Snappy

Merge lp:~elopio/snappy/test-verify into lp:~snappy-dev/snappy/snappy-moved-to-github

test-verify
Merge into snappy-moved-to-github

Proposed by Leo Arias on 2015-06-30

Status:	Superseded
Proposed branch:	lp:~elopio/snappy/test-verify
Merge into:	lp:~snappy-dev/snappy/snappy-moved-to-github
Prerequisite:	lp:~elopio/snappy/snappy_from_trunk
Diff against target:	485 lines (+319/-45) 10 files modified _integration-tests/tests/latest/install_test.go (+9/-0) cmd/snappy/cmd_verify.go (+43/-0) helpers/helpers.go (+4/-0) snappy/build.go (+3/-37) snappy/build_test.go (+1/-3) snappy/hashes.go (+85/-0) snappy/hashes_test.go (+65/-0) snappy/snapp.go (+26/-5) snappy/verify.go (+48/-0) snappy/verify_test.go (+35/-0)
To merge this branch:	bzr merge lp:~elopio/snappy/test-verify
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Michael Vogt		2015-06-30	Pending
Review via email: mp+263311@code.launchpad.net

lp:~elopio/snappy/test-verify updated on 2015-06-30

520. By Leo Arias on 2015-06-30: Added a todo comment.

Unmerged revisions

520. By Leo Arias on 2015-06-30: Added a todo comment.
519. By Leo Arias on 2015-06-30: Merged with the other verify branch.
518. By Leo Arias on 2015-06-30: Update the common calls.
517. By Leo Arias on 2015-06-30: Fixed the suite name.
516. By Leo Arias on 2015-06-30: Merged with prerequisite.
515. By Leo Arias on 2015-06-24: Added a verify test.
514. By Leo Arias on 2015-06-24: Merged with prerequisites.
513. By Michael Vogt on 2015-06-17: helpers/helpers.go: fix typo in comment (thanks Leo)
512. By Michael Vogt on 2015-06-17: cmd/snappy/cmd_verify.go: improve help message (thanks Leo!)
511. By Michael Vogt on 2015-06-17: snappy/snapp.go: remove RemoteSnapPart.Verify, SystemImagePart.Verify

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alan Meekins

Huang Jin

Leo Arias

Snappy Developers

Yung Shen

Snappy

Merge lp:~elopio/snappy/test-verify into lp:~snappy-dev/snappy/snappy-moved-to-github

Commit message

Description of the change

Unmerged revisions

Preview Diff

Subscribers

 === modified file '_integration-tests/tests/latest/install_test.go'
 --- _integration-tests/tests/latest/install_test.go	2015-06-30 03:40:28 +0000
 +++ _integration-tests/tests/latest/install_test.go	2015-06-30 03:40:28 +0000
@@ -92,3 +92,12 @@
  	expected := "(?ms).*^apps: hello-world\n"
  	c.Assert(infoOutput, Matches, expected)
+ }
++
++func (s *installSuite) TestVerifyWithInstalledPackage(c *C) {
++	installSnap(c, "hello-world")
++
++	verifyOutput := ExecCommand(c, "snappy", "verify")
++
++	// TODO fill the right expected message.
++	c.Assert(verifyOutput, Equals, "Verified successfully")
++}
 === added file 'cmd/snappy/cmd_verify.go'
 --- cmd/snappy/cmd_verify.go	1970-01-01 00:00:00 +0000
 +++ cmd/snappy/cmd_verify.go	2015-06-30 03:40:28 +0000
@@ -0,0 +1,43 @@
++// -*- Mode: Go; indent-tabs-mode: t -*-
++
++/*
++ * Copyright (C) 2014-2015 Canonical Ltd
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++package main
++
++import (
++	"launchpad.net/snappy/logger"
++	"launchpad.net/snappy/progress"
++	"launchpad.net/snappy/snappy"
++)
++
++type cmdVerify struct {
++}
++
++func init() {
++	_, err := parser.AddCommand("verify",
++		"Verify the integrity of all installed snap packages",
++		"Verify the integrity of all installed snap packages by comparing the permissions, sizes and file hashes of each file",
++		&cmdVerify{})
++	if err != nil {
++		logger.Panicf("Unable to verify: %v", err)
++	}
++}
++
++func (x *cmdVerify) Execute(args []string) (err error) {
++	return snappy.VerifyInstalled(progress.MakeProgressBar())
++}
 === modified file 'helpers/helpers.go'
 --- helpers/helpers.go	2015-06-09 19:11:54 +0000
 +++ helpers/helpers.go	2015-06-30 03:40:28 +0000
@@ -115,6 +115,10 @@
  // UnpackTar unpacks the given tar file into the target directory
  func UnpackTar(r io.Reader, targetDir string, fn UnpackTarTransformFunc) error {
++	// ensure we extract with the original permissions
++	oldUmask := syscall.Umask(0)
++	defer syscall.Umask(oldUmask)
++
  	return TarIterate(r, func(tr *tar.Reader, hdr *tar.Header) (err error) {
  		// run tar transform func
  		name := hdr.Name
 === modified file 'snappy/build.go'
 --- snappy/build.go	2015-06-11 19:30:45 +0000
 +++ snappy/build.go	2015-06-30 03:40:28 +0000
@@ -186,42 +186,6 @@
  	return strings.Fields(string(output))[0], nil
+ }
--func hashForFile(buildDir, path string, info os.FileInfo) (h *fileHash, err error) {
--	sha512sum := ""
--	// pointer so that omitempty works (we don't want size for
--	// directories or symlinks)
--	var size *int64
--	if info.Mode().IsRegular() {
--		sha512sum, err = helpers.Sha512sum(path)
--		if err != nil {
--			return nil, err
--		}
--		fsize := info.Size()
--		size = &fsize
--	}
--
--	// major/minor handling
--	device := ""
--	major, minor, err := helpers.MajorMinor(info)
--	if err == nil {
--		device = fmt.Sprintf("%v,%v", major, minor)
--	}
--
--	if buildDir != "" {
--		path = path[len(buildDir)+1:]
--	}
--
--	return &fileHash{
--		Name:   path,
--		Size:   size,
--		Sha512: sha512sum,
--		Device: device,
--		// FIXME: not portable, this output is different on
--		//        windows, macos
--		Mode: newYamlFileMode(info.Mode()),
--	}, nil
--}
--
  func writeHashes(buildDir, dataTar string) error {
  	debianDir := filepath.Join(buildDir, "DEBIAN")
@@ -244,10 +208,12 @@
  			return nil
+ 		}
--		hash, err := hashForFile(buildDir, path, info)
++		hash, err := hashForFile(path)
  		if err != nil {
  			return err
+ 		}
++		// adjust the name by removing the builddir
++		hash.Name = hash.Name[len(buildDir)+1:]
  		hashes.Files = append(hashes.Files, hash)
  		return nil
 === modified file 'snappy/build_test.go'
 --- snappy/build_test.go	2015-06-08 16:26:25 +0000
 +++ snappy/build_test.go	2015-06-30 03:40:28 +0000
@@ -432,9 +432,7 @@
  		c.Skip("no /dev/kmsg")
+ 	}
--	stat, err := os.Stat("/dev/kmsg")
--	c.Assert(err, IsNil)
--	h, err := hashForFile("", "/dev/kmsg", stat)
++	h, err := hashForFile("/dev/kmsg")
  	c.Assert(err, IsNil)
  	c.Assert(h.Name, Equals, "/dev/kmsg")
  	c.Assert(h.Device, Equals, "1,11")
 === modified file 'snappy/hashes.go'
 --- snappy/hashes.go	2015-05-15 13:33:27 +0000
 +++ snappy/hashes.go	2015-06-30 03:40:28 +0000
@@ -22,6 +22,8 @@
  import (
  	"fmt"
  	"os"
++
++	"launchpad.net/snappy/helpers"
+ )
  type yamlFileMode struct {
@@ -111,6 +113,40 @@
  	XAttr map[string]string `yaml:"xattr,omitempty"`
+ }
++func (fh *fileHash) Verify() error {
++	fh2, err := hashForFile(fh.Name)
++	if err != nil {
++		return err
++	}
++
++	// check permissions
++	if fh2.Mode.mode != fh.Mode.mode {
++		return fmt.Errorf("file mode mismatch for %v: 0%o != 0%o", fh.Name, fh.Mode.mode, fh2.Mode.mode)
++	}
++
++	// check size (only files have them)
++	if (fh2.Size == nil && fh.Size != nil) || (fh2.Size != nil && fh.Size == nil) {
++		return fmt.Errorf("size data mismatch for %v", fh.Name)
++	}
++	if fh2.Size != nil && fh.Size != nil {
++		if *fh2.Size != *fh.Size {
++			return fmt.Errorf("size mismatch for %v: %v != %v", fh.Name, *fh.Size, *fh2.Size)
++		}
++	}
++
++	// check hash
++	if fh2.Sha512 != fh.Sha512 {
++		return fmt.Errorf("hash mismatch for %v: %v != %v", fh.Name, fh.Sha512, fh2.Sha512)
++	}
++
++	// check device
++	if fh2.Device != fh.Device {
++		return fmt.Errorf("device info mismatch for %v: %v != %v", fh.Name, fh.Device, fh2.Device)
++	}
++
++	return nil
++}
++
  // the meta/hashes file
  type hashesYaml struct {
  	// the archive hash
@@ -119,3 +155,52 @@
  	// the hashes for the files in the archive
  	Files []*fileHash
+ }
++
++func (h *hashesYaml) Verify() error {
++	for _, fh := range h.Files {
++		if err := fh.Verify(); err != nil {
++			return err
++		}
++	}
++
++	return nil
++}
++
++// get the path for the given file
++func hashForFile(path string) (h *fileHash, err error) {
++	sha512sum := ""
++
++	info, err := os.Lstat(path)
++	if err != nil {
++		return nil, err
++	}
++
++	// pointer so that omitempty works (we don't want size for
++	// directories or symlinks)
++	var size *int64
++	if info.Mode().IsRegular() {
++		sha512sum, err = helpers.Sha512sum(path)
++		if err != nil {
++			return nil, err
++		}
++		fsize := info.Size()
++		size = &fsize
++	}
++
++	// major/minor handling
++	device := ""
++	major, minor, err := helpers.MajorMinor(info)
++	if err == nil {
++		device = fmt.Sprintf("%v,%v", major, minor)
++	}
++
++	return &fileHash{
++		Name:   path,
++		Size:   size,
++		Sha512: sha512sum,
++		Device: device,
++		// FIXME: not portable, this output is different on
++		//        windows, macos
++		Mode: newYamlFileMode(info.Mode()),
++	}, nil
++}
 === modified file 'snappy/hashes_test.go'
 --- snappy/hashes_test.go	2015-06-02 20:46:07 +0000
 +++ snappy/hashes_test.go	2015-06-30 03:40:28 +0000
@@ -152,3 +152,68 @@
    mode: frw-r--r--
  `)
+ }
++
++func makeTestFileWithHash(c *C) (*fileHash, string) {
++	p := filepath.Join(c.MkDir(), "foo")
++	err := ioutil.WriteFile(p, []byte("bar\n"), 0644)
++	c.Assert(err, IsNil)
++	st, err := os.Stat(p)
++	c.Assert(err, IsNil)
++
++	size := int64(4)
++	mode := newYamlFileMode(st.Mode())
++	fh := fileHash{
++		Name:   p,
++		Size:   &size,
++		Sha512: "cc06808cbbee0510331aa97974132e8dc296aeb795be229d064bae784b0a87a5cf4281d82e8c99271b75db2148f08a026c1a60ed9cabdb8cac6d24242dac4063",
++		Mode:   mode,
++	}
++	return &fh, p
++}
++
++func (s *SnapTestSuite) TestFileHashSimple(c *C) {
++	fh, _ := makeTestFileWithHash(c)
++	err := fh.Verify()
++	c.Assert(err, IsNil)
++}
++
++func (s *SnapTestSuite) TestFileHashWrongSize(c *C) {
++	fh, _ := makeTestFileWithHash(c)
++
++	fakeSize := int64(1)
++	fh.Size = &fakeSize
++
++	err := fh.Verify()
++	c.Assert(err, ErrorMatches, "size mismatch for .*/foo: 1 != 4")
++}
++
++func (s *SnapTestSuite) TestFileHashWrongMode(c *C) {
++	fh, _ := makeTestFileWithHash(c)
++	fh.Mode.mode = 0444
++
++	err := fh.Verify()
++	c.Assert(err, ErrorMatches, "file mode mismatch for .*/foo: 0444 != 0644")
++}
++
++func (s *SnapTestSuite) TestFileHashWrongHash(c *C) {
++	fh, _ := makeTestFileWithHash(c)
++	fh.Sha512 = "xx"
++
++	err := fh.Verify()
++	c.Assert(err, ErrorMatches, "hash mismatch for .*/foo: xx != cc06808cbbee0510331aa97974132e8dc296aeb795be229d064bae784b0a87a5cf4281d82e8c99271b75db2148f08a026c1a60ed9cabdb8cac6d24242dac4063")
++}
++
++func (s *SnapTestSuite) TestFileHashForDir(c *C) {
++	name := c.MkDir()
++	st, err := os.Stat(name)
++	c.Assert(err, IsNil)
++
++	mode := newYamlFileMode(st.Mode())
++	fh := fileHash{
++		Name: name,
++		Mode: mode,
++	}
++
++	err = fh.Verify()
++	c.Assert(err, IsNil)
++}
 === modified file 'snappy/snapp.go'
 --- snappy/snapp.go	2015-06-12 03:55:01 +0000
 +++ snappy/snapp.go	2015-06-30 03:40:28 +0000
@@ -608,9 +608,18 @@
  		part.description = description
+ 	}
--	// read hash, its ok if its not there, some older versions of
--	// snappy did not write this file
--	hashesData, err := ioutil.ReadFile(filepath.Join(part.basedir, "meta", "hashes.yaml"))
++	// read hash
++	h, err := part.hashesData()
++	if err != nil {
++		return nil, err
++	}
++	part.hash = h.ArchiveSha512
++
++	return part, nil
++}
++
++func (s *SnapPart) hashesData() (*hashesYaml, error) {
++	hashesData, err := ioutil.ReadFile(filepath.Join(s.basedir, "meta", "hashes.yaml"))
  	if err != nil {
  		return nil, err
+ 	}
@@ -620,9 +629,8 @@
  	if err != nil {
  		return nil, &ErrInvalidYaml{file: "hashes.yaml", err: err, yaml: hashesData}
+ 	}
--	part.hash = h.ArchiveSha512
--	return part, nil
++	return &h, nil
+ }
  // Type returns the type of the SnapPart (app, oem, ...)
@@ -1083,6 +1091,19 @@
  	return s.m.Frameworks, nil
+ }
++// Verify checks the integrity
++func (s *SnapPart) Verify(pb progress.Meter) error {
++	hashesData, err := s.hashesData()
++	if err != nil {
++		return err
++	}
++
++	helpers.ChDir(s.basedir, func() {
++		err = hashesData.Verify()
++	})
++	return err
++}
++
  // DependentNames returns a list of the names of apps installed that
  // depend on this one
  //
 === added file 'snappy/verify.go'
 --- snappy/verify.go	1970-01-01 00:00:00 +0000
 +++ snappy/verify.go	2015-06-30 03:40:28 +0000
@@ -0,0 +1,48 @@
++// -*- Mode: Go; indent-tabs-mode: t -*-
++
++/*
++ * Copyright (C) 2014-2015 Canonical Ltd
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++package snappy
++
++import (
++	"fmt"
++
++	"launchpad.net/snappy/progress"
++)
++
++// VerifyInstalled verifies all installed snaps
++func VerifyInstalled(pb progress.Meter) error {
++	m := NewMetaLocalRepository()
++	installed, err := m.Installed()
++	if err != nil {
++		return err
++	}
++
++	for _, part := range installed {
++		if _, ok := part.(*SnapPart); !ok {
++			continue
++		}
++		pb.Notify(fmt.Sprintf("Verifying %s", part.Name()))
++		if err := part.(*SnapPart).Verify(pb); err != nil {
++			return fmt.Errorf("verify for %v failed: %v", part.Name(), err)
++		}
++	}
++	pb.Notify(fmt.Sprintf("Verified %d successfully", len(installed)))
++
++	return nil
++}
 === added file 'snappy/verify_test.go'
 --- snappy/verify_test.go	1970-01-01 00:00:00 +0000
 +++ snappy/verify_test.go	2015-06-30 03:40:28 +0000
@@ -0,0 +1,35 @@
++// -*- Mode: Go; indent-tabs-mode: t -*-
++
++/*
++ * Copyright (C) 2014-2015 Canonical Ltd
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++package snappy
++
++import (
++	"path/filepath"
++
++	. "gopkg.in/check.v1"
++)
++
++func (s *SnapTestSuite) TestSnapVerifyWorksWithSystemImage(c *C) {
++	systemImageRoot = c.MkDir()
++
++	makeFakeSystemImageChannelConfig(c, filepath.Join(systemImageRoot, systemImageChannelConfig), "1")
++
++	err := VerifyInstalled(&MockProgressMeter{})
++	c.Assert(err, IsNil)
++}