest.NewSigningDB("my-brand", brandPrivKey)
brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
"account-id": "my-brand",
"verification": "certified",
}, "")
s.storeSigning.Add(brandAcct)
brandAccKey := assertstest.NewAccountKey(s.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
s.storeSigning.Add(brandAccKey)
model, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
"series": "16",
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"architecture": "amd64",
"store": "my-brand-store-id",
"gadget": "pc",
"kernel": "pc-kernel",
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
s.model = model.(*asserts.Model)
encDevKey, err := asserts.EncodePublicKey(deviceKey.PublicKey())
c.Assert(err, IsNil)
serial, err := s.brandSigning.Sign(asserts.SerialType, map[string]interface{}{
"authority-id": "my-brand",
"brand-id": "my-brand",
"model": "my-model",
"serial": "7878",
"device-key": string(encDevKey),
"device-key-sha3-384": deviceKey.PublicKey().ID(),
"timestamp": time.Now().Format(time.RFC3339),
}, nil, "")
c.Assert(err, IsNil)
s.serial = serial.(*asserts.Serial)
o, err := overlord.New()
c.Assert(err, IsNil)
s.o = o
st := o.State()
st.Lock()
defer st.Unlock()
prereqs := []asserts.Assertion{s.storeSigning.StoreAccountKey(""), brandAcct, brandAccKey}
for _, a := range prereqs {
err = assertstate.Add(st, a)
c.Assert(err, IsNil)
}
}
