forked from canonical/snapd
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request canonical#12141 from alexclewontin/system-username…
…s-aziotedge snap/system_usernames,tests: Azure IoT Edge system usernames
- Loading branch information
Showing
6 changed files
with
127 additions
and
98 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
File renamed without changes.
7 changes: 7 additions & 0 deletions
7
tests/main/system-usernames-snap-scoped/snap/meta/snap.yaml.in
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| name: SNAPNAME | ||
| summary: Snap requesting snap-scoped system users | ||
| version: '1.0' | ||
|
|
||
| apps: | ||
| test-app: | ||
| command: bin/sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| summary: ensure only approved snaps can use snap-scoped system user | ||
|
|
||
| # - not running on 14.04 as we have no real systemd here | ||
| # - also exclude debian 10 and centos 7 because of old libseccomp (the | ||
| # system-usernames test is already checking which distributions have the | ||
| # needed support, so there's no need to replicate that code here) | ||
| systems: [-ubuntu-14.04-*, -debian-10-*, -centos-7-*] | ||
|
|
||
| environment: | ||
| STORE_DIR: $(pwd)/fake-store-blobdir | ||
| UNAPPROVED_SNAP_NAME: test-unapproved-username | ||
| APPROVED_SNAP_ID/microk8s: EaXqgt1lyCaxKaQCU349mlodBkDCXRcg | ||
| APPROVED_SNAP_NAME/microk8s: microk8s | ||
| TESTED_USERS/microk8s: snap_microk8s | ||
| APPROVED_SNAP_ID/azureiotedge: 8neFt3wtSaWGgIbEepgIJcEZ3fnz7Lwt | ||
| APPROVED_SNAP_NAME/azureiotedge: azure-iot-edge | ||
| TESTED_USERS/azureiotedge: snap_aziotedge | ||
| APPROVED_SNAP_ID/azuredeviceupdate: KzF67Mv8CeQBdUdrGaKU2sZVEiICWBg1 | ||
| APPROVED_SNAP_NAME/azuredeviceupdate: deviceupdate-agent | ||
| TESTED_USERS/azuredeviceupdate: snap_aziotdu | ||
|
|
||
| prepare: | | ||
| if [ "$TRUST_TEST_KEYS" = "false" ]; then | ||
| echo "This test needs test keys to be trusted" | ||
| exit | ||
| fi | ||
| echo "Ensure jq is installed" | ||
| if ! command -v jq; then | ||
| snap install --devmode jq | ||
| fi | ||
| echo "Ensure yaml2json is installed" | ||
| if ! command -v yaml2json; then | ||
| snap install --devmode remarshal | ||
| fi | ||
| snap debug can-manage-refreshes | MATCH false | ||
| snap ack "$TESTSLIB/assertions/testrootorg-store.account-key" | ||
| #shellcheck source=tests/lib/store.sh | ||
| . "$TESTSLIB"/store.sh | ||
| setup_fake_store "$STORE_DIR" | ||
| cp "$TESTSLIB"/assertions/developer1.account "$STORE_DIR/asserts" | ||
| cp "$TESTSLIB"/assertions/developer1.account-key "$STORE_DIR/asserts" | ||
| snap ack "$TESTSLIB/assertions/developer1.account" | ||
| snap ack "$TESTSLIB/assertions/developer1.account-key" | ||
| create_snap() { | ||
| yaml2json -i snap/meta/snap.yaml.in > snap/meta/snap.json | ||
| for user in $TESTED_USERS | ||
| do | ||
| jq ".\"system-usernames\" += { \"$user\" : \"shared\"}" snap/meta/snap.json > snap/meta/snap.json.tmp | ||
| mv snap/meta/snap.json.tmp snap/meta/snap.json | ||
| done | ||
| jq ".name = \"$1\"" snap/meta/snap.json | json2yaml -o snap/meta/snap.yaml | ||
| "$TESTSTOOLS"/snaps-state pack-local snap | ||
| } | ||
| # Create a snap which is not entitled to use the user(s) under test | ||
| snap_path=$(create_snap $UNAPPROVED_SNAP_NAME) | ||
| make_snap_installable "$STORE_DIR" "${snap_path}" | ||
| # Then create a snap which is entitled to use the user(s) under test | ||
| snap_path=$(create_snap $APPROVED_SNAP_NAME) | ||
| make_snap_installable_with_id "$STORE_DIR" "${snap_path}" "$APPROVED_SNAP_ID" | ||
| restore: | | ||
| if [ "$TRUST_TEST_KEYS" = "false" ]; then | ||
| echo "This test needs test keys to be trusted" | ||
| exit | ||
| fi | ||
| for user in $TESTED_USERS | ||
| do | ||
| userdel -f "$user" || userdel -f --extrausers "$user" || true | ||
| not getent passwd "$user" | ||
| groupdel "$user" || groupdel --extrausers "$user" || true | ||
| not getent group "$user" | ||
| done | ||
| #shellcheck source=tests/lib/store.sh | ||
| . "$TESTSLIB"/store.sh | ||
| teardown_fake_store "$STORE_DIR" | ||
| execute: | | ||
| if [ "$TRUST_TEST_KEYS" = "false" ]; then | ||
| echo "This test needs test keys to be trusted" | ||
| exit | ||
| fi | ||
| echo "Try to install a snap which is not entitled to use the user(s) under test" | ||
| OUT=$(snap install "$UNAPPROVED_SNAP_NAME" 2>&1 || true) | ||
| echo "$OUT" | MATCH "snap \"$UNAPPROVED_SNAP_NAME\" is not allowed to use the system user \"(${TESTED_USERS// /|})\"" | ||
| # Make sure no user(s) nor group(s) under test are created | ||
| for user in $TESTED_USERS | ||
| do | ||
| not getent passwd "$user" | ||
| not getent group "$user" | ||
| done | ||
| echo "Now install the $APPROVED_SNAP_NAME snap" | ||
| snap install "$APPROVED_SNAP_NAME" 2>&1 | MATCH "$APPROVED_SNAP_NAME 1.0.* installed" | ||
| # Make sure all user(s) and group(s) under test are created | ||
| for user in $TESTED_USERS | ||
| do | ||
| getent passwd "$user" | ||
| getent group "$user" | ||
| done |