snapd/tests/main/snap-validate-basic/task.yaml

summary: Ensure `snap validate` commands work with local assertions.

# This test uses a local validation set assertion (vs1.json) signed upfront
# with my (stolowski) private store key (account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f,
# public-key-sha3: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy);
# the resulting assertion provided with the test is vs1.assert.
#
# If this needs to be redone with another developer account, the steps are:
# 1. update account-id and authority-id in vs1.json for the developer to use.
# 2. snap sign vs1.json -k <gpg key name> > vs1.assert (replace the assert file)
# 3. change account-ids and sha3 checksum used below in the test with
# the desired developer key.

systems:
  # go-flags panics when showing --help for a hidden command on Fedora 32/33
  - -fedora-*

environment:
  ACCOUNT_ID: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
  PUBKEY_SHA: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy

prepare : |
  echo "Acknowledging account and account-key assertions required by local validation set"
  snap known --remote account account-id="$ACCOUNT_ID" > account.assert
  snap known --remote account-key public-key-sha3-384="$PUBKEY_SHA" > key.assert
  snap ack account.assert
  snap ack key.assert
  # validation-set assertion ack'ed locally (but not available in the store)
  snap ack vs1.assert
  # sanity check
  snap known validation-set | MATCH "name: hello-world"

execute: |
  snap validate --help | MATCH "The validate command lists or applies validations sets"
  snap validate 2>&1 | MATCH "No validations are available"

  snap validate --monitor 2>&1 | MATCH "missing validation set argument"
  snap validate --monitor --enforce foo/bar 2>&1 | MATCH "cannot use --monitor and --enforce together"
  snap validate foo 2>&1 | MATCH "cannot parse validation set \"foo\""

  echo "Checking that enforce mode is not supported yet"
  snap validate --enforce foo/bar=1 2>&1 | MATCH "error: cannot apply validation set: invalid mode \"enforce\""

  echo "Tracking not set up yet, but validation is possible with local assertion"
  snap validate "$ACCOUNT_ID"/bar=1 2>&1 | MATCH "^invalid"

  echo "Checking that monitor mode is supported with a pinned sequence and local validation-set"
  snap validate --monitor "$ACCOUNT_ID"/bar=1
  snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +invalid"

  echo "Checking that validation-set is valid or invalid depending on presence of the snap"
  snap install hello-world
  snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +valid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"

  # presence of bare snap is optional (validation set was valid
  # already and optional snap doesn't change that).
  snap install bare
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"

  # presence of test-snapd-base-bare is invalid
  snap install test-snapd-base-bare
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
  snap remove --purge test-snapd-base-bare
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
  snap remove --purge hello-world
  snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +invalid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"

  echo "Checking that validation sets can be forgotten"
  snap validate --forget "$ACCOUNT_ID"/bar
  snap validate 2>&1 | MATCH "No validations are available"

  echo "Checking that monitor mode is supported with a local validation-set (non-pinned)"
  snap validate --monitor "$ACCOUNT_ID"/bar
  snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +invalid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
  snap validate "$ACCOUNT_ID"/bar | MATCH "^invalid"
  snap install hello-world
  snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +valid"
  snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
  snap validate "$ACCOUNT_ID"/bar | MATCH "^valid"