tests: genericize system-usernames-microk8s test

Extend the system-usernames-microk8s test to allow creating variants to test arbitrary system usernames scoped to particular snaps. Rename the test to reflect this. Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
canonical · Sep 13, 2022 · 1d7a570 · 1d7a570
1 parent fb7cc17
commit 1d7a570
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 34 deletions.
diff --git a/tests/main/system-usernames-microk8s/snap/meta/snap.yaml.in b/tests/main/system-usernames-microk8s/snap/meta/snap.yaml.in
diff --git a/...ain/system-usernames-microk8s/snap/bin/sh → .../system-usernames-snap-scoped/snap/bin/sh b/...ain/system-usernames-microk8s/snap/bin/sh → .../system-usernames-snap-scoped/snap/bin/sh
diff --git a/tests/main/system-usernames-snap-scoped/snap/meta/snap.yaml.in b/tests/main/system-usernames-snap-scoped/snap/meta/snap.yaml.in
@@ -0,0 +1,7 @@
+name: SNAPNAME
+summary: Snap requesting snap-scoped system users
+version: '1.0'
+
+apps:
+  test-app:
+    command: bin/sh
diff --git a/.../main/system-usernames-microk8s/task.yaml → ...in/system-usernames-snap-scoped/task.yaml b/.../main/system-usernames-microk8s/task.yaml → ...in/system-usernames-snap-scoped/task.yaml
@@ -1,4 +1,4 @@
-summary: ensure only approved snaps can use the microk8s system user
+summary: ensure only approved snaps can use snap-scoped system user
 
 # - not running on 14.04 as we have no real systemd here
 # - also exclude debian 10 and centos 7 because of old libseccomp (the
@@ -8,6 +8,10 @@ systems: [-ubuntu-14.04-*, -debian-10-*, -centos-7-*]
 
 environment:
     STORE_DIR: $(pwd)/fake-store-blobdir
+    UNAPPROVED_SNAP_NAME: test-unapproved-username
+    APPROVED_SNAP_ID/microk8s: EaXqgt1lyCaxKaQCU349mlodBkDCXRcg
+    APPROVED_SNAP_NAME/microk8s: microk8s
+    TESTED_USERS/microk8s: snap_microk8s
 
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -39,29 +43,41 @@ prepare: |
     snap ack "$TESTSLIB/assertions/developer1.account"
     snap ack "$TESTSLIB/assertions/developer1.account-key"
 
-    # Create a snap which is not entitled to use the microk8s user
+    create_snap_yaml() {
+        yaml2json -i  snap/meta/snap.yaml.in > snap/meta/snap.json
+        for user in $TESTED_USERS
+        do
+            cat snap/meta/snap.json | jq ".\"system-usernames\" += { \"$user\" : \"shared\"}" > snap/meta/snap.json.tmp
+            mv snap/meta/snap.json.tmp snap/meta/snap.json
+        done
+        cat snap/meta/snap.json | jq ".name = \"$1\"" | json2yaml -o snap/meta/snap.yaml
+    }
 
-    sed "snap/meta/snap.yaml.in" -e "s/SNAPNAME/test-microk8s-username/" > "snap/meta/snap.yaml"
+    # Create a snap which is not entitled to use the user(s) under test
+
+    create_snap_yaml $UNAPPROVED_SNAP_NAME
     snap_path=$("$TESTSTOOLS"/snaps-state pack-local snap)
     make_snap_installable "$STORE_DIR" "${snap_path}"
 
-    # Then create a snap which is entitled to use the microk8s user
+    # Then create a snap which is entitled to use the user(s) under test
 
-    sed "snap/meta/snap.yaml.in" -e "s/SNAPNAME/microk8s/" > "snap/meta/snap.yaml"
+    create_snap_yaml $APPROVED_SNAP_NAME
     snap_path=$("$TESTSTOOLS"/snaps-state pack-local snap)
-    MICROK8S_SNAP_ID="EaXqgt1lyCaxKaQCU349mlodBkDCXRcg"
-    make_snap_installable_with_id "$STORE_DIR" "${snap_path}" "$MICROK8S_SNAP_ID"
+    make_snap_installable_with_id "$STORE_DIR" "${snap_path}" "$APPROVED_SNAP_ID"
 
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
 
-    userdel -f snap_microk8s || userdel -f --extrausers snap_microk8s || true
-    not getent passwd snap_microk8s
-    groupdel snap_microk8s || groupdel --extrausers snap_microk8s || true
-    not getent group snap_microk8s
+    for user in $TESTED_USERS
+    do
+        userdel -f "$user" || userdel -f --extrausers "$user" || true
+        not getent passwd "$user"
+        groupdel "$user" || groupdel --extrausers "$user" || true
+        not getent group "$user"
+    done
 
     #shellcheck source=tests/lib/store.sh
     . "$TESTSLIB"/store.sh
@@ -73,17 +89,23 @@ execute: |
         exit
     fi
 
-    echo "Try to install a snap which is not entitled to use the microk8s user"
-    OUT=$(snap install "test-microk8s-username" 2>&1 || true)
-    echo "$OUT" | MATCH 'snap "test-microk8s-username" is not allowed to use the system user "snap_microk8s"'
-
-    # Make sure neither snap_microk8s user nor group are created
-    not getent passwd snap_microk8s
-    not getent group snap_microk8s
-
-    echo "Now install the microk8s snap"
-    snap install "microk8s" 2>&1 | MATCH 'microk8s 1.0.* installed'
-
-    # Make sure both snap_microk8s user and group are created
-    getent passwd snap_microk8s
-    getent group snap_microk8s
+    echo "Try to install a snap which is not entitled to use the user(s) under test"
+    OUT=$(snap install "$UNAPPROVED_SNAP_NAME" 2>&1 || true)
+    echo "$OUT" | MATCH "snap \"$UNAPPROVED_SNAP_NAME\" is not allowed to use the system user \"(${TESTED_USERS// /|})\""
+
+    # Make sure no user(s) nor group(s) under test are created
+    for user in $TESTED_USERS
+    do
+        not getent passwd "$user"
+        not getent group "$user"
+    done
+
+    echo "Now install the $APPROVED_SNAP_NAME snap"
+    snap install "$APPROVED_SNAP_NAME" 2>&1 | MATCH "$APPROVED_SNAP_NAME 1.0.* installed"
+
+    # Make sure all user(s) and group(s) under test are created
+    for user in $TESTED_USERS
+    do
+        getent passwd "$user"
+        getent group "$user"
+    done