snapasserts

package
v0.0.0-...-263a040

This package is not in the latest version of its module.
Published: Oct 8, 2024 License: GPL-3.0 Imports: 11 Imported by: 0

Documentation

Overview

Package snapasserts offers helpers to handle snap related assertions and their checking for installation.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckComponentProvenanceWithVerifiedRevision

func CheckComponentProvenanceWithVerifiedRevision(compPath string, verifiedRev *asserts.SnapResourceRevision) error

CheckComponentProvenanceWithVerifiedRevision checks that the given component has the same provenance as the provided resource-revision. It is intended to be called safely on components for which a matching and authorized resource-revision has already been found. Its purpose is to check that a blob has not been re-signed under an inappropriate provenance.

func CheckProvenanceWithVerifiedRevision

func CheckProvenanceWithVerifiedRevision(snapPath string, verifiedRev *asserts.SnapRevision) error

CheckProvenanceWithVerifiedRevision checks that the given snap has the same provenance as the provided snap-revision. It is intended to be called safely on snaps for which a matching and authorized snap-revision has already been found and cross-checked. Its purpose is to check that a blob has not been re-signed under an inappropriate provenance.

func CrossCheck

func CrossCheck(instanceName, snapSHA3_384, provenance string, snapSize uint64, si *snap.SideInfo, model *asserts.Model, db Finder) (snapRev *asserts.SnapRevision, err error)

CrossCheck tries to cross check the instance name, hash digest, provenance and size of a snap plus its metadata in a SideInfo with the relevant snap assertions in a database that should have been populated with them. The optional model assertion must be passed to have full cross checks in the case of delegated authority snap-revisions before installing a snap. It returns the corresponding cross-checked snap-revision. Ultimately the provided provenance (if not default) must be checked with the provenance in the snap metadata by the caller as well, if the provided provenance was not read safely from there already.
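The digest, size and metadata comparison that CrossCheck describes, as an added illustration that is not snapd's own code: a small in-memory stand-in for the Finder database keyed by digest and provenance, a trimmed snap-revision record, and a check that refuses any blob whose size, snap-id or revision disagrees with the signed snap-revision. The default provenance "global-upload" and all sample values are assumptions of this example.

```go
package main

import "fmt"

// Constructed, simplified model of the CrossCheck logic; not snapd's own types or database.
// SnapRevisionAssertion holds the snap-revision headers the check compares against.
type SnapRevisionAssertion struct {
	SnapSHA3_384 string
	SnapSize     uint64
	SnapID       string
	SnapRevision int
	Provenance   string // "global-upload" is assumed here to be the default provenance
}
// SideInfo is the caller's metadata for the snap (e.g. from a store response).
type SideInfo struct {
	SnapID   string
	Revision int
}
// assertionDB stands in for the Finder: snap-revisions keyed by digest and provenance.
type assertionDB map[[2]string]*SnapRevisionAssertion

func (db assertionDB) find(digest, provenance string) (*SnapRevisionAssertion, error) {
	if a, ok := db[[2]string{digest, provenance}]; ok {
		return a, nil
	}
	return nil, fmt.Errorf("snap-revision not found for digest %s, provenance %s", digest, provenance)
}

// CrossCheck looks up the snap-revision for digest+provenance and verifies that size,
// snap-id and revision agree with the SideInfo. Any mismatch means the blob is not the one
// the assertion signs for, so the caller must refuse to install it.
func CrossCheck(db assertionDB, digest, provenance string, size uint64, si *SideInfo) (*SnapRevisionAssertion, error) {
	if provenance == "" {
		provenance = "global-upload"
	}
	rev, err := db.find(digest, provenance)
	if err != nil {
		return nil, err
	}
	if rev.SnapSize != size {
		return nil, fmt.Errorf("snap size %d does not match snap-revision size %d", size, rev.SnapSize)
	}
	if rev.SnapID != si.SnapID {
		return nil, fmt.Errorf("snap-id %q does not match snap-revision snap-id %q", si.SnapID, rev.SnapID)
	}
	if rev.SnapRevision != si.Revision {
		return nil, fmt.Errorf("revision %d does not match snap-revision %d", si.Revision, rev.SnapRevision)
	}
	return rev, nil
}
```

The real function additionally consults the snap-declaration and model for delegated-authority provenances (see CrossCheckProvenance); this model only covers the digest, size and SideInfo comparison.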

func CrossCheckProvenance

func CrossCheckProvenance(instanceName string, snapRev *asserts.SnapRevision, snapDecl *asserts.SnapDeclaration, model *asserts.Model, db Finder) (signedProvenance string, err error)

CrossCheckProvenance tries to cross check the given snap-revision, if it has a non-default provenance, with the revision-authority constraints of the given snap-declaration, including any device scope constraints using model (and implied store). It also returns the provenance if it is different from the default. Ultimately, if not default, the provenance must also be checked with the provenance in the snap metadata by the caller.

func CrossCheckResource

func CrossCheckResource(name, hash, provenance string, size uint64, csi *snap.ComponentSideInfo, si *snap.SideInfo, model *asserts.Model, db Finder) error

CrossCheckResource tries to cross check the name, hash digest, size, provenance, and metadata of a snap resource with the relevant assertions (snap-resource-revision and snap-resource-pair) in a database that should be pre-populated with them.

func DeriveComponentSideInfoFromDigestAndSize

func DeriveComponentSideInfoFromDigestAndSize(resName, snapName, snapID string, compPath, snapSHA3_384 string, resSize uint64, model *asserts.Model, db Finder) (*snap.ComponentSideInfo, error)

DeriveComponentSideInfoFromDigestAndSize tries to construct a ComponentSideInfo using digest and size for a component and ID/name for the snap to find the relevant assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them.

func DeriveSideInfo

func DeriveSideInfo(snapPath string, model *asserts.Model, db Finder) (*snap.SideInfo, error)

DeriveSideInfo tries to construct a SideInfo for the given snap using its digest to find the relevant snap assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them. model is used to cross check that the found snap-revision is applicable on the device.

func DeriveSideInfoFromDigestAndSize

func DeriveSideInfoFromDigestAndSize(snapPath string, snapSHA3_384 string, snapSize uint64, model *asserts.Model, db Finder) (*snap.SideInfo, error)

DeriveSideInfoFromDigestAndSize tries to construct a SideInfo using digest and size as provided for the snap to find the relevant snap assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them. model is used to cross check that the found snap-revision is applicable on the device.

func FetchComponentAssertions

func FetchComponentAssertions(f asserts.Fetcher, si *snap.SideInfo, csi *snap.ComponentSideInfo, hash, provenance string) error

FetchComponentAssertions fetches the assertions matching the information described in the given SideInfo and ComponentSideInfo using the given fetcher.

func FetchRegistry

func FetchRegistry(f asserts.Fetcher, account, registryName string) error

FetchRegistry fetches a registry assertion described by account and registry name using the given fetcher.

func FetchResourcePairAssertion

func FetchResourcePairAssertion(f asserts.Fetcher, si *snap.SideInfo, resName string, resRev snap.Revision, provenance string) error

func FetchResourceRevisionAssertion

func FetchResourceRevisionAssertion(f asserts.Fetcher, si *snap.SideInfo, resName, hash, provenance string) error

func FetchSnapAssertions

func FetchSnapAssertions(f asserts.Fetcher, snapSHA3_384, provenance string) error

FetchSnapAssertions fetches the assertions matching the snap file digest and optional provenance using the given fetcher.

func FetchSnapDeclaration

func FetchSnapDeclaration(f asserts.Fetcher, snapID string) error

FetchSnapDeclaration fetches the snap declaration and its prerequisites for the given snap id using the given fetcher.

func FetchStore

func FetchStore(f asserts.Fetcher, storeID string) error

FetchStore fetches the store assertion and its prerequisites for the given store id using the given fetcher.

func ParseValidationSet

func ParseValidationSet(arg string) (account, name string, seq int, err error)

ParseValidationSet parses a validation set string (account/name or account/name=sequence) and returns its individual components, or an error.

func SideInfoFromSnapAssertions

func SideInfoFromSnapAssertions(snapDecl *asserts.SnapDeclaration, snapRev *asserts.SnapRevision) *snap.SideInfo

SideInfoFromSnapAssertions returns a *snap.SideInfo reflecting the given snap assertions.

Types

type Finder

type Finder interface {
	// Find an assertion based on arbitrary headers.  Provided
	// headers must contain the primary key for the assertion
	// type.  It returns an asserts.NotFoundError if the assertion
	// cannot be found.
	Find(assertionType *asserts.AssertionType, headers map[string]string) (asserts.Assertion, error)
	// FindMany finds assertions based on arbitrary headers.
	// It returns a NotFoundError if no assertion can be found.
	FindMany(assertionType *asserts.AssertionType, headers map[string]string) ([]asserts.Assertion, error)
}

type InstalledSnap

type InstalledSnap struct {
	naming.SnapRef
	Revision snap.Revision
}

InstalledSnap holds the minimal details about an installed snap required to check it against validation sets.

func NewInstalledSnap

func NewInstalledSnap(name, snapID string, revision snap.Revision) *InstalledSnap

NewInstalledSnap creates an InstalledSnap.

type PresenceConstraintError

type PresenceConstraintError struct {
	SnapName string
	Presence asserts.Presence
}

PresenceConstraintError describes an error where the presence of the given snap has an unexpected value, e.g. it is "invalid" while checking for "required".

func (*PresenceConstraintError) Error

func (e *PresenceConstraintError) Error() string

type ValidationSetKey

type ValidationSetKey string

ValidationSetKey is a string-backed primary key for a validation set assertion.

func NewValidationSetKey

func NewValidationSetKey(vs *asserts.ValidationSet) ValidationSetKey

NewValidationSetKey returns a validation set key for a validation set.

func (ValidationSetKey) Components

func (k ValidationSetKey) Components() []string

Components returns the components of the validation set's primary key (see assertion types in asserts/asserts.go).

func (ValidationSetKey) String

func (k ValidationSetKey) String() string

type ValidationSetKeySlice

type ValidationSetKeySlice []ValidationSetKey

ValidationSetKeySlice can be used to sort slices of ValidationSetKey.

func (ValidationSetKeySlice) CommaSeparated

func (s ValidationSetKeySlice) CommaSeparated() string

CommaSeparated returns the validation set keys separated by commas.

func (ValidationSetKeySlice) Len

func (s ValidationSetKeySlice) Len() int

func (ValidationSetKeySlice) Less

func (s ValidationSetKeySlice) Less(i, j int) bool

func (ValidationSetKeySlice) Swap

func (s ValidationSetKeySlice) Swap(i, j int)

type ValidationSets

type ValidationSets struct {
	// contains filtered or unexported fields
}

ValidationSets can hold a combination of validation-set assertions and can check for conflicts or help applying them.

func NewValidationSets

func NewValidationSets() *ValidationSets

NewValidationSets returns a new ValidationSets.

func (*ValidationSets) Add

func (v *ValidationSets) Add(valset *asserts.ValidationSet) error

Add adds the given asserts.ValidationSet to the combination. It errors if a validation-set with the same sequence key has been added already.

func (*ValidationSets) CanBePresent

func (v *ValidationSets) CanBePresent(snapRef naming.SnapRef) bool

CanBePresent returns true if a snap can be present in a situation in which these validation sets are being applied.

func (*ValidationSets) CheckInstalledSnaps

func (v *ValidationSets) CheckInstalledSnaps(snaps []*InstalledSnap, ignoreValidation map[string]bool) error

CheckInstalledSnaps checks installed snaps against the validation sets.

func (*ValidationSets) CheckPresenceInvalid

func (v *ValidationSets) CheckPresenceInvalid(snapRef naming.SnapRef) ([]ValidationSetKey, error)

CheckPresenceInvalid returns the list of all validation sets that declare presence of the given snap as invalid. PresenceConstraintError is returned if presence of the snap is "optional" or "required". The method assumes that validation sets are not in conflict.

func (*ValidationSets) CheckPresenceRequired

func (v *ValidationSets) CheckPresenceRequired(snapRef naming.SnapRef) ([]ValidationSetKey, snap.Revision, error)

CheckPresenceRequired returns the list of all validation sets that declare presence of the given snap as required and the required revision (or snap.R(0) if no specific revision is required). PresenceConstraintError is returned if presence of the snap is "invalid". The method assumes that validation sets are not in conflict.
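The presence semantics described for CheckPresenceInvalid, CheckPresenceRequired and PresenceConstraintError, as an added example that is not snapd's own code: a constructed, simplified model in which validation sets carry presence and optional pinned revision per snap, and the required-presence check collects the sets requiring a snap while refusing outright when any set declares it invalid. Type names mirror the page but the fields and the string key form are assumptions of this example.

```go
package main

import "fmt"

// Constructed, simplified model of validation-set presence checks; these are not snapd's own types.
type Presence string
const (
	PresenceRequired Presence = "required"
	PresenceOptional Presence = "optional"
	PresenceInvalid  Presence = "invalid"
)
// SnapConstraint is one snap entry of a validation set; Revision 0 means any revision is acceptable.
type SnapConstraint struct {
	Presence Presence
	Revision int
}
// ValidationSet carries its primary key in "account/name/sequence" form plus its snap entries.
type ValidationSet struct {
	Key   string
	Snaps map[string]SnapConstraint
}
// PresenceConstraintError reports a snap whose declared presence is not the one being checked for.
type PresenceConstraintError struct {
	SnapName string
	Presence Presence
}
func (e *PresenceConstraintError) Error() string {
	return fmt.Sprintf("snap %q has unexpected presence %q", e.SnapName, e.Presence)
}

// CheckPresenceRequired returns the keys of every set that requires snapName and the pinned
// revision (0 if none is pinned). A set declaring the snap invalid yields a PresenceConstraintError,
// so a forbidden snap is never reported as installable. Assumes the sets are not in conflict.
func CheckPresenceRequired(sets []*ValidationSet, snapName string) ([]string, int, error) {
	var keys []string
	rev := 0
	for _, vs := range sets {
		c := vs.Snaps[snapName] // a missing entry yields the zero value, matching neither case
		switch c.Presence {
		case PresenceInvalid:
			return nil, 0, &PresenceConstraintError{SnapName: snapName, Presence: c.Presence}
		case PresenceRequired:
			keys = append(keys, vs.Key)
			if c.Revision != 0 {
				rev = c.Revision
			}
		}
	}
	return keys, rev, nil
}
```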

func (*ValidationSets) Conflict

func (v *ValidationSets) Conflict() error

Conflict returns a non-nil error if the combination is in conflict, nil otherwise.

func (*ValidationSets) Keys

func (v *ValidationSets) Keys() []ValidationSetKey

Keys returns a slice of ValidationSetKey values, one for each validation set that this ValidationSets knows about.

func (*ValidationSets) RequiredSnaps

func (v *ValidationSets) RequiredSnaps() []string

RequiredSnaps returns a list of the names of all of the snaps that are required by any validation set known to this ValidationSets.

func (*ValidationSets) Revisions

func (v *ValidationSets) Revisions() (map[string]snap.Revision, error)

Revisions returns the set of snap revisions that is enforced by the validation sets that ValidationSets manages.

func (*ValidationSets) Sets

func (v *ValidationSets) Sets() []*asserts.ValidationSet

Sets returns a slice of all of the validation sets that this ValidationSets knows about.

func (*ValidationSets) SnapConstrained

func (v *ValidationSets) SnapConstrained(snapRef naming.SnapRef) bool

SnapConstrained returns true if the given snap is constrained by any of the validation sets known to this ValidationSets.

type ValidationSetsConflictError

type ValidationSetsConflictError struct {
	Sets  map[string]*asserts.ValidationSet
	Snaps map[string]error
}

ValidationSetsConflictError describes an error where multiple validation sets are in conflict about snaps.

func (*ValidationSetsConflictError) Error

func (*ValidationSetsConflictError) Is

type ValidationSetsValidationError

type ValidationSetsValidationError struct {
	// MissingSnaps maps missing snap names to the expected revisions and respective validation sets requiring them.
	// Revisions may be unset if no specific revision is required
	MissingSnaps map[string]map[snap.Revision][]string
	// InvalidSnaps maps snap names to the validation sets declaring them invalid.
	InvalidSnaps map[string][]string
	// WrongRevisionSnaps maps snap names to the expected revisions and respective
	// validation sets that require them.
	WrongRevisionSnaps map[string]map[snap.Revision][]string
	// Sets maps validation set keys to all validation sets assertions considered
	// in the failed check.
	Sets map[string]*asserts.ValidationSet
}

ValidationSetsValidationError describes an error arising from validation of snaps against ValidationSets.

func (*ValidationSetsValidationError) Error
