Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

a/snapasserts, o/assertstate: implement validate-component task handler #13964

Merged
merged 3 commits into from
Jun 3, 2024

Conversation

andrewphelpsj
Copy link
Member

This PR adds a task handler for performing the validity checks on a component from the store. This is mostly fairly consistent with how validate-snap works, with the addition of checking that there is a snap-resource-pair that exists for the component and snap revision.

@andrewphelpsj andrewphelpsj force-pushed the validate-component branch 2 times, most recently from 17449b0 to 472604e Compare May 17, 2024 09:53
Copy link
Contributor

@miguelpires miguelpires left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just some small comments and questions

asserts/snapasserts/snapasserts.go Outdated Show resolved Hide resolved
asserts/snapasserts/snapasserts.go Outdated Show resolved Hide resolved
asserts/snapasserts/snapasserts.go Outdated Show resolved Hide resolved
asserts/snapasserts/snapasserts.go Outdated Show resolved Hide resolved
asserts/snapasserts/snapasserts.go Outdated Show resolved Hide resolved
overlord/assertstate/assertmgr.go Outdated Show resolved Hide resolved
return err
}

// TODO: do we need to do something like snapasserts.CheckProvenanceWithVerifiedRevision for components?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like its already included in the checks above, but maybe I'm misunderstanding

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pedronis can you speak to the necessity of this check and the one in https://github.com/snapcore/snapd/pull/13964/files#r1604780776? They're modeled after the ones from doValidateSnap

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is about checking provenance value from inside the blob, we need to check with snapcraft whether it's being stored atm or not, it might not yet be but it should though

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per @mr-cal, the snapcraft side of this isn't implemented at the moment

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Snapcraft takes the provenance keyword from a snapcraft.yaml and writes it into meta/snap.yaml.

If I understand this correctly, snapcraft should always write the same provenance keyword in meta/component.yaml file?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I believe that is correct.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, correct

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From discussions with @pedronis, we're gonna leave the TODO for now and come back to this when the snapcraft side is implemented

Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did a first quick pass, looks reasonable, couple initial small comments

asserts/snapasserts/snapasserts.go Outdated Show resolved Hide resolved
return err
}

// TODO: do we need to do something like snapasserts.CheckProvenanceWithVerifiedRevision for components?
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is about checking provenance value from inside the blob, we need to check with snapcraft whether it's being stored atm or not, it might not yet be but it should though

Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you

Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a test need changes as well and there's an error path not reached perhaps

Comment on lines +152 to +156
provInf := ""
if provenance != "" {
provInf = fmt.Sprintf(" provenance: %s", provenance)
}
return fmt.Errorf("internal error: cannot find pre-populated snap-resource-revision assertion for %q: %s%s", name, hash, provInf)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this bit of code doesn't seem reached by tests

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added in 3ad8649

Copy link
Contributor

@miguelpires miguelpires left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

digest := makeDigest(12)
const size = uint64(1024)
const resourceName = "test-component"
const snapID = "snap-id-1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't being used below. Also, as a minor preference, not having these externalised unless it's necessary makes it easier to follow the test IMO

@ernestl ernestl merged commit 6abc1a3 into canonical:master Jun 3, 2024
43 of 49 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants