github.com/Lephar/snapd@v0.0.0-20210825215435-c7fba9cef4d2/asserts/snapasserts/snapasserts.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 // Package snapasserts offers helpers to handle snap related assertions and their checking for installation. 21 package snapasserts 22 23 import ( 24 "fmt" 25 26 "github.com/snapcore/snapd/asserts" 27 "github.com/snapcore/snapd/release" 28 "github.com/snapcore/snapd/snap" 29 ) 30 31 type Finder interface { 32 // Find an assertion based on arbitrary headers. Provided 33 // headers must contain the primary key for the assertion 34 // type. It returns a asserts.NotFoundError if the assertion 35 // cannot be found. 36 Find(assertionType *asserts.AssertionType, headers map[string]string) (asserts.Assertion, error) 37 } 38 39 func findSnapDeclaration(snapID, name string, db Finder) (*asserts.SnapDeclaration, error) { 40 a, err := db.Find(asserts.SnapDeclarationType, map[string]string{ 41 "series": release.Series, 42 "snap-id": snapID, 43 }) 44 if err != nil { 45 return nil, fmt.Errorf("internal error: cannot find snap declaration for %q: %s", name, snapID) 46 } 47 snapDecl := a.(*asserts.SnapDeclaration) 48 49 if snapDecl.SnapName() == "" { 50 return nil, fmt.Errorf("cannot install snap %q with a revoked snap declaration", name) 51 } 52 53 return snapDecl, nil 54 } 55 56 // CrossCheck tries to cross check the instance name, hash digest and size of a snap plus its metadata in a SideInfo with the relevant snap assertions in a database that should have been populated with them. 57 func CrossCheck(instanceName, snapSHA3_384 string, snapSize uint64, si *snap.SideInfo, db Finder) error { 58 // get relevant assertions and do cross checks 59 a, err := db.Find(asserts.SnapRevisionType, map[string]string{ 60 "snap-sha3-384": snapSHA3_384, 61 }) 62 if err != nil { 63 return fmt.Errorf("internal error: cannot find pre-populated snap-revision assertion for %q: %s", instanceName, snapSHA3_384) 64 } 65 snapRev := a.(*asserts.SnapRevision) 66 67 if snapRev.SnapSize() != snapSize { 68 return fmt.Errorf("snap %q file does not have expected size according to signatures (download is broken or tampered): %d != %d", instanceName, snapSize, snapRev.SnapSize()) 69 } 70 71 snapID := si.SnapID 72 73 if snapRev.SnapID() != snapID || snapRev.SnapRevision() != si.Revision.N { 74 return fmt.Errorf("snap %q does not have expected ID or revision according to assertions (metadata is broken or tampered): %s / %s != %d / %s", instanceName, si.Revision, snapID, snapRev.SnapRevision(), snapRev.SnapID()) 75 } 76 77 snapDecl, err := findSnapDeclaration(snapID, instanceName, db) 78 if err != nil { 79 return err 80 } 81 82 if snapDecl.SnapName() != snap.InstanceSnap(instanceName) { 83 return fmt.Errorf("cannot install %q, snap %q is undergoing a rename to %q", instanceName, snap.InstanceSnap(instanceName), snapDecl.SnapName()) 84 } 85 86 return nil 87 } 88 89 // DeriveSideInfo tries to construct a SideInfo for the given snap using its digest to find the relevant snap assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them. 90 func DeriveSideInfo(snapPath string, db Finder) (*snap.SideInfo, error) { 91 snapSHA3_384, snapSize, err := asserts.SnapFileSHA3_384(snapPath) 92 if err != nil { 93 return nil, err 94 } 95 96 // get relevant assertions and reconstruct metadata 97 a, err := db.Find(asserts.SnapRevisionType, map[string]string{ 98 "snap-sha3-384": snapSHA3_384, 99 }) 100 if err != nil { 101 return nil, err 102 } 103 104 snapRev := a.(*asserts.SnapRevision) 105 106 if snapRev.SnapSize() != snapSize { 107 return nil, fmt.Errorf("snap %q does not have expected size according to signatures (broken or tampered): %d != %d", snapPath, snapSize, snapRev.SnapSize()) 108 } 109 110 snapID := snapRev.SnapID() 111 112 snapDecl, err := findSnapDeclaration(snapID, snapPath, db) 113 if err != nil { 114 return nil, err 115 } 116 117 return SideInfoFromSnapAssertions(snapDecl, snapRev), nil 118 } 119 120 // SideInfoFromSnapAssertions returns a *snap.SideInfo reflecting the given snap assertions. 121 func SideInfoFromSnapAssertions(snapDecl *asserts.SnapDeclaration, snapRev *asserts.SnapRevision) *snap.SideInfo { 122 return &snap.SideInfo{ 123 RealName: snapDecl.SnapName(), 124 SnapID: snapDecl.SnapID(), 125 Revision: snap.R(snapRev.SnapRevision()), 126 } 127 } 128 129 // FetchSnapAssertions fetches the assertions matching the snap file digest using the given fetcher. 130 func FetchSnapAssertions(f asserts.Fetcher, snapSHA3_384 string) error { 131 // for now starting from the snap-revision will get us all other relevant assertions 132 ref := &asserts.Ref{ 133 Type: asserts.SnapRevisionType, 134 PrimaryKey: []string{snapSHA3_384}, 135 } 136 137 return f.Fetch(ref) 138 } 139 140 // FetchSnapDeclaration fetches the snap declaration and its prerequisites for the given snap id using the given fetcher. 141 func FetchSnapDeclaration(f asserts.Fetcher, snapID string) error { 142 ref := &asserts.Ref{ 143 Type: asserts.SnapDeclarationType, 144 PrimaryKey: []string{release.Series, snapID}, 145 } 146 147 return f.Fetch(ref) 148 } 149 150 // FetchStore fetches the store assertion and its prerequisites for the given store id using the given fetcher. 151 func FetchStore(f asserts.Fetcher, storeID string) error { 152 ref := &asserts.Ref{ 153 Type: asserts.StoreType, 154 PrimaryKey: []string{storeID}, 155 } 156 157 return f.Fetch(ref) 158 }