1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package asserts
import (
"errors"
"fmt"
"net/url"
"time"
)
// Store holds a store assertion, defining the configuration needed to connect
// a device to the store or relative to a non-default store.
type Store struct {
assertionBase
url *url.URL
friendlyStores []string
timestamp time.Time
}
// Store returns the identifying name of the operator's store.
func (store *Store) Store() string {
return store.HeaderString("store")
}
// OperatorID returns the account id of the store's operator.
func (store *Store) OperatorID() string {
return store.HeaderString("operator-id")
}
// URL returns the URL of the store's API.
func (store *Store) URL() *url.URL {
return store.url
}
// FriendlyStores returns stores holding snaps that are also exposed
// through this one.
func (store *Store) FriendlyStores() []string {
return store.friendlyStores
}
// Location returns a summary of the store's location/purpose.
func (store *Store) Location() string {
return store.HeaderString("location")
}
// Timestamp returns the time when the store assertion was issued.
func (store *Store) Timestamp() time.Time {
return store.timestamp
}
func (store *Store) checkConsistency(db RODatabase, acck *AccountKey) error {
// Will be applied to a system's snapd or influence snapd
// policy decisions (via friendly-stores) so must be signed by a trusted
// authority!
if !db.IsTrustedAccount(store.AuthorityID()) {
return fmt.Errorf("store assertion %q is not signed by a directly trusted authority: %s",
store.Store(), store.AuthorityID())
}
_, err := db.Find(AccountType, map[string]string{"account-id": store.OperatorID()})
if err != nil {
if errors.Is(err, &NotFoundError{}) {
return fmt.Errorf(
"store assertion %q does not have a matching account assertion for the operator %q",
store.Store(), store.OperatorID())
}
return err
}
return nil
}
// Prerequisites returns references to this store's prerequisite assertions.
func (store *Store) Prerequisites() []*Ref {
return []*Ref{
{AccountType, []string{store.OperatorID()}},
}
}
// checkStoreURL validates the "url" header and returns a full URL or nil.
func checkStoreURL(headers map[string]any) (*url.URL, error) {
s, err := checkOptionalString(headers, "url")
if err != nil {
return nil, err
}
if s == "" {
return nil, nil
}
errWhat := `"url" header`
u, err := url.Parse(s)
if err != nil {
return nil, fmt.Errorf("%s must be a valid URL: %s", errWhat, s)
}
if u.Scheme != "http" && u.Scheme != "https" {
return nil, fmt.Errorf(`%s scheme must be "https" or "http": %s`, errWhat, s)
}
if u.Host == "" {
return nil, fmt.Errorf(`%s must have a host: %s`, errWhat, s)
}
if u.RawQuery != "" {
return nil, fmt.Errorf(`%s must not have a query: %s`, errWhat, s)
}
if u.Fragment != "" {
return nil, fmt.Errorf(`%s must not have a fragment: %s`, errWhat, s)
}
return u, nil
}
func assembleStore(assert assertionBase) (Assertion, error) {
_, err := checkNotEmptyString(assert.headers, "operator-id")
if err != nil {
return nil, err
}
url, err := checkStoreURL(assert.headers)
if err != nil {
return nil, err
}
friendlyStores, err := checkStringList(assert.headers, "friendly-stores")
if err != nil {
return nil, err
}
_, err = checkOptionalString(assert.headers, "location")
if err != nil {
return nil, err
}
timestamp, err := checkRFC3339Date(assert.headers, "timestamp")
if err != nil {
return nil, err
}
return &Store{
assertionBase: assert,
url: url,
friendlyStores: friendlyStores,
timestamp: timestamp,
}, nil
}
|
