Checkbox Provider - Base

Merge ~kristinchuang/plainbox-provider-checkbox:model-grade-check-revamp into plainbox-provider-checkbox:master

  1. Git
  2. lp:~kristinchuang/plainbox-provider-checkbox
  3. model-grade-check-revamp
  4. Merge into master
Proposed by Kristin Chuang
Status: Merged
Approved by: Jonathan Cave
Approved revision: 8b80db367ebb6cb02acae79c49ef8c90a1823572
Merged at revision: 3b91bc778fcff39e2a90dab13a667aa1e4d2d7e5
Proposed branch: ~kristinchuang/plainbox-provider-checkbox:model-grade-check-revamp
Merge into: plainbox-provider-checkbox:master
Diff against target: 53 lines (+10/-3)
2 files modified
bin/ubuntucore_image_checks.py (+5/-0)
units/image/jobs.pxu (+5/-3)
Reviewer Review Type Date Requested Status
Devices Certification Bot Needs Fixing
Jonathan Cave (community) Approve
Review via email: mp+404940@code.launchpad.net

Description of the change

Modify the existing Ubuntu Core model grade check from simply 'checking if the grade != dangerous' into 'checking if the actual grade set is as expected':

===== Changes =====
* Rename the existing `image/model-grade-not-dangerous` job into `image/model-grade`

* Updated the description of `image/model-grade` job

* Modified the logic of model checking function in `ubuntucore_image_checks.py`:
- always fail if model grade is missing
- always fail if model grade is 'dangerous'
- if a MODEL_GRADE exists in configuration variables, make sure the model grade matches MODEL_GRADE
- if no MODEL_GRADE was given, make sure the model grade is 'secured'

===== Trial run with the change =====
[OK] model grade missing - case expected to fail
[OK] image is classic - case expected to be skipped
-
[OK] model grade is dangerous, MODEL_GRADE set - case expected to fail
[OK] model grade is dangerous, MODEL_GRADE not set - case expected to fail
-
[OK] MODEL_GRADE set, matches actual model grade - case expected to pass
[OK] MODEL_GRADE set, does not match actual model grade - case expected to fail
-
[OK] MODEL_GRADE not set, matches actual model grade - case expected to pass
[OK] MODEL_GRADE not set, does not match actual model grade - case expected to fail

Model assertion grade documentation:
https://ubuntu.com/core/docs/reference/assertions/model

To post a comment you must log in.
Revision history for this message
Jonathan Cave (jocave) wrote :

Could you just modify the description to use the accurate grade "secured" rather than "secure"? Otherwise looks good, thanks

review: Approve
Revision history for this message
Kristin Chuang (kristinchuang) wrote :

Good catch, thanks Jonathan!
Re-pushed with typo corrected.

Revision history for this message
Jonathan Cave (jocave) wrote :

Thanks, still approved :)

review: Approve
Revision history for this message
Devices Certification Bot (ce-certification-qa) wrote :

The merge was fine but running tests failed.

[bionic] [09:06:22] starting container
[focal] [09:06:22] starting container
[xenial] [09:06:23] starting container
Device project added to bionic-testing
Device project added to focal-testing
Device project added to xenial-testing
[xenial] [09:06:35] provisioning container
[bionic] [09:06:44] provisioning container
[focal] [09:06:44] provisioning container
[xenial] [09:06:54] Starting tests...
[xenial] Found a test script: ./requirements/container-tests-provider-checkbox
[bionic] [09:07:04] Starting tests...
[bionic] Found a test script: ./requirements/container-tests-provider-checkbox
[focal] [09:07:18] Starting tests...
[focal] Found a test script: ./requirements/container-tests-provider-checkbox
[xenial] [09:08:47] container-tests-provider-checkbox: FAIL
[xenial] output: https://paste.ubuntu.com/p/qpRgXnxCBR/
[xenial] [09:08:50] Fixing file permissions in source directory
[xenial] [09:08:50] Destroying container
[bionic] [09:09:07] container-tests-provider-checkbox: FAIL
[bionic] output: https://paste.ubuntu.com/p/W5RkWKQNFh/
[bionic] [09:09:09] Fixing file permissions in source directory
[bionic] [09:09:09] Destroying container
[focal] [09:09:21] container-tests-provider-checkbox: FAIL
[focal] output: https://paste.ubuntu.com/p/XdQHHvd4jr/
[focal] [09:09:23] Fixing file permissions in source directory
[focal] [09:09:24] Destroying container

review: Needs Fixing
Revision history for this message
Jonathan Cave (jocave) wrote :

test_flake8_/root/project/bin/ubuntucore_image_checks.py (plainbox.provider_manager.Flake8Tests) ... /root/project/bin/ubuntucore_image_checks.py:101:80: E501 line too long (80 > 79 characters)

Revision history for this message
Kristin Chuang (kristinchuang) wrote :

re-pushed with flake8 error fixed

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/bin/ubuntucore_image_checks.py b/bin/ubuntucore_image_checks.py
2index e381e61..ff14784 100755
3--- a/bin/ubuntucore_image_checks.py
4+++ b/bin/ubuntucore_image_checks.py
5@@ -6,6 +6,7 @@
6 # Jonathan Cave <jonathan.cave@canonical.com>
7
8 import io
9+import os
10 import sys
11
12 from checkbox_support.snap_utils.snapd import Snapd
13@@ -91,10 +92,14 @@ class ModelInfo():
14 print('PASS')
15
16 def test_model_grade(self):
17+ MODEL_GRADE = os.environ.get('MODEL_GRADE', 'secured')
18 if not self.grade:
19 raise SystemExit('ERROR: failed to get model grade info')
20 if self.grade == 'dangerous':
21 raise SystemExit('ERROR: model grade must not be dangerous')
22+ if self.grade != MODEL_GRADE:
23+ raise SystemExit('ERROR: model grade is "{}",'.format(self.grade) +
24+ ' but "{}" is expected'.format(MODEL_GRADE))
25 print('PASS')
26
27
28diff --git a/units/image/jobs.pxu b/units/image/jobs.pxu
29index d185550..d5aa7d4 100644
30--- a/units/image/jobs.pxu
31+++ b/units/image/jobs.pxu
32@@ -71,16 +71,18 @@ command:
33 estimated_duration: 2.0
34 flags: preserve-locale
35
36-id: image/model-grade-not-dangerous
37+id: image/model-grade
38 category_id: image
39-_summary: Check that the model grade is not missing or set to dangerous
40+_summary: Check that the model grade is correctly set
41 requires:
42 lsb.distributor_id == "Ubuntu Core" and int(lsb.release) >= 20
43 _description:
44 Images with the 'dangerous' grade (the lowest of all available grades)
45 results in certain security measures to be relaxed.
46 Images that require strict security related implementations must
47- have the model grade set to a grade higher than 'dangerous'.
48+ have the model grade set to non-dangerous grades - either the highest
49+ grade of 'secured', or a grade passed to checkbox for checking via the
50+ MODEL_GRADE configuration variable.
51 plugin: shell
52 command:
53 ubuntucore_image_checks.py model-grade

Subscribers

People subscribed via source and target branches