Documentation
Overview
Package snapasserts offers helpers to handle snap-related assertions and to check them before installation.
Index
- func CheckComponentProvenanceWithVerifiedRevision(compPath string, verifiedRev *asserts.SnapResourceRevision) error
- func CheckProvenanceWithVerifiedRevision(snapPath string, verifiedRev *asserts.SnapRevision) error
- func CrossCheck(instanceName, snapSHA3_384, provenance string, snapSize uint64, ...) (snapRev *asserts.SnapRevision, err error)
- func CrossCheckProvenance(instanceName string, snapRev *asserts.SnapRevision, ...) (signedProvenance string, err error)
- func CrossCheckResource(name, hash, provenance string, size uint64, csi *snap.ComponentSideInfo, ...) (*asserts.SnapResourceRevision, error)
- func DeriveComponentSideInfo(name, path string, info *snap.Info, model *asserts.Model, db Finder) (*snap.ComponentSideInfo, error)
- func DeriveComponentSideInfoFromDigestAndSize(resName, snapName, snapID string, compPath, snapSHA3_384 string, ...) (*snap.ComponentSideInfo, error)
- func DeriveSideInfo(snapPath string, model *asserts.Model, db Finder) (*snap.SideInfo, error)
- func DeriveSideInfoFromDigestAndSize(snapPath string, snapSHA3_384 string, snapSize uint64, model *asserts.Model, ...) (*snap.SideInfo, error)
- func FetchComponentAssertions(f asserts.Fetcher, si *snap.SideInfo, csi *snap.ComponentSideInfo, ...) error
- func FetchConfdb(f asserts.Fetcher, account, confdbName string) error
- func FetchResourcePairAssertion(f asserts.Fetcher, si *snap.SideInfo, resName string, resRev snap.Revision, ...) error
- func FetchResourceRevisionAssertion(f asserts.Fetcher, si *snap.SideInfo, resName, hash, provenance string) error
- func FetchSnapAssertions(f asserts.Fetcher, snapSHA3_384, provenance string) error
- func FetchSnapDeclaration(f asserts.Fetcher, snapID string) error
- func FetchStore(f asserts.Fetcher, storeID string) error
- func ParseValidationSet(arg string) (account, name string, seq int, err error)
- func SideInfoFromSnapAssertions(snapDecl *asserts.SnapDeclaration, snapRev *asserts.SnapRevision) *snap.SideInfo
- type Finder
- type InstalledComponent
- type InstalledSnap
- func NewInstalledSnap(name, snapID string, revision snap.Revision, components []InstalledComponent) *InstalledSnap
- type PresenceConstraint
- type PresenceConstraintError
- func (e *PresenceConstraintError) Error() string
- type SnapPresenceConstraints
- func (s *SnapPresenceConstraints) Component(name string) PresenceConstraint
- func (s *SnapPresenceConstraints) Constrained() bool
- func (s *SnapPresenceConstraints) RequiredComponents() map[string]PresenceConstraint
- type ValidationSetKey
- func NewValidationSetKey(vs *asserts.ValidationSet) ValidationSetKey
- func (k ValidationSetKey) Components() []string
- func (k ValidationSetKey) String() string
- type ValidationSetKeySlice
- func (s ValidationSetKeySlice) CommaSeparated() string
- func (s ValidationSetKeySlice) Len() int
- func (s ValidationSetKeySlice) Less(i, j int) bool
- func (s ValidationSetKeySlice) Swap(i, j int)
- type ValidationSets
- func NewValidationSets() *ValidationSets
- func (v *ValidationSets) Add(valset *asserts.ValidationSet) error
- func (v *ValidationSets) CanBePresent(snapRef naming.SnapRef) bool
- func (v *ValidationSets) CheckInstalledSnaps(snaps []*InstalledSnap, ignoreValidation map[string]bool) error
- func (v *ValidationSets) Conflict() error
- func (v *ValidationSets) Empty() bool
- func (v *ValidationSets) Keys() []ValidationSetKey
- func (v *ValidationSets) Presence(sn naming.SnapRef) (SnapPresenceConstraints, error)
- func (v *ValidationSets) RequiredSnaps() []string
- func (v *ValidationSets) Revisions() (map[string]snap.Revision, error)
- func (v *ValidationSets) Sets() []*asserts.ValidationSet
- func (v *ValidationSets) SnapConstrained(snapRef naming.SnapRef) bool
- type ValidationSetsComponentValidationError
- type ValidationSetsConflictError
- func (e *ValidationSetsConflictError) Error() string
- func (e *ValidationSetsConflictError) Is(err error) bool
- type ValidationSetsValidationError
- func (e *ValidationSetsValidationError) Error() string
Constants
This section is empty.
Variables
This section is empty.
Functions
func CheckComponentProvenanceWithVerifiedRevision
func CheckComponentProvenanceWithVerifiedRevision(compPath string, verifiedRev *asserts.SnapResourceRevision) error
CheckComponentProvenanceWithVerifiedRevision checks that the given component carries the same provenance as the provided resource-revision. It is meant to be called only on components for which a matching and authorized resource-revision has already been found. Its purpose is to detect a blob that has been re-signed under an inappropriate provenance.
func CheckProvenanceWithVerifiedRevision
func CheckProvenanceWithVerifiedRevision(snapPath string, verifiedRev *asserts.SnapRevision) error
CheckProvenanceWithVerifiedRevision checks that the given snap carries the same provenance as the provided snap-revision. It is meant to be called only on snaps for which a matching and authorized snap-revision has already been found and cross-checked. Its purpose is to detect a blob that has been re-signed under an inappropriate provenance.
func CrossCheck
func CrossCheck(instanceName, snapSHA3_384, provenance string, snapSize uint64, si *snap.SideInfo, model *asserts.Model, db Finder) (snapRev *asserts.SnapRevision, err error)
CrossCheck cross-checks the instance name, hash digest, provenance and size of a snap, plus its metadata in a SideInfo, against the relevant snap assertions in a database that should already have been populated with them. The model assertion is optional, but it must be passed to get the full cross-checks for delegated-authority snap-revisions before installing a snap. It returns the cross-checked snap-revision. If the provided provenance is not the default, the caller must ultimately also check it against the provenance recorded in the snap's own metadata, unless the provided provenance was already read safely from there.
func CrossCheckProvenance
func CrossCheckProvenance(instanceName string, snapRev *asserts.SnapRevision, snapDecl *asserts.SnapDeclaration, model *asserts.Model, db Finder) (signedProvenance string, err error)
CrossCheckProvenance cross-checks the given snap-revision, if it has a non-default provenance, against the revision-authority constraints of the given snap-declaration, including any device-scope constraints evaluated using model (and the store it implies). It returns the provenance if it differs from the default. If the provenance is not the default, the caller must ultimately also check it against the provenance recorded in the snap's metadata.
func CrossCheckResource
func CrossCheckResource(name, hash, provenance string, size uint64, csi *snap.ComponentSideInfo, si *snap.SideInfo, model *asserts.Model, db Finder) (*asserts.SnapResourceRevision, error)
CrossCheckResource tries to cross check the name, hash digest, size, provenance, and metadata of a snap resource with the relevant assertions (snap-resource-revision and snap-resource-pair) in a database that should be pre-populated with them.
func DeriveComponentSideInfo
func DeriveComponentSideInfo(name, path string, info *snap.Info, model *asserts.Model, db Finder) (*snap.ComponentSideInfo, error)
DeriveComponentSideInfo constructs a ComponentSideInfo from the given path, which should be the path to a component file. It also checks that the snap-resource-revision and snap-resource-pair assertions for this component are present in the given database.
func DeriveComponentSideInfoFromDigestAndSize
func DeriveComponentSideInfoFromDigestAndSize(resName, snapName, snapID string, compPath, snapSHA3_384 string, resSize uint64, model *asserts.Model, db Finder) (*snap.ComponentSideInfo, error)
DeriveComponentSideInfoFromDigestAndSize tries to construct a ComponentSideInfo using digest and size for a component and ID/name for the snap to find the relevant assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them.
func DeriveSideInfo
func DeriveSideInfo(snapPath string, model *asserts.Model, db Finder) (*snap.SideInfo, error)
DeriveSideInfo tries to construct a SideInfo for the given snap using its digest to find the relevant snap assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them. model is used to cross check that the found snap-revision is applicable on the device.
func DeriveSideInfoFromDigestAndSize
func DeriveSideInfoFromDigestAndSize(snapPath string, snapSHA3_384 string, snapSize uint64, model *asserts.Model, db Finder) (*snap.SideInfo, error)
DeriveSideInfoFromDigestAndSize tries to construct a SideInfo using the digest and size provided for the snap to find the relevant snap assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them. model is used to cross check that the found snap-revision is applicable on the device.
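The cross-check performed by CrossCheck, and the lookup order DeriveSideInfoFromDigestAndSize follows before running it, modelled as an added example. This is not snapd's own code: snapDeclaration, snapRevision and sideInfo are cut-down stand-ins for the assertion and SideInfo fields the checks compare (signature verification, which the real asserts database performs before anything can be found, is left out), memFinder stands in for Finder with in-memory lookups keyed the way the real primary keys are (snap-id for snap-declaration, sha3-384 plus provenance for snap-revision), and crossCheck, deriveSideInfo, sampleFinder, the snap "foo"/"idFOO" and the digests digest-A/digest-B are placeholders. It shows the conditions that give the function its security value: a digest with no matching signed revision, a size that disagrees with the signed size, SideInfo metadata that disagrees with the revision, an instance name that is not the declared snap, and a blob re-signed under a provenance the snap-declaration does not authorize.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Cut-down stand-ins for the assertion fields the cross-check consults. The real snap-declaration
// and snap-revision are signed assertions in an asserts database; signature checking is left out.
type snapDeclaration struct {
	SnapID, SnapName   string
	AllowedProvenances map[string]bool // non-default provenances permitted by revision-authority (simplified)
}

type snapRevision struct {
	SHA3_384, Provenance, SnapID string
	Size                         uint64
	Revision                     int
}

// sideInfo carries the parts of snap.SideInfo that the cross-check compares.
type sideInfo struct {
	RealName, SnapID string
	Revision         int
}

const defaultProvenance = "global-upload"

var errNotFound = errors.New("assertion not found")

// memFinder plays the role of Finder: lookups by each assertion type's primary key.
type memFinder struct {
	decls map[string]snapDeclaration // keyed by snap-id
	revs  map[string]snapRevision    // keyed by sha3-384 + "/" + provenance
}

// crossCheck models CrossCheck: digest, size, provenance and the SideInfo metadata
// must all agree with the signed snap-revision and snap-declaration.
func crossCheck(instanceName, digest, provenance string, size uint64, si sideInfo, f memFinder) (snapRevision, error) {
	if provenance == "" {
		provenance = defaultProvenance
	}
	rev, ok := f.revs[digest+"/"+provenance]
	if !ok {
		return snapRevision{}, fmt.Errorf("snap-revision for %q (digest %s, provenance %s): %w", instanceName, digest, provenance, errNotFound)
	}
	if rev.Size != size {
		// Same digest but another size: the download is broken or the size was tampered with.
		return snapRevision{}, fmt.Errorf("snap %q file does not have expected size according to signatures: %d != %d", instanceName, size, rev.Size)
	}
	if rev.SnapID != si.SnapID || rev.Revision != si.Revision {
		return snapRevision{}, fmt.Errorf("snap %q metadata does not match its snap-revision (id %s, revision %d)", instanceName, rev.SnapID, rev.Revision)
	}
	decl, ok := f.decls[rev.SnapID]
	if !ok {
		return snapRevision{}, fmt.Errorf("snap-declaration for %s: %w", rev.SnapID, errNotFound)
	}
	// Instance name "foo_bar" (parallel install) refers to snap "foo".
	snapName, _, _ := strings.Cut(instanceName, "_")
	if decl.SnapName != snapName {
		return snapRevision{}, fmt.Errorf("snap %q does not match snap-declaration for %s, which names %q", snapName, rev.SnapID, decl.SnapName)
	}
	if provenance != defaultProvenance && !decl.AllowedProvenances[provenance] {
		return snapRevision{}, fmt.Errorf("snap %q provenance %q is not authorized by its snap-declaration", snapName, provenance)
	}
	return rev, nil
}

// deriveSideInfo models DeriveSideInfoFromDigestAndSize: only the digest, size and the provenance
// read from the snap's own metadata are known, so the snap-revision is found first and the
// snap-declaration then supplies the snap's name before the full cross-check runs.
func deriveSideInfo(digest, provenance string, size uint64, f memFinder) (sideInfo, error) {
	rev, ok := f.revs[digest+"/"+provenance]
	decl, ok2 := f.decls[rev.SnapID]
	if !ok || !ok2 {
		return sideInfo{}, fmt.Errorf("assertions for digest %s: %w", digest, errNotFound)
	}
	si := sideInfo{RealName: decl.SnapName, SnapID: rev.SnapID, Revision: rev.Revision}
	_, err := crossCheck(decl.SnapName, digest, provenance, size, si, f)
	return si, err
}

// sampleFinder is a constructed database: one declaration and two revisions, the second under a
// vendor provenance the declaration does not authorize. The digests are placeholders, not SHA3-384.
func sampleFinder() memFinder {
	return memFinder{
		decls: map[string]snapDeclaration{"idFOO": {SnapID: "idFOO", SnapName: "foo"}},
		revs: map[string]snapRevision{
			"digest-A/global-upload": {SHA3_384: "digest-A", Provenance: "global-upload", SnapID: "idFOO", Size: 1234, Revision: 7},
			"digest-B/vendor-x":      {SHA3_384: "digest-B", Provenance: "vendor-x", SnapID: "idFOO", Size: 1234, Revision: 8},
		},
	}
}

func main() {
	si, err := deriveSideInfo("digest-A", defaultProvenance, 1234, sampleFinder())
	fmt.Println(si, err)
}
```

Like CrossCheck itself, the example takes the digest as an input: computing SHA3-384 over the actual file, and reading the provenance from the snap's own metadata as the CrossCheck documentation requires, stays with the caller. A revision that exists under a non-default provenance is only accepted once the snap-declaration authorizes that provenance, which is the check that stops a blob re-signed by an unrelated publisher from being installed as the declared snap.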
func FetchComponentAssertions
func FetchComponentAssertions(f asserts.Fetcher, si *snap.SideInfo, csi *snap.ComponentSideInfo, hash, provenance string) error
FetchComponentAssertions fetches the assertions matching the information described in the given SideInfo and ComponentSideInfo using the given fetcher.
func FetchConfdb
func FetchConfdb(f asserts.Fetcher, account, confdbName string) error
FetchConfdb fetches the confdb assertion described by account and confdb name using the given fetcher.
func FetchResourcePairAssertion
func FetchResourcePairAssertion(f asserts.Fetcher, si *snap.SideInfo, resName string, resRev snap.Revision, ...) error
func FetchResourceRevisionAssertion
func FetchResourceRevisionAssertion(f asserts.Fetcher, si *snap.SideInfo, resName, hash, provenance string) error
func FetchSnapAssertions
func FetchSnapAssertions(f asserts.Fetcher, snapSHA3_384, provenance string) error
FetchSnapAssertions fetches the assertions matching the snap file digest and optional provenance using the given fetcher.
func FetchSnapDeclaration
func FetchSnapDeclaration(f asserts.Fetcher, snapID string) error
FetchSnapDeclaration fetches the snap declaration and its prerequisites for the given snap id using the given fetcher.
func FetchStore
func FetchStore(f asserts.Fetcher, storeID string) error
FetchStore fetches the store assertion and its prerequisites for the given store id using the given fetcher.
func ParseValidationSet
func ParseValidationSet(arg string) (account, name string, seq int, err error)
ParseValidationSet parses a validation set string (account/name or account/name=sequence) and returns its individual components, or an error.
func SideInfoFromSnapAssertions
func SideInfoFromSnapAssertions(snapDecl *asserts.SnapDeclaration, snapRev *asserts.SnapRevision) *snap.SideInfo
SideInfoFromSnapAssertions returns a *snap.SideInfo reflecting the given snap assertions.
Types
type Finder
type Finder interface {
	// Find an assertion based on arbitrary headers. Provided
	// headers must contain the primary key for the assertion
	// type. It returns an asserts.NotFoundError if the assertion
	// cannot be found.
	Find(assertionType *asserts.AssertionType, headers map[string]string) (asserts.Assertion, error)
	// FindMany finds assertions based on arbitrary headers.
	// It returns a NotFoundError if no assertion can be found.
	FindMany(assertionType *asserts.AssertionType, headers map[string]string) ([]asserts.Assertion, error)
}
type InstalledComponent
type InstalledComponent struct {
	naming.ComponentRef
	Revision snap.Revision
}
type InstalledSnap
type InstalledSnap struct {
	naming.SnapRef
	Revision   snap.Revision
	Components []InstalledComponent
}
InstalledSnap holds the minimal details about an installed snap required to check it against validation sets.
func NewInstalledSnap
func NewInstalledSnap(name, snapID string, revision snap.Revision, components []InstalledComponent) *InstalledSnap
NewInstalledSnap creates an InstalledSnap.
type PresenceConstraint
type PresenceConstraint struct {
	// Presence is the required presence of the snap or component.
	Presence asserts.Presence
	// Revision is the revision that the snap or component must be at if the
	// presence is not invalid.
	Revision snap.Revision
	// Sets is a list of validation sets that the presence is derived from.
	Sets ValidationSetKeySlice
}
PresenceConstraint represents the allowed presence of a snap or component with respect to the set of validation sets it was derived from.
type PresenceConstraintError
PresenceConstraintError describes an error where the presence of the given snap has an unexpected value, e.g. it is "invalid" while checking for "required".
func (*PresenceConstraintError) Error
func (e *PresenceConstraintError) Error() string
type SnapPresenceConstraints
type SnapPresenceConstraints struct {
	PresenceConstraint
	// contains filtered or unexported fields
}
SnapPresenceConstraints contains information about a snap's allowed presence with respect to a set of validation sets.
func (*SnapPresenceConstraints) Component
func (s *SnapPresenceConstraints) Component(name string) PresenceConstraint
Component returns the presence of the given component of the snap. If this SnapPresenceConstraints doesn't know about the component, the component is considered optional and allowed to have any revision.
func (*SnapPresenceConstraints)  Constrained
func (s *SnapPresenceConstraints) Constrained() bool
Constrained returns true if the snap is constrained in any way by the validation sets that this SnapPresenceConstraints was created from. At least one of the following must hold for a snap to be constrained:
- the snap has a presence of either "required" or "invalid"
- the snap's revision is pinned to a specific revision
- either of the above holds for any of the snap's components
func (*SnapPresenceConstraints) RequiredComponents
func (s *SnapPresenceConstraints) RequiredComponents() map[string]PresenceConstraint
RequiredComponents returns a set of all of the components that are required to be installed when this snap is installed.
type ValidationSetKey
type ValidationSetKey string
ValidationSetKey is a string-backed primary key for a validation set assertion.
func NewValidationSetKey
func NewValidationSetKey(vs *asserts.ValidationSet) ValidationSetKey
NewValidationSetKey returns a validation set key for a validation set.
func (ValidationSetKey) Components
func (k ValidationSetKey) Components() []string
Components returns the components of the validation set's primary key (see assertion types in asserts/asserts.go).
func (ValidationSetKey) String
func (k ValidationSetKey) String() string
type ValidationSetKeySlice
type ValidationSetKeySlice []ValidationSetKey
ValidationSetKeySlice can be used to sort slices of ValidationSetKey.
func (ValidationSetKeySlice) CommaSeparated
func (s ValidationSetKeySlice) CommaSeparated() string
CommaSeparated returns the validation set keys separated by commas.
func (ValidationSetKeySlice) Len
func (s ValidationSetKeySlice) Len() int
func (ValidationSetKeySlice) Less
func (s ValidationSetKeySlice) Less(i, j int) bool
func (ValidationSetKeySlice) Swap
func (s ValidationSetKeySlice) Swap(i, j int)
type ValidationSets
type ValidationSets struct {
	// contains filtered or unexported fields
}
ValidationSets can hold a combination of validation-set assertions and can check for conflicts between them or help apply them.
func NewValidationSets
func NewValidationSets() *ValidationSets
NewValidationSets returns a new ValidationSets.
func (*ValidationSets) Add
func (v *ValidationSets) Add(valset *asserts.ValidationSet) error
Add adds the given asserts.ValidationSet to the combination. It errors if a validation-set with the same sequence key has been added already.
func (*ValidationSets) CanBePresent
func (v *ValidationSets) CanBePresent(snapRef naming.SnapRef) bool
CanBePresent returns true if a snap can be present in a situation in which these validation sets are being applied.
func (*ValidationSets) CheckInstalledSnaps
func (v *ValidationSets) CheckInstalledSnaps(snaps []*InstalledSnap, ignoreValidation map[string]bool) error
CheckInstalledSnaps checks installed snaps against the validation sets.
func (*ValidationSets) Conflict
func (v *ValidationSets) Conflict() error
Conflict returns a non-nil error if the combination is in conflict, nil otherwise.
func (*ValidationSets) Empty
func (v *ValidationSets) Empty() bool
Empty returns true if this ValidationSets hasn't had any validation sets added to it. An empty ValidationSets doesn't enforce any constraints on the state of snaps.
func (*ValidationSets) Keys
func (v *ValidationSets) Keys() []ValidationSetKey
Keys returns a slice of ValidationSetKey values, one for each validation set that this ValidationSets knows about.
func (*ValidationSets) Presence
func (v *ValidationSets) Presence(sn naming.SnapRef) (SnapPresenceConstraints, error)
Presence returns the SnapPresenceConstraints for the given snap. The returned struct describes the allowed presence of the snap with respect to the validation sets known to this ValidationSets. If the snap is not constrained by any validation set, its presence is considered optional.
Note that this method assumes that the validation sets are not in conflict; check with ValidationSets.Conflict() before calling it.
func (*ValidationSets) RequiredSnaps
func (v *ValidationSets) RequiredSnaps() []string
RequiredSnaps returns a list of the names of all of the snaps that are required by any validation set known to this ValidationSets.
func (*ValidationSets) Revisions
func (v *ValidationSets) Revisions() (map[string]snap.Revision, error)
Revisions returns the set of snap revisions that is enforced by the validation sets that ValidationSets manages.
func (*ValidationSets) Sets
func (v *ValidationSets) Sets() []*asserts.ValidationSet
Sets returns a slice of all of the validation sets that this ValidationSets knows about.
func (*ValidationSets) SnapConstrained
func (v *ValidationSets) SnapConstrained(snapRef naming.SnapRef) bool
SnapConstrained returns true if the given snap is constrained by any of the validation sets known to this ValidationSets.
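How a combination of validation sets is folded into a per-snap PresenceConstraint and then enforced against installed snaps, as an added example covering what ValidationSets.Presence, Conflict and CheckInstalledSnaps do and the shape of the ValidationSetsValidationError they produce. This is not snapd's code: validationSet and vsSnap are cut-down stand-ins for the assertion (no sequence, no signatures, no components), a set is identified by account/name the way a ValidationSetKey is, the conflict rules are reduced to the two obvious ones (a snap required by one set and invalid in another, or pinned to two different revisions), and the treatment of ignore-validation snaps is an assumption. All identifiers (validationSets, presenceOf, checkInstalledSnaps, the acme/base set, the snap names) are placeholders.

```go
package main

import "fmt"

// validationSet is a cut-down stand-in for asserts.ValidationSet; constructed for this example.
type validationSet struct {
	AccountID, Name string
	Snaps           []vsSnap
}

// vsSnap is one "snaps" entry: Presence is "required", "optional" or "invalid"; Revision 0 means unpinned.
type vsSnap struct {
	Name, Presence string
	Revision       int
}

// presence is the combined constraint on one snap plus the sets it came from (cf. PresenceConstraint).
type presence struct {
	Presence string
	Revision int
	Sets     []string
}

type validationSets struct{ sets []validationSet } // in the order they were added

// presenceOf folds every set's entry for the snap into one constraint (cf. Presence), reporting
// the per-snap conflicts Conflict would: "required" against "invalid", or two different pinned revisions.
func (v *validationSets) presenceOf(snapName string) (presence, error) {
	p := presence{Presence: "optional"}
	for _, vs := range v.sets {
		for _, s := range vs.Snaps {
			if s.Name != snapName {
				continue
			}
			p.Sets = append(p.Sets, vs.AccountID+"/"+vs.Name)
			if (s.Presence == "invalid" && p.Presence == "required") || (s.Presence == "required" && p.Presence == "invalid") {
				return presence{}, fmt.Errorf("conflict: snap %q is required by one set and invalid in another %v", snapName, p.Sets)
			}
			if s.Revision != 0 && p.Revision != 0 && s.Revision != p.Revision {
				return presence{}, fmt.Errorf("conflict: snap %q pinned to revisions %d and %d by %v", snapName, p.Revision, s.Revision, p.Sets)
			}
			if s.Presence != "optional" { // required and invalid override optional
				p.Presence = s.Presence
			}
			if s.Revision != 0 {
				p.Revision = s.Revision
			}
		}
	}
	return p, nil
}

// validationError has the shape of ValidationSetsValidationError; map values are the pinned revision, 0 meaning any.
type validationError struct {
	MissingSnaps, WrongRevisionSnaps map[string]int
	InvalidSnaps                     []string
}

func (e *validationError) Error() string {
	return fmt.Sprintf("missing=%v invalid=%v wrong-revision=%v", e.MissingSnaps, e.InvalidSnaps, e.WrongRevisionSnaps)
}

// checkInstalledSnaps models CheckInstalledSnaps over installed (name -> revision).
// Assumption: a snap in ignore (installed with --ignore-validation) is exempt from every check.
func (v *validationSets) checkInstalledSnaps(installed map[string]int, ignore map[string]bool) error {
	ve := &validationError{MissingSnaps: map[string]int{}, WrongRevisionSnaps: map[string]int{}}
	done := map[string]bool{}
	for _, vs := range v.sets {
		for _, s := range vs.Snaps {
			if done[s.Name] {
				continue
			}
			done[s.Name] = true
			p, err := v.presenceOf(s.Name)
			if err != nil {
				return err // conflicting sets cannot be enforced at all
			}
			rev, present := installed[s.Name]
			switch {
			case ignore[s.Name]:
			case p.Presence == "invalid" && present:
				ve.InvalidSnaps = append(ve.InvalidSnaps, s.Name)
			case p.Presence == "required" && !present:
				ve.MissingSnaps[s.Name] = p.Revision
			case present && p.Revision != 0 && rev != p.Revision:
				ve.WrongRevisionSnaps[s.Name] = p.Revision
			}
		}
	}
	if len(ve.MissingSnaps)+len(ve.InvalidSnaps)+len(ve.WrongRevisionSnaps) > 0 {
		return ve
	}
	return nil
}

func main() {
	v := &validationSets{sets: []validationSet{{AccountID: "acme", Name: "base", Snaps: []vsSnap{{Name: "netd", Presence: "required", Revision: 12}}}}}
	fmt.Println(v.checkInstalledSnaps(map[string]int{"netd": 11}, nil))
}
```

The order of operations mirrors the note on Presence above: a conflicting combination has no single answer for a snap, so presenceOf refuses to return one and checkInstalledSnaps aborts instead of enforcing whichever set happened to be added last. Keeping the originating set keys in the constraint is what lets the error name which set requires the missing snap or pins the revision, which is the information an operator needs to resolve it.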
type ValidationSetsComponentValidationError
type ValidationSetsComponentValidationError struct {
	// MissingComponents maps missing component names to the expected revisions
	// and respective validation sets requiring them. Revisions may be unset if
	// no specific revision is required.
	MissingComponents map[string]map[snap.Revision][]string
	// InvalidComponents maps component names to the validation sets declaring
	// them invalid.
	InvalidComponents map[string][]string
	// WrongRevisionComponents maps component names to the expected revisions and
	// respective validation sets that require them.
	WrongRevisionComponents map[string]map[snap.Revision][]string
}
ValidationSetsComponentValidationError describes an error arising from validation of the components of snaps against ValidationSets.
type ValidationSetsConflictError
type ValidationSetsConflictError struct {
	Sets       map[string]*asserts.ValidationSet
	Snaps      map[string]error
	Components map[string]map[string]error
}
ValidationSetsConflictError describes an error where multiple validation sets are in conflict about snaps.
func (*ValidationSetsConflictError) Error
func (e *ValidationSetsConflictError) Error() string
func (*ValidationSetsConflictError) Is
func (e *ValidationSetsConflictError) Is(err error) bool
type ValidationSetsValidationError
type ValidationSetsValidationError struct {
	// MissingSnaps maps missing snap names to the expected revisions and respective validation sets requiring them.
	// Revisions may be unset if no specific revision is required.
	MissingSnaps map[string]map[snap.Revision][]string
	// InvalidSnaps maps snap names to the validation sets declaring them invalid.
	InvalidSnaps map[string][]string
	// WrongRevisionSnaps maps snap names to the expected revisions and respective
	// validation sets that require them.
	WrongRevisionSnaps map[string]map[snap.Revision][]string
	// Sets maps validation set keys to all validation set assertions considered
	// in the failed check.
	Sets map[string]*asserts.ValidationSet
	// ComponentErrors maps snap names to ValidationSetsComponentValidationError values.
	ComponentErrors map[string]*ValidationSetsComponentValidationError
}
ValidationSetsValidationError describes an error arising from validation of snaps against ValidationSets.
func (*ValidationSetsValidationError) Error
func (e *ValidationSetsValidationError) Error() string