func (s *assertMgrSuite) TestBaseSnapDeclaration(c *C) {
s.state.Lock()
defer s.state.Unlock()
r1 := assertstest.MockBuiltinBaseDeclaration(nil)
defer r1()
baseDecl, err := assertstate.BaseDeclaration(s.state)
c.Assert(err, Equals, asserts.ErrNotFound)
c.Check(baseDecl, IsNil)
r2 := assertstest.MockBuiltinBaseDeclaration([]byte(`
type: base-declaration
authority-id: canonical
series: 16
plugs:
iface: true
`))
defer r2()
baseDecl, err = assertstate.BaseDeclaration(s.state)
c.Assert(err, IsNil)
c.Check(baseDecl, NotNil)
c.Check(baseDecl.PlugRule("iface"), NotNil)
}
// CheckInterfaces checks whether plugs and slots of snap are allowed for installation.
func CheckInterfaces(st *state.State, snapInfo *snap.Info) error {
// XXX: AddImplicitSlots is really a brittle interface
snap.AddImplicitSlots(snapInfo)
baseDecl, err := assertstate.BaseDeclaration(st)
if err != nil {
return fmt.Errorf("internal error: cannot find base declaration: %v", err)
}
var snapDecl *asserts.SnapDeclaration
if snapInfo.SnapID != "" {
var err error
snapDecl, err = assertstate.SnapDeclaration(st, snapInfo.SnapID)
if err != nil {
return fmt.Errorf("cannot find snap declaration for %q: %v", snapInfo.Name(), err)
}
}
ic := policy.InstallCandidate{
Snap: snapInfo,
SnapDeclaration: snapDecl,
BaseDeclaration: baseDecl,
}
return ic.Check()
}
func newAutoConnectChecker(s *state.State) (*autoConnectChecker, error) {
baseDecl, err := assertstate.BaseDeclaration(s)
if err != nil {
return nil, fmt.Errorf("internal error: cannot find base declaration: %v", err)
}
return &autoConnectChecker{
st: s,
cache: make(map[string]*asserts.SnapDeclaration),
baseDecl: baseDecl,
}, nil
}
func (m *InterfaceManager) doConnect(task *state.Task, _ *tomb.Tomb) error {
st := task.State()
st.Lock()
defer st.Unlock()
plugRef, slotRef, err := getPlugAndSlotRefs(task)
if err != nil {
return err
}
conns, err := getConns(st)
if err != nil {
return err
}
connRef, err := m.repo.ResolveConnect(plugRef.Snap, plugRef.Name, slotRef.Snap, slotRef.Name)
if err != nil {
return err
}
plug := m.repo.Plug(connRef.PlugRef.Snap, connRef.PlugRef.Name)
if plug == nil {
return fmt.Errorf("snap %q has no %q plug", connRef.PlugRef.Snap, connRef.PlugRef.Name)
}
var plugDecl *asserts.SnapDeclaration
if plug.Snap.SnapID != "" {
var err error
plugDecl, err = assertstate.SnapDeclaration(st, plug.Snap.SnapID)
if err != nil {
return fmt.Errorf("cannot find snap declaration for %q: %v", plug.Snap.Name(), err)
}
}
slot := m.repo.Slot(connRef.SlotRef.Snap, connRef.SlotRef.Name)
if slot == nil {
return fmt.Errorf("snap %q has no %q slot", connRef.SlotRef.Snap, connRef.SlotRef.Name)
}
var slotDecl *asserts.SnapDeclaration
if slot.Snap.SnapID != "" {
var err error
slotDecl, err = assertstate.SnapDeclaration(st, slot.Snap.SnapID)
if err != nil {
return fmt.Errorf("cannot find snap declaration for %q: %v", slot.Snap.Name(), err)
}
}
baseDecl, err := assertstate.BaseDeclaration(st)
if err != nil {
return fmt.Errorf("internal error: cannot find base declaration: %v", err)
}
// check the connection against the declarations' rules
ic := policy.ConnectCandidate{
Plug: plug.PlugInfo,
PlugSnapDeclaration: plugDecl,
Slot: slot.SlotInfo,
SlotSnapDeclaration: slotDecl,
BaseDeclaration: baseDecl,
}
err = ic.Check()
if err != nil {
return err
}
err = m.repo.Connect(connRef)
if err != nil {
return err
}
var plugSnapst snapstate.SnapState
if err := snapstate.Get(st, connRef.PlugRef.Snap, &plugSnapst); err != nil {
return err
}
var slotSnapst snapstate.SnapState
if err := snapstate.Get(st, connRef.SlotRef.Snap, &slotSnapst); err != nil {
return err
}
if err := setupSnapSecurity(task, slot.Snap, slotSnapst.DevModeAllowed(), m.repo); err != nil {
return err
}
if err := setupSnapSecurity(task, plug.Snap, plugSnapst.DevModeAllowed(), m.repo); err != nil {
return err
}
conns[connRef.ID()] = connState{Interface: plug.Interface}
setConns(st, conns)
return nil
}
func (m *InterfaceManager) doConnect(task *state.Task, _ *tomb.Tomb) error {
st := task.State()
st.Lock()
defer st.Unlock()
plugRef, slotRef, err := getPlugAndSlotRefs(task)
if err != nil {
return err
}
conns, err := getConns(st)
if err != nil {
return err
}
connRef, err := m.repo.ResolveConnect(plugRef.Snap, plugRef.Name, slotRef.Snap, slotRef.Name)
if err != nil {
return err
}
plug := m.repo.Plug(connRef.PlugRef.Snap, connRef.PlugRef.Name)
if plug == nil {
return fmt.Errorf("snap %q has no %q plug", connRef.PlugRef.Snap, connRef.PlugRef.Name)
}
var plugDecl *asserts.SnapDeclaration
if plug.Snap.SnapID != "" {
var err error
plugDecl, err = assertstate.SnapDeclaration(st, plug.Snap.SnapID)
if err != nil {
return fmt.Errorf("cannot find snap declaration for %q: %v", plug.Snap.Name(), err)
}
}
slot := m.repo.Slot(connRef.SlotRef.Snap, connRef.SlotRef.Name)
if slot == nil {
return fmt.Errorf("snap %q has no %q slot", connRef.SlotRef.Snap, connRef.SlotRef.Name)
}
var slotDecl *asserts.SnapDeclaration
if slot.Snap.SnapID != "" {
var err error
slotDecl, err = assertstate.SnapDeclaration(st, slot.Snap.SnapID)
if err != nil {
return fmt.Errorf("cannot find snap declaration for %q: %v", slot.Snap.Name(), err)
}
}
baseDecl, err := assertstate.BaseDeclaration(st)
if err != nil {
return fmt.Errorf("internal error: cannot find base declaration: %v", err)
}
// check the connection against the declarations' rules
ic := policy.ConnectCandidate{
Plug: plug.PlugInfo,
PlugSnapDeclaration: plugDecl,
Slot: slot.SlotInfo,
SlotSnapDeclaration: slotDecl,
BaseDeclaration: baseDecl,
}
// if either of plug or slot snaps don't have a declaration it
// means they were installed with "dangerous", so the security
// check should be skipped at this point.
if plugDecl != nil && slotDecl != nil {
err = ic.Check()
if err != nil {
return err
}
}
err = m.repo.Connect(connRef)
if err != nil {
return err
}
var plugSnapst snapstate.SnapState
if err := snapstate.Get(st, connRef.PlugRef.Snap, &plugSnapst); err != nil {
return err
}
var slotSnapst snapstate.SnapState
if err := snapstate.Get(st, connRef.SlotRef.Snap, &slotSnapst); err != nil {
return err
}
slotOpts := confinementOptions(slotSnapst.Flags)
if err := setupSnapSecurity(task, slot.Snap, slotOpts, m.repo); err != nil {
return err
}
plugOpts := confinementOptions(plugSnapst.Flags)
if err := setupSnapSecurity(task, plug.Snap, plugOpts, m.repo); err != nil {
return err
}
conns[connRef.ID()] = connState{Interface: plug.Interface}
setConns(st, conns)
return nil
}
