interfaces: sanitize plugs and slots early in ReadInfo

[stolowski]

Sanitize plugs and slots early in snap.ReadInfo so that every PlugInfo and SlotInfo is guaranteed to be sanitized when used. To preserve the current treatment of bad interfaces (which we skip but log in the task) I had to move away from BadInterfaceError (which is not really an error) and store bad interfaces in snap.Info, as they need to be reported at the point we have task at hand, rather than immediately on sanitize.

See the plan outlined here https://forum.snapcraft.io/t/preparing-the-interfaces-logic-for-connection-hooks/2184 - this is item no. 1 of the plan.

[codecov-io]

Codecov Report

Merging #3972 into master will increase coverage by 0.08%.
The diff coverage is 47.29%.

@@            Coverage Diff            @@
##           master   #3972      +/-   ##
=========================================
+ Coverage   75.71%   75.8%   +0.08%     
=========================================
  Files         429     433       +4     
  Lines       36709   37174     +465     
=========================================
+ Hits        27793   28178     +385     
- Misses       6964    7024      +60     
- Partials     1952    1972      +20

Impacted Files	Coverage Δ
overlord/snapstate/handlers.go	65.53% <ø> (ø)	⬆️
overlord/ifacestate/handlers.go	55.01% <0%> (-0.7%)	⬇️
snap/info_snap_yaml.go	94.03% <100%> (-0.04%)	⬇️
overlord/ifacestate/ifacemgr.go	93.18% <100%> (+0.15%)	⬆️
interfaces/repo.go	97.65% <100%> (-0.16%)	⬇️
cmd/snap-exec/main.go	69.23% <100%> (-0.18%)	⬇️
snap/info.go	80.42% <26.66%> (-7.87%)	⬇️
cmd/snap/main.go	63.38% <50%> (-0.15%)	⬇️
interfaces/builtin/all.go	73.33% <55.55%> (-26.67%)	⬇️
progress/progress.go	9.09% <0%> (-26.63%)	⬇️
... and 22 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d023f13...85124e7. Read the comment docs.

[zyga]

A few comments for your consideration, nothing major.

[zyga]

Could you please add a check that snap.SanitizePlugsSlots is not set yet? I worry that we may end up with sanitizer that checks against some ghost repository for whatever reason later.

[stolowski]

I tried a couple of different approches revolving around such check, but it turned out to be impossible due to the fact that in some tests we create two instances of repo side-by-side, or two daemons (with repos created implicitely).
Anyway, I changed this to an explicit setup call from ifacemgr, that way we know we do this only once in real code and there is no possiblity to mess it up. And ReadInfo will panic if the callback is not set.

[zyga]

Thank you

[zyga]

Is there any reason to validate the snap info at this step? Also, without this the whole method returns nothing.

[stolowski]

Good point, moved it back to AddSnap.

[zyga]

If you choose to keep snap validation out of interface validation then please this code here.

[stolowski]

Done.

[zyga]

Can you please remove the affected test function instead of commenting it out?

[stolowski]

Thanks for spotting... an oversight.

[zyga]

Nice! Thank you

[zyga]

I wonder if we should either use (en mass) testutil.BaseTest or remove it, we seem to have a swarm of restore me later functions in all the suites.

[stolowski]

Good idea, done that.

[zyga]

Shall we store the real error objects here? This way we could generate i18n specific message later.

[stolowski]

I'm not thrilled about storing error objects here, because these problems with interfaces are not actually treated as errors. Also, nothing is stopping us from populating this map with i18n, is it?

[zyga]

The errors can be stored and transformed to per-request i18n message later. We cannot translate them at this time.

[niemeyer]

We probably don't need to store those errors. Instead, if the interface definition is completely broken, we can reject the snap loading with the actual error.

[stolowski]

@niemeyer We have two possible problems to deal with: an unknown interface or interface not passing sanitization. AFAIR we didn't want to reject snaps on unknown interfaces.
Shall we only reject snaps that fail sanitization?

[niemeyer]

It's okay, let's keep it this way for now. Strings are fine for the time being (it is already like that in master). Easy to change when we want to.

[zyga]

I think this looks good now. The i18n issues can be solved once we do per-request i18n

[niemeyer]

This doesn't look right. This is changing global state by a method on a repository instance, setting to its own method. The idea of enabling and disabling the global logic by fiddling with this function is also suspect.

Why do we need the repository for those validations? We know about every interface at runtime without the need to touch the repository. That function should even be changeable I think, but rather an actual function that should always be available.

[niemeyer]

Sorry, I meant the function should not be changeable.

[stolowski]

Hmm. This function is called from snap.ReadInfo and needs to be a settable callback to avoid import cycle; in snapd it needs to actually sanitize plugs and slots against all interfaces, but in snap and snap-exec I set it to no-op func not to drag all the interfaces in (plus, it doesn't make sense to sanitize at this point).

To summarize, I'm not sure how to change this aspect to satisfy both cases - other than by having two ReadInfo functions (with- and without- sanitize), which I think is a bad idea.

NB, I got rid of the of the SetSanitizePlugSlots setter and do not depend on the repository anymore.

[niemeyer]

Same idea.. quite unexpected to have that initialized at a random point like this.

[zyga]

Shall we store the real error objects here? This way we could generate i18n specific message later.

[stolowski]

I'm not thrilled about storing error objects here, because these problems with interfaces are not actually treated as errors. Also, nothing is stopping us from populating this map with i18n, is it?

[zyga]

The errors can be stored and transformed to per-request i18n message later. We cannot translate them at this time.

[niemeyer]

We probably don't need to store those errors. Instead, if the interface definition is completely broken, we can reject the snap loading with the actual error.

[stolowski]

@niemeyer We have two possible problems to deal with: an unknown interface or interface not passing sanitization. AFAIR we didn't want to reject snaps on unknown interfaces.
Shall we only reject snaps that fail sanitization?

[niemeyer]

It's okay, let's keep it this way for now. Strings are fine for the time being (it is already like that in master). Easy to change when we want to.

[zyga]

I think that we can use the builtin.Interfaces() method so that we don't have to touch the repository in any way. @stolowski how does that sound to you? You can also expose the method builtin.Interface to access a specific one for the need of sanitization.

[stolowski]

@niemeyer @zyga Ok, I've made sanitization independent of repository, it's now a function based on allInterfaces.

[niemeyer]

LGTM with the following details sorted.

[niemeyer]

If you move this into an init() function there's no need to mock it in tests.

In either case, both snap-exec and the snap command should either have it in main, or in init, so we don't need to keep that distinction in mind.

[niemeyer]

Let's please add the interface name here:

"unknown interface %q"

[zyga]

Shall we store the real error objects here? This way we could generate i18n specific message later.

[stolowski]

I'm not thrilled about storing error objects here, because these problems with interfaces are not actually treated as errors. Also, nothing is stopping us from populating this map with i18n, is it?

[zyga]

The errors can be stored and transformed to per-request i18n message later. We cannot translate them at this time.

[niemeyer]

We probably don't need to store those errors. Instead, if the interface definition is completely broken, we can reject the snap loading with the actual error.

[stolowski]

@niemeyer We have two possible problems to deal with: an unknown interface or interface not passing sanitization. AFAIR we didn't want to reject snaps on unknown interfaces.
Shall we only reject snaps that fail sanitization?

[niemeyer]

It's okay, let's keep it this way for now. Strings are fine for the time being (it is already like that in master). Easy to change when we want to.

[niemeyer]

This would be nicer going into a function of its own. It seems too specialized and too custom-formatted to make sense in Info itself.

The function might look like this, at the package level:

func BadInterfacesSummary(snapInfo *snap.Info) string

I think we'll also want to change the formatting soon so it's more readable, but we can do that in a follow up.