snapd/tests/main/snap-validate-basic/task.yaml

summary: Ensure `snap validate` commands work with local assertions.

details: |
  A validation set is an assertion that lists specific snaps that are either
  required to be installed together or are permitted to be installed together
  on a device or system.

  The validate command lists or applies validation sets that state which snaps
  are required or permitted to be installed together, optionally constrained to
  fixed revisions.

  This test uses a local assertion to acknowledge a validation set and verifies
  the following points:
  . `snap validate` command required arguments are required
  . monitor mode is supported with a pinned sequence and local validation-set
  . a validation set is valid or invalid depending on presence of the snap
  . the presence of an optional snap (validation set remains valid)
  . a validation set can be forgotten
  . monitor mode is supported with a local validation-set (non-pinned)
  . monitor mode report valid status when enabled

# This test uses a local validation set assertion (vs1.json) signed upfront
# with my (stolowski) private store key (account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f,
# public-key-sha3: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy);
# the resulting assertion provided with the test is vs1.assert.
#
# If this needs to be redone with another developer account, the steps are:
# 1. update account-id and authority-id in vs1.json for the developer to use.
# 2. snap sign vs1.json -k <gpg key name> > vs1.assert (replace the assert file)
# 3. change account-ids and sha3 checksum used below in the test with
# the desired developer key.

systems:
  # go-flags panics when showing --help for a hidden command on Fedora 32/33
  - -fedora-*

environment:
  ACCOUNT_ID: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
  PUBKEY_SHA: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy

prepare : |
  echo "Acknowledging account and account-key assertions required by local validation set"
  snap known --remote account account-id="$ACCOUNT_ID" > account.assert
  snap known --remote account-key public-key-sha3-384="$PUBKEY_SHA" > key.assert
  snap ack account.assert
  snap ack key.assert
  # validation-set assertion ack'ed locally (but not available in the store)
  snap ack vs1.assert
  # precondition check
  snap known validation-set | MATCH "name: hello-world"

execute: |
  snap validate --help | MATCH "The validate command lists or applies validation sets"
  snap validate 2>&1 | MATCH "No validations are available"

  snap validate --monitor 2>&1 | MATCH "missing validation set argument"
  snap validate --monitor --enforce foo/bar 2>&1 | MATCH "cannot use --monitor and --enforce together"
  snap validate foo 2>&1 | MATCH "cannot parse validation set \"foo\""

  echo "Checking enforce mode error"
  snap validate --enforce "$ACCOUNT_ID"/bar=1 2>&1 | MATCH "error: cannot apply validation set: cannot enforce validation set: validation sets assertions are not met:"

  echo "Tracking not set up yet, but validation is possible with local assertion"
  snap validate "$ACCOUNT_ID"/bar=1 2>&1 | MATCH "^invalid"

  echo "Checking that monitor mode is supported with a pinned sequence and local validation-set"
  snap validate --monitor "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
  snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +invalid"

  echo "Checking that validation-set is valid or invalid depending on presence of the snap"
  snap install hello-world
  snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +valid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"

  # presence of bare snap is optional (validation set was valid
  # already and optional snap doesn't change that).
  snap install bare
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"

  # presence of test-snapd-base-bare is invalid
  snap install test-snapd-base-bare
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
  snap remove --purge test-snapd-base-bare
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
  snap remove --purge hello-world
  snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +invalid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"

  echo "Checking that validation sets can be forgotten"
  snap validate --forget "$ACCOUNT_ID"/bar
  snap validate 2>&1 | MATCH "No validations are available"

  echo "Checking that monitor mode is supported with a local validation-set (non-pinned)"
  snap validate --monitor "$ACCOUNT_ID"/bar | MATCH "^invalid"
  snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +invalid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
  snap validate "$ACCOUNT_ID"/bar | MATCH "^invalid"
  snap install hello-world
  snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +valid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
  snap validate "$ACCOUNT_ID"/bar | MATCH "^valid"

  echo "Check that --monitor mode report valid status when enabled"
  snap validate --monitor "$ACCOUNT_ID"/bar | MATCH "^valid"
  snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +valid"