Merge pull request #1938 from pedronis/cross-check-validation-signer

asserts: check that validation assertions are signed by the publisher of the gating snap

2 files changed, 28 insertions, 12 deletions

diff --git a/asserts/snap_asserts.go b/asserts/snap_asserts.go
index f35342144b..083a422488 100644
--- a/asserts/snap_asserts.go
+++ b/asserts/snap_asserts.go
@@ -65,8 +65,8 @@ func (snapdcl *SnapDeclaration) Timestamp() time.Time {
 }
 
 // RefreshControl returns the ids of snaps whose updates are controlled by this declaration.
-func (mod *SnapDeclaration) RefreshControl() []string {
-	return mod.refreshControl
+func (snapdcl *SnapDeclaration) RefreshControl() []string {
+	return snapdcl.refreshControl
 }
 
 // Implement further consistency checks.
@@ -383,7 +383,7 @@ func (validation *Validation) checkConsistency(db RODatabase, acck *AccountKey)
	if err != nil {
	return err
	}
-	_, err = db.Find(SnapDeclarationType, map[string]string{
+	a, err := db.Find(SnapDeclarationType, map[string]string{
	"series": validation.Series(),
	"snap-id": validation.SnapID(),
	})
@@ -394,6 +394,11 @@ func (validation *Validation) checkConsistency(db RODatabase, acck *AccountKey)
	return err
	}
 
+	gatingDecl := a.(*SnapDeclaration)
+	if gatingDecl.PublisherID() != validation.AuthorityID() {
+	return fmt.Errorf("validation assertion by snap %q (id %q) not signed by its publisher", gatingDecl.SnapName(), validation.SnapID())
+	}
+
	return nil
 }
 
diff --git a/asserts/snap_asserts_test.go b/asserts/snap_asserts_test.go
index 48d9eeb065..7011836622 100644
--- a/asserts/snap_asserts_test.go
+++ b/asserts/snap_asserts_test.go
@@ -172,7 +172,6 @@ func (sds *snapDeclSuite) TestSnapDeclarationCheck(c *C) {
	"snap-id": "snap-id-1",
	"snap-name": "foo",
	"publisher-id": "dev-id1",
-	"gates": "",
	"timestamp": time.Now().Format(time.RFC3339),
	}
	snapDecl, err := storeDB.Sign(asserts.SnapDeclarationType, headers, nil, "")
@@ -192,7 +191,6 @@ func (sds *snapDeclSuite) TestSnapDeclarationCheckUntrustedAuthority(c *C) {
	"snap-id": "snap-id-1",
	"snap-name": "foo",
	"publisher-id": "dev-id1",
-	"gates": "",
	"timestamp": time.Now().Format(time.RFC3339),
	}
	snapDecl, err := otherDB.Sign(asserts.SnapDeclarationType, headers, nil, "")
@@ -210,7 +208,6 @@ func (sds *snapDeclSuite) TestSnapDeclarationCheckMissingPublisherAccount(c *C)
	"snap-id": "snap-id-1",
	"snap-name": "foo",
	"publisher-id": "dev-id1",
-	"gates": "",
	"timestamp": time.Now().Format(time.RFC3339),
	}
	snapDecl, err := storeDB.Sign(asserts.SnapDeclarationType, headers, nil, "")
@@ -251,7 +248,6 @@ func (sds *snapDeclSuite) TestPrerequisites(c *C) {
	"snap-id: snap-id-1\n" +
	"snap-name: first\n" +
	"publisher-id: dev-id1\n" +
-	"gates: snap-id-3,snap-id-4\n" +
	sds.tsLine +
	"body-length: 0\n" +
	"sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij" +
@@ -365,7 +361,9 @@ func makeStoreAndCheckDB(c *C) (storeDB *assertstest.SigningDB, checkDB *asserts
 func setup3rdPartySigning(c *C, username string, storeDB *assertstest.SigningDB, checkDB *asserts.Database) (signingDB *assertstest.SigningDB) {
	privKey := testPrivKey2
 
-	acct := assertstest.NewAccount(storeDB, username, nil, "")
+	acct := assertstest.NewAccount(storeDB, username, map[string]interface{}{
+	"account-id": username,
+	}, "")
	accKey := assertstest.NewAccountKey(storeDB, acct, nil, privKey.PublicKey(), "")
 
	err := checkDB.Add(acct)
@@ -381,7 +379,7 @@ func (sbs *snapBuildSuite) TestSnapBuildCheck(c *C) {
	devDB := setup3rdPartySigning(c, "devel1", storeDB, db)
 
	headers := map[string]interface{}{
-	"authority-id": devDB.AuthorityID,
+	"authority-id": "devel1",
	"snap-sha3-384": blobSHA3_384,
	"snap-id": "snap-id-1",
	"grade": "devel",
@@ -517,7 +515,6 @@ func prereqSnapDecl(c *C, storeDB assertstest.SignerDB, db *asserts.Database) {
	"snap-id": "snap-id-1",
	"snap-name": "foo",
	"publisher-id": "dev-id1",
-	"gates": "",
	"timestamp": time.Now().Format(time.RFC3339),
	}, nil, "")
	c.Assert(err, IsNil)
@@ -716,7 +713,6 @@ func prereqSnapDecl2(c *C, storeDB assertstest.SignerDB, db *asserts.Database) {
	"snap-id": "snap-id-2",
	"snap-name": "bar",
	"publisher-id": "dev-id1",
-	"gates": "",
	"timestamp": time.Now().Format(time.RFC3339),
	}, nil, "")
	c.Assert(err, IsNil)
@@ -726,6 +722,21 @@ func prereqSnapDecl2(c *C, storeDB assertstest.SignerDB, db *asserts.Database) {
 
 func (vs *validationSuite) TestValidationCheck(c *C) {
	storeDB, db := makeStoreAndCheckDB(c)
+	devDB := setup3rdPartySigning(c, "dev-id1", storeDB, db)
+
+	prereqSnapDecl(c, storeDB, db)
+	prereqSnapDecl2(c, storeDB, db)
+
+	headers := vs.makeHeaders(nil)
+	validation, err := devDB.Sign(asserts.ValidationType, headers, nil, "")
+	c.Assert(err, IsNil)
+
+	err = db.Check(validation)
+	c.Assert(err, IsNil)
+}
+
+func (vs *validationSuite) TestValidationCheckWrongAuthority(c *C) {
+	storeDB, db := makeStoreAndCheckDB(c)
 
	prereqDevAccount(c, storeDB, db)
	prereqSnapDecl(c, storeDB, db)
@@ -736,7 +747,7 @@ func (vs *validationSuite) TestValidationCheck(c *C) {
	c.Assert(err, IsNil)
 
	err = db.Check(validation)
-	c.Assert(err, IsNil)
+	c.Assert(err, ErrorMatches, `validation assertion by snap "foo" \(id "snap-id-1"\) not signed by its publisher`)
 }
 
 func (vs *validationSuite) TestRevocation(c *C) {