authorPaweł Stołowski <stolowski@gmail.com>2021-10-15 10:36:30 +0200
committerPaweł Stołowski <stolowski@gmail.com>2021-10-25 11:53:11 +0200
commit5097e52f7155535dacdae2bd5e69c8e7be5433fd (patch)
tree08b7a454adb14b7ba8d56f9f4ebc2c9d913aa2c8
parenteb4d86c7e1c82879429d9e83f597eaea4991cbc4 (diff)
Test validation enforcing.
-rw-r--r--tests/lib/snaps/store/test-snapd-validation-set-enforcing.v1/build-aux/snap/snapcraft.yaml17
-rw-r--r--tests/lib/snaps/store/test-snapd-validation-set-enforcing.v2/build-aux/snap/snapcraft.yaml17
-rw-r--r--tests/main/snap-validate-enforce/task.yaml81
-rw-r--r--tests/main/snap-validate-enforce/testenforce1-seq1.yaml13
-rw-r--r--tests/main/snap-validate-enforce/testenforce1-seq2.yaml10
-rw-r--r--tests/main/snap-validate-enforce/testenfroce2-seq1.yaml8
6 files changed, 146 insertions, 0 deletions
diff --git a/tests/lib/snaps/store/test-snapd-validation-set-enforcing.v1/build-aux/snap/snapcraft.yaml b/tests/lib/snaps/store/test-snapd-validation-set-enforcing.v1/build-aux/snap/snapcraft.yaml
new file mode 100644
index 0000000000..7da39aa0ad
--- /dev/null
+++ b/tests/lib/snaps/store/test-snapd-validation-set-enforcing.v1/build-aux/snap/snapcraft.yaml
@@ -0,0 +1,17 @@
+name: test-snapd-validation-set-enforcing
+version: 1.0.0
+summary: Test snap for validation set enforcing.
+description: |
+ Test snap for validation set enforcing.
+grade: stable
+confinement: strict
+type: app
+base: core18
+architectures:
+ - build-on: amd64
+ run-on: all
+
+parts:
+ test-snapd-validation-set-enforcing:
+ plugin: nil
+
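Review bot: Nothing in this file records which store revision and channel the built snap has to occupy, yet the task added in this commit matches `1\.0\.0 +1 +latest/beta` for it. A header comment such as `# Published to the store as revision 1 in latest/beta; tests/main/snap-validate-enforce depends on that mapping.` would make the dependency visible to anyone who rebuilds or re-uploads the snap. The same applies to the v2 snapcraft.yaml, where the task expects revision 2 in latest/edge and testenforce2 pins `revision: 2`.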
diff --git a/tests/lib/snaps/store/test-snapd-validation-set-enforcing.v2/build-aux/snap/snapcraft.yaml b/tests/lib/snaps/store/test-snapd-validation-set-enforcing.v2/build-aux/snap/snapcraft.yaml
new file mode 100644
index 0000000000..cfeb9704fd
--- /dev/null
+++ b/tests/lib/snaps/store/test-snapd-validation-set-enforcing.v2/build-aux/snap/snapcraft.yaml
@@ -0,0 +1,17 @@
+name: test-snapd-validation-set-enforcing
+version: 2.0.0
+summary: Test snap for validation set enforcing.
+description: |
+ Test snap for validation set enforcing.
+grade: stable
+confinement: strict
+type: app
+base: core18
+architectures:
+ - build-on: amd64
+ run-on: all
+
+parts:
+ test-snapd-validation-set-enforcing:
+ plugin: nil
+
diff --git a/tests/main/snap-validate-enforce/task.yaml b/tests/main/snap-validate-enforce/task.yaml
new file mode 100644
index 0000000000..0cf90cc491
--- /dev/null
+++ b/tests/main/snap-validate-enforce/task.yaml
@@ -0,0 +1,81 @@
+summary: |
+ Ensure `snap validate --enforce` works with validation-sets from the store.
+
+# This test uses validation set assertions from the store uploaded upfront
+# with my (stolowski) private store key (account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f,
+# public-key-sha3: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy);
+# the input assertion provided with the test is testenforce1-seq1.yaml and testenforce1-seq2.yaml;
+# they are included for reference and in case this needs to be recreated with another
+# developer account, but otherwise are not used in the test.
+#
+# If this needs to be redone with another developer account, the steps are:
+# 1. update account-id in the testenforce-*.yaml files for the developer to use.
+# 2. upload validation-set assertions to the store (repeat for sequence 1 and sequence 2,
+# paste respective testenforceX-seqN.yaml file when snapcraft opens up the editor):
+# snapcraft edit-validation-sets <account-id> testenforce1 1
+# snapcraft edit-validation-sets <account-id> testenforce1 2
+# snapcraft edit-validation-sets <account-id> testenforce2 1
+# 3. change account-ids in the test with the desired developer key
+
+environment:
+ ACCOUNT_ID: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
+
+execute: |
+ echo "Setting validation set in enforce mode fails when snap is not installed"
+ if snap validate --enforce "$ACCOUNT_ID"/testenforce1 > log.txt 2>&1; then
+ echo "Expected snap validate to fail"
+ exit 1
+ fi
+ MATCH "error: cannot apply validation set: cannot enforce validation set: validation sets assertions are not met:" < log.txt
+ MATCH "missing required snaps:" < log.txt
+ MATCH "test-snapd-validation-set-enforcing \(required by sets xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/testenforce1\)" < log.txt
+
+ echo "Install the required snap and enable enforcing mode, pinned at sequence point 1"
+ snap install --beta test-snapd-validation-set-enforcing
+ snap validate --enforce "$ACCOUNT_ID"/testenforce1=1
+
+ echo "Check that the validation set is listed and enforced"
+ snap validate | MATCH "^$ACCOUNT_ID/testenforce1=1 +enforce +1 +valid"
+ snap list | MATCH "test-snapd-validation-set-enforcing +1\.0\.0 +1 +latest/beta"
+
+ echo "Check that an invalid snap cannot be installed"
+ if snap install hello-world > log.txt 2>&1; then
+ echo "Expected snap install to fail"
+ exit 1
+ fi
+ MATCH 'error: cannot install "hello-world": cannot install snap "hello-world" due to' < log.txt
+ MATCH "enforcing rules of validation set" < log.txt
+ MATCH "16/$ACCOUNT_ID/testenforce1/1" < log.txt
+
+ echo "But it can be installed with --ignore-validation flag"
+ snap install --ignore-validation hello-world
+ snap remove --purge hello-world
+
+ echo "Snap cannot be removed when required"
+ if snap remove test-snapd-validation-set-enforcing > log.txt 2>&1; then
+ echo "Expected snap remove to fail"
+ exit 1
+ fi
+ MATCH 'error: cannot remove "test-snapd-validation-set-enforcing": snap' < log.txt
+ MATCH '"test-snapd-validation-set-enforcing" is not removable: snap' < log.txt
+ MATCH '"test-snapd-validation-set-enforcing" is required by validation sets:' < log.txt
+ MATCH "16/$ACCOUNT_ID/testenforce1/1" < log.txt
+
+ echo "Refresh the snap from edge channel (while the validation set is pinned)"
+ snap switch --edge test-snapd-validation-set-enforcing
+ snap refresh
+ snap validate | MATCH "^$ACCOUNT_ID/testenforce1=1 +enforce +1 +valid"
+ snap list | MATCH "test-snapd-validation-set-enforcing +2\.0\.0 +2 +latest/edge"
+
+ echo "And snap can be removed once validation set is forgotten"
+ snap validate --forget "$ACCOUNT_ID"/testenforce1
+ snap remove --purge test-snapd-validation-set-enforcing
+
+ echo "Use two validation sets, one requiring specific snap revision, no pinning"
+ snap install --edge test-snapd-validation-set-enforcing
+ snap validate --enforce "$ACCOUNT_ID"/testenforce1
+ snap validate --enforce "$ACCOUNT_ID"/testenforce2
+ # testenforce1 is at seq 2 since it wasn't pinned
+ snap validate | MATCH "^$ACCOUNT_ID/testenforce1 +enforce +2 +valid"
+ snap validate | MATCH "^$ACCOUNT_ID/testenforce2 +enforce +1 +valid"
+ snap list | MATCH "test-snapd-validation-set-enforcing +2\.0\.0 +2 +latest/edge"
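Review bot: The task ends with testenforce1 and testenforce2 still in enforce mode and test-snapd-validation-set-enforcing installed, and there is no `restore:` section, so a failure anywhere between the first successful `snap validate --enforce` and the `--forget` step also leaves enforcement active. Enforced sets block installing hello-world and removing the required snap, so leaked state could break later tests unless the suite resets snapd state between tasks, which is not visible here. A restore section that forgets both sets before removing the snap is sketched below. Separately, the third MATCH in the first block hard-codes the account id where every other check uses the variable; `MATCH "test-snapd-validation-set-enforcing \(required by sets $ACCOUNT_ID/testenforce1\)" < log.txt` would reduce step 3 of the header comment to a single edit.

```yaml
# … unchanged: summary, header comment, environment, execute …
restore: |
    # forget the sets first: an enforced set makes the required snap non-removable
    snap validate --forget "$ACCOUNT_ID"/testenforce1 || true
    snap validate --forget "$ACCOUNT_ID"/testenforce2 || true
    snap remove --purge test-snapd-validation-set-enforcing || true
    snap remove --purge hello-world || true
    rm -f log.txt
```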
diff --git a/tests/main/snap-validate-enforce/testenforce1-seq1.yaml b/tests/main/snap-validate-enforce/testenforce1-seq1.yaml
new file mode 100644
index 0000000000..01d25aa197
--- /dev/null
+++ b/tests/main/snap-validate-enforce/testenforce1-seq1.yaml
@@ -0,0 +1,13 @@
+account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
+name: testenforce1
+sequence: 1
+snaps:
+ - name: test-snapd-validation-set-enforcing
+ id: Tl0BlRrTksgJBZT3a9ffCDzut2KjZTer
+ presence: required
+ - name: hello-world
+ id: buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
+ presence: invalid
+ - name: bare
+ id: EISPgh06mRh1vordZY9OZ34QHdd7OrdR
+ presence: optional
diff --git a/tests/main/snap-validate-enforce/testenforce1-seq2.yaml b/tests/main/snap-validate-enforce/testenforce1-seq2.yaml
new file mode 100644
index 0000000000..b39e2f02c2
--- /dev/null
+++ b/tests/main/snap-validate-enforce/testenforce1-seq2.yaml
@@ -0,0 +1,10 @@
+account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
+name: testenforce1
+sequence: 2
+snaps:
+ - name: test-snapd-validation-set-enforcing
+ id: Tl0BlRrTksgJBZT3a9ffCDzut2KjZTer
+ presence: required
+ - name: hello-world
+ id: buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
+ presence: invalid
diff --git a/tests/main/snap-validate-enforce/testenfroce2-seq1.yaml b/tests/main/snap-validate-enforce/testenfroce2-seq1.yaml
new file mode 100644
index 0000000000..8176cb878c
--- /dev/null
+++ b/tests/main/snap-validate-enforce/testenfroce2-seq1.yaml
@@ -0,0 +1,8 @@
+account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
+name: testenforce2
+sequence: 1
+snaps:
+ - name: test-snapd-validation-set-enforcing
+ id: Tl0BlRrTksgJBZT3a9ffCDzut2KjZTer
+ presence: required
+ revision: 2
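Review bot: The file name is misspelled as `testenfroce2-seq1.yaml`, while the recreation steps in task.yaml refer to `testenforceX-seqN.yaml` and the set itself is named `testenforce2`; renaming it to `testenforce2-seq1.yaml` keeps those instructions followable. The task.yaml header also lists only the two testenforce1 files as reference inputs, so this file should be mentioned there as well.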