github.com/rigado/snapd@v2.42.5-go-mod+incompatible/asserts/snapasserts/snapasserts.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 // Package snapasserts offers helpers to handle snap assertions and their checking for installation. 21 package snapasserts 22 23 import ( 24 "fmt" 25 26 "github.com/snapcore/snapd/asserts" 27 "github.com/snapcore/snapd/release" 28 "github.com/snapcore/snapd/snap" 29 ) 30 31 type Finder interface { 32 // Find an assertion based on arbitrary headers. Provided 33 // headers must contain the primary key for the assertion 34 // type. It returns a asserts.NotFoundError if the assertion 35 // cannot be found. 36 Find(assertionType *asserts.AssertionType, headers map[string]string) (asserts.Assertion, error) 37 } 38 39 func findSnapDeclaration(snapID, name string, db Finder) (*asserts.SnapDeclaration, error) { 40 a, err := db.Find(asserts.SnapDeclarationType, map[string]string{ 41 "series": release.Series, 42 "snap-id": snapID, 43 }) 44 if err != nil { 45 return nil, fmt.Errorf("internal error: cannot find snap declaration for %q: %s", name, snapID) 46 } 47 snapDecl := a.(*asserts.SnapDeclaration) 48 49 if snapDecl.SnapName() == "" { 50 return nil, fmt.Errorf("cannot install snap %q with a revoked snap declaration", name) 51 } 52 53 return snapDecl, nil 54 } 55 56 // CrossCheck tries to cross check the instance name, hash digest and size of a snap plus its metadata in a SideInfo with the relevant snap assertions in a database that should have been populated with them. 57 func CrossCheck(instanceName, snapSHA3_384 string, snapSize uint64, si *snap.SideInfo, db Finder) error { 58 // get relevant assertions and do cross checks 59 a, err := db.Find(asserts.SnapRevisionType, map[string]string{ 60 "snap-sha3-384": snapSHA3_384, 61 }) 62 if err != nil { 63 return fmt.Errorf("internal error: cannot find pre-populated snap-revision assertion for %q: %s", instanceName, snapSHA3_384) 64 } 65 snapRev := a.(*asserts.SnapRevision) 66 67 if snapRev.SnapSize() != snapSize { 68 return fmt.Errorf("snap %q file does not have expected size according to signatures (download is broken or tampered): %d != %d", instanceName, snapSize, snapRev.SnapSize()) 69 } 70 71 snapID := si.SnapID 72 73 if snapRev.SnapID() != snapID || snapRev.SnapRevision() != si.Revision.N { 74 return fmt.Errorf("snap %q does not have expected ID or revision according to assertions (metadata is broken or tampered): %s / %s != %d / %s", instanceName, si.Revision, snapID, snapRev.SnapRevision(), snapRev.SnapID()) 75 } 76 77 snapDecl, err := findSnapDeclaration(snapID, instanceName, db) 78 if err != nil { 79 return err 80 } 81 82 if snapDecl.SnapName() != snap.InstanceSnap(instanceName) { 83 return fmt.Errorf("cannot install %q, snap %q is undergoing a rename to %q", instanceName, snap.InstanceSnap(instanceName), snapDecl.SnapName()) 84 } 85 86 return nil 87 } 88 89 // DeriveSideInfo tries to construct a SideInfo for the given snap using its digest to find the relevant snap assertions with the information in the given database. It will fail with an asserts.NotFoundError if it cannot find them. 90 func DeriveSideInfo(snapPath string, db Finder) (*snap.SideInfo, error) { 91 snapSHA3_384, snapSize, err := asserts.SnapFileSHA3_384(snapPath) 92 if err != nil { 93 return nil, err 94 } 95 96 // get relevant assertions and reconstruct metadata 97 a, err := db.Find(asserts.SnapRevisionType, map[string]string{ 98 "snap-sha3-384": snapSHA3_384, 99 }) 100 if err != nil { 101 return nil, err 102 } 103 104 snapRev := a.(*asserts.SnapRevision) 105 106 if snapRev.SnapSize() != snapSize { 107 return nil, fmt.Errorf("snap %q does not have expected size according to signatures (broken or tampered): %d != %d", snapPath, snapSize, snapRev.SnapSize()) 108 } 109 110 snapID := snapRev.SnapID() 111 112 snapDecl, err := findSnapDeclaration(snapID, snapPath, db) 113 if err != nil { 114 return nil, err 115 } 116 117 name := snapDecl.SnapName() 118 119 return &snap.SideInfo{ 120 RealName: name, 121 SnapID: snapID, 122 Revision: snap.R(snapRev.SnapRevision()), 123 }, nil 124 } 125 126 // FetchSnapAssertions fetches the assertions matching the snap file digest using the given fetcher. 127 func FetchSnapAssertions(f asserts.Fetcher, snapSHA3_384 string) error { 128 // for now starting from the snap-revision will get us all other relevant assertions 129 ref := &asserts.Ref{ 130 Type: asserts.SnapRevisionType, 131 PrimaryKey: []string{snapSHA3_384}, 132 } 133 134 return f.Fetch(ref) 135 } 136 137 // FetchSnapDeclaration fetches the snap declaration and its prerequisites for the given snap id using the given fetcher. 138 func FetchSnapDeclaration(f asserts.Fetcher, snapID string) error { 139 ref := &asserts.Ref{ 140 Type: asserts.SnapDeclarationType, 141 PrimaryKey: []string{release.Series, snapID}, 142 } 143 144 return f.Fetch(ref) 145 } 146 147 // FetchStore fetches the store assertion and its prerequisites for the given store id using the given fetcher. 148 func FetchStore(f asserts.Fetcher, storeID string) error { 149 ref := &asserts.Ref{ 150 Type: asserts.StoreType, 151 PrimaryKey: []string{storeID}, 152 } 153 154 return f.Fetch(ref) 155 }