Skip to content

Commit

Permalink
daemon: also verify snap instructions for multi-snap requests
Browse files Browse the repository at this point in the history 
Without this change, the checks done in `verifySnapInstructions` were
not done for requests done by POSTing to `/v2/snaps`. This meant that
you could install `ubuntu-core`, by doing `snap install ubuntu-core
hello`.

This change makes the multi-snap operation also check the instruction,
so now that multi-snap operation properly errors out.
  • Loading branch information
@chipaca
chipaca committed Apr 26, 2019
1 parent a7dc812 commit b1b50fb
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
3 changes: 3 additions & 0 deletions daemon/api.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1381,6 +1381,9 @@ func snapsOp(c *Command, r *http.Request, user *auth.UserState) Response {
return BadRequest("cannot decode request body into snap instruction: %v", err)
}

if err := verifySnapInstructions(&inst); err != nil {
return BadRequest("%v", err)
}
if inst.Channel != "" || !inst.Revision.Unset() || inst.DevMode || inst.JailMode {
return BadRequest("unsupported option provided for multi-snap operation")
}
Expand Down
17 changes: 16 additions & 1 deletion daemon/api_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2404,7 +2404,7 @@ func (s *apiSuite) TestPostSnap(c *check.C) {
c.Check(soon, check.Equals, 1)
}

func (s *apiSuite) TestPostSnapVerfySnapInstruction(c *check.C) {
func (s *apiSuite) TestPostSnapVerifySnapInstruction(c *check.C) {
s.daemonWithOverlordMock(c)

buf := bytes.NewBufferString(`{"action": "install"}`)
Expand All @@ -2419,6 +2419,21 @@ func (s *apiSuite) TestPostSnapVerfySnapInstruction(c *check.C) {
c.Check(rsp.Result.(*errorResult).Message, testutil.Contains, `cannot install "ubuntu-core", please use "core" instead`)
}

func (s *apiSuite) TestPostSnapVerifyMultiSnapInstruction(c *check.C) {
s.daemonWithOverlordMock(c)

buf := strings.NewReader(`{"action": "install","snaps":["ubuntu-core"]}`)
req, err := http.NewRequest("POST", "/v2/snaps", buf)
c.Assert(err, check.IsNil)
req.Header.Set("Content-Type", "application/json")

rsp := postSnaps(snapsCmd, req, nil).(*resp)

c.Check(rsp.Type, check.Equals, ResponseTypeError)
c.Check(rsp.Status, check.Equals, 400)
c.Check(rsp.Result.(*errorResult).Message, testutil.Contains, `cannot install "ubuntu-core", please use "core" instead`)
}

func (s *apiSuite) TestPostSnapSetsUser(c *check.C) {
d := s.daemon(c)
ensureStateSoon = func(st *state.State) {}
Expand Down

0 comments on commit b1b50fb

Please sign in to comment.