snap/system_usernames: add Azure IoT Edge usernames

Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>

overlord/snapstate/check_snap_test.go

@@ -1158,6 +1158,71 @@ var systemUsernamesTests = []struct {
 	// missing snap ID, therefore installation allowed
 	sysIDs: "snap_microk8s:\n    scope: shared",
 	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	sysIDs: "snap_iotedge: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+	snapID: "some-uninteresting-snap-id",
+	error:  `snap "foo" is not allowed to use the system user "snap_iotedge"`,
+}, {
+	snapID: "8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	sysIDs: "snap_iotedge: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	// missing snap ID, therefore installation allowed
+	sysIDs: "snap_iotedge:\n    scope: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	sysIDs: "snap_aziotid: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+	snapID: "some-uninteresting-snap-id",
+	error:  `snap "foo" is not allowed to use the system user "snap_aziotid"`,
+}, {
+	snapID: "8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	sysIDs: "snap_aziotid: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	// missing snap ID, therefore installation allowed
+	sysIDs: "snap_aziotid:\n    scope: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	sysIDs: "snap_aziotcs: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+	snapID: "some-uninteresting-snap-id",
+	error:  `snap "foo" is not allowed to use the system user "snap_aziotcs"`,
+}, {
+	snapID: "8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	sysIDs: "snap_aziotcs: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	// missing snap ID, therefore installation allowed
+	sysIDs: "snap_aziotcs:\n    scope: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	sysIDs: "snap_aziotks: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+	snapID: "some-uninteresting-snap-id",
+	error:  `snap "foo" is not allowed to use the system user "snap_aziotks"`,
+}, {
+	snapID: "8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	sysIDs: "snap_aziotks: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	// missing snap ID, therefore installation allowed
+	sysIDs: "snap_aziotks:\n    scope: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	sysIDs: "snap_aziottpm: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+	snapID: "some-uninteresting-snap-id",
+	error:  `snap "foo" is not allowed to use the system user "snap_aziottpm"`,
+}, {
+	snapID: "8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	sysIDs: "snap_aziottpm: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
+}, {
+	// missing snap ID, therefore installation allowed
+	sysIDs: "snap_aziottpm:\n    scope: shared",
+	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
 }, {
 	sysIDs: "snap_daemon:\n    scope: private",
 	scVer:  "dead 2.4.1 deadbeef bpf-actlog",
@@ -1326,6 +1391,51 @@ system-usernames:
 	s.testCheckSnapSystemUsernamesCallsCommon(c, "snap_microk8s", "584789", yaml)
 }
 
+func (s *checkSnapSuite) TestCheckSnapSystemUsernamesCallsSnapIotEdge(c *C) {
+	const yaml = `name: azure-iot-edge
+version: 1.0
+system-usernames:
+  snap_iotedge: shared`
+
+	s.testCheckSnapSystemUsernamesCallsCommon(c, "snap_iotedge", "584790", yaml)
+}
+
+func (s *checkSnapSuite) TestCheckSnapSystemUsernamesCallsSnapAzIotId(c *C) {
+	const yaml = `name: azure-iot-edge
+version: 1.0
+system-usernames:
+  snap_aziotid: shared`
+
+	s.testCheckSnapSystemUsernamesCallsCommon(c, "snap_aziotid", "584791", yaml)
+}
+
+func (s *checkSnapSuite) TestCheckSnapSystemUsernamesCallsSnapAzIotCs(c *C) {
+	const yaml = `name: azure-iot-edge
+version: 1.0
+system-usernames:
+  snap_aziotcs: shared`
+
+	s.testCheckSnapSystemUsernamesCallsCommon(c, "snap_aziotcs", "584792", yaml)
+}
+
+func (s *checkSnapSuite) TestCheckSnapSystemUsernamesCallsSnapAzIotKs(c *C) {
+	const yaml = `name: azure-iot-edge
+version: 1.0
+system-usernames:
+  snap_aziotks: shared`
+
+	s.testCheckSnapSystemUsernamesCallsCommon(c, "snap_aziotks", "584793", yaml)
+}
+
+func (s *checkSnapSuite) TestCheckSnapSystemUsernamesCallsSnapAzIotTpm(c *C) {
+	const yaml = `name: azure-iot-edge
+version: 1.0
+system-usernames:
+  snap_aziottpm: shared`
+
+	s.testCheckSnapSystemUsernamesCallsCommon(c, "snap_aziottpm", "584794", yaml)
+}
+
 func (s *checkSnapSuite) testCheckSnapSystemUsernamesCallsCommon(c *C, expectedUser, expectedID, yaml string) {
 	r := osutil.MockFindGid(func(groupname string) (uint64, error) {
 		if groupname == expectedUser || groupname == "snapd-range-524288-root" {

snap/system_usernames.go

@@ -155,4 +155,19 @@ var SupportedSystemUsernames = map[string]systemUsername{
 	"snap_microk8s": {Id: 584789, AllowedSnapIds: []string{
 		"EaXqgt1lyCaxKaQCU349mlodBkDCXRcg", // microk8s
 	}},
+	"snap_iotedge": {Id: 584790, AllowedSnapIds: []string{
+		"8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	}},
+	"snap_aziotid": {Id: 584791, AllowedSnapIds: []string{
+		"8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	}},
+	"snap_aziotcs": {Id: 584792, AllowedSnapIds: []string{
+		"8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	}},
+	"snap_aziotks": {Id: 584793, AllowedSnapIds: []string{
+		"8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	}},
+	"snap_aziottpm": {Id: 584794, AllowedSnapIds: []string{
+		"8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt", // azure-iot-edge
+	}},
 }

tests/main/system-usernames-snap-scoped/task.yaml

@@ -12,6 +12,9 @@ environment:
     APPROVED_SNAP_ID/microk8s: EaXqgt1lyCaxKaQCU349mlodBkDCXRcg
     APPROVED_SNAP_NAME/microk8s: microk8s
     TESTED_USERS/microk8s: snap_microk8s
+    APPROVED_SNAP_ID/azureiotedge: 8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt
+    APPROVED_SNAP_NAME/azureiotedge: azure-iot-edge
+    TESTED_USERS/azureiotedge: snap_iotedge snap_aziotid snap_aziotcs snap_aziotks snap_aziottpm
 
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then