// CheckInterfaces checks whether plugs and slots of snap are allowed for installation.
//
// The decision itself is delegated to policy.InstallCandidate.Check, which is
// given the base declaration and, when the snap carries a SnapID, the matching
// snap-declaration. For a snap with an empty SnapID no snap-declaration is
// looked up and the candidate is checked with a nil SnapDeclaration.
//
// An error is returned when the base declaration or the snap-declaration
// cannot be found, or when Check rejects the candidate.
func CheckInterfaces(st *state.State, snapInfo *snap.Info) error {
	// XXX: AddImplicitSlots is really a brittle interface
	// NOTE(review): this is called on the caller's snapInfo before the policy
	// check; presumably it modifies snapInfo in place - confirm.
	snap.AddImplicitSlots(snapInfo)

	baseDecl, err := assertstate.BaseDeclaration(st)
	if err != nil {
		return fmt.Errorf("internal error: cannot find base declaration: %v", err)
	}

	candidate := policy.InstallCandidate{
		Snap:            snapInfo,
		BaseDeclaration: baseDecl,
	}

	// Only snaps that have a SnapID get a snap-declaration attached; for all
	// others the SnapDeclaration field keeps its nil zero value.
	if id := snapInfo.SnapID; id != "" {
		decl, declErr := assertstate.SnapDeclaration(st, id)
		if declErr != nil {
			return fmt.Errorf("cannot find snap declaration for %q: %v", snapInfo.Name(), declErr)
		}
		candidate.SnapDeclaration = decl
	}

	return candidate.Check()
}
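// TestOnClassicInstallation checks the "install-*-on-classic-distros" rules:
// a snap declaring such a slot or plug must be rejected when release.OnClassic
// is false and accepted when the system is mocked as classic with ID "debian".
//
// The rules themselves come from s.baseDecl, which is set up outside this
// function.
func (s *policySuite) TestOnClassicInstallation(c *C) {
	// The loop below assigns to the release globals directly; the two
	// deferred restore functions are what puts the original values back.
	r1 := release.MockOnClassic(false)
	defer r1()
	r2 := release.MockReleaseInfo(&release.ReleaseInfo)
	defer r2()

	tests := []struct {
		distro      string // "" => not classic
		installYaml string
		err         string // "" => no error
	}{
		{"", `name: install-snap
slots:
  install-slot-on-classic-distros:`, `installation not allowed by "install-slot-on-classic-distros" slot rule.*`},
		{"debian", `name: install-snap
slots:
  install-slot-on-classic-distros:`, ""},
		{"", `name: install-snap
plugs:
  install-plug-on-classic-distros:`, `installation not allowed by "install-plug-on-classic-distros" plug rule.*`},
		{"debian", `name: install-snap
plugs:
  install-plug-on-classic-distros:`, ""},
	}

	for _, t := range tests {
		if t.distro == "" {
			// Only the flag is cleared here; release.ReleaseInfo keeps
			// whatever a previous iteration assigned.
			release.OnClassic = false
		} else {
			release.OnClassic = true
			release.ReleaseInfo = release.OS{
				ID: t.distro,
			}
		}

		installSnap := snaptest.MockInfo(c, t.installYaml, nil)

		// No SnapDeclaration is set: only the base declaration is consulted.
		cand := policy.InstallCandidate{
			Snap:            installSnap,
			BaseDeclaration: s.baseDecl,
		}
		err := cand.Check()
		if t.err == "" {
			c.Check(err, IsNil)
		} else {
			c.Check(err, ErrorMatches, t.err)
		}
	}
}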
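// TestBaselineDefaultIsAllowInstallation checks that a snap whose slot and
// plug (random1, random2) are checked against s.baseDecl without any
// snap-declaration passes the installation check, i.e. the default outcome
// for these interfaces is "allow".
//
// NOTE(review): presumably s.baseDecl has no rule for random1/random2; it is
// defined outside this function - confirm.
func (s *policySuite) TestBaselineDefaultIsAllowInstallation(c *C) {
	installSnap := snaptest.MockInfo(c, `
name: install-slot-snap
slots:
  random1:
plugs:
  random2:
`, nil)

	cand := policy.InstallCandidate{
		Snap:            installSnap,
		BaseDeclaration: s.baseDecl,
	}

	c.Check(cand.Check(), IsNil)
}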
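// TestSnapDeclAllowDenyInstallation checks installation decisions when a
// snap-declaration carries its own allow-installation / deny-installation
// rules next to the base declaration.
//
// Each case provides the snap's YAML, the plugs/slots stanza spliced into a
// snap-declaration assertion, and the expected error pattern ("" for success).
// Judging by the interface names (base-allow-snap-deny, base-deny-snap-allow,
// ...), the cases pair a snap-declaration rule with the opposite default in
// s.baseDecl, which is defined outside this function - confirm there.
func (s *policySuite) TestSnapDeclAllowDenyInstallation(c *C) {
	tests := []struct {
		installYaml string
		plugsSlots  string
		expected    string // "" => no error
	}{
		{`name: install-snap
slots:
  install-slot-base-allow-snap-deny:
    have: yes # bool
`, `slots:
  install-slot-base-allow-snap-deny:
    deny-installation:
      slot-attributes:
        have: true
`, `installation denied by "install-slot-base-allow-snap-deny" slot rule of interface "install-slot-base-allow-snap-deny" for "install-snap" snap`},
		{`name: install-snap
slots:
  install-slot-base-allow-snap-not-allow:
    have: yes # bool
`, `slots:
  install-slot-base-allow-snap-not-allow:
    allow-installation:
      slot-attributes:
        have: false
`, `installation not allowed by "install-slot-base-allow-snap-not-allow" slot rule of interface "install-slot-base-allow-snap-not-allow" for "install-snap" snap`},
		{`name: install-snap
slots:
  install-slot-base-deny-snap-allow:
    have: yes
`, `slots:
  install-slot-base-deny-snap-allow:
    allow-installation: true
`, ""},
		{`name: install-snap
plugs:
  install-plug-base-allow-snap-deny:
    attr: give-me
`, `plugs:
  install-plug-base-allow-snap-deny:
    deny-installation:
      plug-attributes:
        attr: .*
`, `installation denied by "install-plug-base-allow-snap-deny" plug rule of interface "install-plug-base-allow-snap-deny" for "install-snap" snap`},
		{`name: install-snap
plugs:
  install-plug-base-allow-snap-not-allow:
    attr: give-me
`, `plugs:
  install-plug-base-allow-snap-not-allow:
    allow-installation:
      plug-attributes:
        attr: minimal
`, `installation not allowed by "install-plug-base-allow-snap-not-allow" plug rule of interface "install-plug-base-allow-snap-not-allow" for "install-snap" snap`},
		{`name: install-snap
plugs:
  install-plug-base-deny-snap-allow:
    attr: attrvalue
`, `plugs:
  install-plug-base-deny-snap-allow:
    allow-installation:
      plug-attributes:
        attr: attrvalue
`, ""},
	}

	for _, t := range tests {
		installSnap := snaptest.MockInfo(c, t.installYaml, nil)

		// The assertion is only decoded here; nothing in this test verifies
		// its signature, and the trailing "AXNpZw==" is presumably a
		// placeholder. The stanza is trimmed before substitution so it sits
		// cleanly between the surrounding header lines.
		a, err := asserts.Decode([]byte(strings.Replace(`type: snap-declaration
authority-id: canonical
series: 16
snap-name: install-snap
snap-id: installsnap6idididididididididid
publisher-id: publisher
@plugsSlots@
timestamp: 2016-09-30T12:00:00Z
sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij

AXNpZw==`, "@plugsSlots@", strings.TrimSpace(t.plugsSlots), 1)))
		c.Assert(err, IsNil)
		snapDecl := a.(*asserts.SnapDeclaration)

		cand := policy.InstallCandidate{
			Snap:            installSnap,
			SnapDeclaration: snapDecl,
			BaseDeclaration: s.baseDecl,
		}

		err = cand.Check()
		if t.expected == "" {
			c.Check(err, IsNil)
		} else {
			c.Check(err, ErrorMatches, t.expected)
		}
	}
}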
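// TestBaseDeclAllowDenyInstallation checks installation decisions made from
// the base declaration alone: every candidate is built without a
// SnapDeclaration.
//
// The table covers plugs and slots that are expected to be refused
// ("not allowed" / "denied") or accepted depending on the declared attributes
// and on the snap type (plain snap vs. "type: gadget"). The rules being
// exercised live in s.baseDecl, which is defined outside this function.
func (s *policySuite) TestBaseDeclAllowDenyInstallation(c *C) {
	tests := []struct {
		installYaml string
		expected    string // "" => no error
	}{
		{`name: install-snap
slots:
  innocuous:
  install-slot-coreonly:
`, `installation not allowed by "install-slot-coreonly" slot rule of interface "install-slot-coreonly"`},
		{`name: install-snap
slots:
  install-slot-attr-ok:
    attr: ok
`, ""},
		{`name: install-snap
slots:
  install-slot-attr-deny:
    trust: trusted
`, `installation denied by "install-slot-attr-deny" slot rule of interface "install-slot-attr-deny"`},
		{`name: install-snap
plugs:
  install-plug-attr-ok:
    attr: ok
`, ""},
		{`name: install-snap
plugs:
  install-plug-attr-ok:
    attr: not-ok
`, `installation not allowed by "install-plug-attr-ok" plug rule of interface "install-plug-attr-ok"`},
		{`name: install-snap
plugs:
  install-plug-gadget-only:
`, `installation not allowed by "install-plug-gadget-only" plug rule of interface "install-plug-gadget-only"`},
		{`name: install-gadget
type: gadget
plugs:
  install-plug-gadget-only:
`, ""},
		{`name: install-gadget
type: gadget
plugs:
  install-plug-or:
    p: P2`, `installation denied by "install-plug-or" plug rule.*`},
		{`name: install-snap
plugs:
  install-plug-or:
    p: P1`, `installation denied by "install-plug-or" plug rule.*`},
		{`name: install-snap
plugs:
  install-plug-or:
    p: P3`, ""},
		{`name: install-gadget
type: gadget
slots:
  install-slot-or:
    p: P2`, `installation denied by "install-slot-or" slot rule.*`},
		{`name: install-snap
slots:
  install-slot-or:
    p: P1`, `installation denied by "install-slot-or" slot rule.*`},
		{`name: install-snap
slots:
  install-slot-or:
    p: P3`, ""},
	}

	for _, t := range tests {
		installSnap := snaptest.MockInfo(c, t.installYaml, nil)

		cand := policy.InstallCandidate{
			Snap:            installSnap,
			BaseDeclaration: s.baseDecl,
		}

		err := cand.Check()
		if t.expected == "" {
			c.Check(err, IsNil)
		} else {
			c.Check(err, ErrorMatches, t.expected)
		}
	}
}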