Change: check correctness of model grade instead of just checking if it's not set to 'dangerous'

2 files changed, 10 insertions, 3 deletions

diff --git a/bin/ubuntucore_image_checks.py b/bin/ubuntucore_image_checks.py
index e381e61..ff14784 100755
--- a/bin/ubuntucore_image_checks.py
+++ b/bin/ubuntucore_image_checks.py
@@ -6,6 +6,7 @@
 # Jonathan Cave <jonathan.cave@canonical.com>
 
 import io
+import os
 import sys
 
 from checkbox_support.snap_utils.snapd import Snapd
@@ -91,10 +92,14 @@ class ModelInfo():
 print('PASS')
 
 def test_model_grade(self):
+ MODEL_GRADE = os.environ.get('MODEL_GRADE', 'secured')
 if not self.grade:
 raise SystemExit('ERROR: failed to get model grade info')
 if self.grade == 'dangerous':
 raise SystemExit('ERROR: model grade must not be dangerous')
+ if self.grade != MODEL_GRADE:
+ raise SystemExit('ERROR: model grade is "{}",'.format(self.grade) +
+ ' but "{}" is expected'.format(MODEL_GRADE))
 print('PASS')
 
 
diff --git a/units/image/jobs.pxu b/units/image/jobs.pxu
index d185550..d5aa7d4 100644
--- a/units/image/jobs.pxu
+++ b/units/image/jobs.pxu
@@ -71,16 +71,18 @@ command:
 estimated_duration: 2.0
 flags: preserve-locale
 
-id: image/model-grade-not-dangerous
+id: image/model-grade
 category_id: image
-_summary: Check that the model grade is not missing or set to dangerous
+_summary: Check that the model grade is correctly set
 requires:
 lsb.distributor_id == "Ubuntu Core" and int(lsb.release) >= 20
 _description:
 Images with the 'dangerous' grade (the lowest of all available grades)
 results in certain security measures to be relaxed.
 Images that require strict security related implementations must
- have the model grade set to a grade higher than 'dangerous'.
+ have the model grade set to non-dangerous grades - either the highest
+ grade of 'secured', or a grade passed to checkbox for checking via the
+ MODEL_GRADE configuration variable.
 plugin: shell
 command:
 ubuntucore_image_checks.py model-grade