/snapd

overlord/ifacestate,daemon: setup security on conect and disconnect #948

Merged
merged 15 commits into from Apr 14, 2016
+134 −34

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@zyga @niemeyer
@zyga
Contributor

zyga commented Apr 14, 2016

This branch makes connect/disconnect setup security of both affected snaps.

zyga added some commits Apr 14, 2016

@zyga
overlord/ifacestate: make MockSecurityBackendsForSnap public 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
b25344b
@zyga
daemon: disable real security backends for all tests 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2d1960d
@zyga
overlord/ifacestate: setup security in doConnect 
This patch ensures calls to Connect setup the security of the affected
snaps (the plug side snap and the slot side snap).

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
4579cfe
@zyga
overlord/ifacestate: setup security in doDisconnect 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

All checks have passed

4 successful checks
@snappy-m-o
Integration tests — Success
Details
@snappy-m-o
autopkgtest — Success
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage decreased (-0.03%) to 76.827%
Details
efeba0d

@zyga zyga referenced this pull request Apr 14, 2016

Merged

overlord/ifacestate: reload snap connections when setting up security for a given snap #950

daemon/api_test.go
@@ -108,10 +110,15 @@ func (s *apiSuite) SetUpTest(c *check.C) {
configs: map[string]string{},
}
s.d = nil
+ // Disable real security backends for all API tests
+ s.restoreBackends = ifacestate.MockSecurityBackendsForSnap(
@niemeyer

niemeyer Apr 14, 2016

Contributor

How about making that simply MockSecurityBackends(nil)? I don't think any call site is using per-snap backends, which means all of that boilerplate is just unnecessary trouble.

@zyga

zyga Apr 14, 2016

Contributor

Good idea, done.

@zyga
overlord/ifacestate,daemon: simplify usage of MockSecurityBackendsFor… 
…Snap

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

1 failing and 3 successful checks
@snappy-m-o
autopkgtest
Details
@snappy-m-o
Integration tests — Success
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage decreased (-0.04%) to 76.813%
Details
0206b1d
overlord/ifacestate/ifacemgr.go
+// MockSecurityBackendsForSnap mocks the list of security backends that are used for setting up security.
+//
+// This function is public because it is referenced in the daemon
+func MockSecurityBackendsForSnap(fn func(snapInfo *snap.Info) []interfaces.SecurityBackend) func() {
@niemeyer

niemeyer Apr 14, 2016

Contributor

I actually meant this:

func MockSecurityBackends(backends []interfaces.SecurityBackend)
@zyga

zyga Apr 14, 2016

Contributor

Ahh, sorry. Will do in a sec.

@zyga

zyga Apr 14, 2016

Contributor

Done

overlord/ifacestate/ifacemgr.go
+ task.Errorf("cannot get state of snap %q: %s", snapInfo.Name(), err)
+ return state.Retry
+ }
+ for _, backend := range securityBackendsForSnap(snapInfo) {
@niemeyer

niemeyer Apr 14, 2016

Contributor

Similarly,

for _, backend := range securityBackends { ... }
@zyga

zyga Apr 14, 2016

Contributor

Done

zyga added some commits Apr 14, 2016

@zyga
overlord/ifacestate,daemon: simplify mocking of security backends 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

2 failing and 1 successful checks
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
bf0ce58
@zyga
overlord/ifacestate: shorten securityBackendsForSnap to securityBackends 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

2 failing and 2 successful checks
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage decreased (-0.04%) to 76.819%
Details
ec305be
overlord/ifacestate/ifacemgr.go
@@ -365,8 +365,25 @@ func (m *InterfaceManager) doConnect(task *state.Task, _ *tomb.Tomb) error {
}
plug := m.repo.Plug(plugRef.Snap, plugRef.Name)
+ slot := m.repo.Slot(slotRef.Snap, slotRef.Name)
+
+ for _, snapInfo := range []*snap.Info{plug.Snap, slot.Snap} {
@niemeyer

niemeyer Apr 14, 2016

Contributor

Can we please do this here instead:

err := setupSnapSecurity(task, plug.Snap, m.repo)
if err != nil {
        return err
}
err = setupSnapSecurity(task, slot.Snap, m.repo)
if err != nil {
        return err
}
@zyga

zyga Apr 14, 2016

Contributor

Done

overlord/ifacestate/ifacemgr.go
+ plug := m.repo.Plug(plugRef.Snap, plugRef.Name)
+ slot := m.repo.Slot(slotRef.Snap, slotRef.Name)
+
+ for _, snapInfo := range []*snap.Info{plug.Snap, slot.Snap} {
@niemeyer

niemeyer Apr 14, 2016

Contributor

Same as above.

@zyga

zyga Apr 14, 2016

Contributor

Done

overlord/ifacestate/ifacemgr.go
+//
+// This function is public because it is referenced in the daemon
+func MockSecurityBackends(backends []interfaces.SecurityBackend) func() {
+ securityBackends = func(snapInfo *snap.Info) []interfaces.SecurityBackend {
@niemeyer

niemeyer Apr 14, 2016

Contributor

This should be

oldBackends = securityBackends
securityBackends = backends
return func() { securityBackends = oldBackends }
@zyga

zyga Apr 14, 2016

Contributor

Done now

zyga added some commits Apr 14, 2016

@zyga
overlord/ifacestate: make securityBackends a simple list 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

2 failing and 2 successful checks
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage increased (+0.005%) to 76.861%
Details
8c03a3c
@zyga
interfaces/overlord: create setupSecurity helper and use it 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

2 failing and 2 successful checks
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage increased (+0.02%) to 76.872%
Details
18c5d7b
@zyga
overlord/ifacestate: unroll two setup loops 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
4f8d4a1
@zyga
overlord/ifacestate: rename setupSecurity to setupSnapSecurity 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
50710c8
@zyga
overlord/ifacestate: tweak arguments to setupSnapSecurity 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
fc219d6
@zyga
overlord/ifacestate: log errors in setupSnapSecurity 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

2 failing and 2 successful checks
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage increased (+0.04%) to 76.897%
Details
10564fa
@zyga
overlord/ifacestate: return state.Retry if setupSnapSecurity fails 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

2 failing and 2 successful checks
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage increased (+0.04%) to 76.897%
Details
ccfff95
overlord/ifacestate/ifacemgr.go
+ }
+ for _, backend := range securityBackends {
+ if err := backend.Setup(snapInfo, snapState.DevMode, repo); err != nil {
+ task.Errorf("cannot setup security of snap %q (backend %s): %s", snapName, backend.Name(), err)
@niemeyer

niemeyer Apr 14, 2016

Contributor

("cannot setup %s for snap %q: %s", backend.Name(), snapName, err)

@zyga

zyga Apr 14, 2016

Contributor

Done, thanks for the suggestion :-)

@zyga
overlord/ifacestate: tweak error message 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

1 errored, 1 failing, and 1 successful checks
continuous-integration/travis-ci/pr — The Travis CI build could not complete due to an error
Details
@snappy-m-o
Integration tests
Details
@snappy-m-o
autopkgtest — Success
Details
211e4a4
@niemeyer
Contributor

niemeyer commented Apr 14, 2016

Int tests infra is broken. Merging based on unit tests.

@niemeyer niemeyer merged commit 18fd1c0 into snapcore:master Apr 14, 2016
0 of 3 checks passed

0 of 3 checks passed

Integration tests Triggered
Details
autopkgtest Triggered
Details
continuous-integration/travis-ci/pr The Travis CI build is in progress
Details

@zyga zyga deleted the zyga:overlord-connect-disconnect-setup-security branch Apr 14, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment