From cfc2d90970d3c8fc94ea03f430a1d0e3eff39c71 Mon Sep 17 00:00:00 2001 From: Dheyay Date: Fri, 23 Feb 2024 14:14:05 -0800 Subject: [PATCH] Rebased and added --- features/_version.feature | 215 +- features/airgapped.feature | 186 +- features/anbox.feature | 212 +- features/api.feature | 230 +- features/api_configure_retry_service.feature | 107 +- features/api_fix_execute.feature | 2652 +++++------ features/api_fix_plan.feature | 4490 +++++++++--------- features/api_full_auto_attach.feature | 63 +- features/api_magic_attach.feature | 232 +- features/api_packages.feature | 108 +- features/api_security.feature | 135 +- features/api_unattended_upgrades.feature | 494 +- features/apt_messages.feature | 1427 +++--- features/attach_invalidtoken.feature | 98 +- features/attach_validtoken.feature | 638 +-- features/attached_commands.feature | 1835 +++---- features/attached_enable.feature | 1987 ++++---- features/attached_status.feature | 804 ++-- features/cloud_pro_clone.feature | 107 +- features/collect_logs.feature | 184 +- features/config.feature | 101 +- features/daemon.feature | 779 ++- features/detached_auto_attach.feature | 56 +- features/docker.feature | 320 +- features/enable_fips_cloud.feature | 541 ++- features/enable_fips_container.feature | 220 +- features/enable_fips_pro.feature | 112 +- features/enable_fips_vm.feature | 950 ++-- features/fix.feature | 1763 +++---- features/i18n.feature | 437 +- features/install_uninstall.feature | 151 +- features/landscape.feature | 681 ++- features/livepatch.feature | 393 +- features/logs.feature | 157 +- features/magic_attach.feature | 92 +- features/motd_messages.feature | 260 +- features/proxy_config.feature | 2527 +++++----- features/realtime_kernel.feature | 689 +-- features/reboot_cmds.feature | 79 +- features/retry_auto_attach.feature | 726 +-- features/security_status.feature | 1715 +++---- features/timer.feature | 29 +- features/ubuntu_pro.feature | 510 +- features/ubuntu_pro_fips.feature | 482 +- features/ubuntu_upgrade.feature | 234 +- features/ubuntu_upgrade_unattached.feature | 122 +- features/unattached_commands.feature | 1003 ++-- features/unattached_status.feature | 1245 ++--- 48 files changed, 16272 insertions(+), 16306 deletions(-) diff --git a/features/_version.feature b/features/_version.feature index b0d2dc5c13..34c2e8bb7e 100644 --- a/features/_version.feature +++ b/features/_version.feature @@ -1,110 +1,111 @@ Feature: Pro is expected version - @uses.config.check_version - Scenario Outline: Check pro version - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo - Then I will see the following on stdout - """ - $behave_var{version} - """ - When I run `pro version` with sudo - Then I will see the following on stdout - """ - $behave_var{version} - """ - # The following doesn't actually assert anything. It merely ensures that the output of - # apt-cache policy ubuntu-advantage-tools on the test machine is included in our test output. - # This is useful to manually verify the package is installed from the correct source e.g. -proposed. - When I check the apt-cache policy of ubuntu-advantage-tools - Then the apt-cache policy of ubuntu-advantage-tools is - """ - THIS GETS REPLACED AT RUNTIME VIA A HACK IN steps/ubuntu_advantage_tools.py - """ - Examples: version - | release | machine_type | - | xenial | lxd-container | - | xenial | lxd-vm | - | xenial | aws.generic | - | xenial | aws.pro | - | xenial | aws.pro-fips | - | xenial | azure.generic | - | xenial | azure.pro | - | xenial | azure.pro-fips | - | xenial | gcp.generic | - | xenial | gcp.pro | - | xenial | gcp.pro-fips | - | bionic | lxd-container | - | bionic | lxd-vm | - | bionic | aws.generic | - | bionic | aws.pro | - | bionic | aws.pro-fips | - | bionic | azure.generic | - | bionic | azure.pro | - | bionic | azure.pro-fips | - | bionic | gcp.generic | - | bionic | gcp.pro | - | bionic | gcp.pro-fips | - | focal | lxd-container | - | focal | lxd-vm | - | focal | aws.generic | - | focal | aws.pro | - | focal | aws.pro-fips | - | focal | azure.generic | - | focal | azure.pro | - | focal | azure.pro-fips | - | focal | gcp.generic | - | focal | gcp.pro | - | focal | gcp.pro-fips | - | jammy | lxd-container | - | jammy | lxd-vm | - | jammy | aws.generic | - | jammy | aws.pro | - | jammy | aws.pro-fips | - | jammy | azure.generic | - | jammy | azure.pro | - | jammy | azure.pro-fips | - | jammy | gcp.generic | - | jammy | gcp.pro | - | jammy | gcp.pro-fips | - | mantic | lxd-container | - | mantic | lxd-vm | - | mantic | aws.generic | - | mantic | aws.pro | - | mantic | aws.pro-fips | - | mantic | azure.generic | - | mantic | azure.pro | - | mantic | azure.pro-fips | - | mantic | gcp.generic | - | mantic | gcp.pro | - | mantic | gcp.pro-fips | + @uses.config.check_version + Scenario Outline: Check pro version + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo + Then I will see the following on stdout + """ + $behave_var{version} + """ + When I run `pro version` with sudo + Then I will see the following on stdout + """ + $behave_var{version} + """ + # The following doesn't actually assert anything. It merely ensures that the output of + # apt-cache policy ubuntu-advantage-tools on the test machine is included in our test output. + # This is useful to manually verify the package is installed from the correct source e.g. -proposed. + When I check the apt-cache policy of ubuntu-advantage-tools + Then the apt-cache policy of ubuntu-advantage-tools is + """ + THIS GETS REPLACED AT RUNTIME VIA A HACK IN steps/ubuntu_advantage_tools.py + """ - @uses.config.check_version - @upgrade - Scenario Outline: Check pro version - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo - Then I will see the following on stdout - """ - $behave_var{version} - """ - When I run `pro version` with sudo - Then I will see the following on stdout - """ - $behave_var{version} - """ - # The following doesn't actually assert anything. It merely ensures that the output of - # apt-cache policy ubuntu-advantage-tools on the test machine is included in our test output. - # This is useful to manually verify the package is installed from the correct source e.g. -proposed. - When I check the apt-cache policy of ubuntu-advantage-tools - Then the apt-cache policy of ubuntu-advantage-tools is - """ - THIS GETS REPLACED AT RUNTIME VIA A HACK IN steps/ubuntu_advantage_tools.py - """ - Examples: version - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: version + | release | machine_type | + | xenial | lxd-container | + | xenial | lxd-vm | + | xenial | aws.generic | + | xenial | aws.pro | + | xenial | aws.pro-fips | + | xenial | azure.generic | + | xenial | azure.pro | + | xenial | azure.pro-fips | + | xenial | gcp.generic | + | xenial | gcp.pro | + | xenial | gcp.pro-fips | + | bionic | lxd-container | + | bionic | lxd-vm | + | bionic | aws.generic | + | bionic | aws.pro | + | bionic | aws.pro-fips | + | bionic | azure.generic | + | bionic | azure.pro | + | bionic | azure.pro-fips | + | bionic | gcp.generic | + | bionic | gcp.pro | + | bionic | gcp.pro-fips | + | focal | lxd-container | + | focal | lxd-vm | + | focal | aws.generic | + | focal | aws.pro | + | focal | aws.pro-fips | + | focal | azure.generic | + | focal | azure.pro | + | focal | azure.pro-fips | + | focal | gcp.generic | + | focal | gcp.pro | + | focal | gcp.pro-fips | + | jammy | lxd-container | + | jammy | lxd-vm | + | jammy | aws.generic | + | jammy | aws.pro | + | jammy | aws.pro-fips | + | jammy | azure.generic | + | jammy | azure.pro | + | jammy | azure.pro-fips | + | jammy | gcp.generic | + | jammy | gcp.pro | + | jammy | gcp.pro-fips | + | mantic | lxd-container | + | mantic | lxd-vm | + | mantic | aws.generic | + | mantic | aws.pro | + | mantic | aws.pro-fips | + | mantic | azure.generic | + | mantic | azure.pro | + | mantic | azure.pro-fips | + | mantic | gcp.generic | + | mantic | gcp.pro | + | mantic | gcp.pro-fips | + + @uses.config.check_version @upgrade + Scenario Outline: Check pro version + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo + Then I will see the following on stdout + """ + $behave_var{version} + """ + When I run `pro version` with sudo + Then I will see the following on stdout + """ + $behave_var{version} + """ + # The following doesn't actually assert anything. It merely ensures that the output of + # apt-cache policy ubuntu-advantage-tools on the test machine is included in our test output. + # This is useful to manually verify the package is installed from the correct source e.g. -proposed. + When I check the apt-cache policy of ubuntu-advantage-tools + Then the apt-cache policy of ubuntu-advantage-tools is + """ + THIS GETS REPLACED AT RUNTIME VIA A HACK IN steps/ubuntu_advantage_tools.py + """ + + Examples: version + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/airgapped.feature b/features/airgapped.feature index 6a450726c8..45a2a043b6 100644 --- a/features/airgapped.feature +++ b/features/airgapped.feature @@ -1,99 +1,99 @@ @uses.config.contract_token Feature: Performing attach using ua-airgapped - Scenario Outline: Pro works with the airgapped contract server - Given a `` `` machine with ubuntu-advantage-tools installed - # set up the apt mirror configuration - Given a `jammy` `` machine named `mirror` - When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `mirror` machine - And I apt update on the `mirror` machine - And I apt install `apt-mirror get-resource-tokens ua-airgapped` on the `mirror` machine - And I download the service credentials on the `mirror` machine - And I extract the `esm-infra` credentials from the `mirror` machine - And I extract the `esm-apps` credentials from the `mirror` machine - And I set the apt-mirror file for `` with the `esm-infra,esm-apps` credentials on the `mirror` machine - And I run `apt-mirror` `with sudo` on the `mirror` machine - And I serve the `esm-infra` mirror using port `8000` on the `mirror` machine - And I serve the `esm-apps` mirror using port `9000` on the `mirror` machine - # set up the ua-airgapped configuration - And I create the contract config overrides file for `esm-infra,esm-apps` on the `mirror` machine - And I generate the contracts-airgapped configuration on the `mirror` machine - # set up the contracts-airgapped configuration - Given a `jammy` `` machine named `contracts` - When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `contracts` machine - And I apt update on the `contracts` machine - And I apt install `contracts-airgapped` on the `contracts` machine - And I run `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4067E40313CB4B13` `with sudo` on the `contracts` machine - And I disable any internet connection on the `contracts` machine - And I send the contracts-airgapped config from the `mirror` machine to the `contracts` machine - And I start the contracts-airgapped service on the `contracts` machine - # attach an airgapped machine to the contracts-airgapped server - And I disable any internet connection on the machine - And I change config key `contract_url` to use value `http://$behave_var{machine-ip contracts}:8484` - And I attach `contract_token` with sudo - Then I verify that `esm-infra` is enabled - And I verify that `esm-apps` is enabled - When I run `apt-cache policy hello` with sudo - Then stdout matches regexp: - """ - 510 .*:9000/ubuntu jammy-apps-security/main - """ - And stdout matches regexp: - """ - 510 .*:8000/ubuntu jammy-infra-security/main - """ - Then I verify that running `pro refresh` `with sudo` exits `0` + Scenario Outline: Pro works with the airgapped contract server + Given a `` `` machine with ubuntu-advantage-tools installed + # set up the apt mirror configuration + Given a `jammy` `` machine named `mirror` + When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `mirror` machine + And I apt update on the `mirror` machine + And I apt install `apt-mirror get-resource-tokens ua-airgapped` on the `mirror` machine + And I download the service credentials on the `mirror` machine + And I extract the `esm-infra` credentials from the `mirror` machine + And I extract the `esm-apps` credentials from the `mirror` machine + And I set the apt-mirror file for `` with the `esm-infra,esm-apps` credentials on the `mirror` machine + And I run `apt-mirror` `with sudo` on the `mirror` machine + And I serve the `esm-infra` mirror using port `8000` on the `mirror` machine + And I serve the `esm-apps` mirror using port `9000` on the `mirror` machine + # set up the ua-airgapped configuration + And I create the contract config overrides file for `esm-infra,esm-apps` on the `mirror` machine + And I generate the contracts-airgapped configuration on the `mirror` machine + # set up the contracts-airgapped configuration + Given a `jammy` `` machine named `contracts` + When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `contracts` machine + And I apt update on the `contracts` machine + And I apt install `contracts-airgapped` on the `contracts` machine + And I run `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4067E40313CB4B13` `with sudo` on the `contracts` machine + And I disable any internet connection on the `contracts` machine + And I send the contracts-airgapped config from the `mirror` machine to the `contracts` machine + And I start the contracts-airgapped service on the `contracts` machine + # attach an airgapped machine to the contracts-airgapped server + And I disable any internet connection on the machine + And I change config key `contract_url` to use value `http://$behave_var{machine-ip contracts}:8484` + And I attach `contract_token` with sudo + Then I verify that `esm-infra` is enabled + And I verify that `esm-apps` is enabled + When I run `apt-cache policy hello` with sudo + Then stdout matches regexp: + """ + 510 .*:9000/ubuntu jammy-apps-security/main + """ + And stdout matches regexp: + """ + 510 .*:8000/ubuntu jammy-infra-security/main + """ + Then I verify that running `pro refresh` `with sudo` exits `0` - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | - Scenario Outline: airgapped environment with same apt url for different services - Given a `` `` machine with ubuntu-advantage-tools installed - # set up the apt mirror configuration - Given a `jammy` `` machine named `mirror` - When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `mirror` machine - And I run `apt-get update` `with sudo` on the `mirror` machine - And I run `apt-get install apt-mirror get-resource-tokens ua-airgapped -yq` `with sudo` on the `mirror` machine - And I download the service credentials on the `mirror` machine - And I extract the `esm-infra` credentials from the `mirror` machine - And I extract the `esm-apps` credentials from the `mirror` machine - And I set the apt-mirror file for `` with the `esm-infra,esm-apps` credentials on the `mirror` machine - And I run `apt-mirror` `with sudo` on the `mirror` machine - And I consolidate `esm-infra,esm-apps` on a single mirror on the `mirror` machine - And I serve the `all-mirrors` mirror using port `8000` on the `mirror` machine - # set up the ua-airgapped configuration - And I create the contract config overrides file for `esm-infra,esm-apps` on the `mirror` machine - And I generate the contracts-airgapped configuration on the `mirror` machine - # set up the contracts-airgapped configuration - Given a `jammy` `` machine named `contracts` - When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `contracts` machine - And I run `apt-get update` `with sudo` on the `contracts` machine - And I run `apt-get install contracts-airgapped -yq` `with sudo` on the `contracts` machine - And I run `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4067E40313CB4B13` `with sudo` on the `contracts` machine - And I disable any internet connection on the `contracts` machine - And I send the contracts-airgapped config from the `mirror` machine to the `contracts` machine - And I start the contracts-airgapped service on the `contracts` machine - # attach an airgapped machine to the contracts-airgapped server - And I disable any internet connection on the machine - And I change config key `contract_url` to use value `http://$behave_var{machine-ip contracts}:8484` - And I attach `contract_token` with sudo - Then stdout matches regexp: - """ - esm-apps +yes +enabled .* - esm-infra +yes +enabled .* - """ - When I run `apt-cache policy hello` with sudo - Then stdout matches regexp: - """ - 510 .*:8000/ubuntu jammy-apps-security/main - """ - And stdout matches regexp: - """ - 510 .*:8000/ubuntu jammy-infra-security/main - """ - Then I verify that running `pro refresh` `with sudo` exits `0` + Scenario Outline: airgapped environment with same apt url for different services + Given a `` `` machine with ubuntu-advantage-tools installed + # set up the apt mirror configuration + Given a `jammy` `` machine named `mirror` + When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `mirror` machine + And I run `apt-get update` `with sudo` on the `mirror` machine + And I run `apt-get install apt-mirror get-resource-tokens ua-airgapped -yq` `with sudo` on the `mirror` machine + And I download the service credentials on the `mirror` machine + And I extract the `esm-infra` credentials from the `mirror` machine + And I extract the `esm-apps` credentials from the `mirror` machine + And I set the apt-mirror file for `` with the `esm-infra,esm-apps` credentials on the `mirror` machine + And I run `apt-mirror` `with sudo` on the `mirror` machine + And I consolidate `esm-infra,esm-apps` on a single mirror on the `mirror` machine + And I serve the `all-mirrors` mirror using port `8000` on the `mirror` machine + # set up the ua-airgapped configuration + And I create the contract config overrides file for `esm-infra,esm-apps` on the `mirror` machine + And I generate the contracts-airgapped configuration on the `mirror` machine + # set up the contracts-airgapped configuration + Given a `jammy` `` machine named `contracts` + When I run `add-apt-repository ppa:yellow/ua-airgapped -y` `with sudo` on the `contracts` machine + And I run `apt-get update` `with sudo` on the `contracts` machine + And I run `apt-get install contracts-airgapped -yq` `with sudo` on the `contracts` machine + And I run `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4067E40313CB4B13` `with sudo` on the `contracts` machine + And I disable any internet connection on the `contracts` machine + And I send the contracts-airgapped config from the `mirror` machine to the `contracts` machine + And I start the contracts-airgapped service on the `contracts` machine + # attach an airgapped machine to the contracts-airgapped server + And I disable any internet connection on the machine + And I change config key `contract_url` to use value `http://$behave_var{machine-ip contracts}:8484` + And I attach `contract_token` with sudo + Then stdout matches regexp: + """ + esm-apps +yes +enabled .* + esm-infra +yes +enabled .* + """ + When I run `apt-cache policy hello` with sudo + Then stdout matches regexp: + """ + 510 .*:8000/ubuntu jammy-apps-security/main + """ + And stdout matches regexp: + """ + 510 .*:8000/ubuntu jammy-infra-security/main + """ + Then I verify that running `pro refresh` `with sudo` exits `0` - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | diff --git a/features/anbox.feature b/features/anbox.feature index afd8f0e460..5a144bbcca 100644 --- a/features/anbox.feature +++ b/features/anbox.feature @@ -1,116 +1,116 @@ @uses.config.contract_token Feature: Enable anbox on Ubuntu - Scenario Outline: Enable Anbox cloud service in a container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - Then I verify that `anbox-cloud` is disabled - Then I verify that running `pro enable anbox-cloud` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro enable anbox-cloud` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - It is only possible to enable Anbox Cloud on a container using - the --access-only flag. - """ - When I run `pro enable anbox-cloud --access-only` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating Anbox Cloud package lists - Anbox Cloud access enabled - """ - And I verify that `anbox-cloud` is enabled - When I run `apt-cache policy` with sudo - Then apt-cache policy for the following url has priority `500` - """ - https://archive.anbox-cloud.io/stable /main amd64 Packages - """ - When I run `pro disable anbox-cloud` with sudo - Then I verify that `anbox-cloud` is disabled + Scenario Outline: Enable Anbox cloud service in a container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + Then I verify that `anbox-cloud` is disabled + Then I verify that running `pro enable anbox-cloud` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro enable anbox-cloud` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + It is only possible to enable Anbox Cloud on a container using + the --access-only flag. + """ + When I run `pro enable anbox-cloud --access-only` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating Anbox Cloud package lists + Anbox Cloud access enabled + """ + And I verify that `anbox-cloud` is enabled + When I run `apt-cache policy` with sudo + Then apt-cache policy for the following url has priority `500` + """ + https://archive.anbox-cloud.io/stable /main amd64 Packages + """ + When I run `pro disable anbox-cloud` with sudo + Then I verify that `anbox-cloud` is disabled - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | - Scenario Outline: Enable Anbox cloud service in an unsupported release - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - And I verify that running `pro enable anbox-cloud` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Anbox Cloud is not available for Ubuntu 16.04 LTS (Xenial Xerus). - """ + Scenario Outline: Enable Anbox cloud service in an unsupported release + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + And I verify that running `pro enable anbox-cloud` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Anbox Cloud is not available for Ubuntu 16.04 LTS (Xenial Xerus). + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | - Scenario Outline: Enable Anbox cloud service in a VM - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - And I run `snap remove lxd` with sudo - And I run `pro enable anbox-cloud --access-only --assume-yes` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating Anbox Cloud package lists - Anbox Cloud access enabled - """ - And I verify that `anbox-cloud` is enabled - When I run `apt-cache policy` with sudo - Then apt-cache policy for the following url has priority `500` - """ - https://archive.anbox-cloud.io/stable /main amd64 Packages - """ - And I check that snap `amc` is not installed - And I check that snap `lxd` is not installed - And I check that snap `anbox-cloud-appliance` is not installed - And I verify that files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` - When I run `cat /var/lib/ubuntu-advantage/private/anbox-cloud-credentials` with sudo - Then stdout is a json matching the `anbox_cloud_credentials` schema - When I run `pro disable anbox-cloud` with sudo - Then I verify that `anbox-cloud` is disabled - And I verify that no files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` - When I run `pro enable anbox-cloud --assume-yes` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Installing required snaps - Installing required snap: amc - Installing required snap: anbox-cloud-appliance - Installing required snap: lxd - Updating Anbox Cloud package lists - Anbox Cloud enabled - To finish setting up the Anbox Cloud Appliance, run: + Scenario Outline: Enable Anbox cloud service in a VM + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + And I run `snap remove lxd` with sudo + And I run `pro enable anbox-cloud --access-only --assume-yes` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating Anbox Cloud package lists + Anbox Cloud access enabled + """ + And I verify that `anbox-cloud` is enabled + When I run `apt-cache policy` with sudo + Then apt-cache policy for the following url has priority `500` + """ + https://archive.anbox-cloud.io/stable /main amd64 Packages + """ + And I check that snap `amc` is not installed + And I check that snap `lxd` is not installed + And I check that snap `anbox-cloud-appliance` is not installed + And I verify that files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` + When I run `cat /var/lib/ubuntu-advantage/private/anbox-cloud-credentials` with sudo + Then stdout is a json matching the `anbox_cloud_credentials` schema + When I run `pro disable anbox-cloud` with sudo + Then I verify that `anbox-cloud` is disabled + And I verify that no files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` + When I run `pro enable anbox-cloud --assume-yes` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Installing required snaps + Installing required snap: amc + Installing required snap: anbox-cloud-appliance + Installing required snap: lxd + Updating Anbox Cloud package lists + Anbox Cloud enabled + To finish setting up the Anbox Cloud Appliance, run: - $ sudo anbox-cloud-appliance init + $ sudo anbox-cloud-appliance init - You can accept the default answers if you do not have any specific - configuration changes. - For more information, see https://anbox-cloud.io/docs/tut/installing-appliance#initialise - """ - Then I verify that `anbox-cloud` is enabled - When I run `apt-cache policy` with sudo - Then apt-cache policy for the following url has priority `500` - """ - https://archive.anbox-cloud.io/stable /main amd64 Packages - """ - And I check that snap `amc` is installed - And I check that snap `lxd` is installed - And I check that snap `anbox-cloud-appliance` is installed - And I verify that files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` - When I run `cat /var/lib/ubuntu-advantage/private/anbox-cloud-credentials` with sudo - Then stdout is a json matching the `anbox_cloud_credentials` schema - When I run `pro disable anbox-cloud` with sudo - Then I verify that `anbox-cloud` is disabled - And I verify that no files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` + You can accept the default answers if you do not have any specific + configuration changes. + For more information, see https://anbox-cloud.io/docs/tut/installing-appliance#initialise + """ + Then I verify that `anbox-cloud` is enabled + When I run `apt-cache policy` with sudo + Then apt-cache policy for the following url has priority `500` + """ + https://archive.anbox-cloud.io/stable /main amd64 Packages + """ + And I check that snap `amc` is installed + And I check that snap `lxd` is installed + And I check that snap `anbox-cloud-appliance` is installed + And I verify that files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` + When I run `cat /var/lib/ubuntu-advantage/private/anbox-cloud-credentials` with sudo + Then stdout is a json matching the `anbox_cloud_credentials` schema + When I run `pro disable anbox-cloud` with sudo + Then I verify that `anbox-cloud` is disabled + And I verify that no files exist matching `/var/lib/ubuntu-advantage/private/anbox-cloud-credentials` - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-vm | diff --git a/features/api.feature b/features/api.feature index f4a060451b..ae7a2383b9 100644 --- a/features/api.feature +++ b/features/api.feature @@ -1,6 +1,6 @@ Feature: Client behaviour for the API endpoints - Scenario Outline: all API endpoints can be imported individually + Scenario Outline: all API endpoints can be imported individually Given a `` `` machine with ubuntu-advantage-tools installed When I run `python3 -c "from uaclient.api.u.pro.attach.auto.configure_retry_service.v1 import configure_retry_service"` as non-root When I run `python3 -c "from uaclient.api.u.pro.attach.auto.full_auto_attach.v1 import full_auto_attach"` as non-root @@ -24,145 +24,145 @@ Feature: Client behaviour for the API endpoints When I run `python3 -c "from uaclient.api.u.apt_news.current_news.v1 import current_news"` as non-root Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Scenario Outline: API invalid endpoint or args + Scenario Outline: API invalid endpoint or args Given a `` `` machine with ubuntu-advantage-tools installed When I verify that running `pro api invalid.endpoint` `with sudo` exits `1` Then API full output matches regexp: - """ - { - "_schema_version": "v1", - "data": { - "meta": { - "environment_vars": [] - } - }, - "errors": [ + """ + { + "_schema_version": "v1", + "data": { + "meta": { + "environment_vars": [] + } + }, + "errors": [ + { + "code": "api-invalid-endpoint", + "meta": { + "endpoint": "invalid\.endpoint" + }, + "title": "'invalid\.endpoint' is not a valid endpoint" + } + ], + "result": "failure", + "version": ".*", + "warnings": [] + } + """ + When I verify that running `pro api u.pro.version.v1 --args extra=arg` `with sudo` exits `1` + Then API errors field output matches regexp: + """ + [ { - "code": "api-invalid-endpoint", + "code": "api-no-argument-for-endpoint", "meta": { - "endpoint": "invalid\.endpoint" + "endpoint": "u.pro.version.v1" }, - "title": "'invalid\.endpoint' is not a valid endpoint" + "title": "u.pro.version.v1 accepts no arguments" } - ], - "result": "failure", - "version": ".*", - "warnings": [] - } - """ - When I verify that running `pro api u.pro.version.v1 --args extra=arg` `with sudo` exits `1` - Then API errors field output matches regexp: - """ - [ - { - "code": "api-no-argument-for-endpoint", - "meta": { - "endpoint": "u.pro.version.v1" - }, - "title": "u.pro.version.v1 accepts no arguments" - } - ] - """ + ] + """ Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Scenario Outline: Basic endpoints + Scenario Outline: Basic endpoints Given a `` `` machine with ubuntu-advantage-tools installed When I run `pro api u.pro.version.v1` with sudo Then API full output matches regexp: - """ - { - "_schema_version": "v1", - "data": { + """ + { + "_schema_version": "v1", + "data": { + "attributes": { + "installed_version": ".*" + }, + "meta": { + "environment_vars": [] + }, + "type": "Version" + }, + "errors": [], + "result": "success", + "version": ".*", + "warnings": [] + } + """ + When I run `UA_LOG_FILE=/tmp/some_file OTHER_ENVVAR=not_there pro api u.pro.version.v1` with sudo + Then API data field output matches regexp: + """ + { "attributes": { "installed_version": ".*" }, "meta": { - "environment_vars": [] + "environment_vars": [ + { + "name": "UA_LOG_FILE", + "value": "/tmp/some_file" + } + ] }, "type": "Version" - }, - "errors": [], - "result": "success", - "version": ".*", - "warnings": [] - } - """ - When I run `UA_LOG_FILE=/tmp/some_file OTHER_ENVVAR=not_there pro api u.pro.version.v1` with sudo - Then API data field output matches regexp: - """ - { - "attributes": { - "installed_version": ".*" - }, - "meta": { - "environment_vars": [ - { - "name": "UA_LOG_FILE", - "value": "/tmp/some_file" - } - ] - }, - "type": "Version" - } - """ + } + """ When I run `ua api u.pro.attach.auto.should_auto_attach.v1` with sudo Then API data field output matches regexp: - """ - { - "attributes": { - "should_auto_attach": false - }, - "meta": { - "environment_vars": [] - }, - "type": "ShouldAutoAttach" - } - """ + """ + { + "attributes": { + "should_auto_attach": false + }, + "meta": { + "environment_vars": [] + }, + "type": "ShouldAutoAttach" + } + """ When I run `ua api u.pro.status.is_attached.v1` with sudo Then API data field output matches regexp: - """ - { - "attributes": { - "is_attached": false - }, - "meta": { - "environment_vars": [] - }, - "type": "IsAttached" - } - """ + """ + { + "attributes": { + "is_attached": false + }, + "meta": { + "environment_vars": [] + }, + "type": "IsAttached" + } + """ When I run `ua api u.pro.status.enabled_services.v1` with sudo Then API data field output matches regexp: - """ - { - "attributes": { - "enabled_services": [] - }, - "meta": { - "environment_vars": [] - }, - "type": "EnabledServices" - } - """ + """ + { + "attributes": { + "enabled_services": [] + }, + "meta": { + "environment_vars": [] + }, + "type": "EnabledServices" + } + """ Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/api_configure_retry_service.feature b/features/api_configure_retry_service.feature index c9a4e68914..322583c589 100644 --- a/features/api_configure_retry_service.feature +++ b/features/api_configure_retry_service.feature @@ -1,57 +1,58 @@ Feature: api.u.pro.attach.auto.configure_retry_service - Scenario Outline: v1 successfully triggers retry service when run during startup - Given a `` `` machine with ubuntu-advantage-tools installed - When I change contract to staging with sudo - When I create the file `/lib/systemd/system/apitest.service` with the following - """ - [Unit] - Description=test - Before=cloud-config.service - After=cloud-config.target + Scenario Outline: v1 successfully triggers retry service when run during startup + Given a `` `` machine with ubuntu-advantage-tools installed + When I change contract to staging with sudo + When I create the file `/lib/systemd/system/apitest.service` with the following + """ + [Unit] + Description=test + Before=cloud-config.service + After=cloud-config.target - [Service] - Type=oneshot - ExecStart=/usr/bin/pro api u.pro.attach.auto.configure_retry_service.v1 + [Service] + Type=oneshot + ExecStart=/usr/bin/pro api u.pro.attach.auto.configure_retry_service.v1 - [Install] - WantedBy=cloud-config.service multi-user.target - """ - When I run `systemctl enable apitest.service` with sudo - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - Then stdout matches regexp: - """ - mode: retry auto attach - """ - Then stdout does not match regexp: - """ - mode: poll for pro license - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). - The failure was due to: an unknown error. - The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. - You can try manually with `sudo pro auto-attach`. - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). - The failure was due to: an unknown error. - The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. - You can try manually with `sudo pro auto-attach`. - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + [Install] + WantedBy=cloud-config.service multi-user.target + """ + When I run `systemctl enable apitest.service` with sudo + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + Then stdout matches regexp: + """ + mode: retry auto attach + """ + Then stdout does not match regexp: + """ + mode: poll for pro license + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). + The failure was due to: an unknown error. + The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. + You can try manually with `sudo pro auto-attach`. + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). + The failure was due to: an unknown error. + The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. + You can try manually with `sudo pro auto-attach`. + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/api_fix_execute.feature b/features/api_fix_execute.feature index fda6331d85..23ffce8e4e 100644 --- a/features/api_fix_execute.feature +++ b/features/api_fix_execute.feature @@ -1,94 +1,15 @@ Feature: Fix execute API endpoints - Scenario Outline: Fix execute command on invalid CVEs/USNs - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-1800-123456"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - Then API full output matches regexp: - """ - { - "_schema_version": "v1", - "data": { - "attributes": { - "cves_data": { - "cves": [ - { - "description": null, - "errors": [ - { - "error_type": "security-fix-not-found-issue", - "failed_upgrades": null, - "reason": "Error: CVE-1800-123456 not found." - } - ], - "status": "error", - "title": "CVE-1800-123456", - "upgraded_packages": [] - } - ], - "status": "error" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - }, - "errors": [], - "result": "success", - "version": ".*", - "warnings": [] - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-123455"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - Then API full output matches regexp: - """ - { - "_schema_version": "v1", - "data": { - "attributes": { - "usns_data": { - "status": "error", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": null, - "errors": [ - { - "error_type": "invalid-security-issue", - "failed_upgrades": null, - "reason": "Error: issue \\"USN-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." - } - ], - "status": "error", - "title": "USN-123455", - "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - }, - "errors": [], - "result": "success", - "version": ".*", - "warnings": [] - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-123455", "CVE-12"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - Then API data field output matches regexp: - """ - { + Scenario Outline: Fix execute command on invalid CVEs/USNs + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-1800-123456"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + Then API full output matches regexp: + """ + { + "_schema_version": "v1", + "data": { "attributes": { "cves_data": { "cves": [ @@ -96,26 +17,13 @@ Feature: Fix execute API endpoints "description": null, "errors": [ { - "error_type": "invalid-security-issue", - "failed_upgrades": null, - "reason": "Error: issue \\"CVE-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." - } - ], - "status": "error", - "title": "CVE-123455", - "upgraded_packages": [] - }, - { - "description": null, - "errors": [ - { - "error_type": "invalid-security-issue", + "error_type": "security-fix-not-found-issue", "failed_upgrades": null, - "reason": "Error: issue \\"CVE-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + "reason": "Error: CVE-1800-123456 not found." } ], "status": "error", - "title": "CVE-12", + "title": "CVE-1800-123456", "upgraded_packages": [] } ], @@ -126,14 +34,21 @@ Feature: Fix execute API endpoints "environment_vars": [] }, "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-123455", "USN-12"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - Then API data field output matches regexp: - """ - { + }, + "errors": [], + "result": "success", + "version": ".*", + "warnings": [] + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-123455"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + Then API full output matches regexp: + """ + { + "_schema_version": "v1", + "data": { "attributes": { "usns_data": { "status": "error", @@ -153,22 +68,6 @@ Feature: Fix execute API endpoints "title": "USN-123455", "upgraded_packages": [] } - }, - { - "related_usns": [], - "target_usn": { - "description": null, - "errors": [ - { - "error_type": "invalid-security-issue", - "failed_upgrades": null, - "reason": "Error: issue \\"USN-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." - } - ], - "status": "error", - "title": "USN-12", - "upgraded_packages": [] - } } ] } @@ -177,960 +76,1162 @@ Feature: Fix execute API endpoints "environment_vars": [] }, "type": "USNFixExecute" - } - """ + }, + "errors": [], + "result": "success", + "version": ".*", + "warnings": [] + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-123455", "CVE-12"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": null, + "errors": [ + { + "error_type": "invalid-security-issue", + "failed_upgrades": null, + "reason": "Error: issue \\"CVE-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + } + ], + "status": "error", + "title": "CVE-123455", + "upgraded_packages": [] + }, + { + "description": null, + "errors": [ + { + "error_type": "invalid-security-issue", + "failed_upgrades": null, + "reason": "Error: issue \\"CVE-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + } + ], + "status": "error", + "title": "CVE-12", + "upgraded_packages": [] + } + ], + "status": "error" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-123455", "USN-12"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "error", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": null, + "errors": [ + { + "error_type": "invalid-security-issue", + "failed_upgrades": null, + "reason": "Error: issue \\"USN-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + } + ], + "status": "error", + "title": "USN-123455", + "upgraded_packages": [] + } + }, + { + "related_usns": [], + "target_usn": { + "description": null, + "errors": [ + { + "error_type": "invalid-security-issue", + "failed_upgrades": null, + "reason": "Error: issue \\"USN-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + } + ], + "status": "error", + "title": "USN-12", + "upgraded_packages": [] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ - Examples: ubuntu release details - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release details + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - Scenario Outline: Fix execute on a Focal machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Kerberos vulnerability", - "errors": null, - "status": "fixed", - "title": "CVE-2020-28196", + Scenario Outline: Fix execute on a Focal machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Kerberos vulnerability", + "errors": null, + "status": "fixed", + "title": "CVE-2020-28196", + "upgraded_packages": [] + } + ], + "status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2022-24959"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "CVE-2022-24959", + "upgraded_packages": [] + } + ], + "status": "not-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2022-24959"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Kerberos vulnerability", + "errors": null, + "status": "fixed", + "title": "CVE-2020-28196", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "CVE-2022-24959", + "upgraded_packages": [] + } + ], + "status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I apt install `libawl-php=0.60-1` + And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "error", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", + "errors": [ + { + "error_type": "fix-require-root", + "failed_upgrades": [ + { + "name": "awl", + "pocket": "standard-updates" + } + ], + "reason": "Package fixes cannot be installed.\nTo install them, run this command as root (try using sudo)" + } + ], + "status": "error", + "title": "USN-4539-1", "upgraded_packages": [] } - ], - "status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2022-24959"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Linux kernel vulnerabilities", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` with sudo + Then stdout is a json matching the `api_response` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", "errors": null, - "status": "not-affected", - "title": "CVE-2022-24959", - "upgraded_packages": [] + "status": "fixed", + "title": "USN-4539-1", + "upgraded_packages": [ + { + "name": "libawl-php", + "pocket": "standard-updates", + "version": ".*" + } + ] } - ], - "status": "not-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2022-24959"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Kerberos vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` with sudo + Then stdout is a json matching the `api_response` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", "errors": null, "status": "fixed", - "title": "CVE-2020-28196", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "CVE-2022-24959", + "title": "USN-4539-1", "upgraded_packages": [] } - ], - "status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I apt install `libawl-php=0.60-1` - And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "error", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", - "errors": [ - { - "error_type": "fix-require-root", - "failed_upgrades": [ - { - "name": "awl", - "pocket": "standard-updates" - } - ], - "reason": "Package fixes cannot be installed.\nTo install them, run this command as root (try using sudo)" - } - ], - "status": "error", - "title": "USN-4539-1", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I apt install `rsync=3.1.3-8 zlib1g=1:1.2.11.dfsg-2ubuntu1` + And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5573-1"]}'` with sudo + Then stdout is a json matching the `api_response` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [ + { + "description": "zlib vulnerability", + "errors": null, + "status": "not-affected", + "title": "USN-5570-1", "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` with sudo - Then stdout is a json matching the `api_response` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", + }, + { + "description": "zlib vulnerability", "errors": null, "status": "fixed", - "title": "USN-4539-1", + "title": "USN-5570-2", "upgraded_packages": [ { - "name": "libawl-php", + "name": "zlib1g", "pocket": "standard-updates", "version": ".*" } ] } + ], + "target_usn": { + "description": "rsync vulnerability", + "errors": null, + "status": "fixed", + "title": "USN-5573-1", + "upgraded_packages": [ + { + "name": "rsync", + "pocket": "standard-updates", + "version": ".*" + } + ] } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` with sudo - Then stdout is a json matching the `api_response` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1", "USN-5573-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + Then API data field output matches regexp: + """ + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", + "errors": null, + "status": "fixed", + "title": "USN-4539-1", + "upgraded_packages": [] + } + }, + { + "related_usns": [ + { + "description": "zlib vulnerability", + "errors": null, + "status": "not-affected", + "title": "USN-5570-1", + "upgraded_packages": [] + }, + { + "description": "zlib vulnerability", "errors": null, "status": "fixed", - "title": "USN-4539-1", + "title": "USN-5570-2", "upgraded_packages": [] } + ], + "target_usn": { + "description": "rsync vulnerability", + "errors": null, + "status": "fixed", + "title": "USN-5573-1", + "upgraded_packages": [] } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I apt install `rsync=3.1.3-8 zlib1g=1:1.2.11.dfsg-2ubuntu1` - And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5573-1"]}'` with sudo - Then stdout is a json matching the `api_response` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [ - { - "description": "zlib vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5570-1", - "upgraded_packages": [] - }, - { - "description": "zlib vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-5570-2", - "upgraded_packages": [ - { - "name": "zlib1g", - "pocket": "standard-updates", - "version": ".*" - } - ] - } - ], - "target_usn": { - "description": "rsync vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-5573-1", - "upgraded_packages": [ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + + Examples: ubuntu release details + | release | machine_type | + | focal | lxd-container | + + Scenario Outline: Fix execute API command on a Xenial machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-15180"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "MariaDB vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "CVE-2020-15180", + "upgraded_packages": [] + } + ], + "status": "not-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Kerberos vulnerability", + "errors": null, + "status": "fixed", + "title": "CVE-2020-28196", + "upgraded_packages": [] + } + ], + "status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I apt install `expat=2.1.0-7 swish-e matanza ghostscript` + And I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2017-9233"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Expat vulnerability", + "errors": [ + { + "error_type": "security-issue-not-fixed", + "failed_upgrades": [ { - "name": "rsync", - "pocket": "standard-updates", - "version": ".*" + "name": "matanza", + "pocket": null + }, + { + "name": "swish-e", + "pocket": null } - ] + ], + "reason": "Ubuntu security engineers are investigating this issue." + }, + { + "error_type": "fix-require-root", + "failed_upgrades": [ + { + "name": "expat", + "pocket": "standard-updates" + } + ], + "reason": "Package fixes cannot be installed.\nTo install them, run this command as root (try using sudo)" } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1", "USN-5573-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - Then API data field output matches regexp: - """ - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-4539-1", - "upgraded_packages": [] + ], + "status": "error", + "title": "CVE-2017-9233", + "upgraded_packages": [] + } + ], + "status": "error" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2017-9233"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Expat vulnerability", + "errors": [ + { + "error_type": "security-issue-not-fixed", + "failed_upgrades": [ + { + "name": "matanza", + "pocket": null + }, + { + "name": "swish-e", + "pocket": null + } + ], + "reason": "Ubuntu security engineers are investigating this issue." } - }, - { - "related_usns": [ - { - "description": "zlib vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5570-1", - "upgraded_packages": [] - }, - { - "description": "zlib vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-5570-2", - "upgraded_packages": [] - } - ], - "target_usn": { - "description": "rsync vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-5573-1", - "upgraded_packages": [] + ], + "status": "still-affected", + "title": "CVE-2017-9233", + "upgraded_packages": [ + { + "name": "expat", + "pocket": "standard-updates", + "version": ".*" } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - - Examples: ubuntu release details - | release | machine_type | - | focal | lxd-container | - - Scenario Outline: Fix execute API command on a Xenial machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-15180"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "MariaDB vulnerabilities", + ] + } + ], + "status": "still-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2020-15180", "CVE-2017-9233"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Kerberos vulnerability", + "errors": null, + "status": "fixed", + "title": "CVE-2020-28196", + "upgraded_packages": [] + }, + { + "description": "MariaDB vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "CVE-2020-15180", + "upgraded_packages": [] + }, + { + "description": "Expat vulnerability", + "errors": [ + { + "error_type": "security-issue-not-fixed", + "failed_upgrades": [ + { + "name": "matanza", + "pocket": null + }, + { + "name": "swish-e", + "pocket": null + } + ], + "reason": "Ubuntu security engineers are investigating this issue." + } + ], + "status": "still-affected", + "title": "CVE-2017-9233", + "upgraded_packages": [] + } + ], + "status": "still-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I apt install `libawl-php` + And I reboot the machine + And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "not-affected", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", "errors": null, "status": "not-affected", - "title": "CVE-2020-15180", - "upgraded_packages": [] - } - ], - "status": "not-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Kerberos vulnerability", - "errors": null, - "status": "fixed", - "title": "CVE-2020-28196", + "title": "USN-4539-1", "upgraded_packages": [] } - ], - "status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I apt install `expat=2.1.0-7 swish-e matanza ghostscript` - And I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2017-9233"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Expat vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5079-2"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "still-affected", + "usns": [ + { + "related_usns": null, + "target_usn": { + "description": "curl vulnerabilities", "errors": [ { - "error_type": "security-issue-not-fixed", - "failed_upgrades": [ - { - "name": "matanza", - "pocket": null - }, - { - "name": "swish-e", - "pocket": null - } - ], - "reason": "Ubuntu security engineers are investigating this issue." - }, - { - "error_type": "fix-require-root", + "error_type": "fix-requires-attach", "failed_upgrades": [ { - "name": "expat", - "pocket": "standard-updates" + "name": "curl", + "pocket": "esm-infra" } ], - "reason": "Package fixes cannot be installed.\nTo install them, run this command as root (try using sudo)" + "reason": "The update is not installed because this system is not attached to a\nsubscription.\n" } ], - "status": "error", - "title": "CVE-2017-9233", + "status": "still-affected", + "title": "USN-5079-2", "upgraded_packages": [] } - ], - "status": "error" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2017-9233"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Expat vulnerability", - "errors": [ - { - "error_type": "security-issue-not-fixed", - "failed_upgrades": [ - { - "name": "matanza", - "pocket": null - }, - { - "name": "swish-e", - "pocket": null - } - ], - "reason": "Ubuntu security engineers are investigating this issue." - } - ], - "status": "still-affected", - "title": "CVE-2017-9233", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I attach `contract_token` with sudo + And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5079-2"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [ + { + "description": "curl vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-5079-1", + "upgraded_packages": [] + } + ], + "target_usn": { + "description": "curl vulnerabilities", + "errors": null, + "status": "fixed", + "title": "USN-5079-2", "upgraded_packages": [ { - "name": "expat", - "pocket": "standard-updates", + "name": "curl", + "pocket": "esm-infra", + "version": ".*" + }, + { + "name": "libcurl3-gnutls", + "pocket": "esm-infra", "version": ".*" } ] } - ], - "status": "still-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2020-15180", "CVE-2017-9233"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Kerberos vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5051-2"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [ + { + "description": "OpenSSL vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-5051-1", + "upgraded_packages": [] + }, + { + "description": "OpenSSL vulnerability", + "errors": null, + "status": "not-affected", + "title": "USN-5051-3", + "upgraded_packages": [] + }, + { + "description": "EDK II vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-5088-1", + "upgraded_packages": [] + } + ], + "target_usn": { + "description": "OpenSSL vulnerability", "errors": null, "status": "fixed", - "title": "CVE-2020-28196", - "upgraded_packages": [] - }, - { - "description": "MariaDB vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "CVE-2020-15180", - "upgraded_packages": [] - }, - { - "description": "Expat vulnerability", - "errors": [ + "title": "USN-5051-2", + "upgraded_packages": [ { - "error_type": "security-issue-not-fixed", - "failed_upgrades": [ - { - "name": "matanza", - "pocket": null - }, - { - "name": "swish-e", - "pocket": null - } - ], - "reason": "Ubuntu security engineers are investigating this issue." + "name": "libssl1.0.0", + "pocket": "esm-infra", + "version": ".*" + }, + { + "name": "openssl", + "pocket": "esm-infra", + "version": ".*" } - ], - "status": "still-affected", - "title": "CVE-2017-9233", - "upgraded_packages": [] + ] } - ], - "status": "still-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I apt install `libawl-php` - And I reboot the machine - And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "not-affected", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5378-4"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + And API data field output matches regexp: + """ + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [ + { + "description": "Gzip vulnerability", "errors": null, "status": "not-affected", - "title": "USN-4539-1", + "title": "USN-5378-1", "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5079-2"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "still-affected", - "usns": [ - { - "related_usns": null, - "target_usn": { - "description": "curl vulnerabilities", - "errors": [ - { - "error_type": "fix-requires-attach", - "failed_upgrades": [ - { - "name": "curl", - "pocket": "esm-infra" - } - ], - "reason": "The update is not installed because this system is not attached to a\nsubscription.\n" - } - ], - "status": "still-affected", - "title": "USN-5079-2", + }, + { + "description": "XZ Utils vulnerability", + "errors": null, + "status": "not-affected", + "title": "USN-5378-2", "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I attach `contract_token` with sudo - And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5079-2"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [ - { - "description": "curl vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-5079-1", - "upgraded_packages": [] - } - ], - "target_usn": { - "description": "curl vulnerabilities", + }, + { + "description": "XZ Utils vulnerability", "errors": null, "status": "fixed", - "title": "USN-5079-2", + "title": "USN-5378-3", "upgraded_packages": [ { - "name": "curl", + "name": "liblzma5", "pocket": "esm-infra", "version": ".*" }, { - "name": "libcurl3-gnutls", + "name": "xz-utils", "pocket": "esm-infra", "version": ".*" } ] } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5051-2"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [ - { - "description": "OpenSSL vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-5051-1", - "upgraded_packages": [] - }, + ], + "target_usn": { + "description": "Gzip vulnerability", + "errors": null, + "status": "fixed", + "title": "USN-5378-4", + "upgraded_packages": [ { - "description": "OpenSSL vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5051-3", - "upgraded_packages": [] - }, - { - "description": "EDK II vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-5088-1", - "upgraded_packages": [] + "name": "gzip", + "pocket": "esm-infra", + "version": ".*" } - ], - "target_usn": { + ] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5051-2", "USN-5378-4"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [ + { + "description": "OpenSSL vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-5051-1", + "upgraded_packages": [] + }, + { "description": "OpenSSL vulnerability", "errors": null, - "status": "fixed", - "title": "USN-5051-2", - "upgraded_packages": [ - { - "name": "libssl1.0.0", - "pocket": "esm-infra", - "version": ".*" - }, - { - "name": "openssl", - "pocket": "esm-infra", - "version": ".*" - } - ] + "status": "not-affected", + "title": "USN-5051-3", + "upgraded_packages": [] + }, + { + "description": "EDK II vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-5088-1", + "upgraded_packages": [] } + ], + "target_usn": { + "description": "OpenSSL vulnerability", + "errors": null, + "status": "fixed", + "title": "USN-5051-2", + "upgraded_packages": [] } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5378-4"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - And API data field output matches regexp: - """ - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [ - { - "description": "Gzip vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5378-1", - "upgraded_packages": [] - }, - { - "description": "XZ Utils vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5378-2", - "upgraded_packages": [] - }, - { - "description": "XZ Utils vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-5378-3", - "upgraded_packages": [ - { - "name": "liblzma5", - "pocket": "esm-infra", - "version": ".*" - }, - { - "name": "xz-utils", - "pocket": "esm-infra", - "version": ".*" - } - ] - } - ], - "target_usn": { + }, + { + "related_usns": [ + { "description": "Gzip vulnerability", "errors": null, - "status": "fixed", - "title": "USN-5378-4", - "upgraded_packages": [ - { - "name": "gzip", - "pocket": "esm-infra", - "version": ".*" - } - ] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-5051-2", "USN-5378-4"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [ - { - "description": "OpenSSL vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-5051-1", - "upgraded_packages": [] - }, - { - "description": "OpenSSL vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5051-3", - "upgraded_packages": [] - }, - { - "description": "EDK II vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-5088-1", - "upgraded_packages": [] - } - ], - "target_usn": { - "description": "OpenSSL vulnerability", + "status": "not-affected", + "title": "USN-5378-1", + "upgraded_packages": [] + }, + { + "description": "XZ Utils vulnerability", "errors": null, - "status": "fixed", - "title": "USN-5051-2", + "status": "not-affected", + "title": "USN-5378-2", "upgraded_packages": [] - } - }, - { - "related_usns": [ - { - "description": "Gzip vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5378-1", - "upgraded_packages": [] - }, - { - "description": "XZ Utils vulnerability", - "errors": null, - "status": "not-affected", - "title": "USN-5378-2", - "upgraded_packages": [] - }, - { - "description": "XZ Utils vulnerability", - "errors": null, - "status": "fixed", - "title": "USN-5378-3", - "upgraded_packages": [] - } - ], - "target_usn": { - "description": "Gzip vulnerability", + }, + { + "description": "XZ Utils vulnerability", "errors": null, "status": "fixed", - "title": "USN-5378-4", + "title": "USN-5378-3", "upgraded_packages": [] } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro detach --assume-yes` with sudo - And I run `sed -i "/xenial-updates/d" /etc/apt/sources.list` with sudo - And I run `sed -i "/xenial-security/d" /etc/apt/sources.list` with sudo - And I apt update - And I apt install `squid` - And I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-25097"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Squid vulnerabilities", - "errors": [ - { - "error_type": "package-cannot-be-installed", - "failed_upgrades": [ - { - "name": "squid", - "pocket": "standard-updates" - } - ], - "reason": "Cannot install package squid version .*" - }, - { - "error_type": "package-cannot-be-installed", - "failed_upgrades": [ - { - "name": "squid-common", - "pocket": "standard-updates" - } - ], - "reason": "Cannot install package squid-common version .*" - } - ], - "status": "still-affected", - "title": "CVE-2020-25097", + ], + "target_usn": { + "description": "Gzip vulnerability", + "errors": null, + "status": "fixed", + "title": "USN-5378-4", "upgraded_packages": [] } - ], - "status": "still-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro detach --assume-yes` with sudo + And I run `sed -i "/xenial-updates/d" /etc/apt/sources.list` with sudo + And I run `sed -i "/xenial-security/d" /etc/apt/sources.list` with sudo + And I apt update + And I apt install `squid` + And I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-25097"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Squid vulnerabilities", + "errors": [ + { + "error_type": "package-cannot-be-installed", + "failed_upgrades": [ + { + "name": "squid", + "pocket": "standard-updates" + } + ], + "reason": "Cannot install package squid version .*" + }, + { + "error_type": "package-cannot-be-installed", + "failed_upgrades": [ + { + "name": "squid-common", + "pocket": "standard-updates" + } + ], + "reason": "Cannot install package squid-common version .*" + } + ], + "status": "still-affected", + "title": "CVE-2020-25097", + "upgraded_packages": [] + } + ], + "status": "still-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ - Examples: ubuntu release details - | release | machine_type | - | xenial | lxd-container | + Examples: ubuntu release details + | release | machine_type | + | xenial | lxd-container | - Scenario Outline: Fix execute API command on a Bionic machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "Kerberos vulnerability", + Scenario Outline: Fix execute API command on a Bionic machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "Kerberos vulnerability", + "errors": null, + "status": "fixed", + "title": "CVE-2020-28196", + "upgraded_packages": [] + } + ], + "status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I apt install `xterm=330-1ubuntu2` + And I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2021-27135"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "xterm vulnerability", + "errors": [ + { + "error_type": "fix-require-root", + "failed_upgrades": [ + { + "name": "xterm", + "pocket": "standard-updates" + } + ], + "reason": "Package fixes cannot be installed.\nTo install them, run this command as root (try using sudo)" + } + ], + "status": "error", + "title": "CVE-2021-27135", + "upgraded_packages": [] + } + ], + "status": "error" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2021-27135"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_execute` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "description": "xterm vulnerability", + "errors": null, + "status": "fixed", + "title": "CVE-2021-27135", + "upgraded_packages": [ + { + "name": "xterm", + "pocket": "standard-updates", + "version": ".*" + } + ] + } + ], + "status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixExecute" + } + """ + When I apt install `libawl-php` + And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "not-affected", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", "errors": null, - "status": "fixed", - "title": "CVE-2020-28196", + "status": "not-affected", + "title": "USN-4539-1", "upgraded_packages": [] } - ], - "status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I apt install `xterm=330-1ubuntu2` - And I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2021-27135"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "xterm vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I apt install `libbz2-1.0=1.0.6-8.1 bzip2=1.0.6-8.1` + And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4038-3"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "error", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "bzip2 regression", "errors": [ { "error_type": "fix-require-root", "failed_upgrades": [ { - "name": "xterm", + "name": "bzip2", "pocket": "standard-updates" } ], @@ -1138,375 +1239,274 @@ Feature: Fix execute API endpoints } ], "status": "error", - "title": "CVE-2021-27135", + "title": "USN-4038-3", "upgraded_packages": [] } - ], - "status": "error" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I run `pro api u.pro.security.fix.cve.execute.v1 --data '{"cves": ["CVE-2021-27135"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_execute` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "description": "xterm vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4038-3"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "bzip2 regression", "errors": null, "status": "fixed", - "title": "CVE-2021-27135", + "title": "USN-4038-3", "upgraded_packages": [ { - "name": "xterm", + "name": "bzip2", + "pocket": "standard-updates", + "version": ".*" + }, + { + "name": "libbz2-1.0", "pocket": "standard-updates", "version": ".*" } ] } - ], - "status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixExecute" - } - """ - When I apt install `libawl-php` - And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "not-affected", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-6130-1"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "not-affected", + "usns": [ + { + "related_usns": [ + { + "description": "Linux kernel (OEM) vulnerabilities", "errors": null, "status": "not-affected", - "title": "USN-4539-1", + "title": "USN-6033-1", "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I apt install `libbz2-1.0=1.0.6-8.1 bzip2=1.0.6-8.1` - And I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4038-3"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "error", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "bzip2 regression", - "errors": [ - { - "error_type": "fix-require-root", - "failed_upgrades": [ - { - "name": "bzip2", - "pocket": "standard-updates" - } - ], - "reason": "Package fixes cannot be installed.\nTo install them, run this command as root (try using sudo)" - } - ], - "status": "error", - "title": "USN-4038-3", + }, + { + "description": "Linux kernel (OEM) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6122-1", "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4038-3"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "bzip2 regression", + }, + { + "description": "Linux kernel (OEM) vulnerabilities", "errors": null, - "status": "fixed", - "title": "USN-4038-3", - "upgraded_packages": [ - { - "name": "bzip2", - "pocket": "standard-updates", - "version": ".*" - }, - { - "name": "libbz2-1.0", - "pocket": "standard-updates", - "version": ".*" - } - ] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-6130-1"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "not-affected", - "usns": [ - { - "related_usns": [ - { - "description": "Linux kernel (OEM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6033-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (OEM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6122-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (OEM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6123-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (OEM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6124-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6127-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6131-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6132-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (Azure CVM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6135-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6149-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6150-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (Intel IoTG) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6162-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (OEM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6173-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6175-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6186-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (Xilinx ZynqMP) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6222-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (IoT) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6256-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel (OEM) vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6385-1", - "upgraded_packages": [] - }, - { - "description": "Linux kernel vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-6460-1", - "upgraded_packages": [] - } - ], - "target_usn": { + "status": "not-affected", + "title": "USN-6123-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (OEM) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6124-1", + "upgraded_packages": [] + }, + { "description": "Linux kernel vulnerabilities", "errors": null, "status": "not-affected", - "title": "USN-6130-1", + "title": "USN-6127-1", "upgraded_packages": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ - When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1", "USN-4038-1"]}'` with sudo - Then stdout is a json matching the `api_response` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "status": "fixed", - "usns": [ - { - "related_usns": [], - "target_usn": { - "description": "AWL vulnerability", + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6131-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6132-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (Azure CVM) vulnerabilities", "errors": null, "status": "not-affected", - "title": "USN-4539-1", + "title": "USN-6135-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6149-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6150-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (Intel IoTG) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6162-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (OEM) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6173-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6175-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6186-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (Xilinx ZynqMP) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6222-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (IoT) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6256-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel (OEM) vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6385-1", + "upgraded_packages": [] + }, + { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6460-1", "upgraded_packages": [] } - }, - { - "related_usns": [ - { - "description": "bzip2 vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-4038-2", - "upgraded_packages": [] - }, - { - "description": "ClamAV vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-4146-1", - "upgraded_packages": [] - }, - { - "description": "ClamAV vulnerabilities", - "errors": null, - "status": "not-affected", - "title": "USN-4146-2", - "upgraded_packages": [] - } - ], - "target_usn": { + ], + "target_usn": { + "description": "Linux kernel vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-6130-1", + "upgraded_packages": [] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ + When I run `pro api u.pro.security.fix.usn.execute.v1 --data '{"usns": ["USN-4539-1", "USN-4038-1"]}'` with sudo + Then stdout is a json matching the `api_response` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "status": "fixed", + "usns": [ + { + "related_usns": [], + "target_usn": { + "description": "AWL vulnerability", + "errors": null, + "status": "not-affected", + "title": "USN-4539-1", + "upgraded_packages": [] + } + }, + { + "related_usns": [ + { "description": "bzip2 vulnerabilities", "errors": null, - "status": "fixed", - "title": "USN-4038-1", + "status": "not-affected", + "title": "USN-4038-2", + "upgraded_packages": [] + }, + { + "description": "ClamAV vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-4146-1", + "upgraded_packages": [] + }, + { + "description": "ClamAV vulnerabilities", + "errors": null, + "status": "not-affected", + "title": "USN-4146-2", "upgraded_packages": [] } + ], + "target_usn": { + "description": "bzip2 vulnerabilities", + "errors": null, + "status": "fixed", + "title": "USN-4038-1", + "upgraded_packages": [] } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixExecute" - } - """ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixExecute" + } + """ - Examples: ubuntu release details - | release | machine_type | - | bionic | lxd-container | + Examples: ubuntu release details + | release | machine_type | + | bionic | lxd-container | diff --git a/features/api_fix_plan.feature b/features/api_fix_plan.feature index afebd40bf5..169039fa4e 100644 --- a/features/api_fix_plan.feature +++ b/features/api_fix_plan.feature @@ -1,443 +1,411 @@ Feature: Fix plan API endpoints - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-1800-123456"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-1800-123456"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": null, + "description": null, + "error": { + "code": "security-fix-not-found-issue", + "msg": "Error: CVE-1800-123456 not found." + }, + "expected_status": "error", + "plan": [], + "title": "CVE-1800-123456", + "warnings": [] + } + ], + "expected_status": "error" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-123455"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "error", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { "additional_data": {}, "affected_packages": null, "description": null, "error": { - "code": "security-fix-not-found-issue", - "msg": "Error: CVE-1800-123456 not found." + "code": "invalid-security-issue", + "msg": "Error: issue \\"USN-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." }, "expected_status": "error", "plan": [], - "title": "CVE-1800-123456", + "title": "USN-123455", "warnings": [] } - ], - "expected_status": "error" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-123455"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "error", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { - "additional_data": {}, - "affected_packages": null, - "description": null, - "error": { - "code": "invalid-security-issue", - "msg": "Error: issue \\"USN-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." - }, - "expected_status": "error", - "plan": [], - "title": "USN-123455", - "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-123455", "CVE-12"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-123455", "CVE-12"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": null, + "description": null, + "error": { + "code": "invalid-security-issue", + "msg": "Error: issue \\"CVE-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + }, + "expected_status": "error", + "plan": [], + "title": "CVE-123455", + "warnings": [] + }, + { + "additional_data": {}, + "affected_packages": null, + "description": null, + "error": { + "code": "invalid-security-issue", + "msg": "Error: issue \\"CVE-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + }, + "expected_status": "error", + "plan": [], + "title": "CVE-12", + "warnings": [] + } + ], + "expected_status": "error" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-123455", "USN-12"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "error", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { "additional_data": {}, "affected_packages": null, "description": null, "error": { "code": "invalid-security-issue", - "msg": "Error: issue \\"CVE-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + "msg": "Error: issue \\"USN-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." }, "expected_status": "error", "plan": [], - "title": "CVE-123455", + "title": "USN-123455", "warnings": [] - }, - { + } + }, + { + "related_usns_plan": [], + "target_usn_plan": { "additional_data": {}, "affected_packages": null, "description": null, "error": { "code": "invalid-security-issue", - "msg": "Error: issue \\"CVE-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." + "msg": "Error: issue \\"USN-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." }, "expected_status": "error", "plan": [], - "title": "CVE-12", + "title": "USN-12", "warnings": [] } - ], - "expected_status": "error" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-123455", "USN-12"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "error", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { - "additional_data": {}, - "affected_packages": null, - "description": null, - "error": { - "code": "invalid-security-issue", - "msg": "Error: issue \\"USN-123455\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." - }, - "expected_status": "error", - "plan": [], - "title": "USN-123455", - "warnings": [] - } - }, - { - "related_usns_plan": [], - "target_usn_plan": { - "additional_data": {}, - "affected_packages": null, - "description": null, - "error": { - "code": "invalid-security-issue", - "msg": "Error: issue \\"USN-12\\" is not recognized.\n\nCVEs should follow the pattern CVE-yyyy-nnn.\n\nUSNs should follow the pattern USN-nnnn." - }, - "expected_status": "error", - "plan": [], - "title": "USN-12", - "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ - Examples: ubuntu release details - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release details + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "krb5" + ], + "description": "Kerberos vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "pocket": "standard-updates", + "source_packages": [ + "krb5" + ], + "status": "cve-already-fixed" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-28196", + "warnings": [] + } + ], + "expected_status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2022-24959"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2022-24959", + "warnings": [] + } + ], + "expected_status": "not-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2022-24959"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "krb5" + ], + "description": "Kerberos vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "pocket": "standard-updates", + "source_packages": [ + "krb5" + ], + "status": "cve-already-fixed" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-28196", + "warnings": [] + }, + { + "additional_data": {}, + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2022-24959", + "warnings": [] + } + ], + "expected_status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I apt install `libawl-php=0.60-1` + And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2020-11728" + ], + "associated_launchpad_bugs": [] + }, "affected_packages": [ - "krb5" + "awl" ], - "description": "Kerberos vulnerability", + "description": "AWL vulnerability", "error": null, "expected_status": "fixed", "plan": [ { "data": { - "pocket": "standard-updates", - "source_packages": [ - "krb5" + "binary_packages": [ + "libawl-php" ], - "status": "cve-already-fixed" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "CVE-2020-28196", - "warnings": [] - } - ], - "expected_status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2022-24959"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "CVE-2022-24959", - "warnings": [] - } - ], - "expected_status": "not-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2022-24959"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, - "affected_packages": [ - "krb5" - ], - "description": "Kerberos vulnerability", - "error": null, - "expected_status": "fixed", - "plan": [ - { - "data": { "pocket": "standard-updates", "source_packages": [ - "krb5" - ], - "status": "cve-already-fixed" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "CVE-2020-28196", - "warnings": [] - }, - { - "additional_data": {}, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" + "awl" + ] }, - "operation": "no-op", + "operation": "apt-upgrade", "order": 1 } ], - "title": "CVE-2022-24959", + "title": "USN-4539-1", "warnings": [] } - ], - "expected_status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I apt install `libawl-php=0.60-1` - And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I apt install `rsync=3.1.3-8 zlib1g=1:1.2.11.dfsg-2ubuntu1` + And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5573-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ - "CVE-2020-11728" + "CVE-2022-37434" ], "associated_launchpad_bugs": [] }, - "affected_packages": [ - "awl" - ], - "description": "AWL vulnerability", + "affected_packages": [], + "description": "zlib vulnerability", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "binary_packages": [ - "libawl-php" - ], - "pocket": "standard-updates", - "source_packages": [ - "awl" - ] + "status": "system-not-affected" }, - "operation": "apt-upgrade", + "operation": "no-op", "order": 1 } ], - "title": "USN-4539-1", + "title": "USN-5570-1", "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I apt install `rsync=3.1.3-8 zlib1g=1:1.2.11.dfsg-2ubuntu1` - And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5573-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [ - { - "additional_data": { - "associated_cves": [ - "CVE-2022-37434" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "zlib vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5570-1", - "warnings": [] - }, - { - "additional_data": { - "associated_cves": [ - "CVE-2022-37434" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [ - "zlib" - ], - "description": "zlib vulnerability", - "error": null, - "expected_status": "fixed", - "plan": [ - { - "data": { - "binary_packages": [ - "zlib1g" - ], - "pocket": "standard-updates", - "source_packages": [ - "zlib" - ] - }, - "operation": "apt-upgrade", - "order": 1 - } - ], - "title": "USN-5570-2", - "warnings": [] - } - ], - "target_usn_plan": { + }, + { "additional_data": { "associated_cves": [ "CVE-2022-37434" @@ -445,141 +413,141 @@ Feature: Fix plan API endpoints "associated_launchpad_bugs": [] }, "affected_packages": [ - "rsync" + "zlib" ], - "description": "rsync vulnerability", + "description": "zlib vulnerability", "error": null, "expected_status": "fixed", "plan": [ { "data": { "binary_packages": [ - "rsync" + "zlib1g" ], "pocket": "standard-updates", "source_packages": [ - "rsync" + "zlib" ] }, "operation": "apt-upgrade", "order": 1 } ], - "title": "USN-5573-1", + "title": "USN-5570-2", "warnings": [] } + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2022-37434" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "rsync" + ], + "description": "rsync vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "binary_packages": [ + "rsync" + ], + "pocket": "standard-updates", + "source_packages": [ + "rsync" + ] + }, + "operation": "apt-upgrade", + "order": 1 + } + ], + "title": "USN-5573-1", + "warnings": [] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1", "USN-5573-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2020-11728" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "awl" + ], + "description": "AWL vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "binary_packages": [ + "libawl-php" + ], + "pocket": "standard-updates", + "source_packages": [ + "awl" + ] + }, + "operation": "apt-upgrade", + "order": 1 + } + ], + "title": "USN-4539-1", + "warnings": [] } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1", "USN-5573-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { + }, + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ - "CVE-2020-11728" + "CVE-2022-37434" ], "associated_launchpad_bugs": [] }, - "affected_packages": [ - "awl" - ], - "description": "AWL vulnerability", + "affected_packages": [], + "description": "zlib vulnerability", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "binary_packages": [ - "libawl-php" - ], - "pocket": "standard-updates", - "source_packages": [ - "awl" - ] + "status": "system-not-affected" }, - "operation": "apt-upgrade", + "operation": "no-op", "order": 1 } ], - "title": "USN-4539-1", + "title": "USN-5570-1", "warnings": [] - } - }, - { - "related_usns_plan": [ - { - "additional_data": { - "associated_cves": [ - "CVE-2022-37434" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "zlib vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5570-1", - "warnings": [] - }, - { - "additional_data": { - "associated_cves": [ - "CVE-2022-37434" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [ - "zlib" - ], - "description": "zlib vulnerability", - "error": null, - "expected_status": "fixed", - "plan": [ - { - "data": { - "binary_packages": [ - "zlib1g" - ], - "pocket": "standard-updates", - "source_packages": [ - "zlib" - ] - }, - "operation": "apt-upgrade", - "order": 1 - } - ], - "title": "USN-5570-2", - "warnings": [] - } - ], - "target_usn_plan": { + }, + { "additional_data": { "associated_cves": [ "CVE-2022-37434" @@ -587,59 +555,341 @@ Feature: Fix plan API endpoints "associated_launchpad_bugs": [] }, "affected_packages": [ - "rsync" + "zlib" ], - "description": "rsync vulnerability", + "description": "zlib vulnerability", "error": null, "expected_status": "fixed", "plan": [ { "data": { "binary_packages": [ - "rsync" + "zlib1g" ], "pocket": "standard-updates", "source_packages": [ - "rsync" + "zlib" ] }, "operation": "apt-upgrade", "order": 1 } ], - "title": "USN-5573-1", + "title": "USN-5570-2", "warnings": [] } + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2022-37434" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "rsync" + ], + "description": "rsync vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "binary_packages": [ + "rsync" + ], + "pocket": "standard-updates", + "source_packages": [ + "rsync" + ] + }, + "operation": "apt-upgrade", + "order": 1 + } + ], + "title": "USN-5573-1", + "warnings": [] } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ - Examples: ubuntu release details - | release | machine_type | - | focal | lxd-container | + Examples: ubuntu release details + | release | machine_type | + | focal | lxd-container | - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-15180"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-15180"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [], + "description": "MariaDB vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-15180", + "warnings": [] + } + ], + "expected_status": "not-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "krb5" + ], + "description": "Kerberos vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "pocket": "standard-updates", + "source_packages": [ + "krb5" + ], + "status": "cve-already-fixed" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-28196", + "warnings": [] + } + ], + "expected_status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I apt install `expat=2.1.0-7 swish-e matanza ghostscript` + And I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2017-9233"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "expat", + "matanza", + "swish-e" + ], + "description": "Expat vulnerability", + "error": null, + "expected_status": "still-affected", + "plan": [ + { + "data": { + "binary_packages": [ + "expat" + ], + "pocket": "standard-updates", + "source_packages": [ + "expat" + ] + }, + "operation": "apt-upgrade", + "order": 2 + } + ], + "title": "CVE-2017-9233", + "warnings": [ + { + "data": { + "source_packages": [ + "matanza", + "swish-e" + ], + "status": "needs-triage" + }, + "order": 1, + "warning_type": "security-issue-not-fixed" + } + ] + } + ], + "expected_status": "still-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2020-15180", "CVE-2017-9233"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "krb5" + ], + "description": "Kerberos vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "pocket": "standard-updates", + "source_packages": [ + "krb5" + ], + "status": "cve-already-fixed" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-28196", + "warnings": [] + }, + { + "additional_data": {}, + "affected_packages": [], + "description": "MariaDB vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-15180", + "warnings": [] + }, + { + "additional_data": {}, + "affected_packages": [ + "expat", + "matanza", + "swish-e" + ], + "description": "Expat vulnerability", + "error": null, + "expected_status": "still-affected", + "plan": [ + { + "data": { + "binary_packages": [ + "expat" + ], + "pocket": "standard-updates", + "source_packages": [ + "expat" + ] + }, + "operation": "apt-upgrade", + "order": 2 + } + ], + "title": "CVE-2017-9233", + "warnings": [ + { + "data": { + "source_packages": [ + "matanza", + "swish-e" + ], + "status": "needs-triage" + }, + "order": 1, + "warning_type": "security-issue-not-fixed" + } + ] + } + ], + "expected_status": "still-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I apt install `libawl-php` + And I reboot the machine + And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "not-affected", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2020-11728" + ], + "associated_launchpad_bugs": [] + }, "affected_packages": [], - "description": "MariaDB vulnerabilities", + "description": "AWL vulnerability", "error": null, "expected_status": "not-affected", "plan": [ @@ -651,245 +901,143 @@ Feature: Fix plan API endpoints "order": 1 } ], - "title": "CVE-2020-15180", + "title": "USN-4539-1", "warnings": [] } - ], - "expected_status": "not-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5079-2"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [ + { + "additional_data": { + "associated_cves": [ + "CVE-2021-22947", + "CVE-2021-22945", + "CVE-2021-22946" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "curl vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-5079-1", + "warnings": [] + } + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2021-22946", + "CVE-2021-22947" + ], + "associated_launchpad_bugs": [] + }, "affected_packages": [ - "krb5" + "curl" ], - "description": "Kerberos vulnerability", + "description": "curl vulnerabilities", "error": null, "expected_status": "fixed", "plan": [ { "data": { - "pocket": "standard-updates", + "reason": "required-pro-service", + "required_service": "esm-infra", "source_packages": [ - "krb5" - ], - "status": "cve-already-fixed" + "curl" + ] }, - "operation": "no-op", + "operation": "attach", "order": 1 - } - ], - "title": "CVE-2020-28196", - "warnings": [] - } - ], - "expected_status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I apt install `expat=2.1.0-7 swish-e matanza ghostscript` - And I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2017-9233"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, - "affected_packages": [ - "expat", - "matanza", - "swish-e" - ], - "description": "Expat vulnerability", - "error": null, - "expected_status": "still-affected", - "plan": [ + }, { "data": { - "binary_packages": [ - "expat" - ], - "pocket": "standard-updates", + "service": "esm-infra", "source_packages": [ - "expat" + "curl" ] }, - "operation": "apt-upgrade", + "operation": "enable", "order": 2 - } - ], - "title": "CVE-2017-9233", - "warnings": [ - { - "data": { - "source_packages": [ - "matanza", - "swish-e" - ], - "status": "needs-triage" - }, - "order": 1, - "warning_type": "security-issue-not-fixed" - } - ] - } - ], - "expected_status": "still-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2020-15180", "CVE-2017-9233"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, - "affected_packages": [ - "krb5" - ], - "description": "Kerberos vulnerability", - "error": null, - "expected_status": "fixed", - "plan": [ - { - "data": { - "pocket": "standard-updates", - "source_packages": [ - "krb5" - ], - "status": "cve-already-fixed" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "CVE-2020-28196", - "warnings": [] - }, - { - "additional_data": {}, - "affected_packages": [], - "description": "MariaDB vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "CVE-2020-15180", - "warnings": [] - }, - { - "additional_data": {}, - "affected_packages": [ - "expat", - "matanza", - "swish-e" - ], - "description": "Expat vulnerability", - "error": null, - "expected_status": "still-affected", - "plan": [ + }, { "data": { "binary_packages": [ - "expat" + "curl", + "libcurl3-gnutls" ], - "pocket": "standard-updates", + "pocket": "esm-infra", "source_packages": [ - "expat" + "curl" ] }, "operation": "apt-upgrade", - "order": 2 + "order": 3 } ], - "title": "CVE-2017-9233", - "warnings": [ - { - "data": { - "source_packages": [ - "matanza", - "swish-e" - ], - "status": "needs-triage" - }, - "order": 1, - "warning_type": "security-issue-not-fixed" - } - ] + "title": "USN-5079-2", + "warnings": [] } - ], - "expected_status": "still-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I apt install `libawl-php` - And I reboot the machine - And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "not-affected", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5051-2"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ - "CVE-2020-11728" + "CVE-2021-3711", + "CVE-2021-3712" ], "associated_launchpad_bugs": [] }, "affected_packages": [], - "description": "AWL vulnerability", + "description": "OpenSSL vulnerabilities", "error": null, "expected_status": "not-affected", "plan": [ @@ -901,383 +1049,181 @@ Feature: Fix plan API endpoints "order": 1 } ], - "title": "USN-4539-1", + "title": "USN-5051-1", "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5079-2"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [ - { - "additional_data": { - "associated_cves": [ - "CVE-2021-22947", - "CVE-2021-22945", - "CVE-2021-22946" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "curl vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5079-1", - "warnings": [] - } - ], - "target_usn_plan": { + }, + { "additional_data": { "associated_cves": [ - "CVE-2021-22946", - "CVE-2021-22947" + "CVE-2021-3712" ], "associated_launchpad_bugs": [] }, - "affected_packages": [ - "curl" - ], - "description": "curl vulnerabilities", + "affected_packages": [], + "description": "OpenSSL vulnerability", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "reason": "required-pro-service", - "required_service": "esm-infra", - "source_packages": [ - "curl" - ] + "status": "system-not-affected" }, - "operation": "attach", + "operation": "no-op", "order": 1 - }, - { - "data": { - "service": "esm-infra", - "source_packages": [ - "curl" - ] - }, - "operation": "enable", - "order": 2 - }, + } + ], + "title": "USN-5051-3", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2019-11098", + "CVE-2021-3712", + "CVE-2021-23840", + "CVE-2021-38575" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "EDK II vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ { "data": { - "binary_packages": [ - "curl", - "libcurl3-gnutls" - ], - "pocket": "esm-infra", - "source_packages": [ - "curl" - ] + "status": "system-not-affected" }, - "operation": "apt-upgrade", - "order": 3 + "operation": "no-op", + "order": 1 } ], - "title": "USN-5079-2", + "title": "USN-5088-1", "warnings": [] } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5051-2"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [ + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2021-3712" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "openssl" + ], + "description": "OpenSSL vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ { - "additional_data": { - "associated_cves": [ - "CVE-2021-3711", - "CVE-2021-3712" - ], - "associated_launchpad_bugs": [] + "data": { + "reason": "required-pro-service", + "required_service": "esm-infra", + "source_packages": [ + "openssl" + ] }, - "affected_packages": [], - "description": "OpenSSL vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5051-1", - "warnings": [] + "operation": "attach", + "order": 1 }, { - "additional_data": { - "associated_cves": [ - "CVE-2021-3712" - ], - "associated_launchpad_bugs": [] + "data": { + "service": "esm-infra", + "source_packages": [ + "openssl" + ] }, - "affected_packages": [], - "description": "OpenSSL vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5051-3", - "warnings": [] + "operation": "enable", + "order": 2 }, { - "additional_data": { - "associated_cves": [ - "CVE-2019-11098", - "CVE-2021-3712", - "CVE-2021-23840", - "CVE-2021-38575" + "data": { + "binary_packages": [ + "libssl1.0.0", + "openssl" ], - "associated_launchpad_bugs": [] + "pocket": "esm-infra", + "source_packages": [ + "openssl" + ] }, - "affected_packages": [], - "description": "EDK II vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5088-1", - "warnings": [] + "operation": "apt-upgrade", + "order": 3 } ], - "target_usn_plan": { + "title": "USN-5051-2", + "warnings": [] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5378-4"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ - "CVE-2021-3712" + "CVE-2022-1271" ], "associated_launchpad_bugs": [] }, - "affected_packages": [ - "openssl" - ], - "description": "OpenSSL vulnerability", + "affected_packages": [], + "description": "Gzip vulnerability", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "reason": "required-pro-service", - "required_service": "esm-infra", - "source_packages": [ - "openssl" - ] + "status": "system-not-affected" }, - "operation": "attach", + "operation": "no-op", "order": 1 - }, - { - "data": { - "service": "esm-infra", - "source_packages": [ - "openssl" - ] - }, - "operation": "enable", - "order": 2 - }, - { - "data": { - "binary_packages": [ - "libssl1.0.0", - "openssl" - ], - "pocket": "esm-infra", - "source_packages": [ - "openssl" - ] - }, - "operation": "apt-upgrade", - "order": 3 } ], - "title": "USN-5051-2", + "title": "USN-5378-1", "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5378-4"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [ - { - "additional_data": { - "associated_cves": [ - "CVE-2022-1271" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Gzip vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5378-1", - "warnings": [] - }, - { - "additional_data": { - "associated_cves": [ - "CVE-2022-1271" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "XZ Utils vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2022-1271" ], - "title": "USN-5378-2", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2022-1271" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [ - "xz-utils" - ], - "description": "XZ Utils vulnerability", - "error": null, - "expected_status": "fixed", - "plan": [ - { - "data": { - "reason": "required-pro-service", - "required_service": "esm-infra", - "source_packages": [ - "xz-utils" - ] - }, - "operation": "attach", - "order": 1 - }, - { - "data": { - "service": "esm-infra", - "source_packages": [ - "xz-utils" - ] - }, - "operation": "enable", - "order": 2 + "affected_packages": [], + "description": "XZ Utils vulnerability", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" }, - { - "data": { - "binary_packages": [ - "liblzma5", - "xz-utils" - ], - "pocket": "esm-infra", - "source_packages": [ - "xz-utils" - ] - }, - "operation": "apt-upgrade", - "order": 3 - } - ], - "title": "USN-5378-3", - "warnings": [] - } - ], - "target_usn_plan": { + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-5378-2", + "warnings": [] + }, + { "additional_data": { "associated_cves": [ "CVE-2022-1271" @@ -1285,9 +1231,9 @@ Feature: Fix plan API endpoints "associated_launchpad_bugs": [] }, "affected_packages": [ - "gzip" + "xz-utils" ], - "description": "Gzip vulnerability", + "description": "XZ Utils vulnerability", "error": null, "expected_status": "fixed", "plan": [ @@ -1296,7 +1242,7 @@ Feature: Fix plan API endpoints "reason": "required-pro-service", "required_service": "esm-infra", "source_packages": [ - "gzip" + "xz-utils" ] }, "operation": "attach", @@ -1306,7 +1252,7 @@ Feature: Fix plan API endpoints "data": { "service": "esm-infra", "source_packages": [ - "gzip" + "xz-utils" ] }, "operation": "enable", @@ -1315,273 +1261,273 @@ Feature: Fix plan API endpoints { "data": { "binary_packages": [ - "gzip" + "liblzma5", + "xz-utils" ], "pocket": "esm-infra", "source_packages": [ - "gzip" + "xz-utils" ] }, "operation": "apt-upgrade", "order": 3 } ], - "title": "USN-5378-4", + "title": "USN-5378-3", "warnings": [] } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5051-2", "USN-5378-4"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [ + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2022-1271" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "gzip" + ], + "description": "Gzip vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ { - "additional_data": { - "associated_cves": [ - "CVE-2021-3711", - "CVE-2021-3712" - ], - "associated_launchpad_bugs": [] + "data": { + "reason": "required-pro-service", + "required_service": "esm-infra", + "source_packages": [ + "gzip" + ] }, - "affected_packages": [], - "description": "OpenSSL vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5051-1", - "warnings": [] + "operation": "attach", + "order": 1 }, { - "additional_data": { - "associated_cves": [ - "CVE-2021-3712" - ], - "associated_launchpad_bugs": [] + "data": { + "service": "esm-infra", + "source_packages": [ + "gzip" + ] }, - "affected_packages": [], - "description": "OpenSSL vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5051-3", - "warnings": [] + "operation": "enable", + "order": 2 }, { - "additional_data": { - "associated_cves": [ - "CVE-2019-11098", - "CVE-2021-3712", - "CVE-2021-23840", - "CVE-2021-38575" + "data": { + "binary_packages": [ + "gzip" ], - "associated_launchpad_bugs": [] + "pocket": "esm-infra", + "source_packages": [ + "gzip" + ] }, - "affected_packages": [], - "description": "EDK II vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5088-1", - "warnings": [] + "operation": "apt-upgrade", + "order": 3 } ], - "target_usn_plan": { + "title": "USN-5378-4", + "warnings": [] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-5051-2", "USN-5378-4"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ + "CVE-2021-3711", "CVE-2021-3712" ], "associated_launchpad_bugs": [] }, - "affected_packages": [ - "openssl" - ], - "description": "OpenSSL vulnerability", + "affected_packages": [], + "description": "OpenSSL vulnerabilities", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "reason": "required-pro-service", - "required_service": "esm-infra", - "source_packages": [ - "openssl" - ] + "status": "system-not-affected" }, - "operation": "attach", + "operation": "no-op", "order": 1 - }, + } + ], + "title": "USN-5051-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2021-3712" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "OpenSSL vulnerability", + "error": null, + "expected_status": "not-affected", + "plan": [ { "data": { - "service": "esm-infra", - "source_packages": [ - "openssl" - ] + "status": "system-not-affected" }, - "operation": "enable", - "order": 2 - }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-5051-3", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2019-11098", + "CVE-2021-3712", + "CVE-2021-23840", + "CVE-2021-38575" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "EDK II vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ { "data": { - "binary_packages": [ - "libssl1.0.0", - "openssl" - ], - "pocket": "esm-infra", - "source_packages": [ - "openssl" - ] + "status": "system-not-affected" }, - "operation": "apt-upgrade", - "order": 3 + "operation": "no-op", + "order": 1 } ], - "title": "USN-5051-2", + "title": "USN-5088-1", "warnings": [] } - }, - { - "related_usns_plan": [ + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2021-3712" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "openssl" + ], + "description": "OpenSSL vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ { - "additional_data": { - "associated_cves": [ - "CVE-2022-1271" - ], - "associated_launchpad_bugs": [] + "data": { + "reason": "required-pro-service", + "required_service": "esm-infra", + "source_packages": [ + "openssl" + ] }, - "affected_packages": [], - "description": "Gzip vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5378-1", - "warnings": [] + "operation": "attach", + "order": 1 }, { - "additional_data": { - "associated_cves": [ - "CVE-2022-1271" - ], - "associated_launchpad_bugs": [] + "data": { + "service": "esm-infra", + "source_packages": [ + "openssl" + ] }, - "affected_packages": [], - "description": "XZ Utils vulnerability", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-5378-2", - "warnings": [] + "operation": "enable", + "order": 2 }, { - "additional_data": { - "associated_cves": [ - "CVE-2022-1271" + "data": { + "binary_packages": [ + "libssl1.0.0", + "openssl" ], - "associated_launchpad_bugs": [] + "pocket": "esm-infra", + "source_packages": [ + "openssl" + ] }, - "affected_packages": [ - "xz-utils" + "operation": "apt-upgrade", + "order": 3 + } + ], + "title": "USN-5051-2", + "warnings": [] + } + }, + { + "related_usns_plan": [ + { + "additional_data": { + "associated_cves": [ + "CVE-2022-1271" ], - "description": "XZ Utils vulnerability", - "error": null, - "expected_status": "fixed", - "plan": [ - { - "data": { - "reason": "required-pro-service", - "required_service": "esm-infra", - "source_packages": [ - "xz-utils" - ] - }, - "operation": "attach", - "order": 1 - }, - { - "data": { - "service": "esm-infra", - "source_packages": [ - "xz-utils" - ] - }, - "operation": "enable", - "order": 2 + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "Gzip vulnerability", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" }, - { - "data": { - "binary_packages": [ - "liblzma5", - "xz-utils" - ], - "pocket": "esm-infra", - "source_packages": [ - "xz-utils" - ] - }, - "operation": "apt-upgrade", - "order": 3 - } + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-5378-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2022-1271" ], - "title": "USN-5378-3", - "warnings": [] - } - ], - "target_usn_plan": { + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "XZ Utils vulnerability", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-5378-2", + "warnings": [] + }, + { "additional_data": { "associated_cves": [ "CVE-2022-1271" @@ -1589,9 +1535,9 @@ Feature: Fix plan API endpoints "associated_launchpad_bugs": [] }, "affected_packages": [ - "gzip" + "xz-utils" ], - "description": "Gzip vulnerability", + "description": "XZ Utils vulnerability", "error": null, "expected_status": "fixed", "plan": [ @@ -1600,7 +1546,7 @@ Feature: Fix plan API endpoints "reason": "required-pro-service", "required_service": "esm-infra", "source_packages": [ - "gzip" + "xz-utils" ] }, "operation": "attach", @@ -1610,7 +1556,7 @@ Feature: Fix plan API endpoints "data": { "service": "esm-infra", "source_packages": [ - "gzip" + "xz-utils" ] }, "operation": "enable", @@ -1619,222 +1565,392 @@ Feature: Fix plan API endpoints { "data": { "binary_packages": [ - "gzip" + "liblzma5", + "xz-utils" ], "pocket": "esm-infra", "source_packages": [ - "gzip" + "xz-utils" ] }, "operation": "apt-upgrade", "order": 3 } ], - "title": "USN-5378-4", + "title": "USN-5378-3", "warnings": [] } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `sed -i "/xenial-updates/d" /etc/apt/sources.list` with sudo - And I run `sed -i "/xenial-security/d" /etc/apt/sources.list` with sudo - And I apt update - And I apt install `squid` - And I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-25097"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2022-1271" + ], + "associated_launchpad_bugs": [] + }, "affected_packages": [ - "squid3" + "gzip" ], - "description": "Squid vulnerabilities", + "description": "Gzip vulnerability", "error": null, - "expected_status": "still-affected", + "expected_status": "fixed", "plan": [ { "data": { - "binary_packages": [], - "pocket": "standard-updates", + "reason": "required-pro-service", + "required_service": "esm-infra", "source_packages": [ - "squid3" + "gzip" ] }, - "operation": "apt-upgrade", - "order": 3 - } - ], - "title": "CVE-2020-25097", - "warnings": [ + "operation": "attach", + "order": 1 + }, { "data": { - "binary_package": "squid", - "binary_package_version": ".*", - "pocket": "standard-updates", - "related_source_packages": [ - "squid3" - ], - "source_package": "squid3" + "service": "esm-infra", + "source_packages": [ + "gzip" + ] }, - "order": 1, - "warning_type": "package-cannot-be-installed" + "operation": "enable", + "order": 2 }, { "data": { - "binary_package": "squid-common", - "binary_package_version": ".*", - "pocket": "standard-updates", - "related_source_packages": [ - "squid3" + "binary_packages": [ + "gzip" ], - "source_package": "squid3" + "pocket": "esm-infra", + "source_packages": [ + "gzip" + ] }, - "order": 2, - "warning_type": "package-cannot-be-installed" + "operation": "apt-upgrade", + "order": 3 } - ] + ], + "title": "USN-5378-4", + "warnings": [] } - ], - "expected_status": "still-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `sed -i "/xenial-updates/d" /etc/apt/sources.list` with sudo + And I run `sed -i "/xenial-security/d" /etc/apt/sources.list` with sudo + And I apt update + And I apt install `squid` + And I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-25097"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "squid3" + ], + "description": "Squid vulnerabilities", + "error": null, + "expected_status": "still-affected", + "plan": [ + { + "data": { + "binary_packages": [], + "pocket": "standard-updates", + "source_packages": [ + "squid3" + ] + }, + "operation": "apt-upgrade", + "order": 3 + } + ], + "title": "CVE-2020-25097", + "warnings": [ + { + "data": { + "binary_package": "squid", + "binary_package_version": ".*", + "pocket": "standard-updates", + "related_source_packages": [ + "squid3" + ], + "source_package": "squid3" + }, + "order": 1, + "warning_type": "package-cannot-be-installed" + }, + { + "data": { + "binary_package": "squid-common", + "binary_package_version": ".*", + "pocket": "standard-updates", + "related_source_packages": [ + "squid3" + ], + "source_package": "squid3" + }, + "order": 2, + "warning_type": "package-cannot-be-installed" + } + ] + } + ], + "expected_status": "still-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ - Examples: ubuntu release details - | release | machine_type | - | xenial | lxd-container | + Examples: ubuntu release details + | release | machine_type | + | xenial | lxd-container | - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, - "affected_packages": [ - "krb5" - ], - "description": "Kerberos vulnerability", + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "krb5" + ], + "description": "Kerberos vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "pocket": "standard-updates", + "source_packages": [ + "krb5" + ], + "status": "cve-already-fixed" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2020-28196", + "warnings": [] + } + ], + "expected_status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I apt install `xterm=330-1ubuntu2` + And I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2021-27135"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [ + "xterm" + ], + "description": "xterm vulnerability", + "error": null, + "expected_status": "fixed", + "plan": [ + { + "data": { + "binary_packages": [ + "xterm" + ], + "pocket": "standard-updates", + "source_packages": [ + "xterm" + ] + }, + "operation": "apt-upgrade", + "order": 1 + } + ], + "title": "CVE-2021-27135", + "warnings": [] + } + ], + "expected_status": "fixed" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ + When I apt install `libawl-php` + And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "not-affected", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2020-11728" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "AWL vulnerability", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "pocket": "standard-updates", - "source_packages": [ - "krb5" - ], - "status": "cve-already-fixed" + "status": "system-not-affected" }, "operation": "no-op", "order": 1 } ], - "title": "CVE-2020-28196", + "title": "USN-4539-1", "warnings": [] } - ], - "expected_status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I apt install `xterm=330-1ubuntu2` - And I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2021-27135"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I apt install `libbz2-1.0=1.0.6-8.1 bzip2=1.0.6-8.1` + And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4038-3"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { + "additional_data": { + "associated_cves": [], + "associated_launchpad_bugs": [ + "https://launchpad.net/bugs/1834494" + ] + }, "affected_packages": [ - "xterm" + "bzip2" ], - "description": "xterm vulnerability", + "description": "bzip2 regression", "error": null, "expected_status": "fixed", "plan": [ { "data": { "binary_packages": [ - "xterm" + "bzip2", + "libbz2-1.0" ], "pocket": "standard-updates", "source_packages": [ - "xterm" + "bzip2" ] }, "operation": "apt-upgrade", "order": 1 } ], - "title": "CVE-2021-27135", + "title": "USN-4038-3", "warnings": [] } - ], - "expected_status": "fixed" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ - When I apt install `libawl-php` - And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "not-affected", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-6130-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "not-affected", + "usns": [ + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ - "CVE-2020-11728" + "CVE-2023-1076", + "CVE-2023-1118", + "CVE-2023-25012", + "CVE-2023-1855", + "CVE-2023-1990", + "CVE-2023-28866", + "CVE-2023-1998", + "CVE-2023-1077", + "CVE-2023-1583", + "CVE-2023-1670", + "CVE-2023-1032", + "CVE-2023-1079", + "CVE-2023-30456", + "CVE-2023-28466", + "CVE-2023-1989", + "CVE-2023-1829", + "CVE-2022-4269" ], "associated_launchpad_bugs": [] }, "affected_packages": [], - "description": "AWL vulnerability", + "description": "Linux kernel (OEM) vulnerabilities", "error": null, "expected_status": "not-affected", "plan": [ @@ -1846,726 +1962,554 @@ Feature: Fix plan API endpoints "order": 1 } ], - "title": "USN-4539-1", + "title": "USN-6033-1", "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I apt install `libbz2-1.0=1.0.6-8.1 bzip2=1.0.6-8.1` - And I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4038-3"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { + }, + { "additional_data": { - "associated_cves": [], - "associated_launchpad_bugs": [ - "https://launchpad.net/bugs/1834494" - ] + "associated_cves": [ + "CVE-2023-32233", + "CVE-2023-2612" + ], + "associated_launchpad_bugs": [] }, - "affected_packages": [ - "bzip2" - ], - "description": "bzip2 regression", + "affected_packages": [], + "description": "Linux kernel (OEM) vulnerabilities", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "binary_packages": [ - "bzip2", - "libbz2-1.0" - ], - "pocket": "standard-updates", - "source_packages": [ - "bzip2" - ] + "status": "system-not-affected" }, - "operation": "apt-upgrade", + "operation": "no-op", "order": 1 } ], - "title": "USN-4038-3", + "title": "USN-6122-1", "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-6130-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "not-affected", - "usns": [ - { - "related_usns_plan": [ - { - "additional_data": { - "associated_cves": [ - "CVE-2023-1076", - "CVE-2023-1118", - "CVE-2023-25012", - "CVE-2023-1855", - "CVE-2023-1990", - "CVE-2023-28866", - "CVE-2023-1998", - "CVE-2023-1077", - "CVE-2023-1583", - "CVE-2023-1670", - "CVE-2023-1032", - "CVE-2023-1079", - "CVE-2023-30456", - "CVE-2023-28466", - "CVE-2023-1989", - "CVE-2023-1829", - "CVE-2022-4269" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (OEM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-6033-1", - "warnings": [] - }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-32233", - "CVE-2023-2612" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (OEM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-30456", + "CVE-2023-2612", + "CVE-2023-1670", + "CVE-2023-26606", + "CVE-2023-32233" ], - "title": "USN-6122-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-30456", - "CVE-2023-2612", - "CVE-2023-1670", - "CVE-2023-26606", - "CVE-2023-32233" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (OEM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel (OEM) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6123-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-30456", + "CVE-2023-32233", + "CVE-2023-2612", + "CVE-2022-4139", + "CVE-2022-3586", + "CVE-2023-1670" ], - "title": "USN-6123-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-30456", - "CVE-2023-32233", - "CVE-2023-2612", - "CVE-2022-4139", - "CVE-2022-3586", - "CVE-2023-1670" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (OEM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-6124-1", - "warnings": [] - }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-32233", - "CVE-2023-1380", - "CVE-2023-2612", - "CVE-2023-31436", - "CVE-2023-30456" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-6127-1", - "warnings": [] - }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-30456", - "CVE-2023-1380", - "CVE-2023-32233", - "CVE-2023-2612", - "CVE-2023-31436" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel (OEM) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6124-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-32233", + "CVE-2023-1380", + "CVE-2023-2612", + "CVE-2023-31436", + "CVE-2023-30456" ], - "title": "USN-6131-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-0459", - "CVE-2023-30456", - "CVE-2023-1380", - "CVE-2023-1075", - "CVE-2023-2162", - "CVE-2023-32233", - "CVE-2023-2612", - "CVE-2022-3707", - "CVE-2023-1118", - "CVE-2023-1513", - "CVE-2023-32269", - "CVE-2023-31436", - "CVE-2023-1078" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6127-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-30456", + "CVE-2023-1380", + "CVE-2023-32233", + "CVE-2023-2612", + "CVE-2023-31436" ], - "title": "USN-6132-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-32233", - "CVE-2023-1380", - "CVE-2023-2612", - "CVE-2023-31436", - "CVE-2023-30456" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (Azure CVM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6131-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-0459", + "CVE-2023-30456", + "CVE-2023-1380", + "CVE-2023-1075", + "CVE-2023-2162", + "CVE-2023-32233", + "CVE-2023-2612", + "CVE-2022-3707", + "CVE-2023-1118", + "CVE-2023-1513", + "CVE-2023-32269", + "CVE-2023-31436", + "CVE-2023-1078" ], - "title": "USN-6135-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-32233", - "CVE-2023-28328", - "CVE-2023-1073", - "CVE-2023-30456", - "CVE-2023-1380", - "CVE-2023-31436" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6132-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-32233", + "CVE-2023-1380", + "CVE-2023-2612", + "CVE-2023-31436", + "CVE-2023-30456" ], - "title": "USN-6149-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-30456", - "CVE-2023-1380", - "CVE-2023-32233", - "CVE-2023-2612", - "CVE-2023-31436" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel (Azure CVM) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6135-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-32233", + "CVE-2023-28328", + "CVE-2023-1073", + "CVE-2023-30456", + "CVE-2023-1380", + "CVE-2023-31436" ], - "title": "USN-6150-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-31436", - "CVE-2023-2612", - "CVE-2023-30456", - "CVE-2023-1380", - "CVE-2023-32233" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (Intel IoTG) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6149-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-30456", + "CVE-2023-1380", + "CVE-2023-32233", + "CVE-2023-2612", + "CVE-2023-31436" ], - "title": "USN-6162-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-32254", - "CVE-2023-2002", - "CVE-2023-2156", - "CVE-2023-32250", - "CVE-2023-2269", - "CVE-2023-1380", - "CVE-2023-31436" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (OEM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6150-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-31436", + "CVE-2023-2612", + "CVE-2023-30456", + "CVE-2023-1380", + "CVE-2023-32233" ], - "title": "USN-6173-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-33203", - "CVE-2023-1859", - "CVE-2023-1855", - "CVE-2023-33288", - "CVE-2023-2194", - "CVE-2023-30456", - "CVE-2023-32233", - "CVE-2023-2235", - "CVE-2023-2612", - "CVE-2023-28466", - "CVE-2023-1380", - "CVE-2023-1611", - "CVE-2023-1990", - "CVE-2023-31436", - "CVE-2023-1989", - "CVE-2023-1583", - "CVE-2023-28866", - "CVE-2023-30772", - "CVE-2023-1670", - "CVE-2022-4269" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel (Intel IoTG) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6162-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-32254", + "CVE-2023-2002", + "CVE-2023-2156", + "CVE-2023-32250", + "CVE-2023-2269", + "CVE-2023-1380", + "CVE-2023-31436" ], - "title": "USN-6175-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-33203", - "CVE-2023-1859", - "CVE-2023-1855", - "CVE-2023-33288", - "CVE-2023-2194", - "CVE-2023-30456", - "CVE-2023-32233", - "CVE-2023-2235", - "CVE-2023-2612", - "CVE-2023-28466", - "CVE-2023-1380", - "CVE-2023-1611", - "CVE-2023-1990", - "CVE-2023-31436", - "CVE-2023-1989", - "CVE-2023-1583", - "CVE-2023-28866", - "CVE-2023-30772", - "CVE-2023-1670", - "CVE-2022-4269" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel (OEM) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6173-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-33203", + "CVE-2023-1859", + "CVE-2023-1855", + "CVE-2023-33288", + "CVE-2023-2194", + "CVE-2023-30456", + "CVE-2023-32233", + "CVE-2023-2235", + "CVE-2023-2612", + "CVE-2023-28466", + "CVE-2023-1380", + "CVE-2023-1611", + "CVE-2023-1990", + "CVE-2023-31436", + "CVE-2023-1989", + "CVE-2023-1583", + "CVE-2023-28866", + "CVE-2023-30772", + "CVE-2023-1670", + "CVE-2022-4269" ], - "title": "USN-6186-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-1380", - "CVE-2023-32233", - "CVE-2022-4129", - "CVE-2023-2162", - "CVE-2023-26545", - "CVE-2022-3108", - "CVE-2023-1670", - "CVE-2023-1998", - "CVE-2022-3707", - "CVE-2023-1281", - "CVE-2023-1118", - "CVE-2023-30456", - "CVE-2023-0459", - "CVE-2023-2985", - "CVE-2023-1074", - "CVE-2023-2612", - "CVE-2023-1859", - "CVE-2023-32269", - "CVE-2023-1076", - "CVE-2022-3903", - "CVE-2023-1073", - "CVE-2023-1079", - "CVE-2023-0458", - "CVE-2023-1829", - "CVE-2023-1078", - "CVE-2023-3161", - "CVE-2023-25012", - "CVE-2023-1075", - "CVE-2023-1513", - "CVE-2023-1077", - "CVE-2023-31436" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (Xilinx ZynqMP) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6175-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-33203", + "CVE-2023-1859", + "CVE-2023-1855", + "CVE-2023-33288", + "CVE-2023-2194", + "CVE-2023-30456", + "CVE-2023-32233", + "CVE-2023-2235", + "CVE-2023-2612", + "CVE-2023-28466", + "CVE-2023-1380", + "CVE-2023-1611", + "CVE-2023-1990", + "CVE-2023-31436", + "CVE-2023-1989", + "CVE-2023-1583", + "CVE-2023-28866", + "CVE-2023-30772", + "CVE-2023-1670", + "CVE-2022-4269" ], - "title": "USN-6222-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-2162", - "CVE-2022-3707", - "CVE-2023-1078", - "CVE-2022-4129", - "CVE-2023-0459", - "CVE-2023-1859", - "CVE-2023-1077", - "CVE-2023-1079", - "CVE-2023-32269", - "CVE-2023-0458", - "CVE-2022-3903", - "CVE-2023-3161", - "CVE-2023-25012", - "CVE-2023-30456", - "CVE-2023-35788", - "CVE-2023-2612", - "CVE-2023-1829", - "CVE-2023-32233", - "CVE-2023-31436", - "CVE-2023-1380", - "CVE-2023-26545", - "CVE-2023-1075", - "CVE-2023-1998", - "CVE-2022-3108", - "CVE-2023-1513", - "CVE-2023-1074", - "CVE-2023-1073", - "CVE-2023-1281", - "CVE-2023-1670", - "CVE-2023-2985", - "CVE-2023-1118", - "CVE-2023-1076" - ], - "associated_launchpad_bugs": [ - "https://launchpad.net/bugs/2023220", - "https://launchpad.net/bugs/2023577" - ] - }, - "affected_packages": [], - "description": "Linux kernel (IoT) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6186-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-1380", + "CVE-2023-32233", + "CVE-2022-4129", + "CVE-2023-2162", + "CVE-2023-26545", + "CVE-2022-3108", + "CVE-2023-1670", + "CVE-2023-1998", + "CVE-2022-3707", + "CVE-2023-1281", + "CVE-2023-1118", + "CVE-2023-30456", + "CVE-2023-0459", + "CVE-2023-2985", + "CVE-2023-1074", + "CVE-2023-2612", + "CVE-2023-1859", + "CVE-2023-32269", + "CVE-2023-1076", + "CVE-2022-3903", + "CVE-2023-1073", + "CVE-2023-1079", + "CVE-2023-0458", + "CVE-2023-1829", + "CVE-2023-1078", + "CVE-2023-3161", + "CVE-2023-25012", + "CVE-2023-1075", + "CVE-2023-1513", + "CVE-2023-1077", + "CVE-2023-31436" ], - "title": "USN-6256-1", - "warnings": [] + "associated_launchpad_bugs": [] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-3141", - "CVE-2023-40283", - "CVE-2023-28328", - "CVE-2023-3220", - "CVE-2023-1206", - "CVE-2023-1075", - "CVE-2023-4273", - "CVE-2023-4015", - "CVE-2022-27672", - "CVE-2023-1076", - "CVE-2023-28466", - "CVE-2023-3609", - "CVE-2023-4128", - "CVE-2023-2898", - "CVE-2023-3090", - "CVE-2023-2235", - "CVE-2023-2002", - "CVE-2023-32269", - "CVE-2023-3863", - "CVE-2023-31436", - "CVE-2023-2163", - "CVE-2023-3777", - "CVE-2023-3390", - "CVE-2023-3611", - "CVE-2023-3776", - "CVE-2023-0458", - "CVE-2023-4004", - "CVE-2023-4194", - "CVE-2022-4269", - "CVE-2023-20593", - "CVE-2023-1611", - "CVE-2023-2269", - "CVE-2023-1380", - "CVE-2023-3995", - "CVE-2023-2162", - "CVE-2023-3610", - "CVE-2023-4569" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel (OEM) vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } + "affected_packages": [], + "description": "Linux kernel (Xilinx ZynqMP) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6222-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2023-2162", + "CVE-2022-3707", + "CVE-2023-1078", + "CVE-2022-4129", + "CVE-2023-0459", + "CVE-2023-1859", + "CVE-2023-1077", + "CVE-2023-1079", + "CVE-2023-32269", + "CVE-2023-0458", + "CVE-2022-3903", + "CVE-2023-3161", + "CVE-2023-25012", + "CVE-2023-30456", + "CVE-2023-35788", + "CVE-2023-2612", + "CVE-2023-1829", + "CVE-2023-32233", + "CVE-2023-31436", + "CVE-2023-1380", + "CVE-2023-26545", + "CVE-2023-1075", + "CVE-2023-1998", + "CVE-2022-3108", + "CVE-2023-1513", + "CVE-2023-1074", + "CVE-2023-1073", + "CVE-2023-1281", + "CVE-2023-1670", + "CVE-2023-2985", + "CVE-2023-1118", + "CVE-2023-1076" ], - "title": "USN-6385-1", - "warnings": [] + "associated_launchpad_bugs": [ + "https://launchpad.net/bugs/2023220", + "https://launchpad.net/bugs/2023577" + ] }, - { - "additional_data": { - "associated_cves": [ - "CVE-2023-42755", - "CVE-2023-1380", - "CVE-2023-42752", - "CVE-2023-35001", - "CVE-2023-1206", - "CVE-2023-4623", - "CVE-2023-31436" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "Linux kernel vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-6460-1", - "warnings": [] - } - ], - "target_usn_plan": { + "affected_packages": [], + "description": "Linux kernel (IoT) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6256-1", + "warnings": [] + }, + { "additional_data": { "associated_cves": [ - "CVE-2023-30456", + "CVE-2023-3141", + "CVE-2023-40283", + "CVE-2023-28328", + "CVE-2023-3220", + "CVE-2023-1206", + "CVE-2023-1075", + "CVE-2023-4273", + "CVE-2023-4015", + "CVE-2022-27672", + "CVE-2023-1076", + "CVE-2023-28466", + "CVE-2023-3609", + "CVE-2023-4128", + "CVE-2023-2898", + "CVE-2023-3090", + "CVE-2023-2235", + "CVE-2023-2002", + "CVE-2023-32269", + "CVE-2023-3863", + "CVE-2023-31436", + "CVE-2023-2163", + "CVE-2023-3777", + "CVE-2023-3390", + "CVE-2023-3611", + "CVE-2023-3776", + "CVE-2023-0458", + "CVE-2023-4004", + "CVE-2023-4194", + "CVE-2022-4269", + "CVE-2023-20593", + "CVE-2023-1611", + "CVE-2023-2269", "CVE-2023-1380", - "CVE-2023-32233", - "CVE-2023-31436" + "CVE-2023-3995", + "CVE-2023-2162", + "CVE-2023-3610", + "CVE-2023-4569" ], "associated_launchpad_bugs": [] }, "affected_packages": [], - "description": "Linux kernel vulnerabilities", + "description": "Linux kernel (OEM) vulnerabilities", "error": null, "expected_status": "not-affected", "plan": [ @@ -2577,40 +2521,24 @@ Feature: Fix plan API endpoints "order": 1 } ], - "title": "USN-6130-1", + "title": "USN-6385-1", "warnings": [] - } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1", "USN-4038-1"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `usn_fix_plan` schema - Then API data field output matches regexp: - """ - { - "attributes": { - "usns_data": { - "expected_status": "fixed", - "usns": [ - { - "related_usns_plan": [], - "target_usn_plan": { + }, + { "additional_data": { "associated_cves": [ - "CVE-2020-11728" + "CVE-2023-42755", + "CVE-2023-1380", + "CVE-2023-42752", + "CVE-2023-35001", + "CVE-2023-1206", + "CVE-2023-4623", + "CVE-2023-31436" ], "associated_launchpad_bugs": [] }, "affected_packages": [], - "description": "AWL vulnerability", + "description": "Linux kernel vulnerabilities", "error": null, "expected_status": "not-affected", "plan": [ @@ -2622,86 +2550,85 @@ Feature: Fix plan API endpoints "order": 1 } ], - "title": "USN-4539-1", + "title": "USN-6460-1", "warnings": [] } - }, - { - "related_usns_plan": [ - { - "additional_data": { - "associated_cves": [ - "CVE-2016-3189", - "CVE-2019-12900" - ], - "associated_launchpad_bugs": [] - }, - "affected_packages": [], - "description": "bzip2 vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-4038-2", - "warnings": [] - }, + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2023-30456", + "CVE-2023-1380", + "CVE-2023-32233", + "CVE-2023-31436" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "Linux kernel vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ { - "additional_data": { - "associated_cves": [ - "CVE-2019-12625", - "CVE-2019-12900" - ], - "associated_launchpad_bugs": [] + "data": { + "status": "system-not-affected" }, - "affected_packages": [], - "description": "ClamAV vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-4146-1", - "warnings": [] - }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-6130-1", + "warnings": [] + } + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + When I run `pro api u.pro.security.fix.usn.plan.v1 --data '{"usns": ["USN-4539-1", "USN-4038-1"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `usn_fix_plan` schema + Then API data field output matches regexp: + """ + { + "attributes": { + "usns_data": { + "expected_status": "fixed", + "usns": [ + { + "related_usns_plan": [], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2020-11728" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "AWL vulnerability", + "error": null, + "expected_status": "not-affected", + "plan": [ { - "additional_data": { - "associated_cves": [ - "CVE-2019-12625", - "CVE-2019-12900" - ], - "associated_launchpad_bugs": [] + "data": { + "status": "system-not-affected" }, - "affected_packages": [], - "description": "ClamAV vulnerabilities", - "error": null, - "expected_status": "not-affected", - "plan": [ - { - "data": { - "status": "system-not-affected" - }, - "operation": "no-op", - "order": 1 - } - ], - "title": "USN-4146-2", - "warnings": [] + "operation": "no-op", + "order": 1 } ], - "target_usn_plan": { + "title": "USN-4539-1", + "warnings": [] + } + }, + { + "related_usns_plan": [ + { "additional_data": { "associated_cves": [ "CVE-2016-3189", @@ -2709,86 +2636,159 @@ Feature: Fix plan API endpoints ], "associated_launchpad_bugs": [] }, - "affected_packages": [ - "bzip2" - ], + "affected_packages": [], "description": "bzip2 vulnerabilities", "error": null, - "expected_status": "fixed", + "expected_status": "not-affected", "plan": [ { "data": { - "binary_packages": [ - "bzip2", - "libbz2-1.0" - ], - "pocket": "standard-updates", - "source_packages": [ - "bzip2" - ] + "status": "system-not-affected" }, - "operation": "apt-upgrade", + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-4038-2", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2019-12625", + "CVE-2019-12900" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "ClamAV vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "USN-4146-1", + "warnings": [] + }, + { + "additional_data": { + "associated_cves": [ + "CVE-2019-12625", + "CVE-2019-12900" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [], + "description": "ClamAV vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", "order": 1 } ], - "title": "USN-4038-1", + "title": "USN-4146-2", "warnings": [] } - } - ] - } - }, - "meta": { - "environment_vars": [] - }, - "type": "USNFixPlan" - } - """ - - Examples: ubuntu release details - | release | machine_type | - | bionic | lxd-container | - - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2022-40982"]}'` as non-root - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `cve_fix_plan` schema - And API data field output matches regexp: - """ - { - "attributes": { - "cves_data": { - "cves": [ - { - "additional_data": {}, - "affected_packages": [], - "description": "Linux kernel (BlueField) vulnerabilities", + ], + "target_usn_plan": { + "additional_data": { + "associated_cves": [ + "CVE-2016-3189", + "CVE-2019-12900" + ], + "associated_launchpad_bugs": [] + }, + "affected_packages": [ + "bzip2" + ], + "description": "bzip2 vulnerabilities", "error": null, - "expected_status": "not-affected", + "expected_status": "fixed", "plan": [ { "data": { - "status": "system-not-affected" + "binary_packages": [ + "bzip2", + "libbz2-1.0" + ], + "pocket": "standard-updates", + "source_packages": [ + "bzip2" + ] }, - "operation": "no-op", + "operation": "apt-upgrade", "order": 1 } ], - "title": "CVE-2022-40982", + "title": "USN-4038-1", "warnings": [] } - ], - "expected_status": "not-affected" - } - }, - "meta": { - "environment_vars": [] - }, - "type": "CVEFixPlan" - } - """ + } + ] + } + }, + "meta": { + "environment_vars": [] + }, + "type": "USNFixPlan" + } + """ + + Examples: ubuntu release details + | release | machine_type | + | bionic | lxd-container | + + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2022-40982"]}'` as non-root + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `cve_fix_plan` schema + And API data field output matches regexp: + """ + { + "attributes": { + "cves_data": { + "cves": [ + { + "additional_data": {}, + "affected_packages": [], + "description": "Linux kernel (BlueField) vulnerabilities", + "error": null, + "expected_status": "not-affected", + "plan": [ + { + "data": { + "status": "system-not-affected" + }, + "operation": "no-op", + "order": 1 + } + ], + "title": "CVE-2022-40982", + "warnings": [] + } + ], + "expected_status": "not-affected" + } + }, + "meta": { + "environment_vars": [] + }, + "type": "CVEFixPlan" + } + """ - Examples: ubuntu release details - | release | machine_type | - | mantic | lxd-vm | + Examples: ubuntu release details + | release | machine_type | + | mantic | lxd-vm | diff --git a/features/api_full_auto_attach.feature b/features/api_full_auto_attach.feature index 71b87369bb..816e613a1b 100644 --- a/features/api_full_auto_attach.feature +++ b/features/api_full_auto_attach.feature @@ -1,36 +1,35 @@ Feature: Full Auto-Attach Endpoint - Scenario Outline: Run auto-attach on cloud instance. - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I create the file `/tmp/full_auto_attach.py` with the following: - """ - from uaclient.api.u.pro.attach.auto.full_auto_attach.v1 import full_auto_attach, FullAutoAttachOptions + Scenario Outline: Run auto-attach on cloud instance. + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I create the file `/tmp/full_auto_attach.py` with the following: + """ + from uaclient.api.u.pro.attach.auto.full_auto_attach.v1 import full_auto_attach, FullAutoAttachOptions - full_auto_attach(FullAutoAttachOptions(enable=["esm-infra"])) - """ - And I run `python3 /tmp/full_auto_attach.py` with sudo - Then I verify that `esm-infra` is enabled - And I verify that `livepatch` is disabled + full_auto_attach(FullAutoAttachOptions(enable=["esm-infra"])) + """ + And I run `python3 /tmp/full_auto_attach.py` with sudo + Then I verify that `esm-infra` is enabled + And I verify that `livepatch` is disabled - Examples: - | release | machine_type | - | xenial | aws.pro | - | xenial | azure.pro | - | xenial | gcp.pro | - | bionic | aws.pro | - | bionic | azure.pro | - | bionic | gcp.pro | - | focal | aws.pro | - | focal | azure.pro | - | focal | gcp.pro | - | jammy | aws.pro | - | jammy | azure.pro | - | jammy | gcp.pro | - + Examples: + | release | machine_type | + | xenial | aws.pro | + | xenial | azure.pro | + | xenial | gcp.pro | + | bionic | aws.pro | + | bionic | azure.pro | + | bionic | gcp.pro | + | focal | aws.pro | + | focal | azure.pro | + | focal | gcp.pro | + | jammy | aws.pro | + | jammy | azure.pro | + | jammy | gcp.pro | diff --git a/features/api_magic_attach.feature b/features/api_magic_attach.feature index 17c144f79b..580db2940f 100644 --- a/features/api_magic_attach.feature +++ b/features/api_magic_attach.feature @@ -1,129 +1,129 @@ Feature: Magic Attach endpoints - Scenario Outline: Call magic attach endpoints - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro api u.pro.attach.magic.revoke.v1` `as non-root` exits `1` - Then stdout is a json matching the `api_response` schema - And API errors field output matches regexp: - """ - [ - { - "code": "api-missing-argument", - "meta": { - "arg": "magic_token", - "endpoint": "u.pro.attach.magic.revoke.v1" - }, - "title": "Missing argument 'magic_token' for endpoint u.pro.attach.magic.revoke.v1" - } - ] - """ - When I verify that running `pro api u.pro.attach.magic.wait.v1 --args magic_token=INVALID` `as non-root` exits `1` - Then stdout is a json matching the `api_response` schema - And API errors field output matches regexp: - """ - [ - { - "code": "magic-attach-token-error", - "meta": {}, - "title": "The magic attach token is invalid, has expired or never existed" - } - ] - """ - When I verify that running `pro api u.pro.attach.magic.revoke.v1 --args magic_token=INVALID` `as non-root` exits `1` - Then stdout is a json matching the `api_response` schema - And API errors field output matches regexp: - """ - [ - { - "code": "magic-attach-token-error", - "meta": {}, - "title": "The magic attach token is invalid, has expired or never existed" - } - ] - """ - When I initiate the magic attach flow - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `magic_attach` schema - And API data field output matches regexp: - """ + Scenario Outline: Call magic attach endpoints + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro api u.pro.attach.magic.revoke.v1` `as non-root` exits `1` + Then stdout is a json matching the `api_response` schema + And API errors field output matches regexp: + """ + [ { - "attributes": { - "expires": ".*", - "expires_in": .*, - "token": ".*", - "user_code": ".*" - }, + "code": "api-missing-argument", "meta": { - "environment_vars": [] + "arg": "magic_token", + "endpoint": "u.pro.attach.magic.revoke.v1" }, - "type": "MagicAttachInitiate" + "title": "Missing argument 'magic_token' for endpoint u.pro.attach.magic.revoke.v1" } - """ - When I create the file `/tmp/response-overlay.json` with the following: - """ + ] + """ + When I verify that running `pro api u.pro.attach.magic.wait.v1 --args magic_token=INVALID` `as non-root` exits `1` + Then stdout is a json matching the `api_response` schema + And API errors field output matches regexp: + """ + [ { - "https://contracts.canonical.com/v1/magic-attach": [ - { - "code": 200, - "response": { - "userCode": "123", - "token": "testToken", - "expires": "expire-date", - "expiresIn": 2000, - "contractID": "test-contract-id", - "contractToken": "contract-token" - } - }] + "code": "magic-attach-token-error", + "meta": {}, + "title": "The magic attach token is invalid, has expired or never existed" } - """ - And I append the following on uaclient config: - """ - features: - serviceclient_url_responses: "/tmp/response-overlay.json" - """ - And I wait for the magic attach token to be activated - Then stdout is a json matching the `api_response` schema - And the json API response data matches the `magic_attach` schema - And API data field output matches regexp: - """ + ] + """ + When I verify that running `pro api u.pro.attach.magic.revoke.v1 --args magic_token=INVALID` `as non-root` exits `1` + Then stdout is a json matching the `api_response` schema + And API errors field output matches regexp: + """ + [ { - "attributes": { - "contract_id": "test-contract-id", - "contract_token": "contract-token", - "expires": "expire-date", - "expires_in": 2000, - "token": "testToken", - "user_code": "123" - }, + "code": "magic-attach-token-error", + "meta": {}, + "title": "The magic attach token is invalid, has expired or never existed" + } + ] + """ + When I initiate the magic attach flow + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `magic_attach` schema + And API data field output matches regexp: + """ + { + "attributes": { + "expires": ".*", + "expires_in": .*, + "token": ".*", + "user_code": ".*" + }, + "meta": { + "environment_vars": [] + }, + "type": "MagicAttachInitiate" + } + """ + When I create the file `/tmp/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/magic-attach": [ + { + "code": 200, + "response": { + "userCode": "123", + "token": "testToken", + "expires": "expire-date", + "expiresIn": 2000, + "contractID": "test-contract-id", + "contractToken": "contract-token" + } + }] + } + """ + And I append the following on uaclient config: + """ + features: + serviceclient_url_responses: "/tmp/response-overlay.json" + """ + And I wait for the magic attach token to be activated + Then stdout is a json matching the `api_response` schema + And the json API response data matches the `magic_attach` schema + And API data field output matches regexp: + """ + { + "attributes": { + "contract_id": "test-contract-id", + "contract_token": "contract-token", + "expires": "expire-date", + "expires_in": 2000, + "token": "testToken", + "user_code": "123" + }, + "meta": { + "environment_vars": [] + }, + "type": "MagicAttachWait" + } + """ + When I revoke the magic attach token + Then stdout is a json matching the `api_response` schema + And API full output matches regexp: + """ + { + "_schema_version": "v1", + "data": { + "attributes": {}, "meta": { "environment_vars": [] }, - "type": "MagicAttachWait" - } - """ - When I revoke the magic attach token - Then stdout is a json matching the `api_response` schema - And API full output matches regexp: - """ - { - "_schema_version": "v1", - "data": { - "attributes": {}, - "meta": { - "environment_vars": [] - }, - "type": "MagicAttachRevoke" - }, - "errors": [], - "result": "success", - "version": ".*", - "warnings": [] - } - """ + "type": "MagicAttachRevoke" + }, + "errors": [], + "result": "success", + "version": ".*", + "warnings": [] + } + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/api_packages.feature b/features/api_packages.feature index 2ae518582d..7690b21bd2 100644 --- a/features/api_packages.feature +++ b/features/api_packages.feature @@ -1,57 +1,57 @@ Feature: Package related API endpoints - @uses.config.contract_token - Scenario Outline: Call packages API endpoints to see information in a Ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.pro.packages.summary.v1` as non-root - Then API data field output matches regexp: - """ - { - "attributes": { - "summary": { - "num_esm_apps_packages": \d+, - "num_esm_infra_packages": \d+, - "num_installed_packages": \d+, - "num_main_packages": \d+, - "num_multiverse_packages": \d+, - "num_restricted_packages": \d+, - "num_third_party_packages": \d+, - "num_universe_packages": \d+, - "num_unknown_packages": \d+ - } - }, - "meta": { - "environment_vars": [] - }, - "type": "PackageSummary" - } - """ - When I run `pro api u.pro.packages.updates.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"summary": {"num_esm_apps_updates": \d+, "num_esm_infra_updates": \d+, "num_standard_security_updates": \d+, "num_standard_updates": \d+, "num_updates": \d+}, "updates": \[.*\]}, "meta": {"environment_vars": \[\]}, "type": "PackageUpdates"}, "errors": \[\], "result": "success", "version": ".+", "warnings": \[\]} - """ - # Make sure we have an updated system - When I attach `contract_token` with sudo - And I apt upgrade - # Install some outdated package - And I apt install `=` - # See the update there - When I store candidate version of package `` - And I regexify `candidate` stored var - And I run `pro api u.pro.packages.updates.v1` as non-root - Then stdout matches regexp: - """ - {"download_size": \d+, "origin": ".+", "package": "", "provided_by": "", "status": "upgrade_available", "version": "$behave_var{stored_var candidate}"} - """ + @uses.config.contract_token + Scenario Outline: Call packages API endpoints to see information in a Ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.pro.packages.summary.v1` as non-root + Then API data field output matches regexp: + """ + { + "attributes": { + "summary": { + "num_esm_apps_packages": \d+, + "num_esm_infra_packages": \d+, + "num_installed_packages": \d+, + "num_main_packages": \d+, + "num_multiverse_packages": \d+, + "num_restricted_packages": \d+, + "num_third_party_packages": \d+, + "num_universe_packages": \d+, + "num_unknown_packages": \d+ + } + }, + "meta": { + "environment_vars": [] + }, + "type": "PackageSummary" + } + """ + When I run `pro api u.pro.packages.updates.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"summary": {"num_esm_apps_updates": \d+, "num_esm_infra_updates": \d+, "num_standard_security_updates": \d+, "num_standard_updates": \d+, "num_updates": \d+}, "updates": \[.*\]}, "meta": {"environment_vars": \[\]}, "type": "PackageUpdates"}, "errors": \[\], "result": "success", "version": ".+", "warnings": \[\]} + """ + # Make sure we have an updated system + When I attach `contract_token` with sudo + And I apt upgrade + # Install some outdated package + And I apt install `=` + # See the update there + When I store candidate version of package `` + And I regexify `candidate` stored var + And I run `pro api u.pro.packages.updates.v1` as non-root + Then stdout matches regexp: + """ + {"download_size": \d+, "origin": ".+", "package": "", "provided_by": "", "status": "upgrade_available", "version": "$behave_var{stored_var candidate}"} + """ - Examples: ubuntu release - | release | machine_type | package | outdated_version | provided_by | - | xenial | lxd-container | libcurl3-gnutls | 7.47.0-1ubuntu2 | esm-infra | - | bionic | lxd-container | libcurl4 | 7.58.0-2ubuntu3 | esm-infra | - | bionic | wsl | libcurl4 | 7.58.0-2ubuntu3 | esm-infra | - | focal | lxd-container | libcurl4 | 7.68.0-1ubuntu2 | standard-security | - | focal | wsl | libcurl4 | 7.68.0-1ubuntu2 | standard-security | - | jammy | lxd-container | libcurl4 | 7.81.0-1 | standard-security | - | jammy | wsl | libcurl4 | 7.81.0-1 | standard-security | - | mantic | lxd-container | libcurl4 | 8.2.1-1ubuntu3 | standard-security | + Examples: ubuntu release + | release | machine_type | package | outdated_version | provided_by | + | xenial | lxd-container | libcurl3-gnutls | 7.47.0-1ubuntu2 | esm-infra | + | bionic | lxd-container | libcurl4 | 7.58.0-2ubuntu3 | esm-infra | + | bionic | wsl | libcurl4 | 7.58.0-2ubuntu3 | esm-infra | + | focal | lxd-container | libcurl4 | 7.68.0-1ubuntu2 | standard-security | + | focal | wsl | libcurl4 | 7.68.0-1ubuntu2 | standard-security | + | jammy | lxd-container | libcurl4 | 7.81.0-1 | standard-security | + | jammy | wsl | libcurl4 | 7.81.0-1 | standard-security | + | mantic | lxd-container | libcurl4 | 8.2.1-1ubuntu3 | standard-security | diff --git a/features/api_security.feature b/features/api_security.feature index f96b801fc5..0bb66f011b 100644 --- a/features/api_security.feature +++ b/features/api_security.feature @@ -1,70 +1,71 @@ Feature: API security/security status tests - @uses.config.contract_token - Scenario: Call Livepatched CVEs endpoint - Given a `xenial` `lxd-vm` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro api u.pro.security.status.livepatch_cves.v1` as non-root - Then stdout matches regexp: - """ - {"name": "cve-2013-1798", "patched": true} - """ - And stdout matches regexp: - """ - "type": "LivepatchCVEs" - """ + @uses.config.contract_token + Scenario: Call Livepatched CVEs endpoint + Given a `xenial` `lxd-vm` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro api u.pro.security.status.livepatch_cves.v1` as non-root + Then stdout matches regexp: + """ + {"name": "cve-2013-1798", "patched": true} + """ + And stdout matches regexp: + """ + "type": "LivepatchCVEs" + """ - @uses.config.contract_token - Scenario Outline: Call package manifest endpoint for machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `esm-infra` is enabled - When I apt upgrade - And I apt install `jq bzip2` - # Install the oscap version 1.3.7 which solved the epoch error message issue - And I apt install `cmake libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev g++ libapt-pkg-dev libyaml-dev libxmlsec1-dev libxmlsec1-openssl` - And I run `wget https://github.com/OpenSCAP/openscap/releases/download/1.3.7/openscap-1.3.7.tar.gz` as non-root - And I run `tar xzf openscap-1.3.7.tar.gz` as non-root - And I run shell command `mkdir -p openscap-1.3.7/build` as non-root - And I run shell command `cd openscap-1.3.7/build/ && cmake ..` with sudo - And I run shell command `cd openscap-1.3.7/build/ && make` with sudo - And I run shell command `cd openscap-1.3.7/build/ && make install` with sudo - # Installs its shared libs in /usr/local/lib/ - And I run `ldconfig` with sudo - And I run shell command `pro api u.security.package_manifest.v1 | jq -r '.data.attributes.manifest_data' > manifest` as non-root - And I run shell command `wget https://security-metadata.canonical.com/oval/oci.com.ubuntu..usn.oval.xml.bz2` as non-root - And I run `bunzip2 oci.com.ubuntu..usn.oval.xml.bz2` as non-root - And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root - Then stdout matches regexp: - """ - oval:com.ubuntu.:def::\s+false - """ - # Trigger CVE https://ubuntu.com/security/CVE-2018-10846 with ID 39991000000 in OVAL data ( == Xenial $ Bionic) - # Trigger CVE https://ubuntu.com/security/CVE-2022-2509 with ID 55501000000 in OVAL data ( > Xenial) - When I run shell command `sed -i -E 's/libgnutls30:amd64\s+.*/libgnutls30:amd64 /' manifest` as non-root - And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root - Then stdout matches regexp: - """ - oval:com.ubuntu.:def::\s+true - """ - # Update the manifest - When I run shell command `pro api u.security.package_manifest.v1 | jq -r '.data.attributes.manifest_data' > manifest` as non-root - And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root - Then stdout matches regexp: - """ - oval:com.ubuntu.:def::\s+false - """ - # Downgrade the package - When I apt install `libgnutls30=` - And I run shell command `pro api u.security.package_manifest.v1 | jq -r '.data.attributes.manifest_data' > manifest` as non-root - And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root - Then stdout matches regexp: - """ - oval:com.ubuntu.:def::\s+true - """ - Examples: ubuntu release - | release | machine_type | base_version | CVE_ID | - | xenial | lxd-container | 3.4.10-4ubuntu1 | 39991000000 | - | bionic | lxd-container | 3.5.18-1ubuntu1 | 55501000000 | - | focal | lxd-container | 3.6.13-2ubuntu1 | 55501000000 | - | jammy | lxd-container | 3.7.3-4ubuntu1 | 55501000000 | + @uses.config.contract_token + Scenario Outline: Call package manifest endpoint for machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `esm-infra` is enabled + When I apt upgrade + And I apt install `jq bzip2` + # Install the oscap version 1.3.7 which solved the epoch error message issue + And I apt install `cmake libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev g++ libapt-pkg-dev libyaml-dev libxmlsec1-dev libxmlsec1-openssl` + And I run `wget https://github.com/OpenSCAP/openscap/releases/download/1.3.7/openscap-1.3.7.tar.gz` as non-root + And I run `tar xzf openscap-1.3.7.tar.gz` as non-root + And I run shell command `mkdir -p openscap-1.3.7/build` as non-root + And I run shell command `cd openscap-1.3.7/build/ && cmake ..` with sudo + And I run shell command `cd openscap-1.3.7/build/ && make` with sudo + And I run shell command `cd openscap-1.3.7/build/ && make install` with sudo + # Installs its shared libs in /usr/local/lib/ + And I run `ldconfig` with sudo + And I run shell command `pro api u.security.package_manifest.v1 | jq -r '.data.attributes.manifest_data' > manifest` as non-root + And I run shell command `wget https://security-metadata.canonical.com/oval/oci.com.ubuntu..usn.oval.xml.bz2` as non-root + And I run `bunzip2 oci.com.ubuntu..usn.oval.xml.bz2` as non-root + And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root + Then stdout matches regexp: + """ + oval:com.ubuntu.:def::\s+false + """ + # Trigger CVE https://ubuntu.com/security/CVE-2018-10846 with ID 39991000000 in OVAL data ( == Xenial $ Bionic) + # Trigger CVE https://ubuntu.com/security/CVE-2022-2509 with ID 55501000000 in OVAL data ( > Xenial) + When I run shell command `sed -i -E 's/libgnutls30:amd64\s+.*/libgnutls30:amd64 /' manifest` as non-root + And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root + Then stdout matches regexp: + """ + oval:com.ubuntu.:def::\s+true + """ + # Update the manifest + When I run shell command `pro api u.security.package_manifest.v1 | jq -r '.data.attributes.manifest_data' > manifest` as non-root + And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root + Then stdout matches regexp: + """ + oval:com.ubuntu.:def::\s+false + """ + # Downgrade the package + When I apt install `libgnutls30=` + And I run shell command `pro api u.security.package_manifest.v1 | jq -r '.data.attributes.manifest_data' > manifest` as non-root + And I run shell command `oscap oval eval --report report.html oci.com.ubuntu..usn.oval.xml` as non-root + Then stdout matches regexp: + """ + oval:com.ubuntu.:def::\s+true + """ + + Examples: ubuntu release + | release | machine_type | base_version | CVE_ID | + | xenial | lxd-container | 3.4.10-4ubuntu1 | 39991000000 | + | bionic | lxd-container | 3.5.18-1ubuntu1 | 55501000000 | + | focal | lxd-container | 3.6.13-2ubuntu1 | 55501000000 | + | jammy | lxd-container | 3.7.3-4ubuntu1 | 55501000000 | diff --git a/features/api_unattended_upgrades.feature b/features/api_unattended_upgrades.feature index 7529a0714c..a7bc753c53 100644 --- a/features/api_unattended_upgrades.feature +++ b/features/api_unattended_upgrades.feature @@ -1,255 +1,255 @@ Feature: api.u.unattended_upgrades.status.v1 - Scenario Outline: v1 unattended upgrades status - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro api u.unattended_upgrades.status.v1` as non-root - Then API data field output matches regexp: - """ - { - "attributes": { - "apt_periodic_job_enabled": true, - "package_lists_refresh_frequency_days": 1, - "systemd_apt_timer_enabled": true, - "unattended_upgrades_allowed_origins": [ + Scenario Outline: v1 unattended upgrades status + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro api u.unattended_upgrades.status.v1` as non-root + Then API data field output matches regexp: + """ + { + "attributes": { + "apt_periodic_job_enabled": true, + "package_lists_refresh_frequency_days": 1, + "systemd_apt_timer_enabled": true, + "unattended_upgrades_allowed_origins": [ + "\$\{distro_id\}:\$\{distro_codename\}", + "\$\{distro_id\}:\$\{distro_codename\}-security", + "\$\{distro_id\}ESMApps:\$\{distro_codename\}-apps-security", + "\$\{distro_id\}ESM:\$\{distro_codename\}-infra-security" + ], + "unattended_upgrades_disabled_reason": null, + "unattended_upgrades_frequency_days": 1, + "unattended_upgrades_last_run": null, + "unattended_upgrades_running": true + }, + "meta": { + "environment_vars": [], + "raw_config": { + "APT::Periodic::Enable": "1", + "APT::Periodic::Unattended-Upgrade": "1", + "APT::Periodic::Update-Package-Lists": "1", + "Unattended-Upgrade::Allowed-Origins": [ "\$\{distro_id\}:\$\{distro_codename\}", "\$\{distro_id\}:\$\{distro_codename\}-security", "\$\{distro_id\}ESMApps:\$\{distro_codename\}-apps-security", "\$\{distro_id\}ESM:\$\{distro_codename\}-infra-security" - ], - "unattended_upgrades_disabled_reason": null, - "unattended_upgrades_frequency_days": 1, - "unattended_upgrades_last_run": null, - "unattended_upgrades_running": true + ] + """ + When I create the file `/etc/apt/apt.conf.d/99test` with the following: + """ + APT::Periodic::Enable "0"; + """ + And I apt update + And I apt install `jq` + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.apt_periodic_job_enabled` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root + Then I will see the following on stdout: + """ + "APT::Periodic::Enable is turned off" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root + Then I will see the following on stdout: + """ + "unattended-upgrades-cfg-value-turned-off" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"APT::Periodic::Enable\"'` as non-root + Then I will see the following on stdout: + """ + "0" + """ + When I create the file `/etc/apt/apt.conf.d/99test` with the following: + """ + APT::Periodic::Update-Package-Lists "0"; + """ + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.apt_periodic_job_enabled` as non-root + Then I will see the following on stdout: + """ + true + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.package_lists_refresh_frequency_days` as non-root + Then I will see the following on stdout: + """ + 0 + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root + Then I will see the following on stdout: + """ + "APT::Periodic::Update-Package-Lists is turned off" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root + Then I will see the following on stdout: + """ + "unattended-upgrades-cfg-value-turned-off" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"APT::Periodic::Update-Package-Lists\"'` as non-root + Then I will see the following on stdout: + """ + "0" + """ + When I create the file `/etc/apt/apt.conf.d/99test` with the following: + """ + APT::Periodic::Unattended-Upgrade "0"; + """ + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_frequency_days` as non-root + Then I will see the following on stdout: + """ + 0 + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.package_lists_refresh_frequency_days` as non-root + Then I will see the following on stdout: + """ + 1 + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root + Then I will see the following on stdout: + """ + "APT::Periodic::Unattended-Upgrade is turned off" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root + Then I will see the following on stdout: + """ + "unattended-upgrades-cfg-value-turned-off" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"APT::Periodic::Unattended-Upgrade\"'` as non-root + Then I will see the following on stdout: + """ + "0" + """ + When I run `systemctl stop apt-daily.timer` with sudo + And I run `rm /etc/apt/apt.conf.d/99test` with sudo + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.systemd_apt_timer_enabled` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root + Then I will see the following on stdout: + """ + "apt-daily.timer jobs are not running" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root + Then I will see the following on stdout: + """ + "unattended-upgrades-systemd-job-disabled" + """ + When I create the file `/etc/apt/apt.conf.d/50unattended-upgrades` with the following: + """ + APT::Periodic::Unattended-Upgrade "1"; + """ + And I run `systemctl start apt-daily.timer` with sudo + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_frequency_days` as non-root + Then I will see the following on stdout: + """ + 1 + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.systemd_apt_timer_enabled` as non-root + Then I will see the following on stdout: + """ + true + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_allowed_origins` as non-root + Then I will see the following on stdout: + """ + [] + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root + Then I will see the following on stdout: + """ + false + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root + Then I will see the following on stdout: + """ + "Unattended-Upgrade::Allowed-Origins is empty" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root + Then I will see the following on stdout: + """ + "unattended-upgrades-cfg-list-value-empty" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"Unattended-Upgrade::Allowed-Origins\"'` as non-root + Then I will see the following on stdout: + """ + null + """ + When I run `/usr/lib/apt/apt.systemd.daily update` with sudo + And I run `/usr/lib/apt/apt.systemd.daily install` with sudo + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_last_run` as non-root + Then stdout matches regexp: + """ + "(?!null).*" + """ + When I create the file `/etc/apt/apt.conf.d/99test` with the following: + """ + Unattended-Upgrade::Mail "mail"; + Unattended-Upgrade::Package-Blacklist { + "vim"; + }; + """ + And I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"Unattended-Upgrade::Mail\"'` as non-root + Then I will see the following on stdout: + """ + "mail" + """ + When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"Unattended-Upgrade::Package-Blacklist\"'` as non-root + Then I will see the following on stdout: + """ + [ + "vim" + ] + """ + When I apt remove `unattended-upgrades` + And I run `pro api u.unattended_upgrades.status.v1` as non-root + Then API data field output matches regexp: + """ + { + "attributes": { + "apt_periodic_job_enabled": false, + "package_lists_refresh_frequency_days": 0, + "systemd_apt_timer_enabled": false, + "unattended_upgrades_allowed_origins": [], + "unattended_upgrades_disabled_reason": { + "code": "unattended-upgrades-uninstalled", + "msg": "unattended-upgrades package is not installed" }, - "meta": { - "environment_vars": [], - "raw_config": { - "APT::Periodic::Enable": "1", - "APT::Periodic::Unattended-Upgrade": "1", - "APT::Periodic::Update-Package-Lists": "1", - "Unattended-Upgrade::Allowed-Origins": [ - "\$\{distro_id\}:\$\{distro_codename\}", - "\$\{distro_id\}:\$\{distro_codename\}-security", - "\$\{distro_id\}ESMApps:\$\{distro_codename\}-apps-security", - "\$\{distro_id\}ESM:\$\{distro_codename\}-infra-security" - ] - """ - When I create the file `/etc/apt/apt.conf.d/99test` with the following: - """ - APT::Periodic::Enable "0"; - """ - And I apt update - And I apt install `jq` - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.apt_periodic_job_enabled` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root - Then I will see the following on stdout: - """ - "APT::Periodic::Enable is turned off" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root - Then I will see the following on stdout: - """ - "unattended-upgrades-cfg-value-turned-off" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"APT::Periodic::Enable\"'` as non-root - Then I will see the following on stdout: - """ - "0" - """ - When I create the file `/etc/apt/apt.conf.d/99test` with the following: - """ - APT::Periodic::Update-Package-Lists "0"; - """ - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.apt_periodic_job_enabled` as non-root - Then I will see the following on stdout: - """ - true - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.package_lists_refresh_frequency_days` as non-root - Then I will see the following on stdout: - """ - 0 - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root - Then I will see the following on stdout: - """ - "APT::Periodic::Update-Package-Lists is turned off" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root - Then I will see the following on stdout: - """ - "unattended-upgrades-cfg-value-turned-off" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"APT::Periodic::Update-Package-Lists\"'` as non-root - Then I will see the following on stdout: - """ - "0" - """ - When I create the file `/etc/apt/apt.conf.d/99test` with the following: - """ - APT::Periodic::Unattended-Upgrade "0"; - """ - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_frequency_days` as non-root - Then I will see the following on stdout: - """ - 0 - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.package_lists_refresh_frequency_days` as non-root - Then I will see the following on stdout: - """ - 1 - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root - Then I will see the following on stdout: - """ - "APT::Periodic::Unattended-Upgrade is turned off" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root - Then I will see the following on stdout: - """ - "unattended-upgrades-cfg-value-turned-off" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"APT::Periodic::Unattended-Upgrade\"'` as non-root - Then I will see the following on stdout: - """ - "0" - """ - When I run `systemctl stop apt-daily.timer` with sudo - And I run `rm /etc/apt/apt.conf.d/99test` with sudo - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.systemd_apt_timer_enabled` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root - Then I will see the following on stdout: - """ - "apt-daily.timer jobs are not running" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root - Then I will see the following on stdout: - """ - "unattended-upgrades-systemd-job-disabled" - """ - When I create the file `/etc/apt/apt.conf.d/50unattended-upgrades` with the following: - """ - APT::Periodic::Unattended-Upgrade "1"; - """ - And I run `systemctl start apt-daily.timer` with sudo - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_frequency_days` as non-root - Then I will see the following on stdout: - """ - 1 - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.systemd_apt_timer_enabled` as non-root - Then I will see the following on stdout: - """ - true - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_allowed_origins` as non-root - Then I will see the following on stdout: - """ - [] - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_running` as non-root - Then I will see the following on stdout: - """ - false - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.msg` as non-root - Then I will see the following on stdout: - """ - "Unattended-Upgrade::Allowed-Origins is empty" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_disabled_reason.code` as non-root - Then I will see the following on stdout: - """ - "unattended-upgrades-cfg-list-value-empty" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"Unattended-Upgrade::Allowed-Origins\"'` as non-root - Then I will see the following on stdout: - """ - null - """ - When I run `/usr/lib/apt/apt.systemd.daily update` with sudo - And I run `/usr/lib/apt/apt.systemd.daily install` with sudo - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq .data.attributes.unattended_upgrades_last_run` as non-root - Then stdout matches regexp: - """ - "(?!null).*" - """ - When I create the file `/etc/apt/apt.conf.d/99test` with the following: - """ - Unattended-Upgrade::Mail "mail"; - Unattended-Upgrade::Package-Blacklist { - "vim"; - }; - """ - And I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"Unattended-Upgrade::Mail\"'` as non-root - Then I will see the following on stdout: - """ - "mail" - """ - When I run shell command `pro api u.unattended_upgrades.status.v1 | jq '.data.meta.raw_config.\"Unattended-Upgrade::Package-Blacklist\"'` as non-root - Then I will see the following on stdout: - """ - [ - "vim" - ] - """ - When I apt remove `unattended-upgrades` - And I run `pro api u.unattended_upgrades.status.v1` as non-root - Then API data field output matches regexp: - """ - { - "attributes": { - "apt_periodic_job_enabled": false, - "package_lists_refresh_frequency_days": 0, - "systemd_apt_timer_enabled": false, - "unattended_upgrades_allowed_origins": [], - "unattended_upgrades_disabled_reason": { - "code": "unattended-upgrades-uninstalled", - "msg": "unattended-upgrades package is not installed" - }, - "unattended_upgrades_frequency_days": 0, - "unattended_upgrades_last_run": null, - "unattended_upgrades_running": false - }, - "meta": { - "environment_vars": [] - }, - "type": "UnattendedUpgradesStatus" - } - """ + "unattended_upgrades_frequency_days": 0, + "unattended_upgrades_last_run": null, + "unattended_upgrades_running": false + }, + "meta": { + "environment_vars": [] + }, + "type": "UnattendedUpgradesStatus" + } + """ - Examples: ubuntu release - | release | machine_type | extra_field | - | xenial | lxd-container | | - | bionic | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "false" | - | focal | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "auto" | - | jammy | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "auto" | - | mantic | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "auto" | + Examples: ubuntu release + | release | machine_type | extra_field | + | xenial | lxd-container | | + | bionic | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "false" | + | focal | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "auto" | + | jammy | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "auto" | + | mantic | lxd-container | ,\n"Unattended-Upgrade::DevRelease": "auto" | diff --git a/features/apt_messages.feature b/features/apt_messages.feature index 4df5340466..460bc1a357 100644 --- a/features/apt_messages.feature +++ b/features/apt_messages.feature @@ -1,734 +1,719 @@ Feature: APT Messages - @uses.config.contract_token - Scenario Outline: APT JSON Hook prints package counts correctly on xenial - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I apt upgrade - When I apt install `` - When I apt upgrade - Then stdout matches regexp: - """ - 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 1 standard LTS security update - """ + @uses.config.contract_token + Scenario Outline: APT JSON Hook prints package counts correctly on xenial + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I apt upgrade + When I apt install `` + When I apt upgrade + Then stdout matches regexp: + """ + 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 1 standard LTS security update + """ + When I apt install `` + When I apt upgrade + Then stdout matches regexp: + """ + 2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 2 esm-infra security updates + """ + When I apt install `` + When I apt upgrade + Then stdout matches regexp: + """ + 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 1 esm-apps security update + """ + When I apt install ` ` + When I apt upgrade + Then stdout matches regexp: + """ + 3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 1 standard LTS security update and 2 esm-infra security updates + """ + When I apt install ` ` + When I apt upgrade + Then stdout matches regexp: + """ + 2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 1 standard LTS security update and 1 esm-apps security update + """ + When I apt install ` ` + When I apt upgrade + Then stdout matches regexp: + """ + 3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 2 esm-infra security updates and 1 esm-apps security update + """ + When I apt install ` ` + When I apt upgrade + Then stdout matches regexp: + """ + 4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + 1 standard LTS security update, 2 esm-infra security updates and 1 esm-apps security update + """ + When I apt upgrade + Then stdout matches regexp: + """ + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + Then stdout does not match regexp: + """ + standard LTS security update + """ + Then stdout does not match regexp: + """ + esm-infra + """ + Then stdout does not match regexp: + """ + esm-apps + """ - When I apt install `` - When I apt upgrade - Then stdout matches regexp: - """ - 2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 2 esm-infra security updates - """ + Examples: ubuntu release + | release | machine_type | standard-pkg | infra-pkg | apps-pkg | + | xenial | lxd-container | wget=1.17.1-1ubuntu1 | curl=7.47.0-1ubuntu2 libcurl3-gnutls=7.47.0-1ubuntu2 | hello=2.10-1 | - When I apt install `` - When I apt upgrade - Then stdout matches regexp: - """ - 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 1 esm-apps security update - """ + @uses.config.contract_token + Scenario Outline: APT Hook advertises esm-infra on upgrade + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt upgrade + When I apt autoremove + When I run `pro config set apt_news=false` with sudo + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + The following security updates require Ubuntu Pro with 'esm-infra' enabled: + ([-+.\w\s]*) + Learn more about Ubuntu Pro for \.04 at https:\/\/ubuntu\.com\/-04 + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. + """ + When I apt-get upgrade + Then I will see the following on stdout: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I attach `contract_token` with sudo + When I apt upgrade on a dry run + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + The following packages will be upgraded: + """ + When I apt upgrade + When I run `pro detach --assume-yes` with sudo + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. + """ - When I apt install ` ` - When I apt upgrade - Then stdout matches regexp: - """ - 3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 1 standard LTS security update and 2 esm-infra security updates - """ + Examples: ubuntu release + | release | machine_type | version | + | xenial | lxd-container | 16 | + | bionic | lxd-container | 18 | + | bionic | wsl | 18 | - When I apt install ` ` - When I apt upgrade - Then stdout matches regexp: - """ - 2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 1 standard LTS security update and 1 esm-apps security update - """ + @uses.config.contract_token + Scenario Outline: APT Hook advertises esm-apps on upgrade + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt upgrade including phased updates + When I apt autoremove + When I apt install `` + When I run `pro config set apt_news=false` with sudo + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + Get through Ubuntu Pro with 'esm-apps' enabled: + + + 0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded. + """ + When I apt-get upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded. + """ + When I attach `contract_token` with sudo + When I apt upgrade on a dry run + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + The following packages will be upgraded: + + """ + When I apt upgrade + When I run `pro detach --assume-yes` with sudo + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded\. + """ - When I apt install ` ` - When I apt upgrade - Then stdout matches regexp: - """ - 3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 2 esm-infra security updates and 1 esm-apps security update - """ + Examples: ubuntu release + | release | machine_type | package | more_msg | learn_more_msg | + | focal | lxd-container | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | + | focal | wsl | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | + | jammy | lxd-container | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | + | jammy | wsl | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | - When I apt install ` ` - When I apt upgrade - Then stdout matches regexp: - """ - 4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - 1 standard LTS security update, 2 esm-infra security updates and 1 esm-apps security update - """ + @uses.config.contract_token + Scenario Outline: APT News + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I apt upgrade including phased updates + When I apt autoremove + When I apt install `jq` + When I run `pro detach --assume-yes` with sudo + Given a `focal` `` machine named `apt-news-server` + When I apt install `nginx` on the `apt-news-server` machine + When I run `sed -i "s/gzip on;/gzip on;\n\tgzip_min_length 1;\n\tgzip_types application\/json;\n/" /etc/nginx/nginx.conf` `with sudo` on the `apt-news-server` machine + When I run `systemctl restart nginx` `with sudo` on the `apt-news-server` machine + When I run `pro config set apt_news_url=http://$behave_var{machine-ip apt-news-server}/aptnews.json` with sudo + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today}", + "lines": [ + "one" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # one + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "one" + """ + # Test that it is not shown in apt-get output + When I apt-get upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today}", + "lines": [ + "one", + "two", + "three" + ] + } + ] + } + """ + # apt update stamp will prevent a apt_news refresh + When I apt update + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # one + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "one" + """ + # manual refresh gets new message + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # one + # two + # three + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "one\ntwo\nthree" + """ + # creates /run/ubuntu-advantage and /var/lib/ubuntu-advantage/messages if not there + When I run `rm -rf /run/ubuntu-advantage` with sudo + When I run `rm -rf /var/lib/ubuntu-advantage/messages` with sudo + When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo + When I apt update + # the apt-news.service unit runs in the background, give it some time to fetch the json file + When I wait `5` seconds + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # one + # two + # three + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "one\ntwo\nthree" + """ + # more than 3 lines ignored + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today}", + "lines": [ + "one", + "two", + "three", + "four" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + null + """ + # more than 77 chars ignored + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today}", + "lines": [ + "000000000100000000020000000003000000000400000000050000000006000000000712345678" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + null + """ + # end is respected + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today -3}", + "end": "$behave_var{today -1}", + "lines": [ + "one" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + null + """ + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today -3}", + "end": "$behave_var{today +1}", + "lines": [ + "one" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # one + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "one" + """ + # begin >30 days ago ignored, even if end is set to future + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today -31}", + "end": "$behave_var{today +1}", + "lines": [ + "one" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + null + """ + # begin in future + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today +1}", + "lines": [ + "one" + ] + } + ] + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + null + """ + # local apt news overrides for contract expiry notices + When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: + """ + { + "messages": [ + { + "begin": "$behave_var{today}", + "lines": [ + "one" + ] + } + ] + } + """ + When I attach `contract_token` with sudo + When I apt upgrade + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: $behave_var{today +2} + """ + # test that apt update will trigger hook to update apt_news for local override + When I run `rm -f /var/lib/apt/periodic/update-success-stamp` with sudo + When I apt update + # the apt-news.service unit runs in the background, give it some time to fetch the json file + When I wait `5` seconds + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # CAUTION: Your Ubuntu Pro subscription will expire in 2 days. + # Renew your subscription at https://ubuntu.com/pro/dashboard to ensure + # continued security coverage for your applications. + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "CAUTION: Your Ubuntu Pro subscription will expire in 2 days.\nRenew your subscription at https://ubuntu.com/pro/dashboard to ensure\ncontinued security coverage for your applications." + """ + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: $behave_var{today -3} + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+. + # Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure + # continued security coverage for your applications. + # Your grace period will expire in 11 days. + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then stdout matches regexp: + """ + "CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+.\\nRenew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure\\ncontinued security coverage for your applications.\\nYour grace period will expire in 11 days." + """ + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: $behave_var{today -20} + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # *Your Ubuntu Pro subscription has EXPIRED* + # Renew your subscription at https://ubuntu.com/pro/dashboard + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "*Your Ubuntu Pro subscription has EXPIRED*\nRenew your subscription at https://ubuntu.com/pro/dashboard" + """ + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "effectiveTo": null + } + } + } + """ + When I run `pro refresh messages` with sudo + When I apt upgrade + Then I will see the following on stdout + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + # + # *Your Ubuntu Pro subscription has EXPIRED* + # Renew your subscription at https://ubuntu.com/pro/dashboard + # + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root + Then I will see the following on stdout + """ + "*Your Ubuntu Pro subscription has EXPIRED*\nRenew your subscription at https://ubuntu.com/pro/dashboard" + """ - When I apt upgrade - Then stdout matches regexp: - """ - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - Then stdout does not match regexp: - """ - standard LTS security update - """ - Then stdout does not match regexp: - """ - esm-infra - """ - Then stdout does not match regexp: - """ - esm-apps - """ + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Examples: ubuntu release - | release | machine_type | standard-pkg | infra-pkg | apps-pkg | - | xenial | lxd-container | wget=1.17.1-1ubuntu1 | curl=7.47.0-1ubuntu2 libcurl3-gnutls=7.47.0-1ubuntu2 | hello=2.10-1 | + Scenario Outline: Cloud and series-specific URLs + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt install `ansible` + # Update after installing to make sure messages are there + When I apt update + When I apt upgrade on a dry run + Then stdout contains substring: + """ + + """ - @uses.config.contract_token - Scenario Outline: APT Hook advertises esm-infra on upgrade - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt upgrade - When I apt autoremove - When I run `pro config set apt_news=false` with sudo - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - The following security updates require Ubuntu Pro with 'esm-infra' enabled: - ([-+.\w\s]*) - Learn more about Ubuntu Pro for \.04 at https:\/\/ubuntu\.com\/-04 - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. - """ - When I apt-get upgrade - Then I will see the following on stdout: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I attach `contract_token` with sudo - When I apt upgrade on a dry run - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - The following packages will be upgraded: - """ - When I apt upgrade - When I run `pro detach --assume-yes` with sudo - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. - """ - Examples: ubuntu release - | release | machine_type | version | - | xenial | lxd-container | 16 | - | bionic | lxd-container | 18 | - | bionic | wsl | 18 | + Examples: release-per-machine-type + | release | machine_type | msg | + | xenial | aws.generic | Learn more about Ubuntu Pro for 16.04 at https://ubuntu.com/16-04 | + | xenial | azure.generic | Learn more about Ubuntu Pro for 16.04 on Azure at https://ubuntu.com/16-04/azure | + | xenial | gcp.generic | Learn more about Ubuntu Pro for 16.04 at https://ubuntu.com/16-04 | + | bionic | aws.generic | Learn more about Ubuntu Pro for 18.04 at https://ubuntu.com/18-04 | + | bionic | azure.generic | Learn more about Ubuntu Pro for 18.04 on Azure at https://ubuntu.com/18-04/azure | + | bionic | gcp.generic | Learn more about Ubuntu Pro for 18.04 at https://ubuntu.com/18-04 | + | focal | aws.generic | Learn more about Ubuntu Pro on AWS at https://ubuntu.com/aws/pro | + | focal | azure.generic | Learn more about Ubuntu Pro on Azure at https://ubuntu.com/azure/pro | + | focal | gcp.generic | Learn more about Ubuntu Pro on GCP at https://ubuntu.com/gcp/pro | - @uses.config.contract_token - Scenario Outline: APT Hook advertises esm-apps on upgrade - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt upgrade including phased updates - When I apt autoremove - When I apt install `` - When I run `pro config set apt_news=false` with sudo - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - Get through Ubuntu Pro with 'esm-apps' enabled: - - - 0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded. - """ - When I apt-get upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded. - """ - When I attach `contract_token` with sudo - When I apt upgrade on a dry run - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - The following packages will be upgraded: - - """ - When I apt upgrade - When I run `pro detach --assume-yes` with sudo - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded\. - """ - Examples: ubuntu release - | release | machine_type | package | more_msg | learn_more_msg | - | focal | lxd-container | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | - | focal | wsl | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | - | jammy | lxd-container | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | - | jammy | wsl | hello | another security update | Learn more about Ubuntu Pro at https://ubuntu.com/pro | + @uses.config.contract_token + Scenario Outline: APT Hook do not advertises esm-apps on upgrade for interim releases + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt upgrade including phased updates + When I apt autoremove + When I apt install `hello` + When I run `pro config set apt_news=false` with sudo + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout does not match regexp: + """ + Get more security updates through Ubuntu Pro with 'esm-apps' enabled: + """ + When I apt-get upgrade + Then I will see the following on stdout: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + """ + When I attach `contract_token` with sudo + When I apt upgrade on a dry run + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. + """ + When I apt upgrade + When I run `pro detach --assume-yes` with sudo + When I run `pro refresh messages` with sudo + When I apt upgrade + Then stdout matches regexp: + """ + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. + """ - @uses.config.contract_token - Scenario Outline: APT News - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I apt upgrade including phased updates - When I apt autoremove - When I apt install `jq` - When I run `pro detach --assume-yes` with sudo - - Given a `focal` `` machine named `apt-news-server` - When I apt install `nginx` on the `apt-news-server` machine - When I run `sed -i "s/gzip on;/gzip on;\n\tgzip_min_length 1;\n\tgzip_types application\/json;\n/" /etc/nginx/nginx.conf` `with sudo` on the `apt-news-server` machine - When I run `systemctl restart nginx` `with sudo` on the `apt-news-server` machine - - When I run `pro config set apt_news_url=http://$behave_var{machine-ip apt-news-server}/aptnews.json` with sudo - - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today}", - "lines": [ - "one" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # one - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "one" - """ - - # Test that it is not shown in apt-get output - When I apt-get upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today}", - "lines": [ - "one", - "two", - "three" - ] - } - ] - } - """ - # apt update stamp will prevent a apt_news refresh - When I apt update - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # one - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "one" - """ - - # manual refresh gets new message - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # one - # two - # three - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "one\ntwo\nthree" - """ - - # creates /run/ubuntu-advantage and /var/lib/ubuntu-advantage/messages if not there - When I run `rm -rf /run/ubuntu-advantage` with sudo - When I run `rm -rf /var/lib/ubuntu-advantage/messages` with sudo - When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo - When I apt update - # the apt-news.service unit runs in the background, give it some time to fetch the json file - When I wait `5` seconds - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # one - # two - # three - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "one\ntwo\nthree" - """ - - # more than 3 lines ignored - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today}", - "lines": [ - "one", - "two", - "three", - "four" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - null - """ - - # more than 77 chars ignored - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today}", - "lines": [ - "000000000100000000020000000003000000000400000000050000000006000000000712345678" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - null - """ - - # end is respected - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today -3}", - "end": "$behave_var{today -1}", - "lines": [ - "one" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - null - """ - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today -3}", - "end": "$behave_var{today +1}", - "lines": [ - "one" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # one - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "one" - """ - - # begin >30 days ago ignored, even if end is set to future - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today -31}", - "end": "$behave_var{today +1}", - "lines": [ - "one" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - null - """ - - # begin in future - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today +1}", - "lines": [ - "one" - ] - } - ] - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - null - """ - - # local apt news overrides for contract expiry notices - When I create the file `/var/www/html/aptnews.json` on the `apt-news-server` machine with the following: - """ - { - "messages": [ - { - "begin": "$behave_var{today}", - "lines": [ - "one" - ] - } - ] - } - """ - When I attach `contract_token` with sudo - When I apt upgrade - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: $behave_var{today +2} - """ - # test that apt update will trigger hook to update apt_news for local override - When I run `rm -f /var/lib/apt/periodic/update-success-stamp` with sudo - When I apt update - # the apt-news.service unit runs in the background, give it some time to fetch the json file - When I wait `5` seconds - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # CAUTION: Your Ubuntu Pro subscription will expire in 2 days. - # Renew your subscription at https://ubuntu.com/pro/dashboard to ensure - # continued security coverage for your applications. - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "CAUTION: Your Ubuntu Pro subscription will expire in 2 days.\nRenew your subscription at https://ubuntu.com/pro/dashboard to ensure\ncontinued security coverage for your applications." - """ - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: $behave_var{today -3} - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+. - # Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure - # continued security coverage for your applications. - # Your grace period will expire in 11 days. - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then stdout matches regexp: - """ - "CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+.\\nRenew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure\\ncontinued security coverage for your applications.\\nYour grace period will expire in 11 days." - """ - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: $behave_var{today -20} - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # *Your Ubuntu Pro subscription has EXPIRED* - # Renew your subscription at https://ubuntu.com/pro/dashboard - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "*Your Ubuntu Pro subscription has EXPIRED*\nRenew your subscription at https://ubuntu.com/pro/dashboard" - """ - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "effectiveTo": null - } - } - } - """ - When I run `pro refresh messages` with sudo - When I apt upgrade - Then I will see the following on stdout - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - # - # *Your Ubuntu Pro subscription has EXPIRED* - # Renew your subscription at https://ubuntu.com/pro/dashboard - # - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I run shell command `pro api u.apt_news.current_news.v1 | jq .data.attributes.current_news` as non-root - Then I will see the following on stdout - """ - "*Your Ubuntu Pro subscription has EXPIRED*\nRenew your subscription at https://ubuntu.com/pro/dashboard" - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Cloud and series-specific URLs - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt install `ansible` - # Update after installing to make sure messages are there - When I apt update - When I apt upgrade on a dry run - Then stdout contains substring: - """ - - """ - Examples: release-per-machine-type - | release | machine_type | msg | - | xenial | aws.generic | Learn more about Ubuntu Pro for 16.04 at https://ubuntu.com/16-04 | - | xenial | azure.generic | Learn more about Ubuntu Pro for 16.04 on Azure at https://ubuntu.com/16-04/azure | - | xenial | gcp.generic | Learn more about Ubuntu Pro for 16.04 at https://ubuntu.com/16-04 | - | bionic | aws.generic | Learn more about Ubuntu Pro for 18.04 at https://ubuntu.com/18-04 | - | bionic | azure.generic | Learn more about Ubuntu Pro for 18.04 on Azure at https://ubuntu.com/18-04/azure | - | bionic | gcp.generic | Learn more about Ubuntu Pro for 18.04 at https://ubuntu.com/18-04 | - | focal | aws.generic | Learn more about Ubuntu Pro on AWS at https://ubuntu.com/aws/pro | - | focal | azure.generic | Learn more about Ubuntu Pro on Azure at https://ubuntu.com/azure/pro | - | focal | gcp.generic | Learn more about Ubuntu Pro on GCP at https://ubuntu.com/gcp/pro | - - @uses.config.contract_token - Scenario Outline: APT Hook do not advertises esm-apps on upgrade for interim releases - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt upgrade including phased updates - When I apt autoremove - When I apt install `hello` - When I run `pro config set apt_news=false` with sudo - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout does not match regexp: - """ - Get more security updates through Ubuntu Pro with 'esm-apps' enabled: - """ - When I apt-get upgrade - Then I will see the following on stdout: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. - """ - When I attach `contract_token` with sudo - When I apt upgrade on a dry run - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. - """ - When I apt upgrade - When I run `pro detach --assume-yes` with sudo - When I run `pro refresh messages` with sudo - When I apt upgrade - Then stdout matches regexp: - """ - Reading package lists... - Building dependency tree... - Reading state information... - Calculating upgrade... - 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\. - """ - Examples: ubuntu release - | release | machine_type | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | mantic | lxd-container | diff --git a/features/attach_invalidtoken.feature b/features/attach_invalidtoken.feature index 0db2a467b5..4a878f7dad 100644 --- a/features/attach_invalidtoken.feature +++ b/features/attach_invalidtoken.feature @@ -1,54 +1,54 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu - Pro subscription using an invalid token + Pro subscription using an invalid token - Scenario Outline: Attach command failure on invalid token - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro attach INVALID_TOKEN` `with sudo` exits `1` - Then stderr matches regexp: - """ - Invalid token. See https://ubuntu.com/pro - """ - When I verify that running `pro attach INVALID_TOKEN` `as non-root` exits `1` - Then I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro attach invalid-token --format json` `with sudo` exits `1` - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ + Scenario Outline: Attach command failure on invalid token + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro attach INVALID_TOKEN` `with sudo` exits `1` + Then stderr matches regexp: + """ + Invalid token. See https://ubuntu.com/pro + """ + When I verify that running `pro attach INVALID_TOKEN` `as non-root` exits `1` + Then I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro attach invalid-token --format json` `with sudo` exits `1` + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - @uses.config.contract_token_staging_expired - Scenario Outline: Attach command failure on expired token - Given a `` `` machine with ubuntu-advantage-tools installed - When I attempt to attach `contract_token_staging_expired` with sudo - Then stderr matches regexp: - """ - Attach denied: - Contract ".*" .* - Visit https://ubuntu.com/pro/dashboard to manage contract tokens. - """ - When I verify that running attach `with sudo` using expired token with json response fails - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"contract_expiry_date": "08-21-2022", "contract_id": "cAHT7ADjWMRCjo5Q53QlTawtPlrhxeRg7cbEnquxxm1g", "date": "August 21, 2022"}, "message": "Attach denied:\nContract \"cAHT7ADjWMRCjo5Q53QlTawtPlrhxeRg7cbEnquxxm1g\" expired on August 21, 2022\nVisit https://ubuntu.com/pro/dashboard to manage contract tokens.", "message_code": "attach-forbidden-expired", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ + @uses.config.contract_token_staging_expired + Scenario Outline: Attach command failure on expired token + Given a `` `` machine with ubuntu-advantage-tools installed + When I attempt to attach `contract_token_staging_expired` with sudo + Then stderr matches regexp: + """ + Attach denied: + Contract ".*" .* + Visit https://ubuntu.com/pro/dashboard to manage contract tokens. + """ + When I verify that running attach `with sudo` using expired token with json response fails + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"contract_expiry_date": "08-21-2022", "contract_id": "cAHT7ADjWMRCjo5Q53QlTawtPlrhxeRg7cbEnquxxm1g", "date": "August 21, 2022"}, "message": "Attach denied:\nContract \"cAHT7ADjWMRCjo5Q53QlTawtPlrhxeRg7cbEnquxxm1g\" expired on August 21, 2022\nVisit https://ubuntu.com/pro/dashboard to manage contract tokens.", "message_code": "attach-forbidden-expired", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/attach_validtoken.feature b/features/attach_validtoken.feature index 9914845de3..374f6c6b91 100644 --- a/features/attach_validtoken.feature +++ b/features/attach_validtoken.feature @@ -1,335 +1,335 @@ @uses.config.contract_token Feature: Command behaviour when attaching a machine to an Ubuntu Pro - subscription using a valid token + subscription using a valid token - Scenario Outline: Attached command in a non-lts ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro status` as non-root - Then stdout matches regexp: - """ - - """ - And stdout matches regexp: - """ - For a list of all Ubuntu Pro services, run 'pro status --all' - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +n/a +.* - cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages - cis +yes +n/a +Security compliance and audit tools - esm-apps +yes +n/a +Expanded Security Maintenance for Applications - esm-infra +yes +n/a +Expanded Security Maintenance for Infrastructure - fips +yes +n/a +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +.* - fips-updates +yes +n/a +FIPS compliant crypto packages with stable security updates - landscape +yes + +Management and administration tool for Ubuntu - livepatch +yes +n/a +Canonical Livepatch service - """ - And stdout does not match regexp: - """ - For a list of all Ubuntu Pro services, run 'pro status --all' - """ + Scenario Outline: Attached command in a non-lts ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro status` as non-root + Then stdout matches regexp: + """ + + """ + And stdout matches regexp: + """ + For a list of all Ubuntu Pro services, run 'pro status --all' + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +n/a +.* + cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages + cis +yes +n/a +Security compliance and audit tools + esm-apps +yes +n/a +Expanded Security Maintenance for Applications + esm-infra +yes +n/a +Expanded Security Maintenance for Infrastructure + fips +yes +n/a +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +.* + fips-updates +yes +n/a +FIPS compliant crypto packages with stable security updates + landscape +yes + +Management and administration tool for Ubuntu + livepatch +yes +n/a +Canonical Livepatch service + """ + And stdout does not match regexp: + """ + For a list of all Ubuntu Pro services, run 'pro status --all' + """ - Examples: ubuntu release - | release | machine_type | landscape | status_string | - | mantic | lxd-container | disabled | landscape +yes +disabled +Management and administration tool for Ubuntu | + Examples: ubuntu release + | release | machine_type | landscape | status_string | + | mantic | lxd-container | disabled | landscape +yes +disabled +Management and administration tool for Ubuntu | - Scenario Outline: Attach command in a ubuntu lxd container - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt install `update-motd` - And I apt install `` - And I run `pro refresh messages` with sudo - Then stdout matches regexp: - """ - Successfully updated Ubuntu Pro related APT and MOTD messages. - """ - When I run `update-motd` with sudo - Then if `` in `xenial` and stdout matches regexp: - """ - \d+ update(s)? can be applied immediately. - \d+ of these updates (is a|are) standard security update(s)?. - """ - Then if `` in `bionic` and stdout matches regexp: - """ - \d+ update(s)? can be applied immediately. - \d+ of these updates (is a|are) standard security update(s)?. - """ - Then if `` in `focal` and stdout matches regexp: - """ - \d+ update(s)? can be applied immediately. - """ - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Ubuntu Pro: ESM Infra enabled - """ - And stdout matches regexp: - """ - This machine is now attached to - """ - And stderr matches regexp: - """ - Enabling default service esm-infra - """ - Then I verify that `esm-infra` is enabled - And I verify that `esm-apps` is enabled - When I verify that running `pro attach contract_token` `with sudo` exits `2` - Then stderr matches regexp: - """ - This machine is already attached to '.+' - To use a different subscription first run: sudo pro detach. - """ + Scenario Outline: Attach command in a ubuntu lxd container + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt install `update-motd` + And I apt install `` + And I run `pro refresh messages` with sudo + Then stdout matches regexp: + """ + Successfully updated Ubuntu Pro related APT and MOTD messages. + """ + When I run `update-motd` with sudo + Then if `` in `xenial` and stdout matches regexp: + """ + \d+ update(s)? can be applied immediately. + \d+ of these updates (is a|are) standard security update(s)?. + """ + Then if `` in `bionic` and stdout matches regexp: + """ + \d+ update(s)? can be applied immediately. + \d+ of these updates (is a|are) standard security update(s)?. + """ + Then if `` in `focal` and stdout matches regexp: + """ + \d+ update(s)? can be applied immediately. + """ + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Ubuntu Pro: ESM Infra enabled + """ + And stdout matches regexp: + """ + This machine is now attached to + """ + And stderr matches regexp: + """ + Enabling default service esm-infra + """ + Then I verify that `esm-infra` is enabled + And I verify that `esm-apps` is enabled + When I verify that running `pro attach contract_token` `with sudo` exits `2` + Then stderr matches regexp: + """ + This machine is already attached to '.+' + To use a different subscription first run: sudo pro detach. + """ - Examples: ubuntu release packages - | release | machine_type | downrev_pkg | cc_status | cis_or_usg | cis | fips | livepatch_desc | - | xenial | lxd-container | libkrad0=1.13.2+dfsg-5 | disabled | cis | disabled | disabled | Canonical Livepatch service | - | bionic | lxd-container | libkrad0=1.16-2build1 | disabled | cis | disabled | disabled | Canonical Livepatch service | - | focal | lxd-container | hello=2.10-2ubuntu2 | n/a | usg | disabled | disabled | Canonical Livepatch service | - | jammy | lxd-container | hello=2.10-2ubuntu4 | n/a | usg | n/a | n/a | Canonical Livepatch service | + Examples: ubuntu release packages + | release | machine_type | downrev_pkg | cc_status | cis_or_usg | cis | fips | livepatch_desc | + | xenial | lxd-container | libkrad0=1.13.2+dfsg-5 | disabled | cis | disabled | disabled | Canonical Livepatch service | + | bionic | lxd-container | libkrad0=1.16-2build1 | disabled | cis | disabled | disabled | Canonical Livepatch service | + | focal | lxd-container | hello=2.10-2ubuntu2 | n/a | usg | disabled | disabled | Canonical Livepatch service | + | jammy | lxd-container | hello=2.10-2ubuntu4 | n/a | usg | n/a | n/a | Canonical Livepatch service | - Scenario Outline: Attach command with attach config - Given a `` `` machine with ubuntu-advantage-tools installed - # simplest happy path - When I create the file `/tmp/attach.yaml` with the following - """ - token: - """ - When I replace `` in `/tmp/attach.yaml` with token `contract_token` - When I run `pro attach --attach-config /tmp/attach.yaml` with sudo - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `` is disabled - When I run `pro detach --assume-yes` with sudo - # don't allow both token on cli and config - Then I verify that running `pro attach TOKEN --attach-config /tmp/attach.yaml` `with sudo` exits `1` - Then stderr matches regexp: - """ - Do not pass the TOKEN arg if you are using --attach-config. - Include the token in the attach-config file instead. - """ - # happy path with service overrides - When I create the file `/tmp/attach.yaml` with the following - """ - token: - enable_services: - - esm-apps - - - """ - When I replace `` in `/tmp/attach.yaml` with token `contract_token` - When I run `pro attach --attach-config /tmp/attach.yaml` with sudo - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is disabled - And I verify that `` is enabled - When I run `pro detach --assume-yes` with sudo - # missing token - When I create the file `/tmp/attach.yaml` with the following - """ - enable_services: - - esm-apps - - - """ - Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1` - Then stderr matches regexp: - """ - Error while reading /tmp/attach.yaml: - Got value with incorrect type for field "token": - Expected value with type StringDataValue but got type: null - """ - # other schema error - When I create the file `/tmp/attach.yaml` with the following - """ - token: - enable_services: {cis: true} - """ - When I replace `` in `/tmp/attach.yaml` with token `contract_token` - Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1` - Then stderr matches regexp: - """ - Error while reading /tmp/attach.yaml: - Got value with incorrect type for field "enable_services": - Expected value with type list but got type: dict - """ - # invalid service name - When I create the file `/tmp/attach.yaml` with the following - """ - token: - enable_services: - - esm-apps - - nonexistent - - nonexistent2 - """ - When I replace `` in `/tmp/attach.yaml` with token `contract_token` - Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1` - And stderr matches regexp: - """ - Cannot enable unknown service 'nonexistent, nonexistent2'. - """ - And I verify that `esm-apps` is enabled - And I verify that `esm-infra` is disabled + Scenario Outline: Attach command with attach config + Given a `` `` machine with ubuntu-advantage-tools installed + # simplest happy path + When I create the file `/tmp/attach.yaml` with the following + """ + token: + """ + When I replace `` in `/tmp/attach.yaml` with token `contract_token` + When I run `pro attach --attach-config /tmp/attach.yaml` with sudo + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `` is disabled + When I run `pro detach --assume-yes` with sudo + # don't allow both token on cli and config + Then I verify that running `pro attach TOKEN --attach-config /tmp/attach.yaml` `with sudo` exits `1` + Then stderr matches regexp: + """ + Do not pass the TOKEN arg if you are using --attach-config. + Include the token in the attach-config file instead. + """ + # happy path with service overrides + When I create the file `/tmp/attach.yaml` with the following + """ + token: + enable_services: + - esm-apps + - + """ + When I replace `` in `/tmp/attach.yaml` with token `contract_token` + When I run `pro attach --attach-config /tmp/attach.yaml` with sudo + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is disabled + And I verify that `` is enabled + When I run `pro detach --assume-yes` with sudo + # missing token + When I create the file `/tmp/attach.yaml` with the following + """ + enable_services: + - esm-apps + - + """ + Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1` + Then stderr matches regexp: + """ + Error while reading /tmp/attach.yaml: + Got value with incorrect type for field "token": + Expected value with type StringDataValue but got type: null + """ + # other schema error + When I create the file `/tmp/attach.yaml` with the following + """ + token: + enable_services: {cis: true} + """ + When I replace `` in `/tmp/attach.yaml` with token `contract_token` + Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1` + Then stderr matches regexp: + """ + Error while reading /tmp/attach.yaml: + Got value with incorrect type for field "enable_services": + Expected value with type list but got type: dict + """ + # invalid service name + When I create the file `/tmp/attach.yaml` with the following + """ + token: + enable_services: + - esm-apps + - nonexistent + - nonexistent2 + """ + When I replace `` in `/tmp/attach.yaml` with token `contract_token` + Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1` + And stderr matches regexp: + """ + Cannot enable unknown service 'nonexistent, nonexistent2'. + """ + And I verify that `esm-apps` is enabled + And I verify that `esm-infra` is disabled - Examples: ubuntu - | release | machine_type | cis_or_usg | - | xenial | lxd-container | cis | - | bionic | lxd-container | cis | - | focal | lxd-container | usg | + Examples: ubuntu + | release | machine_type | cis_or_usg | + | xenial | lxd-container | cis | + | bionic | lxd-container | cis | + | focal | lxd-container | usg | - Scenario Outline: Attach command in an generic cloud images - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Ubuntu Pro: ESM Infra enabled - """ - And stdout matches regexp: - """ - This machine is now attached to - """ - And stderr matches regexp: - """ - Enabling default service esm-infra - """ - And I verify that `esm-infra` is enabled + Scenario Outline: Attach command in an generic cloud images + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Ubuntu Pro: ESM Infra enabled + """ + And stdout matches regexp: + """ + This machine is now attached to + """ + And stderr matches regexp: + """ + Enabling default service esm-infra + """ + And I verify that `esm-infra` is enabled - Examples: ubuntu release livepatch status - | release | machine_type | - | xenial | aws.generic | - | xenial | azure.generic | - | xenial | gcp.generic | - | bionic | aws.generic | - | bionic | azure.generic | - | bionic | gcp.generic | - | focal | aws.generic | - | focal | azure.generic | - | focal | gcp.generic | - | jammy | aws.generic | - | jammy | azure.generic | - | jammy | gcp.generic | + Examples: ubuntu release livepatch status + | release | machine_type | + | xenial | aws.generic | + | xenial | azure.generic | + | xenial | gcp.generic | + | bionic | aws.generic | + | bionic | azure.generic | + | bionic | gcp.generic | + | focal | aws.generic | + | focal | azure.generic | + | focal | gcp.generic | + | jammy | aws.generic | + | jammy | azure.generic | + | jammy | gcp.generic | - Scenario Outline: Attach command with json output - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running attach `as non-root` with json response exits `1` - Then I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - When I verify that running attach `with sudo` with json response exits `0` - Then I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} - """ - And I verify that `esm-infra` is enabled - And I verify that `esm-apps` is enabled + Scenario Outline: Attach command with json output + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running attach `as non-root` with json response exits `1` + Then I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + When I verify that running attach `with sudo` with json response exits `0` + Then I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} + """ + And I verify that `esm-infra` is enabled + And I verify that `esm-apps` is enabled - Examples: ubuntu release - | release | machine_type | cc-eal | - | xenial | lxd-container | disabled | - | bionic | lxd-container | disabled | - | focal | lxd-container | n/a | - | jammy | lxd-container | n/a | + Examples: ubuntu release + | release | machine_type | cc-eal | + | xenial | lxd-container | disabled | + | bionic | lxd-container | disabled | + | focal | lxd-container | n/a | + | jammy | lxd-container | n/a | - Scenario Outline: Attach and Check for contract change in status checking - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Ubuntu Pro: ESM Infra enabled - """ - And stdout matches regexp: - """ - This machine is now attached to - """ - And I verify that `esm-infra` is enabled - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: 2000-01-02T03:04:05Z - """ - And I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - And I run `pro status` with sudo - Then stdout matches regexp: - """ - A change has been detected in your contract. - Please run `sudo pro refresh`. - """ - When I run `pro refresh contract` with sudo - Then stdout matches regexp: - """ - Successfully refreshed your subscription. - """ - # remove machine token overlay - When I change config key `features` to use value `{}` - And I run `pro status` with sudo - Then stdout does not match regexp: - """ - A change has been detected in your contract. - Please run `sudo pro refresh`. - """ + Scenario Outline: Attach and Check for contract change in status checking + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Ubuntu Pro: ESM Infra enabled + """ + And stdout matches regexp: + """ + This machine is now attached to + """ + And I verify that `esm-infra` is enabled + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: 2000-01-02T03:04:05Z + """ + And I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + And I run `pro status` with sudo + Then stdout matches regexp: + """ + A change has been detected in your contract. + Please run `sudo pro refresh`. + """ + When I run `pro refresh contract` with sudo + Then stdout matches regexp: + """ + Successfully refreshed your subscription. + """ + # remove machine token overlay + When I change config key `features` to use value `{}` + And I run `pro status` with sudo + Then stdout does not match regexp: + """ + A change has been detected in your contract. + Please run `sudo pro refresh`. + """ - Examples: ubuntu release livepatch status - | release | machine_type | - # removing until we add this feature back in a way that doesn't hammer the server - #| xenial | lxd-container | - #| bionic | lxd-container | - #| focal | lxd-container | + Examples: ubuntu release livepatch status + | release | machine_type | - Scenario Outline: Attach and Check for contract change in status checking - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/tmp/response-overlay.json` with the following: - """ - { - "https://contracts.canonical.com/v1/context/machines/token": [ - { - "code": 200, - "response": { - "machineTokenInfo": { - "contractInfo": { - "resourceEntitlements": [ - { - "type": "esm-infra", - "directives": { - "aptURL": "test", - "suites": [""] - } - }, - { - "type": "esm-apps", - "directives": { - "aptURL": "test", - "suites": [""] - } - } - ] - } - } - } - }] - } - """ - And I append the following on uaclient config: - """ - features: - serviceclient_url_responses: "/tmp/response-overlay.json" - """ - And I verify that running `pro attach TOKEN` `with sudo` exits `1` - Then I will see the following on stderr: - """ - There is a problem with the resource directives provided by https://contracts.canonical.com - These entitlements: esm-apps, esm-infra are sharing the following directives - - APT url: test - - Suite: - These directives need to be unique for every entitlement. - """ - And the machine is unattached + # removing until we add this feature back in a way that doesn't hammer the server + # | xenial | lxd-container | + # | bionic | lxd-container | + # | focal | lxd-container | + Scenario Outline: Attach and Check for contract change in status checking + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/tmp/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/context/machines/token": [ + { + "code": 200, + "response": { + "machineTokenInfo": { + "contractInfo": { + "resourceEntitlements": [ + { + "type": "esm-infra", + "directives": { + "aptURL": "test", + "suites": [""] + } + }, + { + "type": "esm-apps", + "directives": { + "aptURL": "test", + "suites": [""] + } + } + ] + } + } + } + }] + } + """ + And I append the following on uaclient config: + """ + features: + serviceclient_url_responses: "/tmp/response-overlay.json" + """ + And I verify that running `pro attach TOKEN` `with sudo` exits `1` + Then I will see the following on stderr: + """ + There is a problem with the resource directives provided by https://contracts.canonical.com + These entitlements: esm-apps, esm-infra are sharing the following directives + - APT url: test + - Suite: + These directives need to be unique for every entitlement. + """ + And the machine is unattached - Examples: ubuntu release livepatch status - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release livepatch status + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/attached_commands.feature b/features/attached_commands.feature index 009604525f..73835a61b6 100644 --- a/features/attached_commands.feature +++ b/features/attached_commands.feature @@ -1,921 +1,922 @@ @uses.config.contract_token Feature: Command behaviour when attached to an Ubuntu Pro subscription - Scenario Outline: Attached refresh in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro refresh` `as non-root` exits `1` - And stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I run `pro refresh` with sudo - Then I will see the following on stdout: - """ - Successfully processed your pro configuration. - Successfully refreshed your subscription. - Successfully updated Ubuntu Pro related APT and MOTD messages. - """ - When I run `pro refresh config` with sudo - Then I will see the following on stdout: - """ - Successfully processed your pro configuration. - """ - When I run `pro refresh contract` with sudo - Then I will see the following on stdout: - """ - Successfully refreshed your subscription. - """ - When I run `pro refresh messages` with sudo - Then I will see the following on stdout: - """ - Successfully updated Ubuntu Pro related APT and MOTD messages. - """ - When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - And I run `sh -c "ls /var/log/ubuntu-advantage* | sort -d"` as non-root - Then stdout matches regexp: - """ - /var/log/ubuntu-advantage.log - """ - When I run `logrotate --force /etc/logrotate.d/ubuntu-advantage-tools` with sudo - And I run `sh -c "ls /var/log/ubuntu-advantage* | sort -d"` as non-root - Then stdout matches regexp: - """ - /var/log/ubuntu-advantage.log - /var/log/ubuntu-advantage.log.1 - """ - - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | bionic | wsl | - | focal | lxd-container | - | focal | wsl | - | xenial | lxd-container | - | jammy | lxd-container | - | jammy | wsl | - | mantic | lxd-container | - - Scenario Outline: Disable command on an attached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro disable livepatch` `as non-root` exits `1` - And stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I verify that running `pro disable foobar` `as non-root` exits `1` - Then stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I verify that running `pro disable livepatch` `with sudo` exits `1` - Then I will see the following on stdout: - """ - Livepatch is not currently enabled - See: sudo pro status - """ - When I verify that running `pro disable foobar` `with sudo` exits `1` - Then stderr matches regexp: - """ - Cannot disable unknown service 'foobar'. - - """ - When I verify that running `pro disable livepatch foobar` `as non-root` exits `1` - Then stderr matches regexp: - """ - This command must be run as root \(try using sudo\) - """ - When I verify that running `pro disable livepatch foobar` `with sudo` exits `1` - Then I will see the following on stdout: - """ - Livepatch is not currently enabled - See: sudo pro status - """ - And stderr matches regexp: - """ - Cannot disable unknown service 'foobar'. - - """ - When I verify that running `pro disable esm-infra` `as non-root` exits `1` - Then stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I run `pro disable esm-infra` with sudo - Then I verify that `esm-infra` is disabled - And I verify that running `apt update` `with sudo` exits `0` - - Examples: ubuntu release - | release | machine_type | msg | - | xenial | lxd-container | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | bionic | lxd-container | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | focal | lxd-container | Try anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - | jammy | lxd-container | Try anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - - Scenario Outline: Attached disable with json format - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro disable foobar --format json` `as non-root` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - Then I verify that running `pro disable foobar --format json` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - Then I verify that running `pro disable foobar --format json --assume-yes` `as non-root` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - And I verify that running `pro disable foobar --format json --assume-yes` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "disable", "service_msg": "Try "}, "message": "Cannot disable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - And I verify that running `pro disable livepatch --format json --assume-yes` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "Livepatch is not currently enabled\nSee: sudo pro status", "message_code": "service-already-disabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - And I verify that running `pro disable esm-infra esm-apps --format json --assume-yes` `with sudo` exits `0` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} - """ - When I run `pro enable esm-infra` with sudo - Then I verify that running `pro disable esm-infra foobar --format json --assume-yes` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "disable", "service_msg": "Try "}, "message": "Cannot disable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "failure", "warnings": []} - """ - - Examples: ubuntu release - | release | machine_type | valid_services | - | xenial | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | bionic | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | focal | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - | jammy | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - - Scenario Outline: Attached detach in an ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro api u.pro.status.enabled_services.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "esm-apps", "variant_enabled": false, "variant_name": null}, {"name": "esm-infra", "variant_enabled": false, "variant_name": null}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - Then I verify that running `pro detach` `as non-root` exits `1` - And stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I run `pro detach --assume-yes` with sudo - Then I will see the following on stdout: - """ - Detach will disable the following services: - esm-apps - esm-infra - Updating package lists - Updating package lists - This machine is now detached. - """ - And the machine is unattached - And I ensure apt update runs without errors - When I attach `contract_token` with sudo - Then I verify that running `pro enable foobar --format json` `as non-root` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - Then I verify that running `pro enable foobar --format json` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - Then I verify that running `pro detach --format json --assume-yes` `as non-root` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - When I run `pro detach --format json --assume-yes` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} - """ - And the machine is unattached - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | bionic | wsl | - | focal | lxd-container | - | focal | wsl | - | jammy | lxd-container | - | jammy | wsl | - - Scenario Outline: Attached auto-attach in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro auto-attach` `as non-root` exits `1` - And stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I verify that running `pro auto-attach` `with sudo` exits `2` - Then stderr matches regexp: - """ - This machine is already attached to '.+' - To use a different subscription first run: sudo pro detach. - """ - - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Attached show version in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro version` as non-root - Then I will see the uaclient version on stdout - When I run `pro version` with sudo - Then I will see the uaclient version on stdout - When I run `pro --version` as non-root - Then I will see the uaclient version on stdout - When I run `pro --version` with sudo - Then I will see the uaclient version on stdout - - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Attached status in a ubuntu machine with feature overrides - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "resourceEntitlements": [ - { - "type": "cc-eal", - "entitled": false - } - ] - } - } - } - """ - And I append the following on uaclient config: - """ - features: - machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" - disable_auto_attach: true - other: false - """ - And I attach `contract_token` with sudo - And I run `pro status --all` with sudo - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +.* - cc-eal +no - """ - And stdout matches regexp: - """ - FEATURES - disable_auto_attach: True - machine_token_overlay: /var/lib/ubuntu-advantage/machine-token-overlay.json - other: False - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +.* - cc-eal +no - """ - And stdout matches regexp: - """ - FEATURES - disable_auto_attach: True - machine_token_overlay: /var/lib/ubuntu-advantage/machine-token-overlay.json - other: False - """ - When I run `pro detach --assume-yes` with sudo - Then I verify that running `pro auto-attach` `with sudo` exits `1` - Then stderr matches regexp: - """ - features.disable_auto_attach set in config - """ - - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Attached enable when reboot required - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro disable esm-infra` with sudo - And I run `touch /var/run/reboot-required` with sudo - And I run `touch /var/run/reboot-required.pkgs` with sudo - And I run `pro enable esm-infra` with sudo - Then stdout matches regexp: - """ - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - """ - And stdout does not match regexp: - """ - A reboot is required to complete install. - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - - Scenario Outline: Help command on an attached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro help esm-infra` with sudo - Then I will see the following on stdout: - """ - Name: - esm-infra - - Entitled: - yes - - Status: - - - Help: - Expanded Security Maintenance for Infrastructure provides access to a private - PPA which includes available high and critical CVE fixes for Ubuntu LTS - packages in the Ubuntu Main repository between the end of the standard Ubuntu - LTS security maintenance and its end of life. It is enabled by default with - Ubuntu Pro. You can find out more about the service at - https://ubuntu.com/security/esm - """ - When I run `pro help esm-infra --format json` with sudo - Then I will see the following on stdout: - """ - {"name": "esm-infra", "entitled": "yes", "status": "", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} - """ - And I verify that running `pro help invalid-service` `with sudo` exits `1` - And I will see the following on stderr: - """ - No help available for 'invalid-service' - """ - When I run `pro --help` as non-root - Then stdout matches regexp: - """ - Client to manage Ubuntu Pro services on a machine. - - anbox-cloud: .* - - cc-eal: Common Criteria EAL2 Provisioning Packages - \(https://ubuntu.com/security/cc\) - - cis: Security compliance and audit tools - \(https://ubuntu.com/security/certifications/docs/usg\) - - esm-apps: Expanded Security Maintenance for Applications - \(https://ubuntu.com/security/esm\) - - esm-infra: Expanded Security Maintenance for Infrastructure - \(https://ubuntu.com/security/esm\) - - fips-preview: .* - .*\(https://ubuntu.com/security/fips\) - - fips-updates: FIPS compliant crypto packages with stable security updates - \(https://ubuntu.com/security/fips\) - - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) - - landscape: Management and administration tool for Ubuntu - \(https://ubuntu.com/landscape\) - - livepatch: Canonical Livepatch service - \(https://ubuntu.com/security/livepatch\) - """ - When I run `pro help` with sudo - Then stdout matches regexp: - """ - Client to manage Ubuntu Pro services on a machine. - - anbox-cloud: .* - - cc-eal: Common Criteria EAL2 Provisioning Packages - \(https://ubuntu.com/security/cc\) - - cis: Security compliance and audit tools - \(https://ubuntu.com/security/certifications/docs/usg\) - - esm-apps: Expanded Security Maintenance for Applications - \(https://ubuntu.com/security/esm\) - - esm-infra: Expanded Security Maintenance for Infrastructure - \(https://ubuntu.com/security/esm\) - - fips-preview: .* - .*\(https://ubuntu.com/security/fips\) - - fips-updates: FIPS compliant crypto packages with stable security updates - \(https://ubuntu.com/security/fips\) - - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) - - landscape: Management and administration tool for Ubuntu - \(https://ubuntu.com/landscape\) - - livepatch: Canonical Livepatch service - \(https://ubuntu.com/security/livepatch\) - """ - When I run `pro help --all` as non-root - Then stdout matches regexp: - """ - Client to manage Ubuntu Pro services on a machine. - - anbox-cloud: .* - - cc-eal: Common Criteria EAL2 Provisioning Packages - \(https://ubuntu.com/security/cc\) - - cis: Security compliance and audit tools - \(https://ubuntu.com/security/certifications/docs/usg\) - - esm-apps: Expanded Security Maintenance for Applications - \(https://ubuntu.com/security/esm\) - - esm-infra: Expanded Security Maintenance for Infrastructure - \(https://ubuntu.com/security/esm\) - - fips-preview: .* - .*\(https://ubuntu.com/security/fips\) - - fips-updates: FIPS compliant crypto packages with stable security updates - \(https://ubuntu.com/security/fips\) - - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) - - landscape: Management and administration tool for Ubuntu - \(https://ubuntu.com/landscape\) - - livepatch: Canonical Livepatch service - \(https://ubuntu.com/security/livepatch\) - - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated - \(https://ubuntu.com/realtime-kernel\) - - ros-updates: All Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - ros: Security Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - """ - - Examples: ubuntu release - | release | machine_type | infra-status | - | bionic | lxd-container | enabled | - | xenial | lxd-container | enabled | - | mantic | lxd-container | n/a | - - Scenario Outline: Help command on an attached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro help esm-infra` with sudo - Then I will see the following on stdout: - """ - Name: - esm-infra - - Entitled: - yes - - Status: - enabled - - Help: - Expanded Security Maintenance for Infrastructure provides access to a private - PPA which includes available high and critical CVE fixes for Ubuntu LTS - packages in the Ubuntu Main repository between the end of the standard Ubuntu - LTS security maintenance and its end of life. It is enabled by default with - Ubuntu Pro. You can find out more about the service at - https://ubuntu.com/security/esm - """ - When I run `pro help esm-infra --format json` with sudo - Then I will see the following on stdout: - """ - {"name": "esm-infra", "entitled": "yes", "status": "enabled", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} - """ - And I verify that running `pro help invalid-service` `with sudo` exits `1` - And I will see the following on stderr: - """ - No help available for 'invalid-service' - """ - When I run `pro --help` as non-root - Then stdout matches regexp: - """ - Client to manage Ubuntu Pro services on a machine. - - anbox-cloud: .* - - cc-eal: Common Criteria EAL2 Provisioning Packages - \(https://ubuntu.com/security/cc\) - - esm-apps: Expanded Security Maintenance for Applications - \(https://ubuntu.com/security/esm\) - - esm-infra: Expanded Security Maintenance for Infrastructure - \(https://ubuntu.com/security/esm\) - - fips-preview: .* - .*\(https://ubuntu.com/security/fips\) - - fips-updates: FIPS compliant crypto packages with stable security updates - \(https://ubuntu.com/security/fips\) - - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) - - landscape: Management and administration tool for Ubuntu - \(https://ubuntu.com/landscape\) - - livepatch: Canonical Livepatch service - \(https://ubuntu.com/security/livepatch\) - - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated - \(https://ubuntu.com/realtime-kernel\) - - ros-updates: All Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - ros: Security Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - usg: Security compliance and audit tools - \(https://ubuntu.com/security/certifications/docs/usg\) - """ - When I run `pro help` with sudo - Then stdout matches regexp: - """ - Client to manage Ubuntu Pro services on a machine. - - anbox-cloud: .* - - cc-eal: Common Criteria EAL2 Provisioning Packages - \(https://ubuntu.com/security/cc\) - - esm-apps: Expanded Security Maintenance for Applications - \(https://ubuntu.com/security/esm\) - - esm-infra: Expanded Security Maintenance for Infrastructure - \(https://ubuntu.com/security/esm\) - - fips-preview: .* - .*\(https://ubuntu.com/security/fips\) - - fips-updates: FIPS compliant crypto packages with stable security updates - \(https://ubuntu.com/security/fips\) - - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) - - landscape: Management and administration tool for Ubuntu - \(https://ubuntu.com/landscape\) - - livepatch: Canonical Livepatch service - \(https://ubuntu.com/security/livepatch\) - - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated - \(https://ubuntu.com/realtime-kernel\) - - ros-updates: All Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - ros: Security Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - usg: Security compliance and audit tools - \(https://ubuntu.com/security/certifications/docs/usg\) - """ - When I run `pro help --all` as non-root - Then stdout matches regexp: - """ - Client to manage Ubuntu Pro services on a machine. - - anbox-cloud: .* - - cc-eal: Common Criteria EAL2 Provisioning Packages - \(https://ubuntu.com/security/cc\) - - esm-apps: Expanded Security Maintenance for Applications - \(https://ubuntu.com/security/esm\) - - esm-infra: Expanded Security Maintenance for Infrastructure - \(https://ubuntu.com/security/esm\) - - fips-preview: .* - .*\(https://ubuntu.com/security/fips\) - - fips-updates: FIPS compliant crypto packages with stable security updates - \(https://ubuntu.com/security/fips\) - - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) - - landscape: Management and administration tool for Ubuntu - \(https://ubuntu.com/landscape\) - - livepatch: Canonical Livepatch service - \(https://ubuntu.com/security/livepatch\) - - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated - \(https://ubuntu.com/realtime-kernel\) - - ros-updates: All Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - ros: Security Updates for the Robot Operating System - \(https://ubuntu.com/robotics/ros-esm\) - - usg: Security compliance and audit tools - \(https://ubuntu.com/security/certifications/docs/usg\) - """ - - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | - | jammy | lxd-container | - - Scenario Outline: Run timer script on an attached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `systemctl stop ua-timer.timer` with sudo - And I attach `contract_token` with sudo - Then I verify that running `pro config set update_messaging_timer=-2` `with sudo` exits `1` - And stderr matches regexp: - """ - Cannot set update_messaging_timer to -2: for interval must be a positive integer. - """ - When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo - Then stdout matches regexp: - """ - "update_messaging": - """ - When I run `pro config show` with sudo - Then stdout matches regexp: - """ - update_messaging_timer +21600 - """ - When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` - And I run `pro config set update_messaging_timer=0` with sudo - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo - Then stdout matches regexp: - """ - "update_messaging": null - """ - When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` - And I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { "metering_timer": 0 } - """ - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo - Then stdout matches regexp: - """ - "metering": null - """ - When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` - And I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { "metering_timer": "notanumber", "update_messaging_timer": -10 } - """ - And I run `systemctl start ua-timer.service` with sudo - Then I verify that running `sh -c 'journalctl -u ua-timer.service | grep "Invalid value for update_messaging interval found in config."'` `with sudo` exits `0` - And I verify that the timer interval for `update_messaging` is `21600` - And I verify that the timer interval for `metering` is `14400` - When I create the file `/var/lib/ubuntu-advantage/jobs-status.json` with the following: - """ - {"metering": {"last_run": "2022-11-29T19:15:52.434906+00:00", "next_run": "2022-11-29T23:15:52.434906+00:00"}, "update_messaging": {"last_run": "2022-11-29T19:15:52.434906+00:00", "next_run": "2022-11-30T01:15:52.434906+00:00"}, "update_status": {"last_run": "2022-11-29T19:15:52.434906+00:00", "next_run": "2022-11-30T01:15:52.434906+00:00"}} - """ - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo - Then stdout does not match regexp: - """ - "update_status" - """ - And stdout matches regexp: - """ - "metering" - """ - And stdout matches regexp: - """ - "update_messaging" - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | bionic | wsl | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Run timer script to valid machine activity endpoint - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt update - And I apt install `jq` - And I save the `activityInfo.activityToken` value from the contract - And I save the `activityInfo.activityID` value from the contract - # normal metering call when activityId is set by attach response above, expect new - # token and same id - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - Then I verify that `activityInfo.activityToken` value has been updated on the contract - And I verify that `activityInfo.activityID` value has not been updated on the contract - When I restore the saved `activityInfo.activityToken` value on contract - And I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` - # simulate "cloned" metering call where previously used activityToken is sent again, - # expect new token and new id - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - Then I verify that `activityInfo.activityToken` value has been updated on the contract - And I verify that `activityInfo.activityID` value has been updated on the contract - # We are keeping this test to guarantee that the activityPingInterval is also updated - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "id": "testCID" - }, - "machineId": "testMID" - } - } - """ - And I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: - """ - { - "https://contracts.canonical.com/v1/contracts/testCID/machine-activity/testMID": [ - { - "code": 200, - "response": { - "activityToken": "test-activity-token", - "activityID": "test-activity-id", - "activityPingInterval": 123456789 + Scenario Outline: Attached refresh in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro refresh` `as non-root` exits `1` + And stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I run `pro refresh` with sudo + Then I will see the following on stdout: + """ + Successfully processed your pro configuration. + Successfully refreshed your subscription. + Successfully updated Ubuntu Pro related APT and MOTD messages. + """ + When I run `pro refresh config` with sudo + Then I will see the following on stdout: + """ + Successfully processed your pro configuration. + """ + When I run `pro refresh contract` with sudo + Then I will see the following on stdout: + """ + Successfully refreshed your subscription. + """ + When I run `pro refresh messages` with sudo + Then I will see the following on stdout: + """ + Successfully updated Ubuntu Pro related APT and MOTD messages. + """ + When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + And I run `sh -c "ls /var/log/ubuntu-advantage* | sort -d"` as non-root + Then stdout matches regexp: + """ + /var/log/ubuntu-advantage.log + """ + When I run `logrotate --force /etc/logrotate.d/ubuntu-advantage-tools` with sudo + And I run `sh -c "ls /var/log/ubuntu-advantage* | sort -d"` as non-root + Then stdout matches regexp: + """ + /var/log/ubuntu-advantage.log + /var/log/ubuntu-advantage.log.1 + """ + + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | bionic | wsl | + | focal | lxd-container | + | focal | wsl | + | xenial | lxd-container | + | jammy | lxd-container | + | jammy | wsl | + | mantic | lxd-container | + + Scenario Outline: Disable command on an attached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro disable livepatch` `as non-root` exits `1` + And stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I verify that running `pro disable foobar` `as non-root` exits `1` + Then stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I verify that running `pro disable livepatch` `with sudo` exits `1` + Then I will see the following on stdout: + """ + Livepatch is not currently enabled + See: sudo pro status + """ + When I verify that running `pro disable foobar` `with sudo` exits `1` + Then stderr matches regexp: + """ + Cannot disable unknown service 'foobar'. + + """ + When I verify that running `pro disable livepatch foobar` `as non-root` exits `1` + Then stderr matches regexp: + """ + This command must be run as root \(try using sudo\) + """ + When I verify that running `pro disable livepatch foobar` `with sudo` exits `1` + Then I will see the following on stdout: + """ + Livepatch is not currently enabled + See: sudo pro status + """ + And stderr matches regexp: + """ + Cannot disable unknown service 'foobar'. + + """ + When I verify that running `pro disable esm-infra` `as non-root` exits `1` + Then stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I run `pro disable esm-infra` with sudo + Then I verify that `esm-infra` is disabled + And I verify that running `apt update` `with sudo` exits `0` + + Examples: ubuntu release + | release | machine_type | msg | + | xenial | lxd-container | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | bionic | lxd-container | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | focal | lxd-container | Try anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + | jammy | lxd-container | Try anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + + Scenario Outline: Attached disable with json format + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro disable foobar --format json` `as non-root` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + Then I verify that running `pro disable foobar --format json` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + Then I verify that running `pro disable foobar --format json --assume-yes` `as non-root` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + And I verify that running `pro disable foobar --format json --assume-yes` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "disable", "service_msg": "Try "}, "message": "Cannot disable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + And I verify that running `pro disable livepatch --format json --assume-yes` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "Livepatch is not currently enabled\nSee: sudo pro status", "message_code": "service-already-disabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + And I verify that running `pro disable esm-infra esm-apps --format json --assume-yes` `with sudo` exits `0` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} + """ + When I run `pro enable esm-infra` with sudo + Then I verify that running `pro disable esm-infra foobar --format json --assume-yes` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "disable", "service_msg": "Try "}, "message": "Cannot disable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "failure", "warnings": []} + """ + + Examples: ubuntu release + | release | machine_type | valid_services | + | xenial | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | bionic | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | focal | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + | jammy | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + + Scenario Outline: Attached detach in an ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro api u.pro.status.enabled_services.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "esm-apps", "variant_enabled": false, "variant_name": null}, {"name": "esm-infra", "variant_enabled": false, "variant_name": null}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + Then I verify that running `pro detach` `as non-root` exits `1` + And stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I run `pro detach --assume-yes` with sudo + Then I will see the following on stdout: + """ + Detach will disable the following services: + esm-apps + esm-infra + Updating package lists + Updating package lists + This machine is now detached. + """ + And the machine is unattached + And I ensure apt update runs without errors + When I attach `contract_token` with sudo + Then I verify that running `pro enable foobar --format json` `as non-root` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + Then I verify that running `pro enable foobar --format json` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + Then I verify that running `pro detach --format json --assume-yes` `as non-root` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + When I run `pro detach --format json --assume-yes` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} + """ + And the machine is unattached + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | bionic | wsl | + | focal | lxd-container | + | focal | wsl | + | jammy | lxd-container | + | jammy | wsl | + + Scenario Outline: Attached auto-attach in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro auto-attach` `as non-root` exits `1` + And stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I verify that running `pro auto-attach` `with sudo` exits `2` + Then stderr matches regexp: + """ + This machine is already attached to '.+' + To use a different subscription first run: sudo pro detach. + """ + + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Attached show version in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro version` as non-root + Then I will see the uaclient version on stdout + When I run `pro version` with sudo + Then I will see the uaclient version on stdout + When I run `pro --version` as non-root + Then I will see the uaclient version on stdout + When I run `pro --version` with sudo + Then I will see the uaclient version on stdout + + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Attached status in a ubuntu machine with feature overrides + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "resourceEntitlements": [ + { + "type": "cc-eal", + "entitled": false + } + ] } - }] - } - """ - And I append the following on uaclient config: - """ - features: - machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" - serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" - """ - When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - Then I verify that running `grep -q activityInfo /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` - And I verify that running `grep -q "\"activityToken\": \"test-activity-token\"" /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` - And I verify that running `grep -q "\"activityID\": \"test-activity-id\"" /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` - And I verify that running `grep -q "\"activityPingInterval\": 123456789" /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` - When I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo - Then stdout matches regexp: - """ - \"metering\" - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - - Scenario Outline: Run timer script to valid machine activity endpoint - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `rm /var/lib/ubuntu-advantage/machine-token.json` with sudo - Then the machine is unattached - When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo - Then I verify that files exist matching `/var/lib/ubuntu-advantage/machine-token.json` - Then the machine is attached - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - - Scenario Outline: Disable with purge does not work with assume-yes - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify that running `pro disable esm-apps --assume-yes --purge` `with sudo` exits `1` - Then stderr contains substring: - """ - Error: Cannot use --purge together with --assume-yes. - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - - Scenario Outline: Disable with purge works and purges repo services not involving a kernel - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt update - And I apt install `ansible` - And I run `pro disable esm-apps --purge` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - \(The --purge flag is still experimental - use with caution\) - - The following package\(s\) will be reinstalled from the archive: - .*ansible.* - - Do you want to proceed\? \(y/N\) - """ - And I verify that `esm-apps` is disabled - And I verify that `ansible` is installed from apt source `http://archive.ubuntu.com/ubuntu /universe` - - Examples: ubuntu release - | release | machine_type | pocket | - # This ends up in GH #943 but maybe can be improved? - | xenial | lxd-container | xenial-backports | - | bionic | lxd-container | bionic-updates | - | bionic | wsl | bionic-updates | - | focal | lxd-container | focal | - | jammy | lxd-container | jammy | - - Scenario Outline: Disable with purge unsupported services - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify that running `pro disable livepatch --purge` `with sudo` exits `1` - Then I will see the following on stdout: - """ - Livepatch does not support being disabled with --purge - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | - | focal | lxd-vm | - | jammy | lxd-vm | - - @slow - Scenario Outline: Disable and purge fips - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt update - And I run `pro enable --assume-yes` with sudo - And I reboot the machine - Then I verify that `` is enabled - When I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - And I verify that `openssh-server` is installed from apt source `` - And I verify that `` is installed from apt source `` - When I run `pro disable --purge` `with sudo` and stdin `y\ny` - Then stdout matches regexp: - """ - \(The --purge flag is still experimental - use with caution\) - - Purging the packages would uninstall the following kernel\(s\): - .* - .* is the current running kernel\. - If you cannot guarantee that other kernels in this system are bootable and - working properly, \*do not proceed\*\. You may end up with an unbootable system\. - Do you want to proceed\? \(y/N\) - """ - And stdout matches regexp: - """ - The following package\(s\) will be REMOVED: - (.|\n)+ - - The following package\(s\) will be reinstalled from the archive: - (.|\n)+ - - Do you want to proceed\? \(y/N\) - """ - When I reboot the machine - Then I verify that `` is disabled - When I run `uname -r` as non-root - Then stdout does not match regexp: - """ - fips - """ - And I verify that `openssh-server` is installed from apt source `` - And I verify that `` is not installed - - Examples: ubuntu release - | release | machine_type | fips-service | fips-name | kernel-package | fips-source | archive-source | - | xenial | lxd-vm | fips | FIPS | linux-fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main | - | xenial | lxd-vm | fips-updates | FIPS Updates | linux-fips | https://esm.ubuntu.com/fips-updates/ubuntu xenial-updates/main | https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main | - | bionic | lxd-vm | fips | FIPS | linux-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | lxd-vm | fips-updates | FIPS Updates | linux-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | aws.generic | fips | FIPS | linux-aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | aws.generic | fips-updates | FIPS Updates | linux-aws-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | azure.generic | fips | FIPS | linux-azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | azure.generic | fips-updates | FIPS Updates | linux-azure-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | gcp.generic | fips | FIPS | linux-gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | bionic | gcp.generic | fips-updates | FIPS Updates | linux-gcp-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | - | focal | lxd-vm | fips | FIPS | linux-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://archive.ubuntu.com/ubuntu focal-updates/main | - | focal | lxd-vm | fips-updates | FIPS Updates | linux-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://archive.ubuntu.com/ubuntu focal-updates/main | - | focal | aws.generic | fips | FIPS | linux-aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main | - | focal | aws.generic | fips-updates | FIPS Updates | linux-aws-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main | - | focal | azure.generic | fips | FIPS | linux-azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main | - | focal | azure.generic | fips-updates | FIPS Updates | linux-azure-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main | - | focal | gcp.generic | fips | FIPS | linux-gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main | - | focal | gcp.generic | fips-updates | FIPS Updates | linux-gcp-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main | - - @slow - Scenario Outline: Disable does not purge if no other kernel found - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt update - And I run `pro enable fips --assume-yes` with sudo - And I reboot the machine - And I run shell command `rm -rf $(find /boot -name 'vmlinuz*[^fips]')` with sudo - And I verify that running `pro disable fips --purge` `with sudo` exits `1` - Then stdout matches regexp: - """ - \(The --purge flag is still experimental - use with caution\) - - Purging the FIPS packages would uninstall the following kernel\(s\): - .* - .* is the current running kernel\. - No other valid Ubuntu kernel was found in the system\. - Removing the package would potentially make the system unbootable\. - Aborting\. - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | - | focal | lxd-vm | + } + } + """ + And I append the following on uaclient config: + """ + features: + machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" + disable_auto_attach: true + other: false + """ + And I attach `contract_token` with sudo + And I run `pro status --all` with sudo + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +.* + cc-eal +no + """ + And stdout matches regexp: + """ + FEATURES + disable_auto_attach: True + machine_token_overlay: /var/lib/ubuntu-advantage/machine-token-overlay.json + other: False + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +.* + cc-eal +no + """ + And stdout matches regexp: + """ + FEATURES + disable_auto_attach: True + machine_token_overlay: /var/lib/ubuntu-advantage/machine-token-overlay.json + other: False + """ + When I run `pro detach --assume-yes` with sudo + Then I verify that running `pro auto-attach` `with sudo` exits `1` + Then stderr matches regexp: + """ + features.disable_auto_attach set in config + """ + + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Attached enable when reboot required + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro disable esm-infra` with sudo + And I run `touch /var/run/reboot-required` with sudo + And I run `touch /var/run/reboot-required.pkgs` with sudo + And I run `pro enable esm-infra` with sudo + Then stdout matches regexp: + """ + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + """ + And stdout does not match regexp: + """ + A reboot is required to complete install. + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + + Scenario Outline: Help command on an attached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro help esm-infra` with sudo + Then I will see the following on stdout: + """ + Name: + esm-infra + + Entitled: + yes + + Status: + + + Help: + Expanded Security Maintenance for Infrastructure provides access to a private + PPA which includes available high and critical CVE fixes for Ubuntu LTS + packages in the Ubuntu Main repository between the end of the standard Ubuntu + LTS security maintenance and its end of life. It is enabled by default with + Ubuntu Pro. You can find out more about the service at + https://ubuntu.com/security/esm + """ + When I run `pro help esm-infra --format json` with sudo + Then I will see the following on stdout: + """ + {"name": "esm-infra", "entitled": "yes", "status": "", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} + """ + And I verify that running `pro help invalid-service` `with sudo` exits `1` + And I will see the following on stderr: + """ + No help available for 'invalid-service' + """ + When I run `pro --help` as non-root + Then stdout matches regexp: + """ + Client to manage Ubuntu Pro services on a machine. + - anbox-cloud: .* + - cc-eal: Common Criteria EAL2 Provisioning Packages + \(https://ubuntu.com/security/cc\) + - cis: Security compliance and audit tools + \(https://ubuntu.com/security/certifications/docs/usg\) + - esm-apps: Expanded Security Maintenance for Applications + \(https://ubuntu.com/security/esm\) + - esm-infra: Expanded Security Maintenance for Infrastructure + \(https://ubuntu.com/security/esm\) + - fips-preview: .* + .*\(https://ubuntu.com/security/fips\) + - fips-updates: FIPS compliant crypto packages with stable security updates + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) + - landscape: Management and administration tool for Ubuntu + \(https://ubuntu.com/landscape\) + - livepatch: Canonical Livepatch service + \(https://ubuntu.com/security/livepatch\) + """ + When I run `pro help` with sudo + Then stdout matches regexp: + """ + Client to manage Ubuntu Pro services on a machine. + - anbox-cloud: .* + - cc-eal: Common Criteria EAL2 Provisioning Packages + \(https://ubuntu.com/security/cc\) + - cis: Security compliance and audit tools + \(https://ubuntu.com/security/certifications/docs/usg\) + - esm-apps: Expanded Security Maintenance for Applications + \(https://ubuntu.com/security/esm\) + - esm-infra: Expanded Security Maintenance for Infrastructure + \(https://ubuntu.com/security/esm\) + - fips-preview: .* + .*\(https://ubuntu.com/security/fips\) + - fips-updates: FIPS compliant crypto packages with stable security updates + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) + - landscape: Management and administration tool for Ubuntu + \(https://ubuntu.com/landscape\) + - livepatch: Canonical Livepatch service + \(https://ubuntu.com/security/livepatch\) + """ + When I run `pro help --all` as non-root + Then stdout matches regexp: + """ + Client to manage Ubuntu Pro services on a machine. + - anbox-cloud: .* + - cc-eal: Common Criteria EAL2 Provisioning Packages + \(https://ubuntu.com/security/cc\) + - cis: Security compliance and audit tools + \(https://ubuntu.com/security/certifications/docs/usg\) + - esm-apps: Expanded Security Maintenance for Applications + \(https://ubuntu.com/security/esm\) + - esm-infra: Expanded Security Maintenance for Infrastructure + \(https://ubuntu.com/security/esm\) + - fips-preview: .* + .*\(https://ubuntu.com/security/fips\) + - fips-updates: FIPS compliant crypto packages with stable security updates + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) + - landscape: Management and administration tool for Ubuntu + \(https://ubuntu.com/landscape\) + - livepatch: Canonical Livepatch service + \(https://ubuntu.com/security/livepatch\) + - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated + \(https://ubuntu.com/realtime-kernel\) + - ros-updates: All Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - ros: Security Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + """ + + Examples: ubuntu release + | release | machine_type | infra-status | + | bionic | lxd-container | enabled | + | xenial | lxd-container | enabled | + | mantic | lxd-container | n/a | + + Scenario Outline: Help command on an attached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro help esm-infra` with sudo + Then I will see the following on stdout: + """ + Name: + esm-infra + + Entitled: + yes + + Status: + enabled + + Help: + Expanded Security Maintenance for Infrastructure provides access to a private + PPA which includes available high and critical CVE fixes for Ubuntu LTS + packages in the Ubuntu Main repository between the end of the standard Ubuntu + LTS security maintenance and its end of life. It is enabled by default with + Ubuntu Pro. You can find out more about the service at + https://ubuntu.com/security/esm + """ + When I run `pro help esm-infra --format json` with sudo + Then I will see the following on stdout: + """ + {"name": "esm-infra", "entitled": "yes", "status": "enabled", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} + """ + And I verify that running `pro help invalid-service` `with sudo` exits `1` + And I will see the following on stderr: + """ + No help available for 'invalid-service' + """ + When I run `pro --help` as non-root + Then stdout matches regexp: + """ + Client to manage Ubuntu Pro services on a machine. + - anbox-cloud: .* + - cc-eal: Common Criteria EAL2 Provisioning Packages + \(https://ubuntu.com/security/cc\) + - esm-apps: Expanded Security Maintenance for Applications + \(https://ubuntu.com/security/esm\) + - esm-infra: Expanded Security Maintenance for Infrastructure + \(https://ubuntu.com/security/esm\) + - fips-preview: .* + .*\(https://ubuntu.com/security/fips\) + - fips-updates: FIPS compliant crypto packages with stable security updates + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) + - landscape: Management and administration tool for Ubuntu + \(https://ubuntu.com/landscape\) + - livepatch: Canonical Livepatch service + \(https://ubuntu.com/security/livepatch\) + - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated + \(https://ubuntu.com/realtime-kernel\) + - ros-updates: All Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - ros: Security Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - usg: Security compliance and audit tools + \(https://ubuntu.com/security/certifications/docs/usg\) + """ + When I run `pro help` with sudo + Then stdout matches regexp: + """ + Client to manage Ubuntu Pro services on a machine. + - anbox-cloud: .* + - cc-eal: Common Criteria EAL2 Provisioning Packages + \(https://ubuntu.com/security/cc\) + - esm-apps: Expanded Security Maintenance for Applications + \(https://ubuntu.com/security/esm\) + - esm-infra: Expanded Security Maintenance for Infrastructure + \(https://ubuntu.com/security/esm\) + - fips-preview: .* + .*\(https://ubuntu.com/security/fips\) + - fips-updates: FIPS compliant crypto packages with stable security updates + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) + - landscape: Management and administration tool for Ubuntu + \(https://ubuntu.com/landscape\) + - livepatch: Canonical Livepatch service + \(https://ubuntu.com/security/livepatch\) + - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated + \(https://ubuntu.com/realtime-kernel\) + - ros-updates: All Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - ros: Security Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - usg: Security compliance and audit tools + \(https://ubuntu.com/security/certifications/docs/usg\) + """ + When I run `pro help --all` as non-root + Then stdout matches regexp: + """ + Client to manage Ubuntu Pro services on a machine. + - anbox-cloud: .* + - cc-eal: Common Criteria EAL2 Provisioning Packages + \(https://ubuntu.com/security/cc\) + - esm-apps: Expanded Security Maintenance for Applications + \(https://ubuntu.com/security/esm\) + - esm-infra: Expanded Security Maintenance for Infrastructure + \(https://ubuntu.com/security/esm\) + - fips-preview: .* + .*\(https://ubuntu.com/security/fips\) + - fips-updates: FIPS compliant crypto packages with stable security updates + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified FIPS crypto packages \(https://ubuntu.com/security/fips\) + - landscape: Management and administration tool for Ubuntu + \(https://ubuntu.com/landscape\) + - livepatch: Canonical Livepatch service + \(https://ubuntu.com/security/livepatch\) + - realtime-kernel: Ubuntu kernel with PREEMPT_RT patches integrated + \(https://ubuntu.com/realtime-kernel\) + - ros-updates: All Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - ros: Security Updates for the Robot Operating System + \(https://ubuntu.com/robotics/ros-esm\) + - usg: Security compliance and audit tools + \(https://ubuntu.com/security/certifications/docs/usg\) + """ + + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + | jammy | lxd-container | + + Scenario Outline: Run timer script on an attached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `systemctl stop ua-timer.timer` with sudo + And I attach `contract_token` with sudo + Then I verify that running `pro config set update_messaging_timer=-2` `with sudo` exits `1` + And stderr matches regexp: + """ + Cannot set update_messaging_timer to -2: for interval must be a positive integer. + """ + When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo + Then stdout matches regexp: + """ + "update_messaging": + """ + When I run `pro config show` with sudo + Then stdout matches regexp: + """ + update_messaging_timer +21600 + """ + When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` + And I run `pro config set update_messaging_timer=0` with sudo + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo + Then stdout matches regexp: + """ + "update_messaging": null + """ + When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` + And I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { "metering_timer": 0 } + """ + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo + Then stdout matches regexp: + """ + "metering": null + """ + When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` + And I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { "metering_timer": "notanumber", "update_messaging_timer": -10 } + """ + And I run `systemctl start ua-timer.service` with sudo + Then I verify that running `sh -c 'journalctl -u ua-timer.service | grep "Invalid value for update_messaging interval found in config."'` `with sudo` exits `0` + And I verify that the timer interval for `update_messaging` is `21600` + And I verify that the timer interval for `metering` is `14400` + When I create the file `/var/lib/ubuntu-advantage/jobs-status.json` with the following: + """ + {"metering": {"last_run": "2022-11-29T19:15:52.434906+00:00", "next_run": "2022-11-29T23:15:52.434906+00:00"}, "update_messaging": {"last_run": "2022-11-29T19:15:52.434906+00:00", "next_run": "2022-11-30T01:15:52.434906+00:00"}, "update_status": {"last_run": "2022-11-29T19:15:52.434906+00:00", "next_run": "2022-11-30T01:15:52.434906+00:00"}} + """ + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo + Then stdout does not match regexp: + """ + "update_status" + """ + And stdout matches regexp: + """ + "metering" + """ + And stdout matches regexp: + """ + "update_messaging" + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | bionic | wsl | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Run timer script to valid machine activity endpoint + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt update + And I apt install `jq` + And I save the `activityInfo.activityToken` value from the contract + And I save the `activityInfo.activityID` value from the contract + # normal metering call when activityId is set by attach response above, expect new + # token and same id + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + Then I verify that `activityInfo.activityToken` value has been updated on the contract + And I verify that `activityInfo.activityID` value has not been updated on the contract + When I restore the saved `activityInfo.activityToken` value on contract + And I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` + # simulate "cloned" metering call where previously used activityToken is sent again, + # expect new token and new id + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + Then I verify that `activityInfo.activityToken` value has been updated on the contract + And I verify that `activityInfo.activityID` value has been updated on the contract + # We are keeping this test to guarantee that the activityPingInterval is also updated + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "id": "testCID" + }, + "machineId": "testMID" + } + } + """ + And I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/contracts/testCID/machine-activity/testMID": [ + { + "code": 200, + "response": { + "activityToken": "test-activity-token", + "activityID": "test-activity-id", + "activityPingInterval": 123456789 + } + }] + } + """ + And I append the following on uaclient config: + """ + features: + machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" + serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" + """ + When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json` + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + Then I verify that running `grep -q activityInfo /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` + And I verify that running `grep -q "\"activityToken\": \"test-activity-token\"" /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` + And I verify that running `grep -q "\"activityID\": \"test-activity-id\"" /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` + And I verify that running `grep -q "\"activityPingInterval\": 123456789" /var/lib/ubuntu-advantage/private/machine-token.json` `with sudo` exits `0` + When I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo + Then stdout matches regexp: + """ + \"metering\" + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + + Scenario Outline: Run timer script to valid machine activity endpoint + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `rm /var/lib/ubuntu-advantage/machine-token.json` with sudo + Then the machine is unattached + When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo + Then I verify that files exist matching `/var/lib/ubuntu-advantage/machine-token.json` + Then the machine is attached + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + + Scenario Outline: Disable with purge does not work with assume-yes + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify that running `pro disable esm-apps --assume-yes --purge` `with sudo` exits `1` + Then stderr contains substring: + """ + Error: Cannot use --purge together with --assume-yes. + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + + Scenario Outline: Disable with purge works and purges repo services not involving a kernel + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt update + And I apt install `ansible` + And I run `pro disable esm-apps --purge` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + \(The --purge flag is still experimental - use with caution\) + + The following package\(s\) will be reinstalled from the archive: + .*ansible.* + + Do you want to proceed\? \(y/N\) + """ + And I verify that `esm-apps` is disabled + And I verify that `ansible` is installed from apt source `http://archive.ubuntu.com/ubuntu /universe` + + Examples: ubuntu release + | release | machine_type | pocket | + # This ends up in GH #943 but maybe can be improved? + | xenial | lxd-container | xenial-backports | + | bionic | lxd-container | bionic-updates | + | bionic | wsl | bionic-updates | + | focal | lxd-container | focal | + | jammy | lxd-container | jammy | + + Scenario Outline: Disable with purge unsupported services + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify that running `pro disable livepatch --purge` `with sudo` exits `1` + Then I will see the following on stdout: + """ + Livepatch does not support being disabled with --purge + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | + | focal | lxd-vm | + | jammy | lxd-vm | + + @slow + Scenario Outline: Disable and purge fips + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt update + And I run `pro enable --assume-yes` with sudo + And I reboot the machine + Then I verify that `` is enabled + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `` is installed from apt source `` + When I run `pro disable --purge` `with sudo` and stdin `y\ny` + Then stdout matches regexp: + """ + \(The --purge flag is still experimental - use with caution\) + + Purging the packages would uninstall the following kernel\(s\): + .* + .* is the current running kernel\. + If you cannot guarantee that other kernels in this system are bootable and + working properly, \*do not proceed\*\. You may end up with an unbootable system\. + Do you want to proceed\? \(y/N\) + """ + And stdout matches regexp: + """ + The following package\(s\) will be REMOVED: + (.|\n)+ + + The following package\(s\) will be reinstalled from the archive: + (.|\n)+ + + Do you want to proceed\? \(y/N\) + """ + When I reboot the machine + Then I verify that `` is disabled + When I run `uname -r` as non-root + Then stdout does not match regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `` is not installed + + Examples: ubuntu release + | release | machine_type | fips-service | fips-name | kernel-package | fips-source | archive-source | + | xenial | lxd-vm | fips | FIPS | linux-fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main | + | xenial | lxd-vm | fips-updates | FIPS Updates | linux-fips | https://esm.ubuntu.com/fips-updates/ubuntu xenial-updates/main | https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main | + | bionic | lxd-vm | fips | FIPS | linux-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | lxd-vm | fips-updates | FIPS Updates | linux-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | aws.generic | fips | FIPS | linux-aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | aws.generic | fips-updates | FIPS Updates | linux-aws-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | azure.generic | fips | FIPS | linux-azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | azure.generic | fips-updates | FIPS Updates | linux-azure-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | gcp.generic | fips | FIPS | linux-gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | gcp.generic | fips-updates | FIPS Updates | linux-gcp-fips | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | focal | lxd-vm | fips | FIPS | linux-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://archive.ubuntu.com/ubuntu focal-updates/main | + | focal | lxd-vm | fips-updates | FIPS Updates | linux-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://archive.ubuntu.com/ubuntu focal-updates/main | + | focal | aws.generic | fips | FIPS | linux-aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | aws.generic | fips-updates | FIPS Updates | linux-aws-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | azure.generic | fips | FIPS | linux-azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | azure.generic | fips-updates | FIPS Updates | linux-azure-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | gcp.generic | fips | FIPS | linux-gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | gcp.generic | fips-updates | FIPS Updates | linux-gcp-fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main | + + @slow + Scenario Outline: Disable does not purge if no other kernel found + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt update + And I run `pro enable fips --assume-yes` with sudo + And I reboot the machine + And I run shell command `rm -rf $(find /boot -name 'vmlinuz*[^fips]')` with sudo + And I verify that running `pro disable fips --purge` `with sudo` exits `1` + Then stdout matches regexp: + """ + \(The --purge flag is still experimental - use with caution\) + + Purging the FIPS packages would uninstall the following kernel\(s\): + .* + .* is the current running kernel\. + No other valid Ubuntu kernel was found in the system\. + Removing the package would potentially make the system unbootable\. + Aborting\. + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | + | focal | lxd-vm | diff --git a/features/attached_enable.feature b/features/attached_enable.feature index 759380d1ca..ba8ff9ed23 100644 --- a/features/attached_enable.feature +++ b/features/attached_enable.feature @@ -1,1036 +1,1041 @@ @uses.config.contract_token Feature: Enable command behaviour when attached to an Ubuntu Pro subscription - Scenario Outline: Attached enable Common Criteria service in an ubuntu lxd container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro enable cc-eal` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I run `pro enable cc-eal` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating CC EAL2 package lists - (This will download more than 500MB of packages, so may take some time.) - Updating standard Ubuntu package lists - Installing CC EAL2 packages - CC EAL2 enabled - Please follow instructions in /usr/share/doc/ubuntu-commoncriteria/README to configure EAL2 - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | bionic | wsl | + Scenario Outline: Attached enable Common Criteria service in an ubuntu lxd container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro enable cc-eal` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I run `pro enable cc-eal` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating CC EAL2 package lists + (This will download more than 500MB of packages, so may take some time.) + Updating standard Ubuntu package lists + Installing CC EAL2 packages + CC EAL2 enabled + Please follow instructions in /usr/share/doc/ubuntu-commoncriteria/README to configure EAL2 + """ - Scenario Outline: Enable cc-eal with --access-only - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I run `pro enable cc-eal --access-only` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating CC EAL2 package lists - Skipping installing packages: ubuntu-commoncriteria - CC EAL2 access enabled - """ - Then I verify that running `apt-get install ubuntu-commoncriteria` `with sudo` exits `0` - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | bionic | wsl | - Scenario Outline: Attached enable Common Criteria service in an ubuntu lxd container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro enable cc-eal` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro enable cc-eal` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - CC EAL2 is not available for Ubuntu (). - """ - Examples: ubuntu release - | release | machine_type | version | full_name | - | focal | lxd-container | 20.04 LTS | Focal Fossa | - | jammy | lxd-container | 22.04 LTS | Jammy Jellyfish | - | mantic | lxd-container | 23.10 | Mantic Minotaur | + Scenario Outline: Enable cc-eal with --access-only + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I run `pro enable cc-eal --access-only` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating CC EAL2 package lists + Skipping installing packages: ubuntu-commoncriteria + CC EAL2 access enabled + """ + Then I verify that running `apt-get install ubuntu-commoncriteria` `with sudo` exits `0` - Scenario Outline: Empty series affordance means no series, null means all series - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - resourceEntitlements: - - type: esm-infra - affordances: - series: [] - """ - When I verify that running `pro enable esm-infra` `with sudo` exits `1` - Then stdout matches regexp: - """ - One moment, checking your subscription first - Ubuntu Pro: ESM Infra is not available for Ubuntu .* - """ - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "resourceEntitlements": [ - { - "type": "esm-infra", - "affordances": { - "series": null - } - } - ] - } - } - } - """ - When I verify that running `pro enable esm-infra` `with sudo` exits `0` - Then stdout matches regexp: - """ - One moment, checking your subscription first - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | - Scenario Outline: Attached enable of different services using json format - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro enable foobar --format json` `as non-root` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - Then I verify that running `pro enable foobar --format json` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - Then I verify that running `pro enable foobar --format json --assume-yes` `as non-root` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - And I verify that running `pro enable foobar --format json --assume-yes` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "enable", "service_msg": "Try "}, "message": "Cannot enable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - And I verify that running `pro enable blah foobar --format json --assume-yes` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "blah, foobar", "operation": "enable", "service_msg": "Try "}, "message": "Cannot enable unknown service 'blah, foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["blah", "foobar"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - And I verify that running `pro enable esm-infra --format json --assume-yes` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - Then I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "Ubuntu Pro: ESM Infra is already enabled.\nSee: sudo pro status", "message_code": "service-already-enabled", "service": "esm-infra", "type": "service"}], "failed_services": ["esm-infra"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - When I run `pro disable esm-infra` with sudo - And I run `pro enable esm-infra --format json --assume-yes` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "success", "warnings": []} - """ - When I run `pro disable esm-infra` with sudo - And I verify that running `pro enable esm-infra foobar --format json --assume-yes` `with sudo` exits `1` - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "enable", "service_msg": "Try "}, "message": "Cannot enable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar"], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "failure", "warnings": []} - """ - When I run `pro disable esm-infra esm-apps` with sudo - And I run `pro enable esm-infra esm-apps --beta --format json --assume-yes` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} - """ + Scenario Outline: Attached enable Common Criteria service in an ubuntu lxd container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro enable cc-eal` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro enable cc-eal` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + CC EAL2 is not available for Ubuntu (). + """ - Examples: ubuntu release - | release | machine_type | valid_services | - | xenial | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | bionic | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | focal | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - | jammy | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + Examples: ubuntu release + | release | machine_type | version | full_name | + | focal | lxd-container | 20.04 LTS | Focal Fossa | + | jammy | lxd-container | 22.04 LTS | Jammy Jellyfish | + | mantic | lxd-container | 23.10 | Mantic Minotaur | - Scenario Outline: Attached enable of a service in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro enable foobar` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - And I verify that running `pro enable foobar` `with sudo` exits `1` - And I will see the following on stdout: - """ - One moment, checking your subscription first - """ - And stderr matches regexp: - """ - Cannot enable unknown service 'foobar'. - - """ - And I verify that running `pro enable blah foobar` `with sudo` exits `1` - And I will see the following on stdout: - """ - One moment, checking your subscription first - """ - And stderr matches regexp: - """ - Cannot enable unknown service 'blah, foobar'. - - """ - And I verify that running `pro enable esm-infra` `with sudo` exits `1` - And I will see the following on stdout: - """ - One moment, checking your subscription first - Ubuntu Pro: ESM Infra is already enabled. - See: sudo pro status - """ - When I run `apt-cache policy` with sudo - Then apt-cache policy for the following url has priority `510` - """ - -infra-updates/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - -infra-security/main amd64 Packages - """ - And I ensure apt update runs without errors - When I apt install `` - And I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - \s*510 -infra-security/main amd64 Packages - """ + Scenario Outline: Empty series affordance means no series, null means all series + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + resourceEntitlements: + - type: esm-infra + affordances: + series: [] + """ + When I verify that running `pro enable esm-infra` `with sudo` exits `1` + Then stdout matches regexp: + """ + One moment, checking your subscription first + Ubuntu Pro: ESM Infra is not available for Ubuntu .* + """ + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "resourceEntitlements": [ + { + "type": "esm-infra", + "affordances": { + "series": null + } + } + ] + } + } + } + """ + When I verify that running `pro enable esm-infra` `with sudo` exits `0` + Then stdout matches regexp: + """ + One moment, checking your subscription first + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + """ - Examples: ubuntu release - | release | machine_type | infra-pkg | esm-infra-url | msg | - | xenial | lxd-container | libkrad0 | https://esm.ubuntu.com/infra/ubuntu | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | bionic | lxd-container | libkrad0 | https://esm.ubuntu.com/infra/ubuntu | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | - | focal | lxd-container | hello | https://esm.ubuntu.com/infra/ubuntu | Try anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - Scenario Outline: Attached enable of non-container services in a ubuntu lxd container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro enable livepatch` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - And I verify that running `pro enable livepatch` `with sudo` exits `1` - And I will see the following on stdout: - """ - One moment, checking your subscription first - Cannot install Livepatch on a container. - """ + Scenario Outline: Attached enable of different services using json format + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro enable foobar --format json` `as non-root` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + Then I verify that running `pro enable foobar --format json` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + Then I verify that running `pro enable foobar --format json --assume-yes` `as non-root` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + And I verify that running `pro enable foobar --format json --assume-yes` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "enable", "service_msg": "Try "}, "message": "Cannot enable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + And I verify that running `pro enable blah foobar --format json --assume-yes` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "blah, foobar", "operation": "enable", "service_msg": "Try "}, "message": "Cannot enable unknown service 'blah, foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["blah", "foobar"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + And I verify that running `pro enable esm-infra --format json --assume-yes` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + Then I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "Ubuntu Pro: ESM Infra is already enabled.\nSee: sudo pro status", "message_code": "service-already-enabled", "service": "esm-infra", "type": "service"}], "failed_services": ["esm-infra"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + When I run `pro disable esm-infra` with sudo + And I run `pro enable esm-infra --format json --assume-yes` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "success", "warnings": []} + """ + When I run `pro disable esm-infra` with sudo + And I verify that running `pro enable esm-infra foobar --format json --assume-yes` `with sudo` exits `1` + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "foobar", "operation": "enable", "service_msg": "Try "}, "message": "Cannot enable unknown service 'foobar'.\nTry ", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar"], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "failure", "warnings": []} + """ + When I run `pro disable esm-infra esm-apps` with sudo + And I run `pro enable esm-infra esm-apps --beta --format json --assume-yes` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []} + """ - Examples: Un-supported services in containers - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | valid_services | + | xenial | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | bionic | lxd-container | anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | focal | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | + | jammy | lxd-container | anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - Scenario Outline: Attached enable not entitled service in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - resourceEntitlements: - - type: esm-apps - entitled: false - """ - When I attach `contract_token` with sudo - Then I verify that running `pro enable esm-apps` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - And I verify that running `pro enable esm-apps --beta` `with sudo` exits `1` - And I will see the following on stdout: - """ - One moment, checking your subscription first - This subscription is not entitled to Ubuntu Pro: ESM Apps - View your subscription at: https://ubuntu.com/pro/dashboard - """ + Scenario Outline: Attached enable of a service in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro enable foobar` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + And I verify that running `pro enable foobar` `with sudo` exits `1` + And I will see the following on stdout: + """ + One moment, checking your subscription first + """ + And stderr matches regexp: + """ + Cannot enable unknown service 'foobar'. + + """ + And I verify that running `pro enable blah foobar` `with sudo` exits `1` + And I will see the following on stdout: + """ + One moment, checking your subscription first + """ + And stderr matches regexp: + """ + Cannot enable unknown service 'blah, foobar'. + + """ + And I verify that running `pro enable esm-infra` `with sudo` exits `1` + And I will see the following on stdout: + """ + One moment, checking your subscription first + Ubuntu Pro: ESM Infra is already enabled. + See: sudo pro status + """ + When I run `apt-cache policy` with sudo + Then apt-cache policy for the following url has priority `510` + """ + -infra-updates/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + -infra-security/main amd64 Packages + """ + And I ensure apt update runs without errors + When I apt install `` + And I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + \s*510 -infra-security/main amd64 Packages + """ - Examples: not entitled services - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | infra-pkg | esm-infra-url | msg | + | xenial | lxd-container | libkrad0 | https://esm.ubuntu.com/infra/ubuntu | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | bionic | lxd-container | libkrad0 | https://esm.ubuntu.com/infra/ubuntu | Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates. | + | focal | lxd-container | hello | https://esm.ubuntu.com/infra/ubuntu | Try anbox-cloud, cc-eal, esm-apps, esm-infra, fips, fips-preview, fips-updates,\nlandscape, livepatch, realtime-kernel, ros, ros-updates, usg. | - Scenario Outline: Attached enable of cis service in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify that running `pro enable cis --access-only` `with sudo` exits `0` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating CIS Audit package lists - Skipping installing packages: usg-cisbenchmark usg-common - CIS Audit access enabled - Visit https://ubuntu.com/security/cis to learn how to use CIS - """ - When I run `pro disable cis` with sudo - And I verify that running `pro enable cis` `with sudo` exits `0` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating CIS Audit package lists - Updating standard Ubuntu package lists - Installing CIS Audit packages - CIS Audit enabled - Visit https://ubuntu.com/security/cis to learn how to use CIS - """ - When I run `apt-cache policy usg-cisbenchmark` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - And stdout matches regexp: - """ - \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages - """ - When I run `apt-cache policy usg-common` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - And stdout matches regexp: - """ - \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages - """ - When I verify that running `pro enable cis` `with sudo` exits `1` - Then stdout matches regexp - """ - One moment, checking your subscription first - CIS Audit is already enabled. - See: sudo pro status - """ - When I run `cis-audit level1_server` with sudo - Then stdout matches regexp - """ - Title.*Ensure no duplicate UIDs exist - Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* - Result.*pass - """ - And stdout matches regexp: - """ - Title.*Ensure default user umask is 027 or more restrictive - Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* - Result.*fail - """ - And stdout matches regexp - """ - CIS audit scan completed - """ - When I verify that running `/usr/share/ubuntu-scap-security-guides/cis-hardening/ lvl1_server` `with sudo` exits `0` - And I run `cis-audit level1_server` with sudo - Then stdout matches regexp: - """ - Title.*Ensure default user umask is 027 or more restrictive - Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* - Result.*pass - """ - And stdout matches regexp - """ - CIS audit scan completed - """ + Scenario Outline: Attached enable of non-container services in a ubuntu lxd container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro enable livepatch` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + And I verify that running `pro enable livepatch` `with sudo` exits `1` + And I will see the following on stdout: + """ + One moment, checking your subscription first + Cannot install Livepatch on a container. + """ - Examples: cis script - | release | machine_type | cis_script | - | bionic | lxd-container | Canonical_Ubuntu_18.04_CIS-harden.sh | - | bionic | wsl | Canonical_Ubuntu_18.04_CIS-harden.sh | - | xenial | lxd-container | Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh | + Examples: Un-supported services in containers + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Scenario Outline: Attached enable of cis service in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify that running `pro enable cis` `with sudo` exits `0` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - From Ubuntu 20.04 onward 'pro enable cis' has been - replaced by 'pro enable usg'. See more information at: - https://ubuntu.com/security/certifications/docs/usg - Updating CIS Audit package lists - Updating standard Ubuntu package lists - Installing CIS Audit packages - CIS Audit enabled - Visit https://ubuntu.com/security/cis to learn how to use CIS - """ - When I run `apt-cache policy usg-cisbenchmark` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - And stdout matches regexp: - """ - \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages - """ - When I run `apt-cache policy usg-common` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - And stdout matches regexp: - """ - \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages - """ - When I verify that running `pro enable cis` `with sudo` exits `1` - Then stdout matches regexp - """ - One moment, checking your subscription first - From Ubuntu 20.04 onward 'pro enable cis' has been - replaced by 'pro enable usg'. See more information at: - https://ubuntu.com/security/certifications/docs/usg - CIS Audit is already enabled. - See: sudo pro status - """ - When I run `cis-audit level1_server` with sudo - Then stdout matches regexp - """ - Title.*Ensure no duplicate UIDs exist - Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* - Result.*pass - """ - And stdout matches regexp: - """ - Title.*Ensure default user umask is 027 or more restrictive - Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* - Result.*fail - """ - And stdout matches regexp - """ - CIS audit scan completed - """ - When I verify that running `/usr/share/ubuntu-scap-security-guides/cis-hardening/ lvl1_server` `with sudo` exits `0` - And I run `cis-audit level1_server` with sudo - Then stdout matches regexp: - """ - Title.*Ensure default user umask is 027 or more restrictive - Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* - Result.*pass - """ - And stdout matches regexp - """ - CIS audit scan completed - """ + Scenario Outline: Attached enable not entitled service in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + resourceEntitlements: + - type: esm-apps + entitled: false + """ + When I attach `contract_token` with sudo + Then I verify that running `pro enable esm-apps` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + And I verify that running `pro enable esm-apps --beta` `with sudo` exits `1` + And I will see the following on stdout: + """ + One moment, checking your subscription first + This subscription is not entitled to Ubuntu Pro: ESM Apps + View your subscription at: https://ubuntu.com/pro/dashboard + """ - Examples: cis script - | release | machine_type | cis_script | - | focal | lxd-container | Canonical_Ubuntu_20.04_CIS-harden.sh | + Examples: not entitled services + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - Scenario Outline: Attached enable of usg service in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify that running `pro enable usg` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - """ - And stderr matches regexp: - """ - Cannot enable unknown service 'usg'. - Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates\. - """ + Scenario Outline: Attached enable of cis service in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify that running `pro enable cis --access-only` `with sudo` exits `0` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating CIS Audit package lists + Skipping installing packages: usg-cisbenchmark usg-common + CIS Audit access enabled + Visit https://ubuntu.com/security/cis to learn how to use CIS + """ + When I run `pro disable cis` with sudo + And I verify that running `pro enable cis` `with sudo` exits `0` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating CIS Audit package lists + Updating standard Ubuntu package lists + Installing CIS Audit packages + CIS Audit enabled + Visit https://ubuntu.com/security/cis to learn how to use CIS + """ + When I run `apt-cache policy usg-cisbenchmark` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + And stdout matches regexp: + """ + \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages + """ + When I run `apt-cache policy usg-common` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + And stdout matches regexp: + """ + \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages + """ + When I verify that running `pro enable cis` `with sudo` exits `1` + Then stdout matches regexp + """ + One moment, checking your subscription first + CIS Audit is already enabled. + See: sudo pro status + """ + When I run `cis-audit level1_server` with sudo + Then stdout matches regexp + """ + Title.*Ensure no duplicate UIDs exist + Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* + Result.*pass + """ + And stdout matches regexp: + """ + Title.*Ensure default user umask is 027 or more restrictive + Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* + Result.*fail + """ + And stdout matches regexp + """ + CIS audit scan completed + """ + When I verify that running `/usr/share/ubuntu-scap-security-guides/cis-hardening/ lvl1_server` `with sudo` exits `0` + And I run `cis-audit level1_server` with sudo + Then stdout matches regexp: + """ + Title.*Ensure default user umask is 027 or more restrictive + Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* + Result.*pass + """ + And stdout matches regexp + """ + CIS audit scan completed + """ - Examples: cis service - | release | machine_type | - | bionic | lxd-container | - | xenial | lxd-container | + Examples: cis script + | release | machine_type | cis_script | + | bionic | lxd-container | Canonical_Ubuntu_18.04_CIS-harden.sh | + | bionic | wsl | Canonical_Ubuntu_18.04_CIS-harden.sh | + | xenial | lxd-container | Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh | - Scenario Outline: Attached enable of usg service in a focal machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro enable usg` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating Ubuntu Security Guide package lists - Ubuntu Security Guide enabled - Visit https://ubuntu.com/security/certifications/docs/usg for the next steps - """ - And I verify that `usg` is enabled - When I run `pro disable usg` with sudo - Then stdout matches regexp: - """ - Updating package lists - """ - And I verify that `usg` is disabled - When I run `pro enable cis` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - From Ubuntu 20.04 onward 'pro enable cis' has been - replaced by 'pro enable usg'. See more information at: - https://ubuntu.com/security/certifications/docs/usg - Updating CIS Audit package lists - Updating standard Ubuntu package lists - Installing CIS Audit packages - CIS Audit enabled - Visit https://ubuntu.com/security/cis to learn how to use CIS - """ - And I verify that `usg` is enabled - When I run `pro disable usg` with sudo - Then stdout matches regexp: - """ - Updating package lists - """ - And I verify that `usg` is disabled + Scenario Outline: Attached enable of cis service in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify that running `pro enable cis` `with sudo` exits `0` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + From Ubuntu 20.04 onward 'pro enable cis' has been + replaced by 'pro enable usg'. See more information at: + https://ubuntu.com/security/certifications/docs/usg + Updating CIS Audit package lists + Updating standard Ubuntu package lists + Installing CIS Audit packages + CIS Audit enabled + Visit https://ubuntu.com/security/cis to learn how to use CIS + """ + When I run `apt-cache policy usg-cisbenchmark` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + And stdout matches regexp: + """ + \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages + """ + When I run `apt-cache policy usg-common` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + And stdout matches regexp: + """ + \s* 500 https://esm.ubuntu.com/cis/ubuntu /main amd64 Packages + """ + When I verify that running `pro enable cis` `with sudo` exits `1` + Then stdout matches regexp + """ + One moment, checking your subscription first + From Ubuntu 20.04 onward 'pro enable cis' has been + replaced by 'pro enable usg'. See more information at: + https://ubuntu.com/security/certifications/docs/usg + CIS Audit is already enabled. + See: sudo pro status + """ + When I run `cis-audit level1_server` with sudo + Then stdout matches regexp + """ + Title.*Ensure no duplicate UIDs exist + Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* + Result.*pass + """ + And stdout matches regexp: + """ + Title.*Ensure default user umask is 027 or more restrictive + Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* + Result.*fail + """ + And stdout matches regexp + """ + CIS audit scan completed + """ + When I verify that running `/usr/share/ubuntu-scap-security-guides/cis-hardening/ lvl1_server` `with sudo` exits `0` + And I run `cis-audit level1_server` with sudo + Then stdout matches regexp: + """ + Title.*Ensure default user umask is 027 or more restrictive + Rule.*xccdf_com.ubuntu..cis_rule_CIS-.* + Result.*pass + """ + And stdout matches regexp + """ + CIS audit scan completed + """ - Examples: cis service - | release | machine_type | - | focal | lxd-container | - | focal | wsl | + Examples: cis script + | release | machine_type | cis_script | + | focal | lxd-container | Canonical_Ubuntu_20.04_CIS-harden.sh | - Scenario Outline: Attached disable of livepatch in a lxd vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `livepatch` status is `` - When I run `pro disable livepatch` with sudo - Then I verify that running `canonical-livepatch status` `with sudo` exits `1` - And stderr matches regexp: - """ - Machine is not enabled. Please run 'sudo canonical-livepatch enable' with the - token obtained from https://ubuntu.com/livepatch. - """ - And I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `livepatch` is disabled - When I verify that running `pro enable livepatch --access-only` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Livepatch does not support being enabled with --access-only - """ + Scenario Outline: Attached enable of usg service in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify that running `pro enable usg` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + """ + And stderr matches regexp: + """ + Cannot enable unknown service 'usg'. + Try anbox-cloud, cc-eal, cis, esm-apps, esm-infra, fips, fips-preview,\nfips-updates, landscape, livepatch, realtime-kernel, ros, ros-updates\. + """ - Examples: ubuntu release - | release | machine_type | livepatch_status | - | xenial | lxd-vm | warning | - | bionic | lxd-vm | enabled | + Examples: cis service + | release | machine_type | + | bionic | lxd-container | + | xenial | lxd-container | - Scenario Outline: Attach works when snapd cannot be installed - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt remove `snapd` - And I create the file `/etc/apt/preferences.d/no-snapd` with the following - """ - Package: snapd - Pin: release o=* - Pin-Priority: -10 - """ - And I apt update - When I attempt to attach `contract_token` with sudo - Then I will see the following on stderr: - """ - Enabling default service esm-apps - Enabling default service esm-infra - Enabling default service livepatch - Failed to enable default services, check: sudo pro status - """ - And I verify that `livepatch` is disabled - And I verify that running `pro enable livepatch` `with sudo` exits `1` - And I will see the following on stdout: - """ - One moment, checking your subscription first - Installing snapd - Updating standard Ubuntu package lists - Failed to install snapd on the system - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | + Scenario Outline: Attached enable of usg service in a focal machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro enable usg` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating Ubuntu Security Guide package lists + Ubuntu Security Guide enabled + Visit https://ubuntu.com/security/certifications/docs/usg for the next steps + """ + And I verify that `usg` is enabled + When I run `pro disable usg` with sudo + Then stdout matches regexp: + """ + Updating package lists + """ + And I verify that `usg` is disabled + When I run `pro enable cis` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + From Ubuntu 20.04 onward 'pro enable cis' has been + replaced by 'pro enable usg'. See more information at: + https://ubuntu.com/security/certifications/docs/usg + Updating CIS Audit package lists + Updating standard Ubuntu package lists + Installing CIS Audit packages + CIS Audit enabled + Visit https://ubuntu.com/security/cis to learn how to use CIS + """ + And I verify that `usg` is enabled + When I run `pro disable usg` with sudo + Then stdout matches regexp: + """ + Updating package lists + """ + And I verify that `usg` is disabled - Scenario Outline: Attached enable livepatch - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `canonical-livepatch status` `with sudo` exits `1` - Then I will see the following on stderr: - """ - sudo: canonical-livepatch: command not found - """ - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Installing canonical-livepatch snap - Canonical Livepatch enabled - """ - And I verify that `livepatch` status is `` - When I run `canonical-livepatch status` with sudo - Then stdout matches regexp: - """ - running: true - """ + Examples: cis service + | release | machine_type | + | focal | lxd-container | + | focal | wsl | - Examples: ubuntu release - | release | machine_type | livepatch_status | - | xenial | lxd-vm | warning | - | bionic | lxd-vm | enabled | + Scenario Outline: Attached disable of livepatch in a lxd vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `livepatch` status is `` + When I run `pro disable livepatch` with sudo + Then I verify that running `canonical-livepatch status` `with sudo` exits `1` + And stderr matches regexp: + """ + Machine is not enabled. Please run 'sudo canonical-livepatch enable' with the + token obtained from https://ubuntu.com/livepatch. + """ + And I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `livepatch` is disabled + When I verify that running `pro enable livepatch --access-only` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Livepatch does not support being enabled with --access-only + """ - Scenario Outline: Attached enable livepatch - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Installing canonical-livepatch snap - Canonical Livepatch enabled - """ - And I verify that `livepatch` status is warning - When I run `pro api u.pro.security.status.reboot_required.v1` with sudo - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "no", "reboot_required_packages": {"kernel_packages": null, "standard_packages": null}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I run `pro system reboot-required` as non-root - Then I will see the following on stdout: - """ - no - """ - When I apt install `libc6` - And I run `pro api u.pro.security.status.reboot_required.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "yes", "reboot_required_packages": {"kernel_packages": \[\], "standard_packages": \["libc6"\]}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I run `pro system reboot-required` as non-root - Then I will see the following on stdout: - """ - yes - """ - When I reboot the machine - And I run `pro system reboot-required` as non-root - Then I will see the following on stdout: - """ - no - """ - When I apt install `linux-image-generic` - And I run `pro api u.pro.security.status.reboot_required.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "yes", "reboot_required_packages": {"kernel_packages": \["linux-base"\], "standard_packages": \[\]}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I run `pro system reboot-required` as non-root - Then I will see the following on stdout: - """ - yes - """ - When I apt install `dbus` - And I run `pro api u.pro.security.status.reboot_required.v1` with sudo - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "yes", "reboot_required_packages": {"kernel_packages": \["linux-base"\], "standard_packages": \["dbus"\]}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I run `pro system reboot-required` as non-root - Then I will see the following on stdout: - """ - yes - """ + Examples: ubuntu release + | release | machine_type | livepatch_status | + | xenial | lxd-vm | warning | + | bionic | lxd-vm | enabled | - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | + Scenario Outline: Attach works when snapd cannot be installed + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt remove `snapd` + And I create the file `/etc/apt/preferences.d/no-snapd` with the following + """ + Package: snapd + Pin: release o=* + Pin-Priority: -10 + """ + And I apt update + When I attempt to attach `contract_token` with sudo + Then I will see the following on stderr: + """ + Enabling default service esm-apps + Enabling default service esm-infra + Enabling default service livepatch + Failed to enable default services, check: sudo pro status + """ + And I verify that `livepatch` is disabled + And I verify that running `pro enable livepatch` `with sudo` exits `1` + And I will see the following on stdout: + """ + One moment, checking your subscription first + Installing snapd + Updating standard Ubuntu package lists + Failed to install snapd on the system + """ - @slow - Scenario: Attached enable livepatch on a machine with fips active - Given a `bionic` `lxd-vm` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - Installing snapd snap - Installing canonical-livepatch snap - Canonical Livepatch enabled - """ - When I run `pro disable livepatch` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating FIPS package lists - Installing FIPS packages - Updating standard Ubuntu package lists - FIPS enabled - A reboot is required to complete install. - """ - When I append the following on uaclient config: - """ - features: - block_disable_on_enable: true - """ - Then I verify that running `pro enable livepatch` `with sudo` exits `1` - And I will see the following on stdout - """ - One moment, checking your subscription first - Cannot enable Livepatch when FIPS is enabled. - """ - Then I verify that running `pro enable livepatch --format json --assume-yes` `with sudo` exits `1` - And I will see the following on stdout - """ - {"_schema_version": "0.1", "errors": [{"message": "Cannot enable Livepatch when FIPS is enabled.", "message_code": "livepatch-error-when-fips-enabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | - Scenario: Attached enable fips on a machine with livepatch active - Given a `bionic` `lxd-vm` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - Installing snapd snap - Installing canonical-livepatch snap - Canonical Livepatch enabled - """ - When I append the following on uaclient config: - """ - features: - block_disable_on_enable: true - """ - Then I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` - And I will see the following on stdout - """ - One moment, checking your subscription first - Cannot enable FIPS when Livepatch is enabled. - """ - Then I verify that running `pro enable fips --assume-yes --format json` `with sudo` exits `1` - And stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "Cannot enable FIPS when Livepatch is enabled.", "message_code": "incompatible-service-stops-enable", "service": "fips", "type": "service"}], "failed_services": ["fips"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ + Scenario Outline: Attached enable livepatch + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `canonical-livepatch status` `with sudo` exits `1` + Then I will see the following on stderr: + """ + sudo: canonical-livepatch: command not found + """ + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Installing canonical-livepatch snap + Canonical Livepatch enabled + """ + And I verify that `livepatch` status is `` + When I run `canonical-livepatch status` with sudo + Then stdout matches regexp: + """ + running: true + """ - @slow - Scenario Outline: Attached enable fips on a machine with livepatch active - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - """ - And stdout matches regexp: - """ - Installing canonical-livepatch snap - Canonical Livepatch enabled - """ - When I run `pro enable fips --assume-yes` with sudo - Then I will see the following on stdout - """ - One moment, checking your subscription first - Disabling incompatible service: Livepatch - Updating FIPS package lists - Installing FIPS packages - Updating standard Ubuntu package lists - FIPS enabled - A reboot is required to complete install. - """ - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - fips +yes +enabled - """ - And stdout matches regexp: - """ - livepatch +yes +n/a - """ + Examples: ubuntu release + | release | machine_type | livepatch_status | + | xenial | lxd-vm | warning | + | bionic | lxd-vm | enabled | - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-vm | - | xenial | lxd-vm | + Scenario Outline: Attached enable livepatch + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Installing canonical-livepatch snap + Canonical Livepatch enabled + """ + And I verify that `livepatch` status is warning + When I run `pro api u.pro.security.status.reboot_required.v1` with sudo + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "no", "reboot_required_packages": {"kernel_packages": null, "standard_packages": null}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I run `pro system reboot-required` as non-root + Then I will see the following on stdout: + """ + no + """ + When I apt install `libc6` + And I run `pro api u.pro.security.status.reboot_required.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "yes", "reboot_required_packages": {"kernel_packages": \[\], "standard_packages": \["libc6"\]}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I run `pro system reboot-required` as non-root + Then I will see the following on stdout: + """ + yes + """ + When I reboot the machine + And I run `pro system reboot-required` as non-root + Then I will see the following on stdout: + """ + no + """ + When I apt install `linux-image-generic` + And I run `pro api u.pro.security.status.reboot_required.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "yes", "reboot_required_packages": {"kernel_packages": \["linux-base"\], "standard_packages": \[\]}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I run `pro system reboot-required` as non-root + Then I will see the following on stdout: + """ + yes + """ + When I apt install `dbus` + And I run `pro api u.pro.security.status.reboot_required.v1` with sudo + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"livepatch_enabled": true, "livepatch_enabled_and_kernel_patched": true, "livepatch_state": "applied", "livepatch_support": "kernel-upgrade-required", "reboot_required": "yes", "reboot_required_packages": {"kernel_packages": \["linux-base"\], "standard_packages": \["dbus"\]}}, "meta": {"environment_vars": \[\]}, "type": "RebootRequired"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I run `pro system reboot-required` as non-root + Then I will see the following on stdout: + """ + yes + """ - @slow - Scenario Outline: Attached enable fips on a machine with fips-updates active - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Ubuntu Pro: ESM Infra enabled - """ - And stdout matches regexp: - """ - Installing canonical-livepatch snap - Canonical Livepatch enabled - """ - When I run `pro disable livepatch` with sudo - And I run `pro enable fips-updates --assume-yes` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating FIPS Updates package lists - Installing FIPS Updates packages - Updating standard Ubuntu package lists - FIPS Updates enabled - A reboot is required to complete install. - """ - When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` - Then I will see the following on stdout - """ - One moment, checking your subscription first - Cannot enable FIPS when FIPS Updates is enabled. - """ + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-vm | - | xenial | lxd-vm | + @slow + Scenario: Attached enable livepatch on a machine with fips active + Given a `bionic` `lxd-vm` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + Installing snapd snap + Installing canonical-livepatch snap + Canonical Livepatch enabled + """ + When I run `pro disable livepatch` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating FIPS package lists + Installing FIPS packages + Updating standard Ubuntu package lists + FIPS enabled + A reboot is required to complete install. + """ + When I append the following on uaclient config: + """ + features: + block_disable_on_enable: true + """ + Then I verify that running `pro enable livepatch` `with sudo` exits `1` + And I will see the following on stdout + """ + One moment, checking your subscription first + Cannot enable Livepatch when FIPS is enabled. + """ + Then I verify that running `pro enable livepatch --format json --assume-yes` `with sudo` exits `1` + And I will see the following on stdout + """ + {"_schema_version": "0.1", "errors": [{"message": "Cannot enable Livepatch when FIPS is enabled.", "message_code": "livepatch-error-when-fips-enabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ - Scenario Outline: Attached enable ros on a machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `ros` is disabled - When I run `pro enable ros --assume-yes` with sudo - Then I verify that `ros` is enabled - And I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - When I verify that running `pro disable esm-apps` `with sudo` and stdin `N` exits `1` - Then stdout matches regexp - """ - ROS ESM Security Updates depends on Ubuntu Pro: ESM Apps. - Disable ROS ESM Security Updates and proceed to disable Ubuntu Pro: ESM Apps\? \(y\/N\) Cannot disable Ubuntu Pro: ESM Apps when ROS ESM Security Updates is enabled. - """ - When I run `pro disable esm-apps` `with sudo` and stdin `y` - Then stdout matches regexp - """ - ROS ESM Security Updates depends on Ubuntu Pro: ESM Apps. - Disable ROS ESM Security Updates and proceed to disable Ubuntu Pro: ESM Apps\? \(y\/N\) Disabling dependent service: ROS ESM Security Updates - Updating package lists - """ - And I verify that `ros` is disabled - And I verify that `esm-apps` is disabled - When I verify that running `pro enable ros` `with sudo` and stdin `N` exits `1` - Then stdout matches regexp - """ - ROS ESM Security Updates cannot be enabled with Ubuntu Pro: ESM Apps disabled. - Enable Ubuntu Pro: ESM Apps and proceed to enable ROS ESM Security Updates\? \(y\/N\) Cannot enable ROS ESM Security Updates when Ubuntu Pro: ESM Apps is disabled. - """ - When I run `pro enable ros` `with sudo` and stdin `y` - Then stdout matches regexp - """ - One moment, checking your subscription first - ROS ESM Security Updates cannot be enabled with Ubuntu Pro: ESM Apps disabled. - Enable Ubuntu Pro: ESM Apps and proceed to enable ROS ESM Security Updates\? \(y\/N\) Enabling required service: Ubuntu Pro: ESM Apps - Ubuntu Pro: ESM Apps enabled - Updating ROS ESM Security Updates package lists - ROS ESM Security Updates enabled - """ - And I verify that `ros` is enabled - And I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - When I run `apt-cache policy` as non-root - Then apt-cache policy for the following url has priority `500` - """ - amd64 Packages - """ - When I apt install `python3-catkin-pkg` - Then I verify that `python3-catkin-pkg` is installed from apt source `` + Scenario: Attached enable fips on a machine with livepatch active + Given a `bionic` `lxd-vm` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + Installing snapd snap + Installing canonical-livepatch snap + Canonical Livepatch enabled + """ + When I append the following on uaclient config: + """ + features: + block_disable_on_enable: true + """ + Then I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` + And I will see the following on stdout + """ + One moment, checking your subscription first + Cannot enable FIPS when Livepatch is enabled. + """ + Then I verify that running `pro enable fips --assume-yes --format json` `with sudo` exits `1` + And stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "Cannot enable FIPS when Livepatch is enabled.", "message_code": "incompatible-service-stops-enable", "service": "fips", "type": "service"}], "failed_services": ["fips"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ - When I run `pro enable ros-updates --assume-yes` with sudo - Then I verify that `ros-updates` is enabled - When I run `apt-cache policy` as non-root - Then apt-cache policy for the following url has priority `500` - """ - amd64 Packages - """ - When I apt install `python3-catkin-pkg` - Then I verify that `python3-catkin-pkg` is installed from apt source `` - When I run `pro disable ros` `with sudo` and stdin `y` - Then stdout matches regexp - """ - ROS ESM All Updates depends on ROS ESM Security Updates. - Disable ROS ESM All Updates and proceed to disable ROS ESM Security Updates\? \(y\/N\) Disabling dependent service: ROS ESM All Updates - Updating package lists - """ - And I verify that `ros-updates` is disabled - When I run `pro enable ros-updates` `with sudo` and stdin `y` - Then stdout matches regexp - """ - One moment, checking your subscription first - ROS ESM All Updates cannot be enabled with ROS ESM Security Updates disabled. - Enable ROS ESM Security Updates and proceed to enable ROS ESM All Updates\? \(y\/N\) Enabling required service: ROS ESM Security Updates - ROS ESM Security Updates enabled - Updating ROS ESM All Updates package lists - ROS ESM All Updates enabled - """ - And I verify that `ros-updates` is enabled - And I verify that `ros` is enabled - When I run `pro disable ros-updates --assume-yes` with sudo - And I run `pro disable ros --assume-yes` with sudo - And I run `pro disable esm-apps --assume-yes` with sudo - And I run `pro disable esm-infra --assume-yes` with sudo - And I run `pro enable ros-updates --assume-yes` with sudo - Then I verify that `ros-updates` is enabled - And I verify that `ros` is enabled - And I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - When I run `pro detach` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - Updating package lists - Updating package lists - Updating package lists - Updating package lists - This machine is now detached. - """ - And the machine is unattached + @slow + Scenario Outline: Attached enable fips on a machine with livepatch active + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + """ + And stdout matches regexp: + """ + Installing canonical-livepatch snap + Canonical Livepatch enabled + """ + When I run `pro enable fips --assume-yes` with sudo + Then I will see the following on stdout + """ + One moment, checking your subscription first + Disabling incompatible service: Livepatch + Updating FIPS package lists + Installing FIPS packages + Updating standard Ubuntu package lists + FIPS enabled + A reboot is required to complete install. + """ + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + fips +yes +enabled + """ + And stdout matches regexp: + """ + livepatch +yes +n/a + """ - Examples: ubuntu release - | release | machine_type | ros-security-source | ros-updates-source | - | xenial | lxd-container | https://esm.ubuntu.com/ros/ubuntu xenial-security/main | https://esm.ubuntu.com/ros-updates/ubuntu xenial-updates/main | - | bionic | lxd-container | https://esm.ubuntu.com/ros/ubuntu bionic-security/main | https://esm.ubuntu.com/ros-updates/ubuntu bionic-updates/main | - | bionic | wsl | https://esm.ubuntu.com/ros/ubuntu bionic-security/main | https://esm.ubuntu.com/ros-updates/ubuntu bionic-updates/main | + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-vm | + | xenial | lxd-vm | - # Overall test for overrides; in the future, when many services - # have overrides, we can consider removing this - # esm-infra is a good choice because it doesn't already have - # other overrides that would interfere with the test - Scenario: Cloud overrides for a generic aws Focal instance - Given a `focal` `aws.generic` machine with ubuntu-advantage-tools installed - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - resourceEntitlements: - - type: esm-infra - overrides: - - selector: - series: focal - directives: - additionalPackages: - - some-package-focal - - selector: - cloud: aws - directives: - additionalPackages: - - some-package-aws - """ - And I attach `contract_token` with sudo and options `--no-auto-enable` - And I verify that running `pro enable esm-infra` `with sudo` exits `1` - Then stdout matches regexp: - """ - E: Unable to locate package some-package-aws - """ + @slow + Scenario Outline: Attached enable fips on a machine with fips-updates active + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Ubuntu Pro: ESM Infra enabled + """ + And stdout matches regexp: + """ + Installing canonical-livepatch snap + Canonical Livepatch enabled + """ + When I run `pro disable livepatch` with sudo + And I run `pro enable fips-updates --assume-yes` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating FIPS Updates package lists + Installing FIPS Updates packages + Updating standard Ubuntu package lists + FIPS Updates enabled + A reboot is required to complete install. + """ + When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` + Then I will see the following on stdout + """ + One moment, checking your subscription first + Cannot enable FIPS when FIPS Updates is enabled. + """ - Scenario Outline: APT auth file is edited correctly on enable - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo - Then I will see the following on stdout: - """ - 2 /etc/apt/auth.conf.d/90ubuntu-advantage - """ - # simulate a scenario where the line should get replaced - When I run `cp /etc/apt/auth.conf.d/90ubuntu-advantage /etc/apt/auth.conf.d/90ubuntu-advantage.backup` with sudo - When I run `pro disable esm-infra` with sudo - When I run `cp /etc/apt/auth.conf.d/90ubuntu-advantage.backup /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo - When I run `pro enable esm-infra` with sudo - When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo - Then I will see the following on stdout: - """ - 2 /etc/apt/auth.conf.d/90ubuntu-advantage - """ - When I run `pro enable cis` with sudo - When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo - Then I will see the following on stdout: - """ - 3 /etc/apt/auth.conf.d/90ubuntu-advantage - """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.generic | + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-vm | + | xenial | lxd-vm | - Scenario Outline: Attached enable esm-apps on a machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `esm-apps` is enabled - And I ensure apt update runs without errors - When I run `apt-cache policy` as non-root - Then apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/apps/ubuntu -apps-updates/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages - """ - And I ensure apt update runs without errors - When I apt install `` - And I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - Version table: - \s*\*\*\* .* 510 - \s*510 https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages - """ - When I verify that running `pro enable esm-apps` `with sudo` exits `1` - Then stdout matches regexp - """ - One moment, checking your subscription first - Ubuntu Pro: ESM Apps is already enabled. - See: sudo pro status - """ + Scenario Outline: Attached enable ros on a machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `ros` is disabled + When I run `pro enable ros --assume-yes` with sudo + Then I verify that `ros` is enabled + And I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + When I verify that running `pro disable esm-apps` `with sudo` and stdin `N` exits `1` + Then stdout matches regexp + """ + ROS ESM Security Updates depends on Ubuntu Pro: ESM Apps. + Disable ROS ESM Security Updates and proceed to disable Ubuntu Pro: ESM Apps\? \(y\/N\) Cannot disable Ubuntu Pro: ESM Apps when ROS ESM Security Updates is enabled. + """ + When I run `pro disable esm-apps` `with sudo` and stdin `y` + Then stdout matches regexp + """ + ROS ESM Security Updates depends on Ubuntu Pro: ESM Apps. + Disable ROS ESM Security Updates and proceed to disable Ubuntu Pro: ESM Apps\? \(y\/N\) Disabling dependent service: ROS ESM Security Updates + Updating package lists + """ + And I verify that `ros` is disabled + And I verify that `esm-apps` is disabled + When I verify that running `pro enable ros` `with sudo` and stdin `N` exits `1` + Then stdout matches regexp + """ + ROS ESM Security Updates cannot be enabled with Ubuntu Pro: ESM Apps disabled. + Enable Ubuntu Pro: ESM Apps and proceed to enable ROS ESM Security Updates\? \(y\/N\) Cannot enable ROS ESM Security Updates when Ubuntu Pro: ESM Apps is disabled. + """ + When I run `pro enable ros` `with sudo` and stdin `y` + Then stdout matches regexp + """ + One moment, checking your subscription first + ROS ESM Security Updates cannot be enabled with Ubuntu Pro: ESM Apps disabled. + Enable Ubuntu Pro: ESM Apps and proceed to enable ROS ESM Security Updates\? \(y\/N\) Enabling required service: Ubuntu Pro: ESM Apps + Ubuntu Pro: ESM Apps enabled + Updating ROS ESM Security Updates package lists + ROS ESM Security Updates enabled + """ + And I verify that `ros` is enabled + And I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + When I run `apt-cache policy` as non-root + Then apt-cache policy for the following url has priority `500` + """ + amd64 Packages + """ + When I apt install `python3-catkin-pkg` + Then I verify that `python3-catkin-pkg` is installed from apt source `` + When I run `pro enable ros-updates --assume-yes` with sudo + Then I verify that `ros-updates` is enabled + When I run `apt-cache policy` as non-root + Then apt-cache policy for the following url has priority `500` + """ + amd64 Packages + """ + When I apt install `python3-catkin-pkg` + Then I verify that `python3-catkin-pkg` is installed from apt source `` + When I run `pro disable ros` `with sudo` and stdin `y` + Then stdout matches regexp + """ + ROS ESM All Updates depends on ROS ESM Security Updates. + Disable ROS ESM All Updates and proceed to disable ROS ESM Security Updates\? \(y\/N\) Disabling dependent service: ROS ESM All Updates + Updating package lists + """ + And I verify that `ros-updates` is disabled + When I run `pro enable ros-updates` `with sudo` and stdin `y` + Then stdout matches regexp + """ + One moment, checking your subscription first + ROS ESM All Updates cannot be enabled with ROS ESM Security Updates disabled. + Enable ROS ESM Security Updates and proceed to enable ROS ESM All Updates\? \(y\/N\) Enabling required service: ROS ESM Security Updates + ROS ESM Security Updates enabled + Updating ROS ESM All Updates package lists + ROS ESM All Updates enabled + """ + And I verify that `ros-updates` is enabled + And I verify that `ros` is enabled + When I run `pro disable ros-updates --assume-yes` with sudo + And I run `pro disable ros --assume-yes` with sudo + And I run `pro disable esm-apps --assume-yes` with sudo + And I run `pro disable esm-infra --assume-yes` with sudo + And I run `pro enable ros-updates --assume-yes` with sudo + Then I verify that `ros-updates` is enabled + And I verify that `ros` is enabled + And I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + When I run `pro detach` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + Updating package lists + Updating package lists + Updating package lists + Updating package lists + This machine is now detached. + """ + And the machine is unattached - Examples: ubuntu release - | release | machine_type | apps-pkg | - | xenial | lxd-container | jq | - | bionic | lxd-container | bundler | - | focal | lxd-container | ant | + Examples: ubuntu release + | release | machine_type | ros-security-source | ros-updates-source | + | xenial | lxd-container | https://esm.ubuntu.com/ros/ubuntu xenial-security/main | https://esm.ubuntu.com/ros-updates/ubuntu xenial-updates/main | + | bionic | lxd-container | https://esm.ubuntu.com/ros/ubuntu bionic-security/main | https://esm.ubuntu.com/ros-updates/ubuntu bionic-updates/main | + | bionic | wsl | https://esm.ubuntu.com/ros/ubuntu bionic-security/main | https://esm.ubuntu.com/ros-updates/ubuntu bionic-updates/main | - Scenario Outline: Attached enable with corrupt lock - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro disable esm-infra --assume-yes` with sudo - And I create the file `/var/lib/ubuntu-advantage/lock` with the following: - """ - corrupted - """ - Then I verify that running `pro enable esm-infra --assume-yes` `with sudo` exits `1` - And stderr matches regexp: - """ - There is a corrupted lock file in the system. To continue, please remove it - from the system by running: + # Overall test for overrides; in the future, when many services + # have overrides, we can consider removing this + # esm-infra is a good choice because it doesn't already have + # other overrides that would interfere with the test + Scenario: Cloud overrides for a generic aws Focal instance + Given a `focal` `aws.generic` machine with ubuntu-advantage-tools installed + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + resourceEntitlements: + - type: esm-infra + overrides: + - selector: + series: focal + directives: + additionalPackages: + - some-package-focal + - selector: + cloud: aws + directives: + additionalPackages: + - some-package-aws + """ + And I attach `contract_token` with sudo and options `--no-auto-enable` + And I verify that running `pro enable esm-infra` `with sudo` exits `1` + Then stdout matches regexp: + """ + E: Unable to locate package some-package-aws + """ - \$ sudo rm /var/lib/ubuntu-advantage/lock - """ + Scenario Outline: APT auth file is edited correctly on enable + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo + Then I will see the following on stdout: + """ + 2 /etc/apt/auth.conf.d/90ubuntu-advantage + """ + # simulate a scenario where the line should get replaced + When I run `cp /etc/apt/auth.conf.d/90ubuntu-advantage /etc/apt/auth.conf.d/90ubuntu-advantage.backup` with sudo + When I run `pro disable esm-infra` with sudo + When I run `cp /etc/apt/auth.conf.d/90ubuntu-advantage.backup /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo + When I run `pro enable esm-infra` with sudo + When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo + Then I will see the following on stdout: + """ + 2 /etc/apt/auth.conf.d/90ubuntu-advantage + """ + When I run `pro enable cis` with sudo + When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo + Then I will see the following on stdout: + """ + 3 /etc/apt/auth.conf.d/90ubuntu-advantage + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.generic | + + Scenario Outline: Attached enable esm-apps on a machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `esm-apps` is enabled + And I ensure apt update runs without errors + When I run `apt-cache policy` as non-root + Then apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/apps/ubuntu -apps-updates/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages + """ + And I ensure apt update runs without errors + When I apt install `` + And I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + Version table: + \s*\*\*\* .* 510 + \s*510 https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages + """ + When I verify that running `pro enable esm-apps` `with sudo` exits `1` + Then stdout matches regexp + """ + One moment, checking your subscription first + Ubuntu Pro: ESM Apps is already enabled. + See: sudo pro status + """ + + Examples: ubuntu release + | release | machine_type | apps-pkg | + | xenial | lxd-container | jq | + | bionic | lxd-container | bundler | + | focal | lxd-container | ant | + + Scenario Outline: Attached enable with corrupt lock + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro disable esm-infra --assume-yes` with sudo + And I create the file `/var/lib/ubuntu-advantage/lock` with the following: + """ + corrupted + """ + Then I verify that running `pro enable esm-infra --assume-yes` `with sudo` exits `1` + And stderr matches regexp: + """ + There is a corrupted lock file in the system. To continue, please remove it + from the system by running: + + \$ sudo rm /var/lib/ubuntu-advantage/lock + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/attached_status.feature b/features/attached_status.feature index 834b84800c..8dda950446 100644 --- a/features/attached_status.feature +++ b/features/attached_status.feature @@ -1,429 +1,429 @@ Feature: Attached status - @uses.config.contract_token - Scenario Outline: Attached status in a ubuntu machine - formatted - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro status --format json` as non-root - Then stdout is a json matching the `ua_status` schema - When I run `pro status --format yaml` as non-root - Then stdout is a yaml matching the `ua_status` schema + @uses.config.contract_token + Scenario Outline: Attached status in a ubuntu machine - formatted + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro status --format json` as non-root + Then stdout is a json matching the `ua_status` schema + When I run `pro status --format yaml` as non-root + Then stdout is a yaml matching the `ua_status` schema + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "effectiveTo": null + } + } + } + """ + And I append the following on uaclient config: + """ + features: + machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" + """ + And I run `pro status` with sudo + Then stdout contains substring: + """ + Valid until: Unknown/Expired + """ - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "effectiveTo": null - } - } - } - """ - And I append the following on uaclient config: - """ - features: - machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" - """ - And I run `pro status` with sudo - Then stdout contains substring: - """ - Valid until: Unknown/Expired - """ + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + @uses.config.contract_token + Scenario Outline: Non-root status can see in-progress operations + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I run shell command `sudo pro enable cis >/dev/null & pro status` as non-root + Then stdout matches regexp: + """ + NOTICES + Operation in progress: pro enable + """ + When I run `pro status --wait` as non-root + When I run `pro disable cis --assume-yes` with sudo + When I run shell command `sudo pro enable cis & pro status --wait` as non-root + Then stdout matches regexp: + """ + One moment, checking your subscription first + Updating CIS Audit package lists + Updating standard Ubuntu package lists + Installing CIS Audit packages + CIS Audit enabled + Visit https://ubuntu.com/security/cis to learn how to use CIS + \.+ + SERVICE +ENTITLED +STATUS +DESCRIPTION + """ + Then stdout does not match regexp: + """ + NOTICES + Operation in progress: pro enable + """ + When I run `pro disable cis --assume-yes` with sudo + When I apt install `jq` + When I run shell command `sudo pro enable cis >/dev/null & pro status --format json | jq -r .execution_status` as non-root + Then I will see the following on stdout: + """ + active + """ - @uses.config.contract_token - Scenario Outline: Non-root status can see in-progress operations - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I run shell command `sudo pro enable cis >/dev/null & pro status` as non-root - Then stdout matches regexp: - """ - NOTICES - Operation in progress: pro enable - """ - When I run `pro status --wait` as non-root - When I run `pro disable cis --assume-yes` with sudo - When I run shell command `sudo pro enable cis & pro status --wait` as non-root - Then stdout matches regexp: - """ - One moment, checking your subscription first - Updating CIS Audit package lists - Updating standard Ubuntu package lists - Installing CIS Audit packages - CIS Audit enabled - Visit https://ubuntu.com/security/cis to learn how to use CIS - \.+ - SERVICE +ENTITLED +STATUS +DESCRIPTION - """ - Then stdout does not match regexp: - """ - NOTICES - Operation in progress: pro enable - """ - When I run `pro disable cis --assume-yes` with sudo - When I apt install `jq` - When I run shell command `sudo pro enable cis >/dev/null & pro status --format json | jq -r .execution_status` as non-root - Then I will see the following on stdout: - """ - active - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | - Scenario Outline: Attached status in a ubuntu Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - When I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +n/a +Scalable Android in the cloud - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - """ + Scenario Outline: Attached status in a ubuntu Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + When I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +n/a +Scalable Android in the cloud + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.pro | - | xenial | azure.pro | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.pro | + | xenial | azure.pro | - Scenario Outline: Attached status in a ubuntu Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - livepatch +yes +warning +Current kernel is not supported - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +n/a +Scalable Android in the cloud - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +n/a +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +n/a +FIPS compliant crypto packages with stable security updates - livepatch +yes +warning +Current kernel is not supported - """ + Scenario Outline: Attached status in a ubuntu Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + livepatch +yes +warning +Current kernel is not supported + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +n/a +Scalable Android in the cloud + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +n/a +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +n/a +FIPS compliant crypto packages with stable security updates + livepatch +yes +warning +Current kernel is not supported + """ - Examples: ubuntu release - | release | machine_type | - | xenial | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | xenial | gcp.pro | - Scenario Outline: Attached status in a ubuntu Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +n/a +Scalable Android in the cloud - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - """ + Scenario Outline: Attached status in a ubuntu Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +n/a +Scalable Android in the cloud + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + """ - Examples: ubuntu release - | release | machine_type | - | bionic | aws.pro | - | bionic | azure.pro | - | bionic | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | bionic | aws.pro | + | bionic | azure.pro | + | bionic | gcp.pro | - Scenario Outline: Attached status in a ubuntu Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +Scalable Android in the cloud - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - usg +yes +disabled +Security compliance and audit tools - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +Scalable Android in the cloud - cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - usg +yes +disabled +Security compliance and audit tools - """ + Scenario Outline: Attached status in a ubuntu Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +Scalable Android in the cloud + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + usg +yes +disabled +Security compliance and audit tools + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +Scalable Android in the cloud + cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + usg +yes +disabled +Security compliance and audit tools + """ - Examples: ubuntu release - | release | machine_type | - | focal | aws.pro | - | focal | azure.pro | - | focal | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | focal | aws.pro | + | focal | azure.pro | + | focal | gcp.pro | - Scenario Outline: Attached status in a ubuntu Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +Scalable Android in the cloud - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST - livepatch +yes +enabled +Canonical Livepatch service - usg +yes +disabled +Security compliance and audit tools - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +Scalable Android in the cloud - cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +n/a +NIST-certified FIPS crypto packages - fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +n/a +FIPS compliant crypto packages with stable security updates - livepatch +yes +enabled +Canonical Livepatch service - usg +yes +disabled +Security compliance and audit tools - """ + Scenario Outline: Attached status in a ubuntu Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +Scalable Android in the cloud + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST + livepatch +yes +enabled +Canonical Livepatch service + usg +yes +disabled +Security compliance and audit tools + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +Scalable Android in the cloud + cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +n/a +NIST-certified FIPS crypto packages + fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +n/a +FIPS compliant crypto packages with stable security updates + livepatch +yes +enabled +Canonical Livepatch service + usg +yes +disabled +Security compliance and audit tools + """ - Examples: ubuntu release - | release | machine_type | - | jammy | aws.pro | - | jammy | azure.pro | - | jammy | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | jammy | aws.pro | + | jammy | azure.pro | + | jammy | gcp.pro | - @uses.config.contract_token - Scenario Outline: Attached status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - ros +yes +disabled +Security Updates for the Robot Operating System - ros-updates +yes +disabled +All Updates for the Robot Operating System + @uses.config.contract_token + Scenario Outline: Attached status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + ros +yes +disabled +Security Updates for the Robot Operating System + ros-updates +yes +disabled +All Updates for the Robot Operating System - For a list of all Ubuntu Pro services, run 'pro status --all' - Enable services with: pro enable - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +n/a +.* - cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages - cis +yes +disabled +Security compliance and audit tools - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - landscape +yes +n/a +Management and administration tool for Ubuntu - livepatch +yes +n/a +Canonical Livepatch service - realtime-kernel +yes +n/a +Ubuntu kernel with PREEMPT_RT patches integrated - ros +yes +disabled +Security Updates for the Robot Operating System - ros-updates +yes +disabled +All Updates for the Robot Operating System + For a list of all Ubuntu Pro services, run 'pro status --all' + Enable services with: pro enable + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +n/a +.* + cc-eal +yes +disabled +Common Criteria EAL2 Provisioning Packages + cis +yes +disabled +Security compliance and audit tools + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + landscape +yes +n/a +Management and administration tool for Ubuntu + livepatch +yes +n/a +Canonical Livepatch service + realtime-kernel +yes +n/a +Ubuntu kernel with PREEMPT_RT patches integrated + ros +yes +disabled +Security Updates for the Robot Operating System + ros-updates +yes +disabled +All Updates for the Robot Operating System - Enable services with: pro enable - """ + Enable services with: pro enable + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | bionic | wsl | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | bionic | wsl | - @uses.config.contract_token - Scenario Outline: Attached status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +.* - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - ros +yes +disabled +Security Updates for the Robot Operating System - usg +yes +disabled +Security compliance and audit tools + @uses.config.contract_token + Scenario Outline: Attached status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +.* + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + ros +yes +disabled +Security Updates for the Robot Operating System + usg +yes +disabled +Security compliance and audit tools - For a list of all Ubuntu Pro services, run 'pro status --all' - Enable services with: pro enable - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +.* - cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +disabled +NIST-certified FIPS crypto packages - fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - landscape +yes +n/a +Management and administration tool for Ubuntu - livepatch +yes +n/a +Canonical Livepatch service - realtime-kernel +yes +n/a +Ubuntu kernel with PREEMPT_RT patches integrated - ros +yes +disabled +Security Updates for the Robot Operating System - ros-updates +yes +n/a +All Updates for the Robot Operating System - usg +yes +disabled +Security compliance and audit tools + For a list of all Ubuntu Pro services, run 'pro status --all' + Enable services with: pro enable + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +.* + cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +disabled +NIST-certified FIPS crypto packages + fips-preview +yes +n/a +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + landscape +yes +n/a +Management and administration tool for Ubuntu + livepatch +yes +n/a +Canonical Livepatch service + realtime-kernel +yes +n/a +Ubuntu kernel with PREEMPT_RT patches integrated + ros +yes +disabled +Security Updates for the Robot Operating System + ros-updates +yes +n/a +All Updates for the Robot Operating System + usg +yes +disabled +Security compliance and audit tools - Enable services with: pro enable - """ + Enable services with: pro enable + """ - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | - | focal | wsl | + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + | focal | wsl | - @uses.config.contract_token - Scenario Outline: Attached status in the latest LTS ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +.* - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - usg +yes +disabled +Security compliance and audit tools + @uses.config.contract_token + Scenario Outline: Attached status in the latest LTS ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +.* + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + usg +yes +disabled +Security compliance and audit tools - For a list of all Ubuntu Pro services, run 'pro status --all' - Enable services with: pro enable - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +ENTITLED +STATUS +DESCRIPTION - anbox-cloud +yes +disabled +.* - cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +enabled +Expanded Security Maintenance for Applications - esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure - fips +yes +n/a +NIST-certified FIPS crypto packages - fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates - landscape +yes +n/a +Management and administration tool for Ubuntu - livepatch +yes +n/a +Canonical Livepatch service - realtime-kernel +yes +n/a +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic +yes +n/a +Generic version of the RT kernel \(default\) - └ intel-iotg +yes +n/a +RT kernel optimized for Intel IOTG platform - ros +yes +n/a +Security Updates for the Robot Operating System - ros-updates +yes +n/a +All Updates for the Robot Operating System - usg +yes +disabled +Security compliance and audit tools + For a list of all Ubuntu Pro services, run 'pro status --all' + Enable services with: pro enable + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +ENTITLED +STATUS +DESCRIPTION + anbox-cloud +yes +disabled +.* + cc-eal +yes +n/a +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +enabled +Expanded Security Maintenance for Applications + esm-infra +yes +enabled +Expanded Security Maintenance for Infrastructure + fips +yes +n/a +NIST-certified FIPS crypto packages + fips-preview +yes +disabled +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +disabled +FIPS compliant crypto packages with stable security updates + landscape +yes +n/a +Management and administration tool for Ubuntu + livepatch +yes +n/a +Canonical Livepatch service + realtime-kernel +yes +n/a +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic +yes +n/a +Generic version of the RT kernel \(default\) + └ intel-iotg +yes +n/a +RT kernel optimized for Intel IOTG platform + ros +yes +n/a +Security Updates for the Robot Operating System + ros-updates +yes +n/a +All Updates for the Robot Operating System + usg +yes +disabled +Security compliance and audit tools - Enable services with: pro enable - """ + Enable services with: pro enable + """ - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | diff --git a/features/cloud_pro_clone.feature b/features/cloud_pro_clone.feature index ca42829a09..9642934625 100644 --- a/features/cloud_pro_clone.feature +++ b/features/cloud_pro_clone.feature @@ -1,55 +1,56 @@ Feature: Creating golden images based on Cloud Ubuntu Pro instances - Scenario Outline: Create a Pro fips-updates image and launch - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I run `pro auto-attach` with sudo - Then the machine is attached - When I apt install `jq` - When I save the `activityInfo.activityToken` value from the contract - When I save the `activityInfo.activityID` value from the contract - When I run `pro enable fips-updates --assume-yes` with sudo - And I run `pro status --format yaml` with sudo - Then stdout matches regexp: - """ - name: fips-updates - status: enabled - """ - When I reboot the machine - When I take a snapshot of the machine - When I reboot the machine - When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - Then I verify that `activityInfo.activityToken` value has been updated on the contract - Then I verify that `activityInfo.activityID` value has not been updated on the contract - When I launch a `` `` machine named `clone` from the snapshot of `system-under-test` - # The clone will run auto-attach on boot - When I run `pro status --wait` `with sudo` on the `clone` machine - Then the machine is attached - When I run `python3 /usr/lib/ubuntu-advantage/timer.py` `with sudo` on the `clone` machine - Then I verify that `activityInfo.activityToken` value has been updated on the contract on the `clone` machine - Then I verify that `activityInfo.activityID` value has been updated on the contract on the `clone` machine - When I run `pro status --format yaml` `with sudo` on the `clone` machine - Then stdout matches regexp: - """ - name: fips-updates - status: enabled - """ - When I reboot the `clone` machine - When I run `pro status --format yaml` `with sudo` on the `clone` machine - Then stdout matches regexp: - """ - name: fips-updates - status: enabled - """ - Examples: ubuntu release - | release | machine_type | - | bionic | aws.pro | - | bionic | gcp.pro | - | focal | aws.pro | - | focal | gcp.pro | + Scenario Outline: Create a Pro fips-updates image and launch + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I run `pro auto-attach` with sudo + Then the machine is attached + When I apt install `jq` + When I save the `activityInfo.activityToken` value from the contract + When I save the `activityInfo.activityID` value from the contract + When I run `pro enable fips-updates --assume-yes` with sudo + And I run `pro status --format yaml` with sudo + Then stdout matches regexp: + """ + name: fips-updates + status: enabled + """ + When I reboot the machine + When I take a snapshot of the machine + When I reboot the machine + When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + Then I verify that `activityInfo.activityToken` value has been updated on the contract + Then I verify that `activityInfo.activityID` value has not been updated on the contract + When I launch a `` `` machine named `clone` from the snapshot of `system-under-test` + # The clone will run auto-attach on boot + When I run `pro status --wait` `with sudo` on the `clone` machine + Then the machine is attached + When I run `python3 /usr/lib/ubuntu-advantage/timer.py` `with sudo` on the `clone` machine + Then I verify that `activityInfo.activityToken` value has been updated on the contract on the `clone` machine + Then I verify that `activityInfo.activityID` value has been updated on the contract on the `clone` machine + When I run `pro status --format yaml` `with sudo` on the `clone` machine + Then stdout matches regexp: + """ + name: fips-updates + status: enabled + """ + When I reboot the `clone` machine + When I run `pro status --format yaml` `with sudo` on the `clone` machine + Then stdout matches regexp: + """ + name: fips-updates + status: enabled + """ + + Examples: ubuntu release + | release | machine_type | + | bionic | aws.pro | + | bionic | gcp.pro | + | focal | aws.pro | + | focal | gcp.pro | diff --git a/features/collect_logs.feature b/features/collect_logs.feature index 7201ce2003..75272cc069 100644 --- a/features/collect_logs.feature +++ b/features/collect_logs.feature @@ -1,94 +1,96 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - Scenario Outline: Run collect-logs on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - # simulate logrotate - When I run `touch /var/log/ubuntu-advantage.log.1` with sudo - When I run `touch /var/log/ubuntu-advantage.log.2.gz` with sudo - When I run `pro collect-logs` as non-root - Then I verify that files exist matching `pro_logs.tar.gz` - When I run `tar zxf pro_logs.tar.gz` with sudo - Then I verify that files exist matching `logs/` - When I run `sh -c "ls -1 logs/ | sort -d"` as non-root - # On Xenial, the return value for inexistent services is the same as for dead ones (3). - # So the -error suffix does not appear there. - Then stdout matches regexp: - """ - apt-news.service.txt - build.info - cloud-id.txt - cloud-init-journal.txt - environment_vars.json - esm-cache.service.txt - jobs-status.json - livepatch-status.txt-error - pro-journal.txt - pro-status.json - systemd-timers.txt - ua-auto-attach.path.txt(-error)? - ua-auto-attach.service.txt(-error)? - uaclient.conf - ua-reboot-cmds.service.txt - ua-timer.service.txt - ua-timer.timer.txt - ubuntu-advantage.log - ubuntu-advantage.log.1 - ubuntu-advantage.log.2.gz - ubuntu-advantage.service.txt - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Scenario Outline: Run collect-logs on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + # simulate logrotate + When I run `touch /var/log/ubuntu-advantage.log.1` with sudo + When I run `touch /var/log/ubuntu-advantage.log.2.gz` with sudo + When I run `pro collect-logs` as non-root + Then I verify that files exist matching `pro_logs.tar.gz` + When I run `tar zxf pro_logs.tar.gz` with sudo + Then I verify that files exist matching `logs/` + When I run `sh -c "ls -1 logs/ | sort -d"` as non-root + # On Xenial, the return value for inexistent services is the same as for dead ones (3). + # So the -error suffix does not appear there. + Then stdout matches regexp: + """ + apt-news.service.txt + build.info + cloud-id.txt + cloud-init-journal.txt + environment_vars.json + esm-cache.service.txt + jobs-status.json + livepatch-status.txt-error + pro-journal.txt + pro-status.json + systemd-timers.txt + ua-auto-attach.path.txt(-error)? + ua-auto-attach.service.txt(-error)? + uaclient.conf + ua-reboot-cmds.service.txt + ua-timer.service.txt + ua-timer.timer.txt + ubuntu-advantage.log + ubuntu-advantage.log.1 + ubuntu-advantage.log.2.gz + ubuntu-advantage.service.txt + """ - @uses.config.contract_token - Scenario Outline: Run collect-logs on an attached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo - # simulate logrotate - When I run `touch /var/log/ubuntu-advantage.log.1` with sudo - When I run `touch /var/log/ubuntu-advantage.log.2.gz` with sudo - When I run `pro collect-logs` as non-root - Then I verify that files exist matching `pro_logs.tar.gz` - When I run `tar zxf pro_logs.tar.gz` as non-root - Then I verify that files exist matching `logs/` - When I run `sh -c "ls -1 logs/ | sort -d"` as non-root - # On Xenial, the return value for inexistent services is the same as for dead ones (3). - # So the -error suffix does not appear there. - Then stdout matches regexp: - """ - apt-news.service.txt - build.info - cloud-id.txt - cloud-init-journal.txt - environment_vars.json - esm-cache.service.txt - jobs-status.json - livepatch-status.txt-error - pro-journal.txt - pro-status.json - systemd-timers.txt - ua-auto-attach.path.txt(-error)? - ua-auto-attach.service.txt(-error)? - uaclient.conf - ua-reboot-cmds.service.txt - ua-timer.service.txt - ua-timer.timer.txt - ubuntu-advantage.log - ubuntu-advantage.log.1 - ubuntu-advantage.log.2.gz - ubuntu-advantage.service.txt - ubuntu-esm-apps.list - ubuntu-esm-infra.list - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + @uses.config.contract_token + Scenario Outline: Run collect-logs on an attached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo + # simulate logrotate + When I run `touch /var/log/ubuntu-advantage.log.1` with sudo + When I run `touch /var/log/ubuntu-advantage.log.2.gz` with sudo + When I run `pro collect-logs` as non-root + Then I verify that files exist matching `pro_logs.tar.gz` + When I run `tar zxf pro_logs.tar.gz` as non-root + Then I verify that files exist matching `logs/` + When I run `sh -c "ls -1 logs/ | sort -d"` as non-root + # On Xenial, the return value for inexistent services is the same as for dead ones (3). + # So the -error suffix does not appear there. + Then stdout matches regexp: + """ + apt-news.service.txt + build.info + cloud-id.txt + cloud-init-journal.txt + environment_vars.json + esm-cache.service.txt + jobs-status.json + livepatch-status.txt-error + pro-journal.txt + pro-status.json + systemd-timers.txt + ua-auto-attach.path.txt(-error)? + ua-auto-attach.service.txt(-error)? + uaclient.conf + ua-reboot-cmds.service.txt + ua-timer.service.txt + ua-timer.timer.txt + ubuntu-advantage.log + ubuntu-advantage.log.1 + ubuntu-advantage.log.2.gz + ubuntu-advantage.service.txt + ubuntu-esm-apps.list + ubuntu-esm-infra.list + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/config.feature b/features/config.feature index 48ca6394f5..a4371ea64e 100644 --- a/features/config.feature +++ b/features/config.feature @@ -1,52 +1,53 @@ Feature: pro config sub-command - # earliest, latest lts[, latest stable] - Scenario Outline: old ua_config in uaclient.conf is still supported - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro config show` with sudo - Then I will see the following on stdout: - """ - http_proxy None - https_proxy None - apt_http_proxy None - apt_https_proxy None - ua_apt_http_proxy None - ua_apt_https_proxy None - global_apt_http_proxy None - global_apt_https_proxy None - update_messaging_timer 21600 - metering_timer 14400 - apt_news True - apt_news_url https://motd.ubuntu.com/aptnews.json - """ - Then I will see the following on stderr: - """ - """ - When I append the following on uaclient config: - """ - ua_config: {apt_news: false} - """ - When I run `pro config show` with sudo - Then I will see the following on stdout: - """ - http_proxy None - https_proxy None - apt_http_proxy None - apt_https_proxy None - ua_apt_http_proxy None - ua_apt_https_proxy None - global_apt_http_proxy None - global_apt_https_proxy None - update_messaging_timer 21600 - metering_timer 14400 - apt_news False - apt_news_url https://motd.ubuntu.com/aptnews.json - """ - Then I will see the following on stderr: - """ - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + # earliest, latest lts[, latest stable] + Scenario Outline: old ua_config in uaclient.conf is still supported + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro config show` with sudo + Then I will see the following on stdout: + """ + http_proxy None + https_proxy None + apt_http_proxy None + apt_https_proxy None + ua_apt_http_proxy None + ua_apt_https_proxy None + global_apt_http_proxy None + global_apt_https_proxy None + update_messaging_timer 21600 + metering_timer 14400 + apt_news True + apt_news_url https://motd.ubuntu.com/aptnews.json + """ + Then I will see the following on stderr: + """ + """ + When I append the following on uaclient config: + """ + ua_config: {apt_news: false} + """ + When I run `pro config show` with sudo + Then I will see the following on stdout: + """ + http_proxy None + https_proxy None + apt_http_proxy None + apt_https_proxy None + ua_apt_http_proxy None + ua_apt_https_proxy None + global_apt_http_proxy None + global_apt_https_proxy None + update_messaging_timer 21600 + metering_timer 14400 + apt_news False + apt_news_url https://motd.ubuntu.com/aptnews.json + """ + Then I will see the following on stderr: + """ + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/daemon.feature b/features/daemon.feature index 7b2a174c25..a66ac189f5 100644 --- a/features/daemon.feature +++ b/features/daemon.feature @@ -1,407 +1,406 @@ Feature: Pro Upgrade Daemon only runs in environments where necessary - @uses.config.contract_token - Scenario Outline: cloud-id-shim service is not installed on anything other than xenial - Given a `` `` machine with ubuntu-advantage-tools installed - Then I verify that running `systemctl status ubuntu-advantage-cloud-id-shim.service` `with sudo` exits `4` - Then stderr matches regexp: - """ - Unit ubuntu-advantage-cloud-id-shim.service could not be found. - """ - Examples: version - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + @uses.config.contract_token + Scenario Outline: cloud-id-shim service is not installed on anything other than xenial + Given a `` `` machine with ubuntu-advantage-tools installed + Then I verify that running `systemctl status ubuntu-advantage-cloud-id-shim.service` `with sudo` exits `4` + Then stderr matches regexp: + """ + Unit ubuntu-advantage-cloud-id-shim.service could not be found. + """ - @uses.config.contract_token - Scenario Outline: cloud-id-shim should run in postinst and on boot - Given a `` `` machine with ubuntu-advantage-tools installed - # verify installing pro created the cloud-id file - When I run `cat /run/cloud-init/cloud-id` with sudo - Then I will see the following on stdout - """ - lxd - """ - When I run `cat /run/cloud-init/cloud-id-lxd` with sudo - Then I will see the following on stdout - """ - lxd - """ - # verify the shim service runs on boot and creates the cloud-id file - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage-cloud-id-shim.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - (code=exited, status=0/SUCCESS) - """ - When I run `cat /run/cloud-init/cloud-id` with sudo - Then I will see the following on stdout - """ - lxd - """ - When I run `cat /run/cloud-init/cloud-id-lxd` with sudo - Then I will see the following on stdout - """ - lxd - """ - Examples: version - | release | machine_type | - | xenial | lxd-container | + Examples: version + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - @uses.config.contract_token - Scenario Outline: daemon should run when appropriate on gcp generic lts - Given a `` `` machine with ubuntu-advantage-tools installed - # verify its enabled, but stops itself when not configured to poll - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout contains substring: - """ - Configured to not poll for pro license, shutting down - """ - Then stdout contains substring: - """ - daemon ending - """ - When I run `systemctl is-enabled ubuntu-advantage.service` with sudo - Then stdout matches regexp: - """ - enabled - """ - Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` - Then stdout matches regexp: - """ - inactive - """ + @uses.config.contract_token + Scenario Outline: cloud-id-shim should run in postinst and on boot + Given a `` `` machine with ubuntu-advantage-tools installed + # verify installing pro created the cloud-id file + When I run `cat /run/cloud-init/cloud-id` with sudo + Then I will see the following on stdout + """ + lxd + """ + When I run `cat /run/cloud-init/cloud-id-lxd` with sudo + Then I will see the following on stdout + """ + lxd + """ + # verify the shim service runs on boot and creates the cloud-id file + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage-cloud-id-shim.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + (code=exited, status=0/SUCCESS) + """ + When I run `cat /run/cloud-init/cloud-id` with sudo + Then I will see the following on stdout + """ + lxd + """ + When I run `cat /run/cloud-init/cloud-id-lxd` with sudo + Then I will see the following on stdout + """ + lxd + """ - # verify it stays on when configured to do so - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { "poll_for_pro_license": true } - """ - # Turn on memory accounting - When I run `sed -i s/#DefaultMemoryAccounting=no/DefaultMemoryAccounting=yes/ /etc/systemd/system.conf` with sudo - When I run `systemctl daemon-reexec` with sudo + Examples: version + | release | machine_type | + | xenial | lxd-container | - # on bionic, systemd version=237; which does not allow for log rotation + vacuum in same line e.g. - # journalctl --flush --rotate --vacuum-time=1s - When I run `journalctl --flush --rotate` with sudo - When I run `journalctl --vacuum-time=1s` with sudo - When I run `systemctl restart ubuntu-advantage.service` with sudo + @uses.config.contract_token + Scenario Outline: daemon should run when appropriate on gcp generic lts + Given a `` `` machine with ubuntu-advantage-tools installed + # verify its enabled, but stops itself when not configured to poll + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout contains substring: + """ + Configured to not poll for pro license, shutting down + """ + Then stdout contains substring: + """ + daemon ending + """ + When I run `systemctl is-enabled ubuntu-advantage.service` with sudo + Then stdout matches regexp: + """ + enabled + """ + Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` + Then stdout matches regexp: + """ + inactive + """ + # verify it stays on when configured to do so + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { "poll_for_pro_license": true } + """ + # Turn on memory accounting + When I run `sed -i s/#DefaultMemoryAccounting=no/DefaultMemoryAccounting=yes/ /etc/systemd/system.conf` with sudo + When I run `systemctl daemon-reexec` with sudo + # on bionic, systemd version=237; which does not allow for log rotation + vacuum in same line e.g. + # journalctl --flush --rotate --vacuum-time=1s + When I run `journalctl --flush --rotate` with sudo + When I run `journalctl --vacuum-time=1s` with sudo + When I run `systemctl restart ubuntu-advantage.service` with sudo + # wait to get memory after it has settled/after startup checks + When I wait `5` seconds + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + # TODO find out what caused memory to go up, try to lower it again + Then on `xenial`, systemd status output says memory usage is less than `17` MB + Then on `bionic`, systemd status output says memory usage is less than `15` MB + Then on `focal`, systemd status output says memory usage is less than `13` MB + Then on `jammy`, systemd status output says memory usage is less than `14` MB + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout does not contain substring: + """ + daemon ending + """ + When I run `systemctl is-enabled ubuntu-advantage.service` with sudo + Then stdout matches regexp: + """ + enabled + """ + Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` + Then stdout matches regexp: + """ + active + """ + # verify attach stops it immediately and doesn't restart after reboot + When I attach `contract_token` with sudo + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + """ + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + \s*Condition: start condition failed.* + .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met + """ + # verify detach starts it and it starts again after reboot + When I run `journalctl --flush --rotate` with sudo + When I run `journalctl --vacuum-time=1s` with sudo + When I run `pro detach --assume-yes` with sudo + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout does not contain substring: + """ + daemon ending + """ + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout does not contain substring: + """ + daemon ending + """ + # Verify manual stop & disable persists across reconfigure + When I run `systemctl stop ubuntu-advantage.service` with sudo + When I run `systemctl disable ubuntu-advantage.service` with sudo + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + """ + When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + """ + # Verify manual stop & disable persists across reboot + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + """ - # wait to get memory after it has settled/after startup checks - When I wait `5` seconds - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - # TODO find out what caused memory to go up, try to lower it again - Then on `xenial`, systemd status output says memory usage is less than `17` MB - Then on `bionic`, systemd status output says memory usage is less than `15` MB - Then on `focal`, systemd status output says memory usage is less than `13` MB - Then on `jammy`, systemd status output says memory usage is less than `14` MB + Examples: version + | release | machine_type | + | xenial | gcp.generic | + | bionic | gcp.generic | + | focal | gcp.generic | + | jammy | gcp.generic | - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout does not contain substring: - """ - daemon ending - """ - When I run `systemctl is-enabled ubuntu-advantage.service` with sudo - Then stdout matches regexp: - """ - enabled - """ - Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` - Then stdout matches regexp: - """ - active - """ + @uses.config.contract_token + Scenario Outline: daemon should run when appropriate on azure generic lts + Given a `` `` machine with ubuntu-advantage-tools installed + # verify its enabled, but stops itself when not configured to poll + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout contains substring: + """ + Configured to not poll for pro license, shutting down + """ + Then stdout contains substring: + """ + daemon ending + """ + When I run `systemctl is-enabled ubuntu-advantage.service` with sudo + Then stdout matches regexp: + """ + enabled + """ + Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` + Then stdout matches regexp: + """ + inactive + """ + # verify it stays on when configured to do so + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { "poll_for_pro_license": true } + """ + When I run `systemctl restart ubuntu-advantage.service` with sudo + # give it time to get past the initial request + When I wait `5` seconds + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout contains substring: + """ + Cancelling polling + """ + Then stdout contains substring: + """ + daemon ending + """ + When I run `systemctl is-enabled ubuntu-advantage.service` with sudo + Then stdout matches regexp: + """ + enabled + """ + Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` + Then stdout matches regexp: + """ + inactive + """ - # verify attach stops it immediately and doesn't restart after reboot - When I attach `contract_token` with sudo - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - """ - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - \s*Condition: start condition failed.* - .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met - """ + Examples: version + | release | machine_type | + | xenial | azure.generic | + | bionic | azure.generic | + | focal | azure.generic | + | jammy | azure.generic | - # verify detach starts it and it starts again after reboot - When I run `journalctl --flush --rotate` with sudo - When I run `journalctl --vacuum-time=1s` with sudo - When I run `pro detach --assume-yes` with sudo - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout does not contain substring: - """ - daemon ending - """ - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout does not contain substring: - """ - daemon ending - """ + @uses.config.contract_token + Scenario Outline: daemon does not start on gcp,azure generic non lts + Given a `` `` machine with ubuntu-advantage-tools installed + When I wait `1` seconds + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout contains substring: + """ + daemon starting + """ + Then stdout contains substring: + """ + Not on LTS, shutting down + """ + Then stdout contains substring: + """ + daemon ending + """ - # Verify manual stop & disable persists across reconfigure - When I run `systemctl stop ubuntu-advantage.service` with sudo - When I run `systemctl disable ubuntu-advantage.service` with sudo - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - """ - When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - """ + Examples: version + | release | machine_type | + | mantic | azure.generic | + | mantic | gcp.generic | - # Verify manual stop & disable persists across reboot - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - """ - Examples: version - | release | machine_type | - | xenial | gcp.generic | - | bionic | gcp.generic | - | focal | gcp.generic | - | jammy | gcp.generic | + @uses.config.contract_token + Scenario Outline: daemon does not start when not on gcpgeneric or azuregeneric + Given a `` `` machine with ubuntu-advantage-tools installed + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + \s*Condition: start condition failed.* + """ + When I attach `contract_token` with sudo + When I run `pro detach --assume-yes` with sudo + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + \s*Condition: start condition failed.* + """ - @uses.config.contract_token - Scenario Outline: daemon should run when appropriate on azure generic lts - Given a `` `` machine with ubuntu-advantage-tools installed - # verify its enabled, but stops itself when not configured to poll - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout contains substring: - """ - Configured to not poll for pro license, shutting down - """ - Then stdout contains substring: - """ - daemon ending - """ - When I run `systemctl is-enabled ubuntu-advantage.service` with sudo - Then stdout matches regexp: - """ - enabled - """ - Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` - Then stdout matches regexp: - """ - inactive - """ + Examples: version + | release | machine_type | + | xenial | lxd-container | + | xenial | lxd-vm | + | xenial | aws.generic | + | bionic | lxd-container | + | bionic | lxd-vm | + | bionic | aws.generic | + | focal | lxd-container | + | focal | lxd-vm | + | focal | aws.generic | + | jammy | lxd-container | + | jammy | lxd-vm | + | jammy | aws.generic | + | mantic | lxd-container | + | mantic | lxd-vm | + | mantic | aws.generic | - # verify it stays on when configured to do so - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { "poll_for_pro_license": true } - """ - When I run `systemctl restart ubuntu-advantage.service` with sudo - # give it time to get past the initial request - When I wait `5` seconds - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout contains substring: - """ - Cancelling polling - """ - Then stdout contains substring: - """ - daemon ending - """ - When I run `systemctl is-enabled ubuntu-advantage.service` with sudo - Then stdout matches regexp: - """ - enabled - """ - Then I verify that running `systemctl is-failed ubuntu-advantage.service` `with sudo` exits `1` - Then stdout matches regexp: - """ - inactive - """ - Examples: version - | release | machine_type | - | xenial | azure.generic | - | bionic | azure.generic | - | focal | azure.generic | - | jammy | azure.generic | + Scenario Outline: daemon does not start when not on gcpgeneric or azuregeneric + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I run `pro auto-attach` with sudo + When I run `systemctl restart ubuntu-advantage.service` with sudo + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + \s*Condition: start condition failed.* + """ + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + \s*Condition: start condition failed.* + """ - @uses.config.contract_token - Scenario Outline: daemon does not start on gcp,azure generic non lts - Given a `` `` machine with ubuntu-advantage-tools installed - When I wait `1` seconds - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout contains substring: - """ - daemon starting - """ - Then stdout contains substring: - """ - Not on LTS, shutting down - """ - Then stdout contains substring: - """ - daemon ending - """ - Examples: version - | release | machine_type | - | mantic | azure.generic | - | mantic | gcp.generic | + Examples: version + | release | machine_type | + | xenial | aws.pro | + | bionic | aws.pro | + | focal | aws.pro | - @uses.config.contract_token - Scenario Outline: daemon does not start when not on gcpgeneric or azuregeneric - Given a `` `` machine with ubuntu-advantage-tools installed - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - \s*Condition: start condition failed.* - """ - When I attach `contract_token` with sudo - When I run `pro detach --assume-yes` with sudo - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - \s*Condition: start condition failed.* - """ - Examples: version - | release | machine_type | - | xenial | lxd-container | - | xenial | lxd-vm | - | xenial | aws.generic | - | bionic | lxd-container | - | bionic | lxd-vm | - | bionic | aws.generic | - | focal | lxd-container | - | focal | lxd-vm | - | focal | aws.generic | - | jammy | lxd-container | - | jammy | lxd-vm | - | jammy | aws.generic | - | mantic | lxd-container | - | mantic | lxd-vm | - | mantic | aws.generic | + Scenario Outline: daemon does not start when not on gcpgeneric or azuregeneric + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I run `pro auto-attach` with sudo + When I run `journalctl --flush --rotate` with sudo + When I run `journalctl --vacuum-time=1s` with sudo + When I run `systemctl restart ubuntu-advantage.service` with sudo + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\).* + \s*Condition: start condition failed.* + .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met + """ + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout does not contain substring: + """ + daemon starting + """ + When I reboot the machine + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout matches regexp: + """ + Active: inactive \(dead\) + \s*Condition: start condition failed.* + .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met + """ + When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo + Then stdout does not contain substring: + """ + daemon starting + """ - Scenario Outline: daemon does not start when not on gcpgeneric or azuregeneric - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I run `pro auto-attach` with sudo - When I run `systemctl restart ubuntu-advantage.service` with sudo - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - \s*Condition: start condition failed.* - """ - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - \s*Condition: start condition failed.* - """ - Examples: version - | release | machine_type | - | xenial | aws.pro | - | bionic | aws.pro | - | focal | aws.pro | - - Scenario Outline: daemon does not start when not on gcpgeneric or azuregeneric - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I run `pro auto-attach` with sudo - When I run `journalctl --flush --rotate` with sudo - When I run `journalctl --vacuum-time=1s` with sudo - When I run `systemctl restart ubuntu-advantage.service` with sudo - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\).* - \s*Condition: start condition failed.* - .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met - """ - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout does not contain substring: - """ - daemon starting - """ - When I reboot the machine - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout matches regexp: - """ - Active: inactive \(dead\) - \s*Condition: start condition failed.* - .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met - """ - When I run `journalctl -o cat -u ubuntu-advantage.service` with sudo - Then stdout does not contain substring: - """ - daemon starting - """ - Examples: version - | release | machine_type | - | xenial | azure.pro | - | xenial | gcp.pro | - | bionic | azure.pro | - | bionic | gcp.pro | - | focal | azure.pro | - | focal | gcp.pro | + Examples: version + | release | machine_type | + | xenial | azure.pro | + | xenial | gcp.pro | + | bionic | azure.pro | + | bionic | gcp.pro | + | focal | azure.pro | + | focal | gcp.pro | diff --git a/features/detached_auto_attach.feature b/features/detached_auto_attach.feature index 56c47f02a0..0cbc02129f 100644 --- a/features/detached_auto_attach.feature +++ b/features/detached_auto_attach.feature @@ -1,32 +1,32 @@ @uses.config.contract_token Feature: Attached cloud does not detach when auto-attaching after manually attaching - Scenario Outline: No detaching on manually attached machine on all clouds - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro refresh` with sudo - Then I will see the following on stdout: - """ - Successfully processed your pro configuration. - Successfully refreshed your subscription. - Successfully updated Ubuntu Pro related APT and MOTD messages. - """ - When I verify that running `pro auto-attach` `with sudo` exits `2` - Then stderr matches regexp: - """ - This machine is already attached to '.+' - To use a different subscription first run: sudo pro detach. - """ - And I verify that `esm-infra` is enabled + Scenario Outline: No detaching on manually attached machine on all clouds + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro refresh` with sudo + Then I will see the following on stdout: + """ + Successfully processed your pro configuration. + Successfully refreshed your subscription. + Successfully updated Ubuntu Pro related APT and MOTD messages. + """ + When I verify that running `pro auto-attach` `with sudo` exits `2` + Then stderr matches regexp: + """ + This machine is already attached to '.+' + To use a different subscription first run: sudo pro detach. + """ + And I verify that `esm-infra` is enabled - Examples: ubuntu release - | release | machine_type | - | xenial | aws.generic | - | xenial | azure.generic | - | xenial | gcp.generic | - | bionic | aws.generic | - | bionic | azure.generic | - | bionic | gcp.generic | - | focal | aws.generic | - | focal | azure.generic | - | focal | gcp.generic | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.generic | + | xenial | azure.generic | + | xenial | gcp.generic | + | bionic | aws.generic | + | bionic | azure.generic | + | bionic | gcp.generic | + | focal | aws.generic | + | focal | azure.generic | + | focal | gcp.generic | diff --git a/features/docker.feature b/features/docker.feature index bb03ce3739..bb9a77a403 100644 --- a/features/docker.feature +++ b/features/docker.feature @@ -1,165 +1,159 @@ Feature: Build docker images with pro services - @slow - @uses.config.contract_token - Scenario Outline: Build docker images with pro services - Given a `` `` machine with ubuntu-advantage-tools installed - When I have the `` debs under test in `/home/ubuntu` - When I apt install `docker.io docker-buildx jq` - When I create the file `/home/ubuntu/Dockerfile` with the following: - """ - FROM ubuntu: - - COPY ./ubuntu-advantage-tools.deb /ua.deb - - RUN --mount=type=secret,id=ua-attach-config \ - apt-get update \ - && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ - - && ((dpkg -i /ua.deb || true)) \ - - && apt-get install -f \ - - && pro attach --attach-config /run/secrets/ua-attach-config \ - - # Normally an apt upgrade is recommended, but we dont do that here - # in order to measure the image size bloat from just the enablement - # process - # && apt-get upgrade -y \ - - && apt-get install -y \ - - # If you need ca-certificates, remove it from this line - && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \ - - && rm -rf /var/lib/apt/lists/* - """ - When I create the file `/home/ubuntu/ua-attach-config.yaml` with the following: - """ - token: - enable_services: - """ - When I replace `` in `/home/ubuntu/ua-attach-config.yaml` with token `contract_token` - - # Build succeeds - When I run shell command `DOCKER_BUILDKIT=1 docker build . --secret id=ua-attach-config,src=ua-attach-config.yaml -t ua-test` with sudo - - # Bloat is minimal (new size == original size + deb size + test package size) - Then docker image `ua-test` is not significantly larger than `ubuntu:` with `` installed - - # No secrets or artifacts leftover - Then `90ubuntu-advantage` is not present in any docker image layer - Then `machine-token.json` is not present in any docker image layer - Then `ubuntu-advantage.log` is not present in any docker image layer - Then `uaclient.conf` is not present in any docker image layer - - # Service successfully enabled (Correct version of package installed) - When I run `docker run ua-test dpkg-query --showformat='${Version}' --show ` with sudo - Then stdout matches regexp: - """ - - """ - - # Invalid attach config file causes build to fail - When I create the file `/home/ubuntu/ua-attach-config.yaml` with the following: - """ - token: - enable_services: { fips: true } - """ - When I replace `` in `/home/ubuntu/ua-attach-config.yaml` with token `contract_token` - Then I verify that running `DOCKER_BUILDKIT=1 docker build . --no-cache --secret id=ua-attach-config,src=ua-attach-config.yaml -t ua-test` `with sudo` exits `1` - - Examples: ubuntu release - | release | machine_type | container_release |enable_services | test_package_name | test_package_version | - | mantic | lxd-vm | xenial | [ esm-infra ] | curl | esm | - | mantic | lxd-vm | bionic | [ fips ] | openssl | fips | - | mantic | lxd-vm | focal | [ esm-apps ] | hello | esm | - - Scenario Outline: Build pro docker images auto-attached instances - settings_overrides method - Given a `` `` machine with ubuntu-advantage-tools installed - When I have the `` debs under test in `/home/ubuntu` - When I run `apt-get update` with sudo - When I apt install `docker.io docker-buildx` - When I create the file `/home/ubuntu/Dockerfile` with the following: - """ - FROM ubuntu: - ARG PRO_CLOUD_OVERRIDE= - - COPY ./ubuntu-advantage-tools.deb /ua.deb - - RUN --mount=type=secret,id=ua-attach-config \ - apt-get update \ - && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ - - && ((dpkg -i /ua.deb || true)) \ - - && apt-get install -f \ - - && echo "settings_overrides: { cloud_type: $PRO_CLOUD_OVERRIDE }" >> /etc/ubuntu-advantage/uaclient.conf \ - && pro api u.pro.attach.auto.full_auto_attach.v1 --data '{"enable": }' \ - - && apt-get install -y \ - - # If you need ca-certificates, remove it from this line - && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \ - - && rm -rf /var/lib/apt/lists/* - """ - # Build succeeds - When I run shell command `DOCKER_BUILDKIT=1 docker build . -t test --build-arg PRO_CLOUD_OVERRIDE= ` with sudo - - # Service successfully enabled (Correct version of package installed) - When I run `docker run test dpkg-query --showformat='${Version}' --show ` with sudo - Then stdout matches regexp: - """ - - """ - Examples: ubuntu release - | release | machine_type | cloud_override | container_release | enable_services | test_package_name | test_package_version | extra_build_args | - | jammy | aws.pro | aws | xenial | [ "esm-infra" ] | curl | esm | --network=host | - | jammy | azure.pro | azure | bionic | [ "fips" ] | openssl | fips | | - | jammy | gcp.pro | gce | focal | [ "esm-apps" ] | hello | esm | | - - Scenario Outline: Build pro docker images auto-attached instances - API arg method - Given a `` `` machine with ubuntu-advantage-tools installed - When I have the `` debs under test in `/home/ubuntu` - When I run `apt-get update` with sudo - When I apt install `docker.io docker-buildx` - When I create the file `/home/ubuntu/Dockerfile` with the following: - """ - FROM ubuntu: - ARG PRO_CLOUD_OVERRIDE= - - COPY ./ubuntu-advantage-tools.deb /ua.deb - - RUN --mount=type=secret,id=ua-attach-config \ - apt-get update \ - && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ - - && ((dpkg -i /ua.deb || true)) \ - - && apt-get install -f \ - - && pro --debug api u.pro.attach.auto.full_auto_attach.v1 --data "{\"cloud_override\": \"$PRO_CLOUD_OVERRIDE\", \"enable\": }" \ - - && apt-get install -y \ - - # If you need ca-certificates, remove it from this line - && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \ - - && rm -rf /var/lib/apt/lists/* - """ - # Build succeeds - When I run shell command `DOCKER_BUILDKIT=1 docker build . -t test --build-arg PRO_CLOUD_OVERRIDE= ` with sudo - - # Service successfully enabled (Correct version of package installed) - When I run `docker run test dpkg-query --showformat='${Version}' --show ` with sudo - Then stdout matches regexp: - """ - - """ - Examples: ubuntu release - | release | machine_type | cloud_override | container_release | enable_services | test_package_name | test_package_version | extra_build_args | - | jammy | aws.pro | aws | xenial | [ \"esm-infra\" ] | curl | esm | --network=host | - | jammy | azure.pro | azure | bionic | [ \"fips\" ] | openssl | fips | | - | jammy | gcp.pro | gce | focal | [ \"esm-apps\" ] | hello | esm | | + @slow @uses.config.contract_token + Scenario Outline: Build docker images with pro services + Given a `` `` machine with ubuntu-advantage-tools installed + When I have the `` debs under test in `/home/ubuntu` + When I apt install `docker.io docker-buildx jq` + When I create the file `/home/ubuntu/Dockerfile` with the following: + """ + FROM ubuntu: + + COPY ./ubuntu-advantage-tools.deb /ua.deb + + RUN --mount=type=secret,id=ua-attach-config \ + apt-get update \ + && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ + + && ((dpkg -i /ua.deb || true)) \ + + && apt-get install -f \ + + && pro attach --attach-config /run/secrets/ua-attach-config \ + + # Normally an apt upgrade is recommended, but we dont do that here + # in order to measure the image size bloat from just the enablement + # process + # && apt-get upgrade -y \ + + && apt-get install -y \ + + # If you need ca-certificates, remove it from this line + && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \ + + && rm -rf /var/lib/apt/lists/* + """ + When I create the file `/home/ubuntu/ua-attach-config.yaml` with the following: + """ + token: + enable_services: + """ + When I replace `` in `/home/ubuntu/ua-attach-config.yaml` with token `contract_token` + # Build succeeds + When I run shell command `DOCKER_BUILDKIT=1 docker build . --secret id=ua-attach-config,src=ua-attach-config.yaml -t ua-test` with sudo + # Bloat is minimal (new size == original size + deb size + test package size) + Then docker image `ua-test` is not significantly larger than `ubuntu:` with `` installed + # No secrets or artifacts leftover + Then `90ubuntu-advantage` is not present in any docker image layer + Then `machine-token.json` is not present in any docker image layer + Then `ubuntu-advantage.log` is not present in any docker image layer + Then `uaclient.conf` is not present in any docker image layer + # Service successfully enabled (Correct version of package installed) + When I run `docker run ua-test dpkg-query --showformat='${Version}' --show ` with sudo + Then stdout matches regexp: + """ + + """ + # Invalid attach config file causes build to fail + When I create the file `/home/ubuntu/ua-attach-config.yaml` with the following: + """ + token: + enable_services: { fips: true } + """ + When I replace `` in `/home/ubuntu/ua-attach-config.yaml` with token `contract_token` + Then I verify that running `DOCKER_BUILDKIT=1 docker build . --no-cache --secret id=ua-attach-config,src=ua-attach-config.yaml -t ua-test` `with sudo` exits `1` + + Examples: ubuntu release + | release | machine_type | container_release | enable_services | test_package_name | test_package_version | + | mantic | lxd-vm | xenial | [ esm-infra ] | curl | esm | + | mantic | lxd-vm | bionic | [ fips ] | openssl | fips | + | mantic | lxd-vm | focal | [ esm-apps ] | hello | esm | + + Scenario Outline: Build pro docker images auto-attached instances - settings_overrides method + Given a `` `` machine with ubuntu-advantage-tools installed + When I have the `` debs under test in `/home/ubuntu` + When I run `apt-get update` with sudo + When I apt install `docker.io docker-buildx` + When I create the file `/home/ubuntu/Dockerfile` with the following: + """ + FROM ubuntu: + ARG PRO_CLOUD_OVERRIDE= + + COPY ./ubuntu-advantage-tools.deb /ua.deb + + RUN --mount=type=secret,id=ua-attach-config \ + apt-get update \ + && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ + + && ((dpkg -i /ua.deb || true)) \ + + && apt-get install -f \ + + && echo "settings_overrides: { cloud_type: $PRO_CLOUD_OVERRIDE }" >> /etc/ubuntu-advantage/uaclient.conf \ + && pro api u.pro.attach.auto.full_auto_attach.v1 --data '{"enable": }' \ + + && apt-get install -y \ + + # If you need ca-certificates, remove it from this line + && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \ + + && rm -rf /var/lib/apt/lists/* + """ + # Build succeeds + When I run shell command `DOCKER_BUILDKIT=1 docker build . -t test --build-arg PRO_CLOUD_OVERRIDE= ` with sudo + # Service successfully enabled (Correct version of package installed) + When I run `docker run test dpkg-query --showformat='${Version}' --show ` with sudo + Then stdout matches regexp: + """ + + """ + + Examples: ubuntu release + | release | machine_type | cloud_override | container_release | enable_services | test_package_name | test_package_version | extra_build_args | + | jammy | aws.pro | aws | xenial | [ "esm-infra" ] | curl | esm | --network=host | + | jammy | azure.pro | azure | bionic | [ "fips" ] | openssl | fips | | + | jammy | gcp.pro | gce | focal | [ "esm-apps" ] | hello | esm | | + + Scenario Outline: Build pro docker images auto-attached instances - API arg method + Given a `` `` machine with ubuntu-advantage-tools installed + When I have the `` debs under test in `/home/ubuntu` + When I run `apt-get update` with sudo + When I apt install `docker.io docker-buildx` + When I create the file `/home/ubuntu/Dockerfile` with the following: + """ + FROM ubuntu: + ARG PRO_CLOUD_OVERRIDE= + + COPY ./ubuntu-advantage-tools.deb /ua.deb + + RUN --mount=type=secret,id=ua-attach-config \ + apt-get update \ + && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ + + && ((dpkg -i /ua.deb || true)) \ + + && apt-get install -f \ + + && pro --debug api u.pro.attach.auto.full_auto_attach.v1 --data "{\"cloud_override\": \"$PRO_CLOUD_OVERRIDE\", \"enable\": }" \ + + && apt-get install -y \ + + # If you need ca-certificates, remove it from this line + && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \ + + && rm -rf /var/lib/apt/lists/* + """ + # Build succeeds + When I run shell command `DOCKER_BUILDKIT=1 docker build . -t test --build-arg PRO_CLOUD_OVERRIDE= ` with sudo + # Service successfully enabled (Correct version of package installed) + When I run `docker run test dpkg-query --showformat='${Version}' --show ` with sudo + Then stdout matches regexp: + """ + + """ + + Examples: ubuntu release + | release | machine_type | cloud_override | container_release | enable_services | test_package_name | test_package_version | extra_build_args | + | jammy | aws.pro | aws | xenial | [ \\"esm-infra\\" ] | curl | esm | --network=host | + | jammy | azure.pro | azure | bionic | [ \\"fips\\" ] | openssl | fips | | + | jammy | gcp.pro | gce | focal | [ \\"esm-apps\\" ] | hello | esm | | diff --git a/features/enable_fips_cloud.feature b/features/enable_fips_cloud.feature index 050bd2b661..1b9a0941e2 100644 --- a/features/enable_fips_cloud.feature +++ b/features/enable_fips_cloud.feature @@ -1,289 +1,288 @@ @uses.config.contract_token Feature: FIPS enablement in cloud based machines - Scenario Outline: Attached enable of FIPS services in an ubuntu gcp vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that running `pro enable --assume-yes` `with sudo` exits `1` - And stdout matches regexp: - """ - Ubuntu does not provide a GCP optimized FIPS kernel - """ + Scenario Outline: Attached enable of FIPS services in an ubuntu gcp vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that running `pro enable --assume-yes` `with sudo` exits `1` + And stdout matches regexp: + """ + Ubuntu does not provide a GCP optimized FIPS kernel + """ - Examples: fips - | release | machine_type | release_title | fips_service | - | xenial | gcp.generic | Xenial | fips | - | xenial | gcp.generic | Xenial | fips-updates | + Examples: fips + | release | machine_type | release_title | fips_service | + | xenial | gcp.generic | Xenial | fips | + | xenial | gcp.generic | Xenial | fips-updates | - Scenario Outline: FIPS unholds packages - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `openssh-client openssh-server strongswan` - And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `openssh-server-hmac` is installed from apt source `` - And I verify that `openssh-client-hmac` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I run `pro disable fips --assume-yes` with sudo - And I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then I will see the following on stdout: - """ - openssh-client was already not hold. - openssh-server was already not hold. - strongswan was already not hold. - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `openssh-server-hmac` installed version matches regexp `fips` - And I verify that `openssh-client-hmac` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` + Scenario Outline: FIPS unholds packages + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `openssh-client openssh-server strongswan` + And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `openssh-server-hmac` is installed from apt source `` + And I verify that `openssh-client-hmac` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I run `pro disable fips --assume-yes` with sudo + And I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then I will see the following on stdout: + """ + openssh-client was already not hold. + openssh-server was already not hold. + strongswan was already not hold. + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `openssh-server-hmac` installed version matches regexp `fips` + And I verify that `openssh-client-hmac` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` - Examples: ubuntu release - | release | machine_type | fips-apt-source | - | xenial | aws.generic | https://esm.ubuntu.com/fips/ubuntu xenial/main | - | xenial | azure.generic | https://esm.ubuntu.com/fips/ubuntu xenial/main | + Examples: ubuntu release + | release | machine_type | fips-apt-source | + | xenial | aws.generic | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | xenial | azure.generic | https://esm.ubuntu.com/fips/ubuntu xenial/main | + Scenario Outline: FIPS unholds packages + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `openssh-client openssh-server strongswan` + And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `openssh-server-hmac` is installed from apt source `` + And I verify that `openssh-client-hmac` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I run `pro disable fips --assume-yes` with sudo + And I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then I will see the following on stdout: + """ + openssh-client was already not hold. + openssh-server was already not hold. + strongswan was already not hold. + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `openssh-server-hmac` installed version matches regexp `fips` + And I verify that `openssh-client-hmac` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` - Scenario Outline: FIPS unholds packages - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `openssh-client openssh-server strongswan` - And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `openssh-server-hmac` is installed from apt source `` - And I verify that `openssh-client-hmac` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I run `pro disable fips --assume-yes` with sudo - And I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then I will see the following on stdout: - """ - openssh-client was already not hold. - openssh-server was already not hold. - strongswan was already not hold. - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `openssh-server-hmac` installed version matches regexp `fips` - And I verify that `openssh-client-hmac` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` + Examples: ubuntu release + | release | machine_type | fips-apt-source | + | bionic | aws.generic | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | azure.generic | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | gcp.generic | https://esm.ubuntu.com/fips/ubuntu bionic/main | - Examples: ubuntu release - | release | machine_type | fips-apt-source | - | bionic | aws.generic | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | azure.generic | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | gcp.generic | https://esm.ubuntu.com/fips/ubuntu bionic/main | + Scenario Outline: FIPS unholds packages + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `openssh-client openssh-server strongswan` + And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I run `pro disable fips --assume-yes` with sudo + And I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then I will see the following on stdout: + """ + openssh-client was already not hold. + openssh-server was already not hold. + strongswan was already not hold. + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` - Scenario Outline: FIPS unholds packages - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `openssh-client openssh-server strongswan` - And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I run `pro disable fips --assume-yes` with sudo - And I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then I will see the following on stdout: - """ - openssh-client was already not hold. - openssh-server was already not hold. - strongswan was already not hold. - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` + Examples: ubuntu release + | release | machine_type | fips-apt-source | + | focal | aws.generic | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | azure.generic | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | gcp.generic | https://esm.ubuntu.com/fips/ubuntu focal/main | - Examples: ubuntu release - | release | machine_type | fips-apt-source | - | focal | aws.generic | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | azure.generic | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | gcp.generic | https://esm.ubuntu.com/fips/ubuntu focal/main | + @slow + Scenario Outline: Enable FIPS in a cloud VM + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro enable --assume-yes` with sudo + Then stdout contains substring: + """ + Updating package lists + Installing packages + Updating standard Ubuntu package lists + enabled + A reboot is required to complete install + """ + And I verify that `` is enabled + And I ensure apt update runs without errors + And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` + When I run `apt-cache policy ` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `pro disable --assume-yes` with sudo + Then stdout matches regexp: + """ + Updating package lists + """ + When I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + .*Installed: \(none\) + """ + When I reboot the machine + Then I verify that `` is disabled - @slow - Scenario Outline: Enable FIPS in a cloud VM - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro enable --assume-yes` with sudo - Then stdout contains substring: - """ - Updating package lists - Installing packages - Updating standard Ubuntu package lists - enabled - A reboot is required to complete install - """ - And I verify that `` is enabled - And I ensure apt update runs without errors - And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` - When I run `apt-cache policy ` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `pro disable --assume-yes` with sudo - Then stdout matches regexp: - """ - Updating package lists - """ - When I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - .*Installed: \(none\) - """ - When I reboot the machine - Then I verify that `` is disabled + Examples: ubuntu release + | release | machine_type | fips-name | fips-service | fips-package | fips-kernel | fips-apt-source | + | xenial | azure.generic | FIPS | fips | ubuntu-fips | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | xenial | azure.generic | FIPS Updates | fips-updates | ubuntu-fips | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | xenial | aws.generic | FIPS | fips | ubuntu-fips | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | bionic | azure.generic | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | azure.generic | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | aws.generic | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | aws.generic | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | gcp.generic | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | gcp.generic | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | focal | azure.generic | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | azure.generic | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | aws.generic | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | aws.generic | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | gcp.generic | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | gcp.generic | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - Examples: ubuntu release - | release | machine_type | fips-name | fips-service | fips-package | fips-kernel | fips-apt-source | - | xenial | azure.generic | FIPS | fips | ubuntu-fips | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | - | xenial | azure.generic | FIPS Updates | fips-updates | ubuntu-fips | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | - | xenial | aws.generic | FIPS | fips | ubuntu-fips | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | - | bionic | azure.generic | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | azure.generic | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | aws.generic | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | aws.generic | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | gcp.generic | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | gcp.generic | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | focal | azure.generic | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | azure.generic | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | aws.generic | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | aws.generic | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | gcp.generic | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | gcp.generic | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + @slow + Scenario Outline: Attached enable of FIPS in an ubuntu image with cloud-init disabled + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `touch /etc/cloud/cloud-init.disabled` with sudo + And I reboot the machine + And I verify that running `cloud-id` `with sudo` exits `1` + Then stderr matches regexp: + """ + File not found '/run/cloud-init/instance-data.json'. Provide a path to instance data json file using --instance-data + """ + When I attach `contract_token` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then stdout contains substring: + """ + Could not determine cloud, defaulting to generic FIPS package. + Updating FIPS package lists + Installing FIPS packages + Updating standard Ubuntu package lists + FIPS enabled + A reboot is required to complete install. + """ + When I run `apt-cache policy ubuntu-fips` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout does not match regexp: + """ + aws-fips + """ + And stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ - @slow - Scenario Outline: Attached enable of FIPS in an ubuntu image with cloud-init disabled - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `touch /etc/cloud/cloud-init.disabled` with sudo - And I reboot the machine - And I verify that running `cloud-id` `with sudo` exits `1` - Then stderr matches regexp: - """ - File not found '/run/cloud-init/instance-data.json'. Provide a path to instance data json file using --instance-data - """ - When I attach `contract_token` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then stdout contains substring: - """ - Could not determine cloud, defaulting to generic FIPS package. - Updating FIPS package lists - Installing FIPS packages - Updating standard Ubuntu package lists - FIPS enabled - A reboot is required to complete install. - """ - When I run `apt-cache policy ubuntu-fips` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout does not match regexp: - """ - aws-fips - """ - And stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ + Examples: ubuntu release + | release | machine_type | + | xenial | aws.generic | - Examples: ubuntu release - | release | machine_type | - | xenial | aws.generic | + @slow + Scenario Outline: Attached enable of FIPS in an ubuntu image with cloud-init disabled + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `touch /etc/cloud/cloud-init.disabled` with sudo + And I reboot the machine + And I verify that running `cloud-id` `with sudo` exits `2` + Then I will see the following on stdout: + """ + disabled + """ + When I attach `contract_token` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then stdout matches regexp: + """ + Could not determine cloud, defaulting to generic FIPS package. + Updating FIPS package lists + Installing FIPS packages + Updating standard Ubuntu package lists + FIPS enabled + A reboot is required to complete install. + """ + When I run `apt-cache policy ubuntu-fips` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout does not match regexp: + """ + aws-fips + """ + And stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ - @slow - Scenario Outline: Attached enable of FIPS in an ubuntu image with cloud-init disabled - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `touch /etc/cloud/cloud-init.disabled` with sudo - And I reboot the machine - And I verify that running `cloud-id` `with sudo` exits `2` - Then I will see the following on stdout: - """ - disabled - """ - When I attach `contract_token` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then stdout matches regexp: - """ - Could not determine cloud, defaulting to generic FIPS package. - Updating FIPS package lists - Installing FIPS packages - Updating standard Ubuntu package lists - FIPS enabled - A reboot is required to complete install. - """ - When I run `apt-cache policy ubuntu-fips` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout does not match regexp: - """ - aws-fips - """ - And stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ + Examples: ubuntu release + | release | machine_type | + | bionic | aws.generic | + | focal | aws.generic | - Examples: ubuntu release - | release | machine_type | - | bionic | aws.generic | - | focal | aws.generic | + Scenario Outline: Attached enable of FIPS in an ubuntu GCP vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I verify that running `pro enable fips-updates --assume-yes` `with sudo` exits `1` + Then stdout matches regexp: + """ + FIPS Updates is not available for Ubuntu 22.04 LTS \(Jammy Jellyfish\) + """ + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + fips-updates +yes +n/a + """ - Scenario Outline: Attached enable of FIPS in an ubuntu GCP vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I verify that running `pro enable fips-updates --assume-yes` `with sudo` exits `1` - Then stdout matches regexp: - """ - FIPS Updates is not available for Ubuntu 22.04 LTS \(Jammy Jellyfish\) - """ - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - fips-updates +yes +n/a - """ - - Examples: ubuntu release - | release | machine_type | - | jammy | aws.generic | - | jammy | azure.generic | + Examples: ubuntu release + | release | machine_type | + | jammy | aws.generic | + | jammy | azure.generic | diff --git a/features/enable_fips_container.feature b/features/enable_fips_container.feature index 62523cacef..c1b78a0085 100644 --- a/features/enable_fips_container.feature +++ b/features/enable_fips_container.feature @@ -1,116 +1,116 @@ @uses.config.contract_token Feature: FIPS enablement in lxd containers - Scenario Outline: Attached enable of FIPS in an ubuntu lxd container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `openssh-client openssh-server strongswan openssl libgcrypt20` - And I run `pro enable fips` `with sudo` and stdin `y\ny` - Then stdout matches regexp: - """ - Warning: Enabling in a container. - This will install the FIPS packages but not the kernel. - This container must run on a host with enabled to be - compliant. - Warning: This action can take some time and cannot be undone. - """ - And stdout contains substring: - """ - Installing packages - enabled - A reboot is required to complete install. - Please run `apt upgrade` to ensure all FIPS packages are updated to the correct - version. - """ - And I verify that `fips` is enabled - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - FIPS support requires system reboot to complete configuration - """ - And I ensure apt update runs without errors - And I verify that `openssh-server` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `openssh-client` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `strongswan` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `strongswan-hmac` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `openssl` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `-hmac` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - And I verify that `` are installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` - When I reboot the machine - When I run `pro status --all` with sudo - Then stdout does not match regexp: - """ - FIPS support requires system reboot to complete configuration - """ - When I run `pro disable fips` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will disable the entitlement but the packages will remain installed. - """ - And stdout matches regexp: - """ - Updating package lists - """ - And stdout does not match regexp: - """ - A reboot is required to complete disable operation - """ - And I verify that `fips` is disabled - When I run `pro status --all` with sudo - Then stdout does not match regexp: - """ - Disabling requires system reboot to complete operation - """ - When I run `apt-cache policy ubuntu-fips` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` - And I verify that `openssl` installed version matches regexp `fips` - And I verify that `` installed version matches regexp `fips` - And I verify that `-hmac` installed version matches regexp `fips` - And I verify that packages `` installed versions match regexp `fips` + Scenario Outline: Attached enable of FIPS in an ubuntu lxd container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `openssh-client openssh-server strongswan openssl libgcrypt20` + And I run `pro enable fips` `with sudo` and stdin `y\ny` + Then stdout matches regexp: + """ + Warning: Enabling in a container. + This will install the FIPS packages but not the kernel. + This container must run on a host with enabled to be + compliant. + Warning: This action can take some time and cannot be undone. + """ + And stdout contains substring: + """ + Installing packages + enabled + A reboot is required to complete install. + Please run `apt upgrade` to ensure all FIPS packages are updated to the correct + version. + """ + And I verify that `fips` is enabled + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + FIPS support requires system reboot to complete configuration + """ + And I ensure apt update runs without errors + And I verify that `openssh-server` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `openssh-client` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `strongswan` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `strongswan-hmac` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `openssl` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `-hmac` is installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + And I verify that `` are installed from apt source `https://esm.ubuntu.com/fips/ubuntu /main` + When I reboot the machine + When I run `pro status --all` with sudo + Then stdout does not match regexp: + """ + FIPS support requires system reboot to complete configuration + """ + When I run `pro disable fips` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will disable the entitlement but the packages will remain installed. + """ + And stdout matches regexp: + """ + Updating package lists + """ + And stdout does not match regexp: + """ + A reboot is required to complete disable operation + """ + And I verify that `fips` is disabled + When I run `pro status --all` with sudo + Then stdout does not match regexp: + """ + Disabling requires system reboot to complete operation + """ + When I run `apt-cache policy ubuntu-fips` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` + And I verify that `openssl` installed version matches regexp `fips` + And I verify that `` installed version matches regexp `fips` + And I verify that `-hmac` installed version matches regexp `fips` + And I verify that packages `` installed versions match regexp `fips` - Examples: ubuntu release - | release | machine_type | fips-name | updates | libssl | additional-fips-packages | - | xenial | lxd-container | FIPS | | libssl1.0.0 | openssh-server-hmac openssh-client-hmac | - | xenial | lxd-container | FIPS Updates | -updates | libssl1.0.0 | openssh-server-hmac openssh-client-hmac | - | bionic | lxd-container | FIPS | | libssl1.1 | openssh-server-hmac openssh-client-hmac libgcrypt20 libgcrypt20-hmac | - | bionic | lxd-container | FIPS Updates | -updates | libssl1.1 | openssh-server-hmac openssh-client-hmac libgcrypt20 libgcrypt20-hmac | - | focal | lxd-container | FIPS | | libssl1.1 | libgcrypt20 libgcrypt20-hmac | - | focal | lxd-container | FIPS Updates | -updates | libssl1.1 | libgcrypt20 libgcrypt20-hmac | + Examples: ubuntu release + | release | machine_type | fips-name | updates | libssl | additional-fips-packages | + | xenial | lxd-container | FIPS | | libssl1.0.0 | openssh-server-hmac openssh-client-hmac | + | xenial | lxd-container | FIPS Updates | -updates | libssl1.0.0 | openssh-server-hmac openssh-client-hmac | + | bionic | lxd-container | FIPS | | libssl1.1 | openssh-server-hmac openssh-client-hmac libgcrypt20 libgcrypt20-hmac | + | bionic | lxd-container | FIPS Updates | -updates | libssl1.1 | openssh-server-hmac openssh-client-hmac libgcrypt20 libgcrypt20-hmac | + | focal | lxd-container | FIPS | | libssl1.1 | libgcrypt20 libgcrypt20-hmac | + | focal | lxd-container | FIPS Updates | -updates | libssl1.1 | libgcrypt20 libgcrypt20-hmac | - Scenario Outline: Try to enable FIPS after FIPS Updates in a lxd container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `fips-updates` is disabled - And I verify that `fips` is disabled - When I run `pro enable fips-updates --assume-yes` with sudo - Then I verify that `fips-updates` is enabled - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - fips +yes +n/a - """ - When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` - Then stdout matches regexp: - """ - Cannot enable FIPS when FIPS Updates is enabled. - """ - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - fips +yes +n/a - """ - And I verify that `fips-updates` is enabled + Scenario Outline: Try to enable FIPS after FIPS Updates in a lxd container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `fips-updates` is disabled + And I verify that `fips` is disabled + When I run `pro enable fips-updates --assume-yes` with sudo + Then I verify that `fips-updates` is enabled + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + fips +yes +n/a + """ + When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` + Then stdout matches regexp: + """ + Cannot enable FIPS when FIPS Updates is enabled. + """ + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + fips +yes +n/a + """ + And I verify that `fips-updates` is enabled - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | diff --git a/features/enable_fips_pro.feature b/features/enable_fips_pro.feature index a3b47ab79d..82ac9629a9 100644 --- a/features/enable_fips_pro.feature +++ b/features/enable_fips_pro.feature @@ -1,60 +1,60 @@ Feature: FIPS enablement in PRO cloud based machines - @slow - Scenario Outline: Attached enable of FIPS in an ubuntu Aws PRO vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - Then I verify that `fips` is disabled - And I verify that `fips-updates` is disabled - When I run `pro enable --assume-yes` with sudo - Then stdout matches regexp: - """ - Updating package lists - Installing packages - This will downgrade the kernel from .+ to .+\. - Warning: Downgrading the kernel may cause hardware failures. Please ensure the - hardware is compatible with the new kernel version before proceeding. + @slow + Scenario Outline: Attached enable of FIPS in an ubuntu Aws PRO vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + Then I verify that `fips` is disabled + And I verify that `fips-updates` is disabled + When I run `pro enable --assume-yes` with sudo + Then stdout matches regexp: + """ + Updating package lists + Installing packages + This will downgrade the kernel from .+ to .+\. + Warning: Downgrading the kernel may cause hardware failures. Please ensure the + hardware is compatible with the new kernel version before proceeding. - Updating standard Ubuntu package lists(\n.*)? - enabled - A reboot is required to complete install - """ - And I verify that `` is enabled - And I ensure apt update runs without errors - And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` - When I run `apt-cache policy ` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ + Updating standard Ubuntu package lists(\n.*)? + enabled + A reboot is required to complete install + """ + And I verify that `` is enabled + And I ensure apt update runs without errors + And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` + When I run `apt-cache policy ` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ - Examples: ubuntu release - | release | machine_type | fips-name | fips-service | package-name | kernel-name | fips-apt-source | - | bionic | aws.pro | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | aws.pro | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | azure.pro | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | azure.pro | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | gcp.pro | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | gcp.pro | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | focal | aws.pro | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | aws.pro | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | azure.pro | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | azure.pro | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | gcp.pro | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | gcp.pro | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + Examples: ubuntu release + | release | machine_type | fips-name | fips-service | package-name | kernel-name | fips-apt-source | + | bionic | aws.pro | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | aws.pro | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | azure.pro | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | azure.pro | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | gcp.pro | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | gcp.pro | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | focal | aws.pro | FIPS | fips | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | aws.pro | FIPS Updates | fips-updates | ubuntu-aws-fips | aws-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | azure.pro | FIPS | fips | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | azure.pro | FIPS Updates | fips-updates | ubuntu-azure-fips | azure-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | gcp.pro | FIPS | fips | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | gcp.pro | FIPS Updates | fips-updates | ubuntu-gcp-fips | gcp-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | diff --git a/features/enable_fips_vm.feature b/features/enable_fips_vm.feature index 2ad4c18424..be1ef13554 100644 --- a/features/enable_fips_vm.feature +++ b/features/enable_fips_vm.feature @@ -1,493 +1,493 @@ @uses.config.contract_token Feature: FIPS enablement in lxd VMs - @slow - Scenario Outline: Attached enable of FIPS in an ubuntu lxd vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I run `pro status --format json` with sudo - Then stdout contains substring - """ - {"available": "yes", "blocked_by": [{"name": "livepatch", "reason": "Livepatch cannot be enabled while running the official FIPS certified kernel. If you would like a FIPS compliant kernel with additional bug fixes and security updates, you can use the FIPS Updates service with Livepatch.", "reason_code": "livepatch-invalidates-fips"}], "description": "NIST-certified FIPS crypto packages", "description_override": null, "entitled": "yes", "name": "fips", "status": "disabled", "status_details": "FIPS is not configured", "warning": null} - """ - When I run `pro disable livepatch` with sudo - And I apt install `openssh-client openssh-server strongswan` - And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo - And I run `pro enable ` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will install the FIPS packages. The Livepatch service will be unavailable. - Warning: This action can take some time and cannot be undone. - """ - And stdout contains substring: - """ - Updating package lists - Installing packages - Updating standard Ubuntu package lists - enabled - A reboot is required to complete install. - """ - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - FIPS support requires system reboot to complete configuration - """ - And I ensure apt update runs without errors - And I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `openssh-server-hmac` is installed from apt source `` - And I verify that `openssh-client-hmac` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I run `pro status --format json --all` with sudo - Then stdout contains substring: - """ - {"available": "no", "blocked_by": [{"name": "fips", "reason": "Livepatch cannot be enabled while running the official FIPS certified kernel. If you would like a FIPS compliant kernel with additional bug fixes and security updates, you can use the FIPS Updates service with Livepatch.", "reason_code": "livepatch-invalidates-fips"}], "description": "Canonical Livepatch service", "description_override": null, "entitled": "yes", "name": "livepatch", "status": "n/a", "status_details": "Cannot enable Livepatch when FIPS is enabled.", "warning": null} - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `pro status --all` with sudo - Then stdout does not match regexp: - """ - FIPS support requires system reboot to complete configuration - """ - When I run `pro disable ` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will disable the FIPS entitlement but the FIPS packages will remain installed. - """ - And stdout matches regexp: - """ - Updating package lists - A reboot is required to complete disable operation - """ - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - Disabling FIPS requires system reboot to complete operation - """ - When I run `apt-cache policy ubuntu-fips` as non-root - Then stdout matches regexp: - """ - .*Installed: \(none\) - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `openssh-server-hmac` installed version matches regexp `fips` - And I verify that `openssh-client-hmac` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` - When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then I will see the following on stdout: - """ - openssh-client was already not hold. - openssh-server was already not hold. - strongswan was already not hold. - """ - And I verify that `` is disabled - When I run `pro status --all` with sudo - Then stdout does not match regexp: - """ - Disabling FIPS requires system reboot to complete operation - """ - When I run `pro enable --assume-yes --format json --assume-yes` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} - """ - When I reboot the machine - And I run `pro disable --assume-yes --format json` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} - """ - And I verify that `` is disabled + @slow + Scenario Outline: Attached enable of FIPS in an ubuntu lxd vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I run `pro status --format json` with sudo + Then stdout contains substring + """ + {"available": "yes", "blocked_by": [{"name": "livepatch", "reason": "Livepatch cannot be enabled while running the official FIPS certified kernel. If you would like a FIPS compliant kernel with additional bug fixes and security updates, you can use the FIPS Updates service with Livepatch.", "reason_code": "livepatch-invalidates-fips"}], "description": "NIST-certified FIPS crypto packages", "description_override": null, "entitled": "yes", "name": "fips", "status": "disabled", "status_details": "FIPS is not configured", "warning": null} + """ + When I run `pro disable livepatch` with sudo + And I apt install `openssh-client openssh-server strongswan` + And I run `apt-mark hold openssh-client openssh-server strongswan` with sudo + And I run `pro enable ` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will install the FIPS packages. The Livepatch service will be unavailable. + Warning: This action can take some time and cannot be undone. + """ + And stdout contains substring: + """ + Updating package lists + Installing packages + Updating standard Ubuntu package lists + enabled + A reboot is required to complete install. + """ + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + FIPS support requires system reboot to complete configuration + """ + And I ensure apt update runs without errors + And I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `openssh-server-hmac` is installed from apt source `` + And I verify that `openssh-client-hmac` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I run `pro status --format json --all` with sudo + Then stdout contains substring: + """ + {"available": "no", "blocked_by": [{"name": "fips", "reason": "Livepatch cannot be enabled while running the official FIPS certified kernel. If you would like a FIPS compliant kernel with additional bug fixes and security updates, you can use the FIPS Updates service with Livepatch.", "reason_code": "livepatch-invalidates-fips"}], "description": "Canonical Livepatch service", "description_override": null, "entitled": "yes", "name": "livepatch", "status": "n/a", "status_details": "Cannot enable Livepatch when FIPS is enabled.", "warning": null} + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `pro status --all` with sudo + Then stdout does not match regexp: + """ + FIPS support requires system reboot to complete configuration + """ + When I run `pro disable ` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will disable the FIPS entitlement but the FIPS packages will remain installed. + """ + And stdout matches regexp: + """ + Updating package lists + A reboot is required to complete disable operation + """ + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + Disabling FIPS requires system reboot to complete operation + """ + When I run `apt-cache policy ubuntu-fips` as non-root + Then stdout matches regexp: + """ + .*Installed: \(none\) + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `openssh-server-hmac` installed version matches regexp `fips` + And I verify that `openssh-client-hmac` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` + When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then I will see the following on stdout: + """ + openssh-client was already not hold. + openssh-server was already not hold. + strongswan was already not hold. + """ + And I verify that `` is disabled + When I run `pro status --all` with sudo + Then stdout does not match regexp: + """ + Disabling FIPS requires system reboot to complete operation + """ + When I run `pro enable --assume-yes --format json --assume-yes` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} + """ + When I reboot the machine + And I run `pro disable --assume-yes --format json` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} + """ + And I verify that `` is disabled - Examples: ubuntu release - | release | machine_type | fips-name | fips-service |fips-apt-source | - | xenial | lxd-vm | FIPS | fips |https://esm.ubuntu.com/fips/ubuntu xenial/main | - | bionic | lxd-vm | FIPS | fips |https://esm.ubuntu.com/fips/ubuntu bionic/main | + Examples: ubuntu release + | release | machine_type | fips-name | fips-service | fips-apt-source | + | xenial | lxd-vm | FIPS | fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | bionic | lxd-vm | FIPS | fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - @slow - Scenario Outline: Attached enable of FIPS-updates in an ubuntu lxd vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro disable livepatch` with sudo - And I apt install `openssh-client openssh-server strongswan` - When I run `pro enable ` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will install the FIPS packages including security updates. - Warning: This action can take some time and cannot be undone. - """ - And stdout contains substring: - """ - Updating package lists - Installing packages - Updating standard Ubuntu package lists - enabled - A reboot is required to complete install. - """ - And I verify that `` is enabled - And I ensure apt update runs without errors - And I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `openssh-server-hmac` is installed from apt source `` - And I verify that `openssh-client-hmac` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I run `pro status --all --format json` with sudo - Then stdout contains substring: - """ - {"available": "no", "blocked_by": [{"name": "fips-updates", "reason": "FIPS cannot be enabled if FIPS Updates has ever been enabled because FIPS Updates installs security patches that aren't officially certified.", "reason_code": "fips-updates-invalidates-fips"}], "description": "NIST-certified FIPS crypto packages", "description_override": null, "entitled": "yes", "name": "fips", "status": "n/a", "status_details": "Cannot enable FIPS when FIPS Updates is enabled.", "warning": null} - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `pro disable ` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will disable the FIPS Updates entitlement but the FIPS Updates packages will remain installed. - """ - And stdout matches regexp: - """ - Updating package lists - A reboot is required to complete disable operation - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `openssh-server-hmac` installed version matches regexp `fips` - And I verify that `openssh-client-hmac` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` - When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then I will see the following on stdout: - """ - openssh-client was already not hold. - openssh-server was already not hold. - strongswan was already not hold. - """ - And I verify that `` is disabled - When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` - Then stdout matches regexp: - """ - Cannot enable FIPS because FIPS Updates was once enabled. - """ - And I verify that files exist matching `/var/lib/ubuntu-advantage/services-once-enabled` - When I run `pro enable --assume-yes` with sudo - And I reboot the machine - Then I verify that `` is enabled - And I verify that `livepatch` is disabled - When I run `pro enable livepatch --assume-yes` with sudo - Then I verify that `` is enabled - And I verify that `livepatch` is enabled - When I run `pro status --all --format json` with sudo - Then stdout contains substring: - """ - {"available": "no", "blocked_by": [{"name": "livepatch", "reason": "Livepatch cannot be enabled while running the official FIPS certified kernel. If you would like a FIPS compliant kernel with additional bug fixes and security updates, you can use the FIPS Updates service with Livepatch.", "reason_code": "livepatch-invalidates-fips"}, {"name": "fips-updates", "reason": "FIPS cannot be enabled if FIPS Updates has ever been enabled because FIPS Updates installs security patches that aren't officially certified.", "reason_code": "fips-updates-invalidates-fips"}], "description": "NIST-certified FIPS crypto packages", "description_override": null, "entitled": "yes", "name": "fips", "status": "n/a", "status_details": "Cannot enable FIPS when FIPS Updates is enabled.", "warning": null} - """ - When I run `pro disable --assume-yes` with sudo - And I run `pro enable --assume-yes --format json --assume-yes` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} - """ - When I reboot the machine - And I run `pro disable --assume-yes --format json` with sudo - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} - """ - And I verify that `` is disabled + @slow + Scenario Outline: Attached enable of FIPS-updates in an ubuntu lxd vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro disable livepatch` with sudo + And I apt install `openssh-client openssh-server strongswan` + When I run `pro enable ` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will install the FIPS packages including security updates. + Warning: This action can take some time and cannot be undone. + """ + And stdout contains substring: + """ + Updating package lists + Installing packages + Updating standard Ubuntu package lists + enabled + A reboot is required to complete install. + """ + And I verify that `` is enabled + And I ensure apt update runs without errors + And I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `openssh-server-hmac` is installed from apt source `` + And I verify that `openssh-client-hmac` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I run `pro status --all --format json` with sudo + Then stdout contains substring: + """ + {"available": "no", "blocked_by": [{"name": "fips-updates", "reason": "FIPS cannot be enabled if FIPS Updates has ever been enabled because FIPS Updates installs security patches that aren't officially certified.", "reason_code": "fips-updates-invalidates-fips"}], "description": "NIST-certified FIPS crypto packages", "description_override": null, "entitled": "yes", "name": "fips", "status": "n/a", "status_details": "Cannot enable FIPS when FIPS Updates is enabled.", "warning": null} + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `pro disable ` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will disable the FIPS Updates entitlement but the FIPS Updates packages will remain installed. + """ + And stdout matches regexp: + """ + Updating package lists + A reboot is required to complete disable operation + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `openssh-server-hmac` installed version matches regexp `fips` + And I verify that `openssh-client-hmac` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` + When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then I will see the following on stdout: + """ + openssh-client was already not hold. + openssh-server was already not hold. + strongswan was already not hold. + """ + And I verify that `` is disabled + When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` + Then stdout matches regexp: + """ + Cannot enable FIPS because FIPS Updates was once enabled. + """ + And I verify that files exist matching `/var/lib/ubuntu-advantage/services-once-enabled` + When I run `pro enable --assume-yes` with sudo + And I reboot the machine + Then I verify that `` is enabled + And I verify that `livepatch` is disabled + When I run `pro enable livepatch --assume-yes` with sudo + Then I verify that `` is enabled + And I verify that `livepatch` is enabled + When I run `pro status --all --format json` with sudo + Then stdout contains substring: + """ + {"available": "no", "blocked_by": [{"name": "livepatch", "reason": "Livepatch cannot be enabled while running the official FIPS certified kernel. If you would like a FIPS compliant kernel with additional bug fixes and security updates, you can use the FIPS Updates service with Livepatch.", "reason_code": "livepatch-invalidates-fips"}, {"name": "fips-updates", "reason": "FIPS cannot be enabled if FIPS Updates has ever been enabled because FIPS Updates installs security patches that aren't officially certified.", "reason_code": "fips-updates-invalidates-fips"}], "description": "NIST-certified FIPS crypto packages", "description_override": null, "entitled": "yes", "name": "fips", "status": "n/a", "status_details": "Cannot enable FIPS when FIPS Updates is enabled.", "warning": null} + """ + When I run `pro disable --assume-yes` with sudo + And I run `pro enable --assume-yes --format json --assume-yes` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} + """ + When I reboot the machine + And I run `pro disable --assume-yes --format json` with sudo + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": true, "processed_services": [""], "result": "success", "warnings": []} + """ + And I verify that `` is disabled - Examples: ubuntu release - | release | machine_type | fips-name | fips-service |fips-apt-source | - | xenial | lxd-vm | FIPS Updates | fips-updates |https://esm.ubuntu.com/fips-updates/ubuntu xenial-updates/main | - | bionic | lxd-vm | FIPS Updates | fips-updates |https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | + Examples: ubuntu release + | release | machine_type | fips-name | fips-service | fips-apt-source | + | xenial | lxd-vm | FIPS Updates | fips-updates | https://esm.ubuntu.com/fips-updates/ubuntu xenial-updates/main | + | bionic | lxd-vm | FIPS Updates | fips-updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | - @slow - Scenario Outline: Attached enable FIPS-updates while livepatch is enabled - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `fips-updates` is disabled - And I verify that `livepatch` is enabled - When I run `pro enable fips-updates --assume-yes` with sudo - Then stdout contains substring: - """ - Updating FIPS Updates package lists - Installing FIPS Updates packages - Updating standard Ubuntu package lists - FIPS Updates enabled - A reboot is required to complete install. - """ - And I verify that `fips-updates` is enabled - And I verify that `livepatch` is enabled - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - And I verify that `fips-updates` is enabled - And I verify that `livepatch` is enabled + @slow + Scenario Outline: Attached enable FIPS-updates while livepatch is enabled + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `fips-updates` is disabled + And I verify that `livepatch` is enabled + When I run `pro enable fips-updates --assume-yes` with sudo + Then stdout contains substring: + """ + Updating FIPS Updates package lists + Installing FIPS Updates packages + Updating standard Ubuntu package lists + FIPS Updates enabled + A reboot is required to complete install. + """ + And I verify that `fips-updates` is enabled + And I verify that `livepatch` is enabled + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + And I verify that `fips-updates` is enabled + And I verify that `livepatch` is enabled - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | - @slow - Scenario Outline: Attached enable of FIPS in an ubuntu lxd vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `openssh-client openssh-server strongswan` - When I run `pro enable --assume-yes` with sudo - Then stdout contains substring: - """ - Updating package lists - Installing packages - Updating standard Ubuntu package lists - enabled - A reboot is required to complete install. - """ - And I verify that `` is enabled - And I ensure apt update runs without errors - And I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `pro disable --assume-yes` with sudo - Then stdout matches regexp: - """ - Updating package lists - A reboot is required to complete disable operation - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `fips` - And I verify that `openssh-client` installed version matches regexp `fips` - And I verify that `strongswan` installed version matches regexp `fips` - And I verify that `strongswan-hmac` installed version matches regexp `fips` - When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then I will see the following on stdout: - """ - openssh-client was already not hold. - openssh-server was already not hold. - strongswan was already not hold. - """ - And I verify that `` is disabled + @slow + Scenario Outline: Attached enable of FIPS in an ubuntu lxd vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `openssh-client openssh-server strongswan` + When I run `pro enable --assume-yes` with sudo + Then stdout contains substring: + """ + Updating package lists + Installing packages + Updating standard Ubuntu package lists + enabled + A reboot is required to complete install. + """ + And I verify that `` is enabled + And I ensure apt update runs without errors + And I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `pro disable --assume-yes` with sudo + Then stdout matches regexp: + """ + Updating package lists + A reboot is required to complete disable operation + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `fips` + And I verify that `openssh-client` installed version matches regexp `fips` + And I verify that `strongswan` installed version matches regexp `fips` + And I verify that `strongswan-hmac` installed version matches regexp `fips` + When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then I will see the following on stdout: + """ + openssh-client was already not hold. + openssh-server was already not hold. + strongswan was already not hold. + """ + And I verify that `` is disabled - Examples: ubuntu release - | release | machine_type | fips-name | fips-service |fips-apt-source | - | focal | lxd-vm | FIPS | fips |https://esm.ubuntu.com/fips/ubuntu focal/main | + Examples: ubuntu release + | release | machine_type | fips-name | fips-service | fips-apt-source | + | focal | lxd-vm | FIPS | fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - @slow - Scenario Outline: Attached enable of FIPS-updates in an ubuntu lxd vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `openssh-client openssh-server strongswan` - When I run `pro enable --assume-yes` with sudo - Then stdout contains substring: - """ - Updating package lists - Installing packages - Updating standard Ubuntu package lists - enabled - A reboot is required to complete install. - """ - And I verify that `` is enabled - And I ensure apt update runs without errors - And I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `pro disable --assume-yes` with sudo - Then stdout matches regexp: - """ - Updating package lists - A reboot is required to complete disable operation - """ - When I reboot the machine - Then I verify that `openssh-server` installed version matches regexp `` - And I verify that `openssh-client` installed version matches regexp `` - And I verify that `strongswan` installed version matches regexp `` - And I verify that `strongswan-hmac` installed version matches regexp `` - When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo - Then stdout matches regexp: - """ - openssh-client was already (not|not on) hold. - openssh-server was already (not|not on) hold. - strongswan was already (not|not on) hold. - """ - And I verify that `` is disabled - When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` - Then stdout matches regexp: - """ - Cannot enable FIPS because FIPS Updates was once enabled. - """ - And I verify that files exist matching `/var/lib/ubuntu-advantage/services-once-enabled` + @slow + Scenario Outline: Attached enable of FIPS-updates in an ubuntu lxd vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `openssh-client openssh-server strongswan` + When I run `pro enable --assume-yes` with sudo + Then stdout contains substring: + """ + Updating package lists + Installing packages + Updating standard Ubuntu package lists + enabled + A reboot is required to complete install. + """ + And I verify that `` is enabled + And I ensure apt update runs without errors + And I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `pro disable --assume-yes` with sudo + Then stdout matches regexp: + """ + Updating package lists + A reboot is required to complete disable operation + """ + When I reboot the machine + Then I verify that `openssh-server` installed version matches regexp `` + And I verify that `openssh-client` installed version matches regexp `` + And I verify that `strongswan` installed version matches regexp `` + And I verify that `strongswan-hmac` installed version matches regexp `` + When I run `apt-mark unhold openssh-client openssh-server strongswan` with sudo + Then stdout matches regexp: + """ + openssh-client was already (not|not on) hold. + openssh-server was already (not|not on) hold. + strongswan was already (not|not on) hold. + """ + And I verify that `` is disabled + When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1` + Then stdout matches regexp: + """ + Cannot enable FIPS because FIPS Updates was once enabled. + """ + And I verify that files exist matching `/var/lib/ubuntu-advantage/services-once-enabled` - Examples: ubuntu release - | release | machine_type | fips-name | fips-service | fips-package-str | fips-apt-source | - | focal | lxd-vm | FIPS Updates | fips-updates | fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | - | jammy | lxd-vm | FIPS Updates | fips-updates | Fips | https://esm.ubuntu.com/fips-updates/ubuntu jammy-updates/main | + Examples: ubuntu release + | release | machine_type | fips-name | fips-service | fips-package-str | fips-apt-source | + | focal | lxd-vm | FIPS Updates | fips-updates | fips | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | + | jammy | lxd-vm | FIPS Updates | fips-updates | Fips | https://esm.ubuntu.com/fips-updates/ubuntu jammy-updates/main | - @slow - Scenario Outline: Attached enable fips-updates on fips enabled vm - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then stdout contains substring: - """ - Updating FIPS package lists - Installing FIPS packages - Updating standard Ubuntu package lists - FIPS enabled - A reboot is required to complete install. - """ - And I verify that `fips` is enabled - And I verify that `livepatch` is disabled - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I verify that running `pro enable fips-updates --assume-yes` `with sudo` exits `0` - Then stdout contains substring: - """ - One moment, checking your subscription first - Disabling incompatible service: FIPS - Updating FIPS Updates package lists - Installing FIPS Updates packages - Updating standard Ubuntu package lists - FIPS Updates enabled - A reboot is required to complete install. - """ - And I verify that `fips-updates` is enabled - And I verify that `fips` is disabled - When I reboot the machine - And I run `pro enable livepatch` with sudo - Then I verify that `fips-updates` is enabled - And I verify that `fips` is disabled - And I verify that `livepatch` is enabled - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - fips +yes +n/a - """ - When I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ + @slow + Scenario Outline: Attached enable fips-updates on fips enabled vm + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then stdout contains substring: + """ + Updating FIPS package lists + Installing FIPS packages + Updating standard Ubuntu package lists + FIPS enabled + A reboot is required to complete install. + """ + And I verify that `fips` is enabled + And I verify that `livepatch` is disabled + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I verify that running `pro enable fips-updates --assume-yes` `with sudo` exits `0` + Then stdout contains substring: + """ + One moment, checking your subscription first + Disabling incompatible service: FIPS + Updating FIPS Updates package lists + Installing FIPS Updates packages + Updating standard Ubuntu package lists + FIPS Updates enabled + A reboot is required to complete install. + """ + And I verify that `fips-updates` is enabled + And I verify that `fips` is disabled + When I reboot the machine + And I run `pro enable livepatch` with sudo + Then I verify that `fips-updates` is enabled + And I verify that `fips` is disabled + And I verify that `livepatch` is enabled + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + fips +yes +n/a + """ + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | - | focal | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | + | focal | lxd-vm | - @slow - Scenario Outline: FIPS enablement message when cloud init didn't run properly - Given a `` `` machine with ubuntu-advantage-tools installed - When I delete the file `/run/cloud-init/instance-data.json` - And I attach `contract_token` with sudo - And I run `pro enable fips --assume-yes` with sudo - Then stdout matches regexp: - """ - Could not determine cloud, defaulting to generic FIPS package. - """ - And I verify that `fips` is enabled + @slow + Scenario Outline: FIPS enablement message when cloud init didn't run properly + Given a `` `` machine with ubuntu-advantage-tools installed + When I delete the file `/run/cloud-init/instance-data.json` + And I attach `contract_token` with sudo + And I run `pro enable fips --assume-yes` with sudo + Then stdout matches regexp: + """ + Could not determine cloud, defaulting to generic FIPS package. + """ + And I verify that `fips` is enabled - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | - | focal | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | + | focal | lxd-vm | - @slow - Scenario Outline: Attached enable fips-preview - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - Then I verify that `fips-preview` is disabled - When I verify that running `pro enable fips-preview` `with sudo` and stdin `N` exits `1` - Then stdout matches regexp: - """ - FIPS Preview cannot be enabled with Livepatch. - """ - When I run `pro disable livepatch` with sudo - And I verify that running `pro enable fips-preview` `with sudo` and stdin `N` exits `1` - Then stdout matches regexp: - """ - This will install crypto packages that have been submitted to NIST for review - but do not have FIPS certification yet. Use this for early access to the FIPS - modules. - Please note that the Livepatch service will be unavailable after - this operation. - Warning: This action can take some time and cannot be undone. - """ - When I run `pro enable realtime-kernel --assume-yes` with sudo - And I verify that running `pro enable fips-preview` `with sudo` and stdin `N` exits `1` - Then stdout matches regexp: - """ - FIPS Preview cannot be enabled with Real-time kernel. - """ + @slow + Scenario Outline: Attached enable fips-preview + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + Then I verify that `fips-preview` is disabled + When I verify that running `pro enable fips-preview` `with sudo` and stdin `N` exits `1` + Then stdout matches regexp: + """ + FIPS Preview cannot be enabled with Livepatch. + """ + When I run `pro disable livepatch` with sudo + And I verify that running `pro enable fips-preview` `with sudo` and stdin `N` exits `1` + Then stdout matches regexp: + """ + This will install crypto packages that have been submitted to NIST for review + but do not have FIPS certification yet. Use this for early access to the FIPS + modules. + Please note that the Livepatch service will be unavailable after + this operation. + Warning: This action can take some time and cannot be undone. + """ + When I run `pro enable realtime-kernel --assume-yes` with sudo + And I verify that running `pro enable fips-preview` `with sudo` and stdin `N` exits `1` + Then stdout matches regexp: + """ + FIPS Preview cannot be enabled with Real-time kernel. + """ - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-vm | diff --git a/features/fix.feature b/features/fix.feature index d01739dc4e..a2f8cb8829 100644 --- a/features/fix.feature +++ b/features/fix.feature @@ -1,903 +1,904 @@ Feature: Ua fix command behaviour - Scenario Outline: Useful SSL failure message when there aren't any ca-certs - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt remove `ca-certificates` - When I run `rm -f /etc/ssl/certs/ca-certificates.crt` with sudo - When I verify that running `ua fix CVE-1800-123456` `as non-root` exits `1` - Then stderr matches regexp: - """ - Failed to access URL: https://.* - Cannot verify certificate of server - Please install "ca-certificates" and try again. - """ - When I apt install `ca-certificates` - When I run `mv /etc/ssl/certs /etc/ssl/wronglocation` with sudo - When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` - Then stderr matches regexp: - """ - Failed to access URL: https://.* - Cannot verify certificate of server - Please check your openssl configuration. - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: CVE-1800-123456 not found. - """ - When I verify that running `pro fix USN-12345-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: USN-12345-12 not found. - """ - When I verify that running `pro fix CVE-12345678-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: issue "CVE-12345678-12" is not recognized. - Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" - """ - When I verify that running `pro fix USN-12345678-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: issue "USN-12345678-12" is not recognized. - Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" - """ - When I apt install `libawl-php=0.60-1` - And I run `pro fix USN-4539-1` with sudo - Then stdout matches regexp: - """ - USN-4539-1: AWL vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2020-11728 - - Fixing requested USN-4539-1 - 1 affected source package is installed: awl - \(1/1\) awl: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y libawl-php \}.* - - .*✔.* USN-4539-1 is resolved. - """ - When I run `pro fix CVE-2020-28196` as non-root - Then stdout matches regexp: - """ - CVE-2020-28196: Kerberos vulnerability - - https://ubuntu.com/security/CVE-2020-28196 - - 1 affected source package is installed: krb5 - \(1/1\) krb5: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* CVE-2020-28196 is resolved. - """ - When I run `pro fix CVE-2022-24959` as non-root - Then stdout matches regexp: - """ - CVE-2022-24959: Linux kernel vulnerabilities - - https://ubuntu.com/security/CVE-2022-24959 - - No affected source packages are installed. - - .*✔.* CVE-2022-24959 does not affect your system. - """ - When I apt install `rsync=3.1.3-8 zlib1g=1:1.2.11.dfsg-2ubuntu1` - And I run `pro fix USN-5573-1` with sudo - Then stdout matches regexp: - """ - USN-5573-1: rsync vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2022-37434 - - Fixing requested USN-5573-1 - 1 affected source package is installed: rsync - \(1/1\) rsync: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y rsync \}.* - - .*✔.* USN-5573-1 is resolved. - - Found related USNs: - - USN-5570-1 - - USN-5570-2 - - Fixing related USNs: - - USN-5570-1 - No affected source packages are installed. - - .*✔.* USN-5570-1 does not affect your system. - - - USN-5570-2 - 1 affected source package is installed: zlib - \(1/1\) zlib: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y zlib1g \}.* - - .*✔.* USN-5570-2 is resolved. - - Summary: - .*✔.* USN-5573-1 \[requested\] is resolved. - .*✔.* USN-5570-1 \[related\] does not affect your system. - .*✔.* USN-5570-2 \[related\] is resolved. - """ - When I run `pro fix USN-5573-1` with sudo - Then stdout matches regexp: - """ - USN-5573-1: rsync vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2022-37434 - - Fixing requested USN-5573-1 - 1 affected source package is installed: rsync - \(1/1\) rsync: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* USN-5573-1 is resolved. - - Found related USNs: - - USN-5570-1 - - USN-5570-2 - - Fixing related USNs: - - USN-5570-1 - No affected source packages are installed. - - .*✔.* USN-5570-1 does not affect your system. - - - USN-5570-2 - 1 affected source package is installed: zlib - \(1/1\) zlib: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* USN-5570-2 is resolved. - - Summary: - .*✔.* USN-5573-1 \[requested\] is resolved. - .*✔.* USN-5570-1 \[related\] does not affect your system. - .*✔.* USN-5570-2 \[related\] is resolved. - """ - When I run `pro fix USN-5573-1 --no-related` with sudo - Then stdout matches regexp: - """ - USN-5573-1: rsync vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2022-37434 - - Fixing requested USN-5573-1 - 1 affected source package is installed: rsync - \(1/1\) rsync: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* USN-5573-1 is resolved. - """ - - Examples: ubuntu release details - | release | machine_type | - | focal | lxd-container | - | focal | wsl | - - @uses.config.contract_token - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: CVE-1800-123456 not found. - """ - When I verify that running `pro fix USN-12345-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: USN-12345-12 not found. - """ - # Make sure esm cache is empty - # Technically a folder right, but this works - When I delete the file `/var/lib/ubuntu-advantage/apt-esm/` - When I delete the file `/var/lib/apt/periodic/update-success-stamp` - And I verify that running `pro fix USN-5079-2 --dry-run` `as non-root` exits `1` - Then stdout matches regexp: - """ - .*WARNING: The option --dry-run is being used. - No packages will be installed when running this command..* - USN-5079-2: curl vulnerabilities - Associated CVEs: - - https://ubuntu.com/security/CVE-2021-22946 - - https://ubuntu.com/security/CVE-2021-22947 - - Fixing requested USN-5079-2 - 1 affected source package is installed: curl - - .*WARNING: Unable to update ESM cache when running as non-root, - please run sudo apt update and try again if packages cannot be found..* - - \(1/1\) curl: - A fix is available in Ubuntu Pro: ESM Infra. - - Cannot install package curl version .* - - Cannot install package libcurl3-gnutls version .* - - .*The machine is not attached to an Ubuntu Pro subscription. - To proceed with the fix, a prompt would ask for a valid Ubuntu Pro token. - { pro attach TOKEN }.* - - .*Ubuntu Pro service: esm-infra is not enabled. - To proceed with the fix, a prompt would ask permission to automatically enable - this service. - { pro enable esm-infra }.* - - 1 package is still affected: curl - .*USN-5079-2 is not resolved. - """ - When I apt update - # We just need to await for the esm-cache to be populated - And I run `sleep 5` as non-root - And I run `pro fix USN-5079-2 --dry-run` as non-root - Then stdout matches regexp: - """ - .*WARNING: The option --dry-run is being used. - No packages will be installed when running this command..* - USN-5079-2: curl vulnerabilities - Associated CVEs: - - https://ubuntu.com/security/CVE-2021-22946 - - https://ubuntu.com/security/CVE-2021-22947 - - Fixing requested USN-5079-2 - 1 affected source package is installed: curl - \(1/1\) curl: - A fix is available in Ubuntu Pro: ESM Infra. - - .*The machine is not attached to an Ubuntu Pro subscription. - To proceed with the fix, a prompt would ask for a valid Ubuntu Pro token. - \{ pro attach TOKEN \}.* - - .*Ubuntu Pro service: esm-infra is not enabled. - To proceed with the fix, a prompt would ask permission to automatically enable - this service. - \{ pro enable esm-infra \}.* - .*\{ apt update && apt install --only-upgrade -y curl libcurl3-gnutls \}.* - - .*USN-5079-2 is resolved. - - Found related USNs: - - USN-5079-1 - - Fixing related USNs: - - USN-5079-1 - No affected source packages are installed. - - .*USN-5079-1 does not affect your system. - - Summary: - .*USN-5079-2 \[requested\] is resolved. - .*USN-5079-1 \[related\] does not affect your system. - """ - When I apt install `libawl-php` - And I reboot the machine - And I run `pro fix USN-4539-1` as non-root - Then stdout matches regexp: - """ - USN-4539-1: AWL vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2020-11728 - - Fixing requested USN-4539-1 - No affected source packages are installed. - - .*✔.* USN-4539-1 does not affect your system. - """ - When I run `pro fix CVE-2020-15180` as non-root - Then stdout matches regexp: - """ - CVE-2020-15180: MariaDB vulnerabilities - - https://ubuntu.com/security/CVE-2020-15180 - - No affected source packages are installed. - - .*✔.* CVE-2020-15180 does not affect your system. - """ - When I run `pro fix CVE-2020-28196` as non-root - Then stdout matches regexp: - """ - CVE-2020-28196: Kerberos vulnerability - - https://ubuntu.com/security/CVE-2020-28196 - - 1 affected source package is installed: krb5 - \(1/1\) krb5: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* CVE-2020-28196 is resolved. - """ - When I apt install `expat=2.1.0-7 swish-e matanza ghostscript` - And I verify that running `pro fix CVE-2017-9233 --dry-run` `as non-root` exits `1` - Then stdout matches regexp: - """ - .*WARNING: The option --dry-run is being used. - No packages will be installed when running this command..* - CVE-2017-9233: Expat vulnerability - - https://ubuntu.com/security/CVE-2017-9233 - - 3 affected source packages are installed: expat, matanza, swish-e - \(1/3, 2/3\) matanza, swish-e: - Ubuntu security engineers are investigating this issue. - \(3/3\) expat: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y expat \}.* - - 2 packages are still affected: matanza, swish-e - .*✘.* CVE-2017-9233 is not resolved. - """ - When I verify that running `pro fix CVE-2017-9233` `with sudo` exits `1` - Then stdout matches regexp: - """ - CVE-2017-9233: Expat vulnerability - - https://ubuntu.com/security/CVE-2017-9233 - - 3 affected source packages are installed: expat, matanza, swish-e - \(1/3, 2/3\) matanza, swish-e: - Ubuntu security engineers are investigating this issue. - \(3/3\) expat: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y expat \}.* - - 2 packages are still affected: matanza, swish-e - .*✘.* CVE-2017-9233 is not resolved. - """ - When I fix `USN-5079-2` by attaching to a subscription with `contract_token_staging_expired` - Then stdout matches regexp - """ - USN-5079-2: curl vulnerabilities - Associated CVEs: - - https://ubuntu.com/security/CVE-2021-22946 - - https://ubuntu.com/security/CVE-2021-22947 - - Fixing requested USN-5079-2 - 1 affected source package is installed: curl - \(1/1\) curl: - A fix is available in Ubuntu Pro: ESM Infra. - The update is not installed because this system is not attached to a - subscription. - - Choose: \[S\]ubscribe at https://ubuntu.com/pro/subscribe \[A\]ttach existing token \[C\]ancel - > Enter your token \(from https://ubuntu.com/pro/dashboard\) to attach this system: - > .*\{ pro attach .*\}.* - Attach denied: - Contract ".*" expired on .* - Visit https://ubuntu.com/pro/dashboard to manage contract tokens. - - 1 package is still affected: curl - .*✘.* USN-5079-2 is not resolved. - """ - When I fix `USN-5079-2` by attaching to a subscription with `contract_token` - Then stdout matches regexp: - """ - USN-5079-2: curl vulnerabilities - Associated CVEs: - - https://ubuntu.com/security/CVE-2021-22946 - - https://ubuntu.com/security/CVE-2021-22947 - - Fixing requested USN-5079-2 - 1 affected source package is installed: curl - \(1/1\) curl: - A fix is available in Ubuntu Pro: ESM Infra. - The update is not installed because this system is not attached to a - subscription. - - Choose: \[S\]ubscribe at https://ubuntu.com/pro/subscribe \[A\]ttach existing token \[C\]ancel - > Enter your token \(from https://ubuntu.com/pro/dashboard\) to attach this system: - > .*\{ pro attach .*\}.* - Updating Ubuntu Pro: ESM Apps package lists - Ubuntu Pro: ESM Apps enabled - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - """ - And stdout matches regexp: - """ - .*\{ apt update && apt install --only-upgrade -y curl libcurl3-gnutls \}.* - - .*✔.* USN-5079-2 is resolved. - - Found related USNs: - - USN-5079-1 - - Fixing related USNs: - - USN-5079-1 - No affected source packages are installed. - - .*✔.* USN-5079-1 does not affect your system. - - Summary: - .*✔.* USN-5079-2 \[requested\] is resolved. - .*✔.* USN-5079-1 \[related\] does not affect your system. - """ - When I verify that running `pro fix USN-5051-2` `with sudo` exits `2` - Then stdout matches regexp: - """ - USN-5051-2: OpenSSL vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2021-3712 - - Fixing requested USN-5051-2 - 1 affected source package is installed: openssl - \(1/1\) openssl: - A fix is available in Ubuntu Pro: ESM Infra. - .*\{ apt update && apt install --only-upgrade -y libssl1.0.0 openssl \}.* - - A reboot is required to complete fix operation. - .*✘.* USN-5051-2 is not resolved. - """ - When I run `pro disable esm-infra` with sudo - # Allow esm-cache to be populated - And I run `sleep 5` as non-root - And I apt install `gzip` - And I run `pro fix USN-5378-4 --dry-run` as non-root - Then stdout matches regexp: - """ - .*WARNING: The option --dry-run is being used. - No packages will be installed when running this command..* - USN-5378-4: Gzip vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2022-1271 - - Fixing requested USN-5378-4 - 1 affected source package is installed: gzip - \(1/1\) gzip: - A fix is available in Ubuntu Pro: ESM Infra. - - .*Ubuntu Pro service: esm-infra is not enabled. - To proceed with the fix, a prompt would ask permission to automatically enable - this service. - \{ pro enable esm-infra \}.* - .*\{ apt update && apt install --only-upgrade -y gzip \}.* - - .*✔.* USN-5378-4 is resolved. - - Found related USNs: - - USN-5378-1 - - USN-5378-2 - - USN-5378-3 - - Fixing related USNs: - - USN-5378-1 - No affected source packages are installed. - - .*✔.* USN-5378-1 does not affect your system. - - - USN-5378-2 - No affected source packages are installed. - - .*✔.* USN-5378-2 does not affect your system. - - - USN-5378-3 - 1 affected source package is installed: xz-utils - \(1/1\) xz-utils: - A fix is available in Ubuntu Pro: ESM Infra. - - .*Ubuntu Pro service: esm-infra is not enabled. - To proceed with the fix, a prompt would ask permission to automatically enable - this service. - \{ pro enable esm-infra \}.* - .*\{ apt update && apt install --only-upgrade -y liblzma5 xz-utils \}.* - - .*✔.* USN-5378-3 is resolved. - - Summary: - .*✔.* USN-5378-4 \[requested\] is resolved. - .*✔.* USN-5378-1 \[related\] does not affect your system. - .*✔.* USN-5378-2 \[related\] does not affect your system. - .*✔.* USN-5378-3 \[related\] is resolved. - """ - When I run `pro fix USN-5378-4` `with sudo` and stdin `E` - Then stdout matches regexp: - """ - USN-5378-4: Gzip vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2022-1271 - - Fixing requested USN-5378-4 - 1 affected source package is installed: gzip - \(1/1\) gzip: - A fix is available in Ubuntu Pro: ESM Infra. - The update is not installed because this system does not have - esm-infra enabled. - - Choose: \[E\]nable esm-infra \[C\]ancel - > .*\{ pro enable esm-infra \}.* - Updating Ubuntu Pro: ESM Infra package lists - Ubuntu Pro: ESM Infra enabled - .*\{ apt update && apt install --only-upgrade -y gzip \}.* - - .*✔.* USN-5378-4 is resolved. - - Found related USNs: - - USN-5378-1 - - USN-5378-2 - - USN-5378-3 - - Fixing related USNs: - - USN-5378-1 - No affected source packages are installed. - - .*✔.* USN-5378-1 does not affect your system. - - - USN-5378-2 - No affected source packages are installed. - - .*✔.* USN-5378-2 does not affect your system. - - - USN-5378-3 - 1 affected source package is installed: xz-utils - \(1/1\) xz-utils: - A fix is available in Ubuntu Pro: ESM Infra. - .*\{ apt update && apt install --only-upgrade -y liblzma5 xz-utils \}.* - - .*✔.* USN-5378-3 is resolved. - - Summary: - .*✔.* USN-5378-4 \[requested\] is resolved. - .*✔.* USN-5378-1 \[related\] does not affect your system. - .*✔.* USN-5378-2 \[related\] does not affect your system. - .*✔.* USN-5378-3 \[related\] is resolved. - """ - When I run `pro detach --assume-yes` with sudo - And I run `sed -i "/xenial-updates/d" /etc/apt/sources.list` with sudo - And I run `sed -i "/xenial-security/d" /etc/apt/sources.list` with sudo - And I apt update - And I apt install `squid` - And I verify that running `pro fix CVE-2020-25097` `as non-root` exits `1` - Then stdout matches regexp: - """ - CVE-2020-25097: Squid vulnerabilities - - https://ubuntu.com/security/CVE-2020-25097 - - 1 affected source package is installed: squid3 - \(1/1\) squid3: - A fix is available in Ubuntu standard updates. - - Cannot install package squid version 3.5.12-1ubuntu7.16 - - Cannot install package squid-common version 3.5.12-1ubuntu7.16 - - 1 package is still affected: squid3 - .*✘.* CVE-2020-25097 is not resolved - """ - - Examples: ubuntu release details - | release | machine_type | - | xenial | lxd-container | - - Scenario Outline: Fix command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: CVE-1800-123456 not found. - """ - When I verify that running `pro fix USN-12345-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: USN-12345-12 not found. - """ - When I verify that running `pro fix CVE-12345678-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: issue "CVE-12345678-12" is not recognized. - Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" - """ - When I verify that running `pro fix USN-12345678-12` `as non-root` exits `1` - Then I will see the following on stderr: - """ - Error: issue "USN-12345678-12" is not recognized. - Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" - """ - When I apt install `libawl-php` - And I run `pro fix USN-4539-1 --dry-run` as non-root - Then stdout matches regexp: - """ - .*WARNING: The option --dry-run is being used. - No packages will be installed when running this command..* - USN-4539-1: AWL vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2020-11728 - - Fixing requested USN-4539-1 - No affected source packages are installed. - - .*✔.* USN-4539-1 does not affect your system. - """ - When I run `pro fix USN-4539-1` as non-root - Then stdout matches regexp: - """ - USN-4539-1: AWL vulnerability - Associated CVEs: - - https://ubuntu.com/security/CVE-2020-11728 - - Fixing requested USN-4539-1 - No affected source packages are installed. - - .*✔.* USN-4539-1 does not affect your system. - """ - When I run `pro fix CVE-2020-28196` as non-root - Then stdout matches regexp: - """ - CVE-2020-28196: Kerberos vulnerability - - https://ubuntu.com/security/CVE-2020-28196 - - 1 affected source package is installed: krb5 - \(1/1\) krb5: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* CVE-2020-28196 is resolved. - """ - When I apt install `xterm=330-1ubuntu2` - And I verify that running `pro fix CVE-2021-27135` `as non-root` exits `1` - Then stdout matches regexp: - """ - CVE-2021-27135: xterm vulnerability - - https://ubuntu.com/security/CVE-2021-27135 - - 1 affected source package is installed: xterm - \(1/1\) xterm: - A fix is available in Ubuntu standard updates. - Package fixes cannot be installed. - To install them, run this command as root \(try using sudo\) - - 1 package is still affected: xterm - .*✘.* CVE-2021-27135 is not resolved. - """ - When I run `pro fix CVE-2021-27135 --dry-run` with sudo - Then stdout matches regexp: - """ - .*WARNING: The option --dry-run is being used. - No packages will be installed when running this command..* - CVE-2021-27135: xterm vulnerability - - https://ubuntu.com/security/CVE-2021-27135 - - 1 affected source package is installed: xterm - \(1/1\) xterm: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y xterm \}.* - - .*✔.* CVE-2021-27135 is resolved. - """ - When I run `pro fix CVE-2021-27135` with sudo - Then stdout matches regexp: - """ - CVE-2021-27135: xterm vulnerability - - https://ubuntu.com/security/CVE-2021-27135 - - 1 affected source package is installed: xterm - \(1/1\) xterm: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y xterm \}.* - - .*✔.* CVE-2021-27135 is resolved. - """ - When I run `pro fix CVE-2021-27135` with sudo - Then stdout matches regexp: - """ - CVE-2021-27135: xterm vulnerability - - https://ubuntu.com/security/CVE-2021-27135 - - 1 affected source package is installed: xterm - \(1/1\) xterm: - A fix is available in Ubuntu standard updates. - The update is already installed. - - .*✔.* CVE-2021-27135 is resolved. - """ - When I apt install `libbz2-1.0=1.0.6-8.1 bzip2=1.0.6-8.1` - And I run `pro fix USN-4038-3` with sudo - Then stdout matches regexp: - """ - USN-4038-3: bzip2 regression - Found Launchpad bugs: - - https://launchpad.net/bugs/1834494 - - Fixing requested USN-4038-3 - 1 affected source package is installed: bzip2 - \(1/1\) bzip2: - A fix is available in Ubuntu standard updates. - .*\{ apt update && apt install --only-upgrade -y bzip2 libbz2-1.0 \}.* - - .*✔.* USN-4038-3 is resolved. - """ - When I run `pro fix USN-6130-1` as non-root - Then stdout matches regexp: - """ - USN-6130-1: Linux kernel vulnerabilities - Associated CVEs: - - https://ubuntu.com/security/CVE-2023-30456 - - https://ubuntu.com/security/CVE-2023-1380 - - https://ubuntu.com/security/CVE-2023-32233 - - https://ubuntu.com/security/CVE-2023-31436 - - Fixing requested USN-6130-1 - No affected source packages are installed. - - .*✔.* USN-6130-1 does not affect your system. - - Found related USNs: - - USN-6033-1 - - USN-6122-1 - - USN-6123-1 - - USN-6124-1 - - USN-6127-1 - - USN-6131-1 - - USN-6132-1 - - USN-6135-1 - - USN-6149-1 - - USN-6150-1 - - USN-6162-1 - - USN-6173-1 - - USN-6175-1 - - USN-6186-1 - - USN-6222-1 - - USN-6256-1 - - USN-6385-1 - - USN-6460-1 - - Fixing related USNs: - - USN-6033-1 - No affected source packages are installed. - - .*✔.* USN-6033-1 does not affect your system. - - - USN-6122-1 - No affected source packages are installed. - - .*✔.* USN-6122-1 does not affect your system. - - - USN-6123-1 - No affected source packages are installed. - - .*✔.* USN-6123-1 does not affect your system. - - - USN-6124-1 - No affected source packages are installed. - - .*✔.* USN-6124-1 does not affect your system. - - - USN-6127-1 - No affected source packages are installed. - - .*✔.* USN-6127-1 does not affect your system. - - - USN-6131-1 - No affected source packages are installed. + Scenario Outline: Useful SSL failure message when there aren't any ca-certs + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt remove `ca-certificates` + When I run `rm -f /etc/ssl/certs/ca-certificates.crt` with sudo + When I verify that running `ua fix CVE-1800-123456` `as non-root` exits `1` + Then stderr matches regexp: + """ + Failed to access URL: https://.* + Cannot verify certificate of server + Please install "ca-certificates" and try again. + """ + When I apt install `ca-certificates` + When I run `mv /etc/ssl/certs /etc/ssl/wronglocation` with sudo + When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` + Then stderr matches regexp: + """ + Failed to access URL: https://.* + Cannot verify certificate of server + Please check your openssl configuration. + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: CVE-1800-123456 not found. + """ + When I verify that running `pro fix USN-12345-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: USN-12345-12 not found. + """ + When I verify that running `pro fix CVE-12345678-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: issue "CVE-12345678-12" is not recognized. + Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" + """ + When I verify that running `pro fix USN-12345678-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: issue "USN-12345678-12" is not recognized. + Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" + """ + When I apt install `libawl-php=0.60-1` + And I run `pro fix USN-4539-1` with sudo + Then stdout matches regexp: + """ + USN-4539-1: AWL vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2020-11728 + + Fixing requested USN-4539-1 + 1 affected source package is installed: awl + \(1/1\) awl: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y libawl-php \}.* + + .*✔.* USN-4539-1 is resolved. + """ + When I run `pro fix CVE-2020-28196` as non-root + Then stdout matches regexp: + """ + CVE-2020-28196: Kerberos vulnerability + - https://ubuntu.com/security/CVE-2020-28196 + + 1 affected source package is installed: krb5 + \(1/1\) krb5: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* CVE-2020-28196 is resolved. + """ + When I run `pro fix CVE-2022-24959` as non-root + Then stdout matches regexp: + """ + CVE-2022-24959: Linux kernel vulnerabilities + - https://ubuntu.com/security/CVE-2022-24959 + + No affected source packages are installed. + + .*✔.* CVE-2022-24959 does not affect your system. + """ + When I apt install `rsync=3.1.3-8 zlib1g=1:1.2.11.dfsg-2ubuntu1` + And I run `pro fix USN-5573-1` with sudo + Then stdout matches regexp: + """ + USN-5573-1: rsync vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2022-37434 + + Fixing requested USN-5573-1 + 1 affected source package is installed: rsync + \(1/1\) rsync: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y rsync \}.* + + .*✔.* USN-5573-1 is resolved. + + Found related USNs: + - USN-5570-1 + - USN-5570-2 + + Fixing related USNs: + - USN-5570-1 + No affected source packages are installed. + + .*✔.* USN-5570-1 does not affect your system. + + - USN-5570-2 + 1 affected source package is installed: zlib + \(1/1\) zlib: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y zlib1g \}.* + + .*✔.* USN-5570-2 is resolved. + + Summary: + .*✔.* USN-5573-1 \[requested\] is resolved. + .*✔.* USN-5570-1 \[related\] does not affect your system. + .*✔.* USN-5570-2 \[related\] is resolved. + """ + When I run `pro fix USN-5573-1` with sudo + Then stdout matches regexp: + """ + USN-5573-1: rsync vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2022-37434 + + Fixing requested USN-5573-1 + 1 affected source package is installed: rsync + \(1/1\) rsync: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* USN-5573-1 is resolved. + + Found related USNs: + - USN-5570-1 + - USN-5570-2 + + Fixing related USNs: + - USN-5570-1 + No affected source packages are installed. + + .*✔.* USN-5570-1 does not affect your system. + + - USN-5570-2 + 1 affected source package is installed: zlib + \(1/1\) zlib: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* USN-5570-2 is resolved. + + Summary: + .*✔.* USN-5573-1 \[requested\] is resolved. + .*✔.* USN-5570-1 \[related\] does not affect your system. + .*✔.* USN-5570-2 \[related\] is resolved. + """ + When I run `pro fix USN-5573-1 --no-related` with sudo + Then stdout matches regexp: + """ + USN-5573-1: rsync vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2022-37434 + + Fixing requested USN-5573-1 + 1 affected source package is installed: rsync + \(1/1\) rsync: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* USN-5573-1 is resolved. + """ + + Examples: ubuntu release details + | release | machine_type | + | focal | lxd-container | + | focal | wsl | + + @uses.config.contract_token + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: CVE-1800-123456 not found. + """ + When I verify that running `pro fix USN-12345-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: USN-12345-12 not found. + """ + # Make sure esm cache is empty + # Technically a folder right, but this works + When I delete the file `/var/lib/ubuntu-advantage/apt-esm/` + When I delete the file `/var/lib/apt/periodic/update-success-stamp` + And I verify that running `pro fix USN-5079-2 --dry-run` `as non-root` exits `1` + Then stdout matches regexp: + """ + .*WARNING: The option --dry-run is being used. + No packages will be installed when running this command..* + USN-5079-2: curl vulnerabilities + Associated CVEs: + - https://ubuntu.com/security/CVE-2021-22946 + - https://ubuntu.com/security/CVE-2021-22947 + + Fixing requested USN-5079-2 + 1 affected source package is installed: curl + + .*WARNING: Unable to update ESM cache when running as non-root, + please run sudo apt update and try again if packages cannot be found..* + + \(1/1\) curl: + A fix is available in Ubuntu Pro: ESM Infra. + - Cannot install package curl version .* + - Cannot install package libcurl3-gnutls version .* + + .*The machine is not attached to an Ubuntu Pro subscription. + To proceed with the fix, a prompt would ask for a valid Ubuntu Pro token. + { pro attach TOKEN }.* + + .*Ubuntu Pro service: esm-infra is not enabled. + To proceed with the fix, a prompt would ask permission to automatically enable + this service. + { pro enable esm-infra }.* + + 1 package is still affected: curl + .*USN-5079-2 is not resolved. + """ + When I apt update + # We just need to await for the esm-cache to be populated + And I run `sleep 5` as non-root + And I run `pro fix USN-5079-2 --dry-run` as non-root + Then stdout matches regexp: + """ + .*WARNING: The option --dry-run is being used. + No packages will be installed when running this command..* + USN-5079-2: curl vulnerabilities + Associated CVEs: + - https://ubuntu.com/security/CVE-2021-22946 + - https://ubuntu.com/security/CVE-2021-22947 + + Fixing requested USN-5079-2 + 1 affected source package is installed: curl + \(1/1\) curl: + A fix is available in Ubuntu Pro: ESM Infra. + + .*The machine is not attached to an Ubuntu Pro subscription. + To proceed with the fix, a prompt would ask for a valid Ubuntu Pro token. + \{ pro attach TOKEN \}.* + + .*Ubuntu Pro service: esm-infra is not enabled. + To proceed with the fix, a prompt would ask permission to automatically enable + this service. + \{ pro enable esm-infra \}.* + .*\{ apt update && apt install --only-upgrade -y curl libcurl3-gnutls \}.* + + .*USN-5079-2 is resolved. + + Found related USNs: + - USN-5079-1 + + Fixing related USNs: + - USN-5079-1 + No affected source packages are installed. + + .*USN-5079-1 does not affect your system. + + Summary: + .*USN-5079-2 \[requested\] is resolved. + .*USN-5079-1 \[related\] does not affect your system. + """ + When I apt install `libawl-php` + And I reboot the machine + And I run `pro fix USN-4539-1` as non-root + Then stdout matches regexp: + """ + USN-4539-1: AWL vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2020-11728 + + Fixing requested USN-4539-1 + No affected source packages are installed. + + .*✔.* USN-4539-1 does not affect your system. + """ + When I run `pro fix CVE-2020-15180` as non-root + Then stdout matches regexp: + """ + CVE-2020-15180: MariaDB vulnerabilities + - https://ubuntu.com/security/CVE-2020-15180 + + No affected source packages are installed. + + .*✔.* CVE-2020-15180 does not affect your system. + """ + When I run `pro fix CVE-2020-28196` as non-root + Then stdout matches regexp: + """ + CVE-2020-28196: Kerberos vulnerability + - https://ubuntu.com/security/CVE-2020-28196 + + 1 affected source package is installed: krb5 + \(1/1\) krb5: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* CVE-2020-28196 is resolved. + """ + When I apt install `expat=2.1.0-7 swish-e matanza ghostscript` + And I verify that running `pro fix CVE-2017-9233 --dry-run` `as non-root` exits `1` + Then stdout matches regexp: + """ + .*WARNING: The option --dry-run is being used. + No packages will be installed when running this command..* + CVE-2017-9233: Expat vulnerability + - https://ubuntu.com/security/CVE-2017-9233 + + 3 affected source packages are installed: expat, matanza, swish-e + \(1/3, 2/3\) matanza, swish-e: + Ubuntu security engineers are investigating this issue. + \(3/3\) expat: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y expat \}.* + + 2 packages are still affected: matanza, swish-e + .*✘.* CVE-2017-9233 is not resolved. + """ + When I verify that running `pro fix CVE-2017-9233` `with sudo` exits `1` + Then stdout matches regexp: + """ + CVE-2017-9233: Expat vulnerability + - https://ubuntu.com/security/CVE-2017-9233 + + 3 affected source packages are installed: expat, matanza, swish-e + \(1/3, 2/3\) matanza, swish-e: + Ubuntu security engineers are investigating this issue. + \(3/3\) expat: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y expat \}.* + + 2 packages are still affected: matanza, swish-e + .*✘.* CVE-2017-9233 is not resolved. + """ + When I fix `USN-5079-2` by attaching to a subscription with `contract_token_staging_expired` + Then stdout matches regexp + """ + USN-5079-2: curl vulnerabilities + Associated CVEs: + - https://ubuntu.com/security/CVE-2021-22946 + - https://ubuntu.com/security/CVE-2021-22947 + + Fixing requested USN-5079-2 + 1 affected source package is installed: curl + \(1/1\) curl: + A fix is available in Ubuntu Pro: ESM Infra. + The update is not installed because this system is not attached to a + subscription. + + Choose: \[S\]ubscribe at https://ubuntu.com/pro/subscribe \[A\]ttach existing token \[C\]ancel + > Enter your token \(from https://ubuntu.com/pro/dashboard\) to attach this system: + > .*\{ pro attach .*\}.* + Attach denied: + Contract ".*" expired on .* + Visit https://ubuntu.com/pro/dashboard to manage contract tokens. + + 1 package is still affected: curl + .*✘.* USN-5079-2 is not resolved. + """ + When I fix `USN-5079-2` by attaching to a subscription with `contract_token` + Then stdout matches regexp: + """ + USN-5079-2: curl vulnerabilities + Associated CVEs: + - https://ubuntu.com/security/CVE-2021-22946 + - https://ubuntu.com/security/CVE-2021-22947 + + Fixing requested USN-5079-2 + 1 affected source package is installed: curl + \(1/1\) curl: + A fix is available in Ubuntu Pro: ESM Infra. + The update is not installed because this system is not attached to a + subscription. + + Choose: \[S\]ubscribe at https://ubuntu.com/pro/subscribe \[A\]ttach existing token \[C\]ancel + > Enter your token \(from https://ubuntu.com/pro/dashboard\) to attach this system: + > .*\{ pro attach .*\}.* + Updating Ubuntu Pro: ESM Apps package lists + Ubuntu Pro: ESM Apps enabled + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + """ + And stdout matches regexp: + """ + .*\{ apt update && apt install --only-upgrade -y curl libcurl3-gnutls \}.* + + .*✔.* USN-5079-2 is resolved. + + Found related USNs: + - USN-5079-1 + + Fixing related USNs: + - USN-5079-1 + No affected source packages are installed. + + .*✔.* USN-5079-1 does not affect your system. + + Summary: + .*✔.* USN-5079-2 \[requested\] is resolved. + .*✔.* USN-5079-1 \[related\] does not affect your system. + """ + When I verify that running `pro fix USN-5051-2` `with sudo` exits `2` + Then stdout matches regexp: + """ + USN-5051-2: OpenSSL vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2021-3712 + + Fixing requested USN-5051-2 + 1 affected source package is installed: openssl + \(1/1\) openssl: + A fix is available in Ubuntu Pro: ESM Infra. + .*\{ apt update && apt install --only-upgrade -y libssl1.0.0 openssl \}.* + + A reboot is required to complete fix operation. + .*✘.* USN-5051-2 is not resolved. + """ + When I run `pro disable esm-infra` with sudo + # Allow esm-cache to be populated + And I run `sleep 5` as non-root + And I apt install `gzip` + And I run `pro fix USN-5378-4 --dry-run` as non-root + Then stdout matches regexp: + """ + .*WARNING: The option --dry-run is being used. + No packages will be installed when running this command..* + USN-5378-4: Gzip vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2022-1271 + + Fixing requested USN-5378-4 + 1 affected source package is installed: gzip + \(1/1\) gzip: + A fix is available in Ubuntu Pro: ESM Infra. + + .*Ubuntu Pro service: esm-infra is not enabled. + To proceed with the fix, a prompt would ask permission to automatically enable + this service. + \{ pro enable esm-infra \}.* + .*\{ apt update && apt install --only-upgrade -y gzip \}.* + + .*✔.* USN-5378-4 is resolved. + + Found related USNs: + - USN-5378-1 + - USN-5378-2 + - USN-5378-3 + + Fixing related USNs: + - USN-5378-1 + No affected source packages are installed. + + .*✔.* USN-5378-1 does not affect your system. + + - USN-5378-2 + No affected source packages are installed. + + .*✔.* USN-5378-2 does not affect your system. + + - USN-5378-3 + 1 affected source package is installed: xz-utils + \(1/1\) xz-utils: + A fix is available in Ubuntu Pro: ESM Infra. + + .*Ubuntu Pro service: esm-infra is not enabled. + To proceed with the fix, a prompt would ask permission to automatically enable + this service. + \{ pro enable esm-infra \}.* + .*\{ apt update && apt install --only-upgrade -y liblzma5 xz-utils \}.* + + .*✔.* USN-5378-3 is resolved. + + Summary: + .*✔.* USN-5378-4 \[requested\] is resolved. + .*✔.* USN-5378-1 \[related\] does not affect your system. + .*✔.* USN-5378-2 \[related\] does not affect your system. + .*✔.* USN-5378-3 \[related\] is resolved. + """ + When I run `pro fix USN-5378-4` `with sudo` and stdin `E` + Then stdout matches regexp: + """ + USN-5378-4: Gzip vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2022-1271 + + Fixing requested USN-5378-4 + 1 affected source package is installed: gzip + \(1/1\) gzip: + A fix is available in Ubuntu Pro: ESM Infra. + The update is not installed because this system does not have + esm-infra enabled. + + Choose: \[E\]nable esm-infra \[C\]ancel + > .*\{ pro enable esm-infra \}.* + Updating Ubuntu Pro: ESM Infra package lists + Ubuntu Pro: ESM Infra enabled + .*\{ apt update && apt install --only-upgrade -y gzip \}.* + + .*✔.* USN-5378-4 is resolved. + + Found related USNs: + - USN-5378-1 + - USN-5378-2 + - USN-5378-3 + + Fixing related USNs: + - USN-5378-1 + No affected source packages are installed. + + .*✔.* USN-5378-1 does not affect your system. + + - USN-5378-2 + No affected source packages are installed. + + .*✔.* USN-5378-2 does not affect your system. + + - USN-5378-3 + 1 affected source package is installed: xz-utils + \(1/1\) xz-utils: + A fix is available in Ubuntu Pro: ESM Infra. + .*\{ apt update && apt install --only-upgrade -y liblzma5 xz-utils \}.* + + .*✔.* USN-5378-3 is resolved. + + Summary: + .*✔.* USN-5378-4 \[requested\] is resolved. + .*✔.* USN-5378-1 \[related\] does not affect your system. + .*✔.* USN-5378-2 \[related\] does not affect your system. + .*✔.* USN-5378-3 \[related\] is resolved. + """ + When I run `pro detach --assume-yes` with sudo + And I run `sed -i "/xenial-updates/d" /etc/apt/sources.list` with sudo + And I run `sed -i "/xenial-security/d" /etc/apt/sources.list` with sudo + And I apt update + And I apt install `squid` + And I verify that running `pro fix CVE-2020-25097` `as non-root` exits `1` + Then stdout matches regexp: + """ + CVE-2020-25097: Squid vulnerabilities + - https://ubuntu.com/security/CVE-2020-25097 + + 1 affected source package is installed: squid3 + \(1/1\) squid3: + A fix is available in Ubuntu standard updates. + - Cannot install package squid version 3.5.12-1ubuntu7.16 + - Cannot install package squid-common version 3.5.12-1ubuntu7.16 + + 1 package is still affected: squid3 + .*✘.* CVE-2020-25097 is not resolved + """ + + Examples: ubuntu release details + | release | machine_type | + | xenial | lxd-container | + + Scenario Outline: Fix command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro fix CVE-1800-123456` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: CVE-1800-123456 not found. + """ + When I verify that running `pro fix USN-12345-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: USN-12345-12 not found. + """ + When I verify that running `pro fix CVE-12345678-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: issue "CVE-12345678-12" is not recognized. + Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" + """ + When I verify that running `pro fix USN-12345678-12` `as non-root` exits `1` + Then I will see the following on stderr: + """ + Error: issue "USN-12345678-12" is not recognized. + Usage: "pro fix CVE-yyyy-nnnn" or "pro fix USN-nnnn" + """ + When I apt install `libawl-php` + And I run `pro fix USN-4539-1 --dry-run` as non-root + Then stdout matches regexp: + """ + .*WARNING: The option --dry-run is being used. + No packages will be installed when running this command..* + USN-4539-1: AWL vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2020-11728 + + Fixing requested USN-4539-1 + No affected source packages are installed. + + .*✔.* USN-4539-1 does not affect your system. + """ + When I run `pro fix USN-4539-1` as non-root + Then stdout matches regexp: + """ + USN-4539-1: AWL vulnerability + Associated CVEs: + - https://ubuntu.com/security/CVE-2020-11728 + + Fixing requested USN-4539-1 + No affected source packages are installed. + + .*✔.* USN-4539-1 does not affect your system. + """ + When I run `pro fix CVE-2020-28196` as non-root + Then stdout matches regexp: + """ + CVE-2020-28196: Kerberos vulnerability + - https://ubuntu.com/security/CVE-2020-28196 + + 1 affected source package is installed: krb5 + \(1/1\) krb5: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* CVE-2020-28196 is resolved. + """ + When I apt install `xterm=330-1ubuntu2` + And I verify that running `pro fix CVE-2021-27135` `as non-root` exits `1` + Then stdout matches regexp: + """ + CVE-2021-27135: xterm vulnerability + - https://ubuntu.com/security/CVE-2021-27135 + + 1 affected source package is installed: xterm + \(1/1\) xterm: + A fix is available in Ubuntu standard updates. + Package fixes cannot be installed. + To install them, run this command as root \(try using sudo\) + + 1 package is still affected: xterm + .*✘.* CVE-2021-27135 is not resolved. + """ + When I run `pro fix CVE-2021-27135 --dry-run` with sudo + Then stdout matches regexp: + """ + .*WARNING: The option --dry-run is being used. + No packages will be installed when running this command..* + CVE-2021-27135: xterm vulnerability + - https://ubuntu.com/security/CVE-2021-27135 + + 1 affected source package is installed: xterm + \(1/1\) xterm: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y xterm \}.* + + .*✔.* CVE-2021-27135 is resolved. + """ + When I run `pro fix CVE-2021-27135` with sudo + Then stdout matches regexp: + """ + CVE-2021-27135: xterm vulnerability + - https://ubuntu.com/security/CVE-2021-27135 + + 1 affected source package is installed: xterm + \(1/1\) xterm: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y xterm \}.* + + .*✔.* CVE-2021-27135 is resolved. + """ + When I run `pro fix CVE-2021-27135` with sudo + Then stdout matches regexp: + """ + CVE-2021-27135: xterm vulnerability + - https://ubuntu.com/security/CVE-2021-27135 + + 1 affected source package is installed: xterm + \(1/1\) xterm: + A fix is available in Ubuntu standard updates. + The update is already installed. + + .*✔.* CVE-2021-27135 is resolved. + """ + When I apt install `libbz2-1.0=1.0.6-8.1 bzip2=1.0.6-8.1` + And I run `pro fix USN-4038-3` with sudo + Then stdout matches regexp: + """ + USN-4038-3: bzip2 regression + Found Launchpad bugs: + - https://launchpad.net/bugs/1834494 + + Fixing requested USN-4038-3 + 1 affected source package is installed: bzip2 + \(1/1\) bzip2: + A fix is available in Ubuntu standard updates. + .*\{ apt update && apt install --only-upgrade -y bzip2 libbz2-1.0 \}.* + + .*✔.* USN-4038-3 is resolved. + """ + When I run `pro fix USN-6130-1` as non-root + Then stdout matches regexp: + """ + USN-6130-1: Linux kernel vulnerabilities + Associated CVEs: + - https://ubuntu.com/security/CVE-2023-30456 + - https://ubuntu.com/security/CVE-2023-1380 + - https://ubuntu.com/security/CVE-2023-32233 + - https://ubuntu.com/security/CVE-2023-31436 + + Fixing requested USN-6130-1 + No affected source packages are installed. + + .*✔.* USN-6130-1 does not affect your system. + + Found related USNs: + - USN-6033-1 + - USN-6122-1 + - USN-6123-1 + - USN-6124-1 + - USN-6127-1 + - USN-6131-1 + - USN-6132-1 + - USN-6135-1 + - USN-6149-1 + - USN-6150-1 + - USN-6162-1 + - USN-6173-1 + - USN-6175-1 + - USN-6186-1 + - USN-6222-1 + - USN-6256-1 + - USN-6385-1 + - USN-6460-1 + + Fixing related USNs: + - USN-6033-1 + No affected source packages are installed. + + .*✔.* USN-6033-1 does not affect your system. + + - USN-6122-1 + No affected source packages are installed. + + .*✔.* USN-6122-1 does not affect your system. + + - USN-6123-1 + No affected source packages are installed. + + .*✔.* USN-6123-1 does not affect your system. + + - USN-6124-1 + No affected source packages are installed. + + .*✔.* USN-6124-1 does not affect your system. + + - USN-6127-1 + No affected source packages are installed. + + .*✔.* USN-6127-1 does not affect your system. + + - USN-6131-1 + No affected source packages are installed. - .*✔.* USN-6131-1 does not affect your system. - - - USN-6132-1 - No affected source packages are installed. - - .*✔.* USN-6132-1 does not affect your system. - - - USN-6135-1 - No affected source packages are installed. - - .*✔.* USN-6135-1 does not affect your system. - - - USN-6149-1 - No affected source packages are installed. - - .*✔.* USN-6149-1 does not affect your system. - - - USN-6150-1 - No affected source packages are installed. - - .*✔.* USN-6150-1 does not affect your system. - - - USN-6162-1 - No affected source packages are installed. - - .*✔.* USN-6162-1 does not affect your system. + .*✔.* USN-6131-1 does not affect your system. + + - USN-6132-1 + No affected source packages are installed. + + .*✔.* USN-6132-1 does not affect your system. + + - USN-6135-1 + No affected source packages are installed. + + .*✔.* USN-6135-1 does not affect your system. + + - USN-6149-1 + No affected source packages are installed. + + .*✔.* USN-6149-1 does not affect your system. + + - USN-6150-1 + No affected source packages are installed. + + .*✔.* USN-6150-1 does not affect your system. + + - USN-6162-1 + No affected source packages are installed. + + .*✔.* USN-6162-1 does not affect your system. - - USN-6173-1 - No affected source packages are installed. - - .*✔.* USN-6173-1 does not affect your system. + - USN-6173-1 + No affected source packages are installed. + + .*✔.* USN-6173-1 does not affect your system. - - USN-6175-1 - No affected source packages are installed. + - USN-6175-1 + No affected source packages are installed. - .*✔.* USN-6175-1 does not affect your system. + .*✔.* USN-6175-1 does not affect your system. - - USN-6186-1 - No affected source packages are installed. + - USN-6186-1 + No affected source packages are installed. - .*✔.* USN-6186-1 does not affect your system. + .*✔.* USN-6186-1 does not affect your system. - - USN-6222-1 - No affected source packages are installed. + - USN-6222-1 + No affected source packages are installed. - .*✔.* USN-6222-1 does not affect your system. + .*✔.* USN-6222-1 does not affect your system. - - USN-6256-1 - No affected source packages are installed. + - USN-6256-1 + No affected source packages are installed. - .*✔.* USN-6256-1 does not affect your system. + .*✔.* USN-6256-1 does not affect your system. - - USN-6385-1 - No affected source packages are installed. + - USN-6385-1 + No affected source packages are installed. - .*✔.* USN-6385-1 does not affect your system. + .*✔.* USN-6385-1 does not affect your system. - - USN-6460-1 - No affected source packages are installed. + - USN-6460-1 + No affected source packages are installed. - .*✔.* USN-6460-1 does not affect your system. + .*✔.* USN-6460-1 does not affect your system. - Summary: - .*✔.* USN-6130-1 \[requested\] does not affect your system. - .*✔.* USN-6033-1 \[related\] does not affect your system. - .*✔.* USN-6122-1 \[related\] does not affect your system. - .*✔.* USN-6123-1 \[related\] does not affect your system. - .*✔.* USN-6124-1 \[related\] does not affect your system. - .*✔.* USN-6127-1 \[related\] does not affect your system. - .*✔.* USN-6131-1 \[related\] does not affect your system. - .*✔.* USN-6132-1 \[related\] does not affect your system. - .*✔.* USN-6135-1 \[related\] does not affect your system. - .*✔.* USN-6149-1 \[related\] does not affect your system. - .*✔.* USN-6150-1 \[related\] does not affect your system. - .*✔.* USN-6162-1 \[related\] does not affect your system. - .*✔.* USN-6173-1 \[related\] does not affect your system. - .*✔.* USN-6175-1 \[related\] does not affect your system. - .*✔.* USN-6186-1 \[related\] does not affect your system. - .*✔.* USN-6222-1 \[related\] does not affect your system. - .*✔.* USN-6256-1 \[related\] does not affect your system. - .*✔.* USN-6385-1 \[related\] does not affect your system. - .*✔.* USN-6460-1 \[related\] does not affect your system. - """ - When I run `pro fix CVE-2023-42752` with sudo - Then stdout matches regexp: - """ - CVE-2023-42752: Linux kernel \(NVIDIA\) vulnerabilities - - https://ubuntu.com/security/CVE-2023-42752 + Summary: + .*✔.* USN-6130-1 \[requested\] does not affect your system. + .*✔.* USN-6033-1 \[related\] does not affect your system. + .*✔.* USN-6122-1 \[related\] does not affect your system. + .*✔.* USN-6123-1 \[related\] does not affect your system. + .*✔.* USN-6124-1 \[related\] does not affect your system. + .*✔.* USN-6127-1 \[related\] does not affect your system. + .*✔.* USN-6131-1 \[related\] does not affect your system. + .*✔.* USN-6132-1 \[related\] does not affect your system. + .*✔.* USN-6135-1 \[related\] does not affect your system. + .*✔.* USN-6149-1 \[related\] does not affect your system. + .*✔.* USN-6150-1 \[related\] does not affect your system. + .*✔.* USN-6162-1 \[related\] does not affect your system. + .*✔.* USN-6173-1 \[related\] does not affect your system. + .*✔.* USN-6175-1 \[related\] does not affect your system. + .*✔.* USN-6186-1 \[related\] does not affect your system. + .*✔.* USN-6222-1 \[related\] does not affect your system. + .*✔.* USN-6256-1 \[related\] does not affect your system. + .*✔.* USN-6385-1 \[related\] does not affect your system. + .*✔.* USN-6460-1 \[related\] does not affect your system. + """ + When I run `pro fix CVE-2023-42752` with sudo + Then stdout matches regexp: + """ + CVE-2023-42752: Linux kernel \(NVIDIA\) vulnerabilities + - https://ubuntu.com/security/CVE-2023-42752 - No affected source packages are installed. + No affected source packages are installed. - .*✔.* CVE-2023-42752 does not affect your system. - """ + .*✔.* CVE-2023-42752 does not affect your system. + """ - Examples: ubuntu release details - | release | machine_type | - | bionix | lxd-container | - | bionic | wsl | + Examples: ubuntu release details + | release | machine_type | + | bionix | lxd-container | + | bionic | wsl | - Scenario Outline: Fix command on a machine without security/updates source lists - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `sed -i "/bionic-updates/d" /etc/apt/sources.list` with sudo - And I run `sed -i "/bionic-security/d" /etc/apt/sources.list` with sudo - And I apt update - And I run `wget -O pkg.deb https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.14/+build/22454675/+files/openssl_1.1.1-1ubuntu2.1~18.04.14_amd64.deb` as non-root - And I run `dpkg -i pkg.deb` with sudo - And I verify that running `pro fix CVE-2023-0286` `as non-root` exits `1` - Then stdout matches regexp: - """ - CVE-2023-0286: OpenSSL vulnerabilities - - https://ubuntu.com/security/CVE-2023-0286 + Scenario Outline: Fix command on a machine without security/updates source lists + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `sed -i "/bionic-updates/d" /etc/apt/sources.list` with sudo + And I run `sed -i "/bionic-security/d" /etc/apt/sources.list` with sudo + And I apt update + And I run `wget -O pkg.deb https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.14/+build/22454675/+files/openssl_1.1.1-1ubuntu2.1~18.04.14_amd64.deb` as non-root + And I run `dpkg -i pkg.deb` with sudo + And I verify that running `pro fix CVE-2023-0286` `as non-root` exits `1` + Then stdout matches regexp: + """ + CVE-2023-0286: OpenSSL vulnerabilities + - https://ubuntu.com/security/CVE-2023-0286 - 2 affected source packages are installed: openssl, openssl1.0 - \(1/2, 2/2\) openssl, openssl1.0: - A fix is available in Ubuntu standard updates. - - Cannot install package openssl version 1.1.1-1ubuntu2.1~18.04.21 - - 1 package is still affected: openssl - .*✘.* CVE-2023-0286 is not resolved. - """ - - Examples: ubuntu release details - | release | machine_type | - | bionix | lxd-container | - | bionic | wsl | + 2 affected source packages are installed: openssl, openssl1.0 + \(1/2, 2/2\) openssl, openssl1.0: + A fix is available in Ubuntu standard updates. + - Cannot install package openssl version 1.1.1-1ubuntu2.1~18.04.21 + + 1 package is still affected: openssl + .*✘.* CVE-2023-0286 is not resolved. + """ + + Examples: ubuntu release details + | release | machine_type | + | bionix | lxd-container | + | bionic | wsl | diff --git a/features/i18n.feature b/features/i18n.feature index b7d1f40ec4..7c5bc14b94 100644 --- a/features/i18n.feature +++ b/features/i18n.feature @@ -1,223 +1,228 @@ Feature: Pro supports multiple languages - Scenario Outline: Translation works - Given a `` `` machine with ubuntu-advantage-tools installed - When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root - Then stdout contains substring: - """ - Esta máquina NÃO está vinculada a uma assinatura do Ubuntu Pro. - """ - When I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --all` as non-root - Then stdout contains substring: - """ - sim - """ - Then stdout contains substring: - """ - não - """ - When I apt install `jq` - And I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --format json | jq .services[0].available` as non-root - Then I will see the following on stdout: - """ - "yes" - """ - When I apt remove `ubuntu-pro-client-l10n` - When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root - Then stdout contains substring: - """ - This machine is NOT attached to an Ubuntu Pro subscription. - """ - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Scenario Outline: Translation works + Given a `` `` machine with ubuntu-advantage-tools installed + When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root + Then stdout contains substring: + """ + Esta máquina NÃO está vinculada a uma assinatura do Ubuntu Pro. + """ + When I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --all` as non-root + Then stdout contains substring: + """ + sim + """ + Then stdout contains substring: + """ + não + """ + When I apt install `jq` + And I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --format json | jq .services[0].available` as non-root + Then I will see the following on stdout: + """ + "yes" + """ + When I apt remove `ubuntu-pro-client-l10n` + When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root + Then stdout contains substring: + """ + This machine is NOT attached to an Ubuntu Pro subscription. + """ - Scenario Outline: Translation works - Given a `` `` machine with ubuntu-advantage-tools installed - When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root - Then stdout contains substring: - """ - Ubuntu Pro não está disponível para versões do Ubuntu não LTS. - """ - When I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --all` as non-root - Then stdout contains substring: - """ - não - """ - When I apt install `jq` - And I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --format json | jq .result` as non-root - Then I will see the following on stdout: - """ - "success" - """ - When I apt remove `ubuntu-pro-client-l10n` - When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root - Then stdout contains substring: - """ - Ubuntu Pro is not available for non-LTS releases. - """ - Examples: ubuntu release - | release | machine_type | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - # Note: Translations do work on xenial, but our test environment triggers a bug in python that - # causes it to think we're in an ascii-only environment - Scenario Outline: Translation doesn't error when python thinks it's ascii only - Given a `` `` machine with ubuntu-advantage-tools installed - When I run shell command `env LC_CTYPE=pt_BR.UTF-8 LANGUAGE=pt_BR.UTF-8 python3 -c \"import sys; print(sys.stdout.encoding)\"` as non-root - Then I will see the following on stdout: - """ - ANSI_X3.4-1968 - """ - When I run shell command `env LC_CTYPE=pt_BR.UTF-8 LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root - Then stdout contains substring: - """ - This machine is NOT attached to an Ubuntu Pro subscription. - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | + Scenario Outline: Translation works + Given a `` `` machine with ubuntu-advantage-tools installed + When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root + Then stdout contains substring: + """ + Ubuntu Pro não está disponível para versões do Ubuntu não LTS. + """ + When I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --all` as non-root + Then stdout contains substring: + """ + não + """ + When I apt install `jq` + And I run shell command `LANGUAGE=pt_BR.UTF-8 pro status --format json | jq .result` as non-root + Then I will see the following on stdout: + """ + "success" + """ + When I apt remove `ubuntu-pro-client-l10n` + When I run shell command `LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root + Then stdout contains substring: + """ + Ubuntu Pro is not available for non-LTS releases. + """ - Scenario Outline: apt-hook translations work - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I apt upgrade - When I run `pro detach --assume-yes` with sudo - When I apt update - When I apt install `hello` - When I attach `contract_token` with sudo - # Didn't call the step specifically because of the language environment - When I run shell command `LANGUAGE=pt_BR.UTF-8 apt upgrade -y` with sudo - Then stdout matches regexp: - """ - 1 atualização de segurança do esm-apps - """ - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | + Examples: ubuntu release + | release | machine_type | + | mantic | lxd-container | - @uses.config.contract_token - Scenario Outline: Pro client's commands run successfully in a different locale - Given a `` `` machine with ubuntu-advantage-tools installed - ## Change the locale - When I apt install `language-pack-fr` - And I run `update-locale LANG=fr_FR.UTF-8` with sudo - And I reboot the machine - And I run `cat /etc/default/locale` as non-root - Then stdout matches regexp: - """ - LANG=fr_FR.UTF-8 - """ - #Attach invalid token - When I verify that running `pro attach INVALID_TOKEN` `with sudo` exits `1` - Then stderr matches regexp: - """ - Invalid token. See https://ubuntu.com/pro - """ - When I run `lscpu` as non-root - Then stdout does not match regexp: - """ - Architecture: - """ - When I apt update - Then stdout does not match regexp: - """ - Hit - """ - When I verify that running `pro attach INVALID_TOKEN` `as non-root` exits `1` - Then I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro attach invalid-token --format json` `with sudo` exits `1` - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - When I attach `contract_token` with sudo - # Refresh command - When I run `pro refresh` with sudo - Then I will see the following on stdout: - """ - Successfully processed your pro configuration. - Successfully refreshed your subscription. - Successfully updated Ubuntu Pro related APT and MOTD messages. - """ + # Note: Translations do work on xenial, but our test environment triggers a bug in python that + # causes it to think we're in an ascii-only environment + Scenario Outline: Translation doesn't error when python thinks it's ascii only + Given a `` `` machine with ubuntu-advantage-tools installed + When I run shell command `env LC_CTYPE=pt_BR.UTF-8 LANGUAGE=pt_BR.UTF-8 python3 -c \"import sys; print(sys.stdout.encoding)\"` as non-root + Then I will see the following on stdout: + """ + ANSI_X3.4-1968 + """ + When I run shell command `env LC_CTYPE=pt_BR.UTF-8 LANGUAGE=pt_BR.UTF-8 pro security-status` as non-root + Then stdout contains substring: + """ + This machine is NOT attached to an Ubuntu Pro subscription. + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + + Scenario Outline: apt-hook translations work + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I apt upgrade + When I run `pro detach --assume-yes` with sudo + When I apt update + When I apt install `hello` + When I attach `contract_token` with sudo + # Didn't call the step specifically because of the language environment + When I run shell command `LANGUAGE=pt_BR.UTF-8 apt upgrade -y` with sudo + Then stdout matches regexp: + """ + 1 atualização de segurança do esm-apps + """ + + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + + @uses.config.contract_token + Scenario Outline: Pro client's commands run successfully in a different locale + Given a `` `` machine with ubuntu-advantage-tools installed + # # Change the locale + When I apt install `language-pack-fr` + And I run `update-locale LANG=fr_FR.UTF-8` with sudo + And I reboot the machine + And I run `cat /etc/default/locale` as non-root + Then stdout matches regexp: + """ + LANG=fr_FR.UTF-8 + """ + # Attach invalid token + When I verify that running `pro attach INVALID_TOKEN` `with sudo` exits `1` + Then stderr matches regexp: + """ + Invalid token. See https://ubuntu.com/pro + """ + When I run `lscpu` as non-root + Then stdout does not match regexp: + """ + Architecture: + """ + When I apt update + Then stdout does not match regexp: + """ + Hit + """ + When I verify that running `pro attach INVALID_TOKEN` `as non-root` exits `1` + Then I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro attach invalid-token --format json` `with sudo` exits `1` + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + When I attach `contract_token` with sudo + # Refresh command + When I run `pro refresh` with sudo + Then I will see the following on stdout: + """ + Successfully processed your pro configuration. + Successfully refreshed your subscription. + Successfully updated Ubuntu Pro related APT and MOTD messages. + """ # auto-attach command - When I verify that running `pro auto-attach` `with sudo` exits `2` - Then stderr matches regexp: - """ - This machine is already attached to '.+' - To use a different subscription first run: sudo pro detach. - """ - # status command - When I run `pro status --format json` as non-root - Then stdout is a json matching the `ua_status` schema - When I run `pro status --format yaml` as non-root - Then stdout is a yaml matching the `ua_status` schema - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "effectiveTo": null - } - } - } - """ - And I append the following on uaclient config: - """ - features: - machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" - """ - And I run `pro status` with sudo - Then stdout contains substring: - """ - Valid until: Unknown/Expired - """ - # api command invalid endpoint - When I verify that running `pro api invalid.endpoint` `with sudo` exits `1` - Then stdout matches regexp: - """ - {\"_schema_version\": \"v1\", \"data\": {\"meta\": {\"environment_vars\": \[]}}, \"errors\": \[{\"code\": \"api\-invalid\-endpoint", \"meta\": {\"endpoint\": \"invalid.endpoint\"}, \"title\": \"'invalid\.endpoint' is not a valid endpoint\"}], \"result\": \"failure\", \"version\": \".*\", \"warnings\": \[]} - """ - When I verify that running `pro api u.pro.version.v1 --args extra=arg` `with sudo` exits `1` - Then stdout matches regexp: - """ - {\"_schema_version\": \"v1\", \"data\": {\"meta\": {\"environment_vars\": \[]}}, \"errors\": \[{\"code\": \"api\-no\-argument\-for\-endpoint\", \"meta\": {\"endpoint\": \"u.pro.version.v1\"}, \"title\": \"u\.pro\.version\.v1 accepts no arguments\"}], \"result\": \"failure\", \"version\": \".*\", \"warnings\": \[]} - """ - # api command valid endpoint - When I run `pro api u.pro.version.v1` with sudo - Then stdout matches regexp: - """ - {\"_schema_version\": \"v1\", \"data\": {\"attributes\": {\"installed_version\": \".*\"}, \"meta\": {\"environment_vars\": \[]}, \"type\": \"Version\"}, \"errors\": \[], \"result\": \"success\", \"version\": \".*\", \"warnings\": \[]} - """ - When I run `UA_LOG_FILE=/tmp/some_file OTHER_ENVVAR=not_there pro api u.pro.version.v1` with sudo - Then stdout matches regexp: - """ - {\"_schema_version\": \"v1\", \"data\": {\"attributes\": {\"installed_version\": \".*\"}, \"meta\": {\"environment_vars\": \[{\"name\": \"UA_LOG_FILE\", \"value\": \"\/tmp\/some_file\"}]}, \"type\": \"Version\"}, \"errors\": \[], \"result\": \"success\", \"version\": \".*\", \"warnings\": \[]} - """ - When I run `ua api u.pro.attach.auto.should_auto_attach.v1` with sudo - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"should_auto_attach": false}, "meta": {"environment_vars": \[\]}, "type": "ShouldAutoAttach"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - # version - When I run `pro version` as non-root - Then I will see the uaclient version on stdout - When I run `pro version` with sudo - Then I will see the uaclient version on stdout - When I run `pro --version` as non-root - Then I will see the uaclient version on stdout - When I run `pro --version` with sudo - Then I will see the uaclient version on stdout - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + When I verify that running `pro auto-attach` `with sudo` exits `2` + Then stderr matches regexp: + """ + This machine is already attached to '.+' + To use a different subscription first run: sudo pro detach. + """ + # status command + When I run `pro status --format json` as non-root + Then stdout is a json matching the `ua_status` schema + When I run `pro status --format yaml` as non-root + Then stdout is a yaml matching the `ua_status` schema + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "effectiveTo": null + } + } + } + """ + And I append the following on uaclient config: + """ + features: + machine_token_overlay: "/var/lib/ubuntu-advantage/machine-token-overlay.json" + """ + And I run `pro status` with sudo + Then stdout contains substring: + """ + Valid until: Unknown/Expired + """ + # api command invalid endpoint + When I verify that running `pro api invalid.endpoint` `with sudo` exits `1` + Then stdout matches regexp: + """ + {\"_schema_version\": \"v1\", \"data\": {\"meta\": {\"environment_vars\": \[]}}, \"errors\": \[{\"code\": \"api\-invalid\-endpoint", \"meta\": {\"endpoint\": \"invalid.endpoint\"}, \"title\": \"'invalid\.endpoint' is not a valid endpoint\"}], \"result\": \"failure\", \"version\": \".*\", \"warnings\": \[]} + """ + When I verify that running `pro api u.pro.version.v1 --args extra=arg` `with sudo` exits `1` + Then stdout matches regexp: + """ + {\"_schema_version\": \"v1\", \"data\": {\"meta\": {\"environment_vars\": \[]}}, \"errors\": \[{\"code\": \"api\-no\-argument\-for\-endpoint\", \"meta\": {\"endpoint\": \"u.pro.version.v1\"}, \"title\": \"u\.pro\.version\.v1 accepts no arguments\"}], \"result\": \"failure\", \"version\": \".*\", \"warnings\": \[]} + """ + # api command valid endpoint + When I run `pro api u.pro.version.v1` with sudo + Then stdout matches regexp: + """ + {\"_schema_version\": \"v1\", \"data\": {\"attributes\": {\"installed_version\": \".*\"}, \"meta\": {\"environment_vars\": \[]}, \"type\": \"Version\"}, \"errors\": \[], \"result\": \"success\", \"version\": \".*\", \"warnings\": \[]} + """ + When I run `UA_LOG_FILE=/tmp/some_file OTHER_ENVVAR=not_there pro api u.pro.version.v1` with sudo + Then stdout matches regexp: + """ + {\"_schema_version\": \"v1\", \"data\": {\"attributes\": {\"installed_version\": \".*\"}, \"meta\": {\"environment_vars\": \[{\"name\": \"UA_LOG_FILE\", \"value\": \"\/tmp\/some_file\"}]}, \"type\": \"Version\"}, \"errors\": \[], \"result\": \"success\", \"version\": \".*\", \"warnings\": \[]} + """ + When I run `ua api u.pro.attach.auto.should_auto_attach.v1` with sudo + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"should_auto_attach": false}, "meta": {"environment_vars": \[\]}, "type": "ShouldAutoAttach"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + # version + When I run `pro version` as non-root + Then I will see the uaclient version on stdout + When I run `pro version` with sudo + Then I will see the uaclient version on stdout + When I run `pro --version` as non-root + Then I will see the uaclient version on stdout + When I run `pro --version` with sudo + Then I will see the uaclient version on stdout + + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/install_uninstall.feature b/features/install_uninstall.feature index 55b6aa7fee..48209787cc 100644 --- a/features/install_uninstall.feature +++ b/features/install_uninstall.feature @@ -1,83 +1,82 @@ Feature: Pro Install and Uninstall related tests - Scenario Outline: Do not fail on postinst when cloud-id returns error - Given a `` `` machine with ubuntu-advantage-tools installed - When I delete the file `/run/cloud-init/instance-data.json` - Then I verify that running `dpkg-reconfigure ubuntu-advantage-tools` `with sudo` exits `0` + Scenario Outline: Do not fail on postinst when cloud-id returns error + Given a `` `` machine with ubuntu-advantage-tools installed + When I delete the file `/run/cloud-init/instance-data.json` + Then I verify that running `dpkg-reconfigure ubuntu-advantage-tools` `with sudo` exits `0` - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - @uses.config.contract_token - Scenario Outline: Purge package after attaching it to a machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `touch /etc/apt/preferences.d/ubuntu-esm-infra` with sudo - Then I verify that files exist matching `/var/log/ubuntu-advantage.log` - And I verify that running `test -d /var/lib/ubuntu-advantage` `with sudo` exits `0` - And I verify that files exist matching `/etc/apt/auth.conf.d/90ubuntu-advantage` - And I verify that files exist matching `/etc/apt/trusted.gpg.d/ubuntu-pro-esm-infra.gpg` - And I verify that files exist matching `/etc/apt/sources.list.d/ubuntu-esm-infra.list` - And I verify that files exist matching `/etc/apt/preferences.d/ubuntu-esm-infra` - When I run `apt purge ubuntu-advantage-tools -y` with sudo, retrying exit [100] - Then stdout matches regexp: - """ - Purging configuration files for ubuntu-advantage-tools - """ - And I verify that no files exist matching `/var/log/ubuntu-advantage.log` - And I verify that no files exist matching `/var/lib/ubuntu-advantage` - And I verify that no files exist matching `/etc/apt/auth.conf.d/90ubuntu-advantage` - And I verify that no files exist matching `/etc/apt/sources.list.d/ubuntu-*` - And I verify that no files exist matching `/etc/apt/trusted.gpg.d/ubuntu-pro-*` - And I verify that no files exist matching `/etc/apt/preferences.d/ubuntu-*` + @uses.config.contract_token + Scenario Outline: Purge package after attaching it to a machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `touch /etc/apt/preferences.d/ubuntu-esm-infra` with sudo + Then I verify that files exist matching `/var/log/ubuntu-advantage.log` + And I verify that running `test -d /var/lib/ubuntu-advantage` `with sudo` exits `0` + And I verify that files exist matching `/etc/apt/auth.conf.d/90ubuntu-advantage` + And I verify that files exist matching `/etc/apt/trusted.gpg.d/ubuntu-pro-esm-infra.gpg` + And I verify that files exist matching `/etc/apt/sources.list.d/ubuntu-esm-infra.list` + And I verify that files exist matching `/etc/apt/preferences.d/ubuntu-esm-infra` + When I run `apt purge ubuntu-advantage-tools -y` with sudo, retrying exit [100] + Then stdout matches regexp: + """ + Purging configuration files for ubuntu-advantage-tools + """ + And I verify that no files exist matching `/var/log/ubuntu-advantage.log` + And I verify that no files exist matching `/var/lib/ubuntu-advantage` + And I verify that no files exist matching `/etc/apt/auth.conf.d/90ubuntu-advantage` + And I verify that no files exist matching `/etc/apt/sources.list.d/ubuntu-*` + And I verify that no files exist matching `/etc/apt/trusted.gpg.d/ubuntu-pro-*` + And I verify that no files exist matching `/etc/apt/preferences.d/ubuntu-*` - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - @slow - Scenario Outline: Do not fail during postinst with nonstandard python setup - Given a `` `` machine with ubuntu-advantage-tools installed - # Works when in a python virtualenv - When I apt install `python3-venv` - And I run `python3 -m venv env` with sudo - Then I verify that running `bash -c ". env/bin/activate && python3 -c 'import uaclient'"` `with sudo` exits `1` - Then stderr matches regexp: - """ - No module named 'uaclient' - """ - Then I verify that running `bash -c ". env/bin/activate && dpkg-reconfigure ubuntu-advantage-tools"` `with sudo` exits `0` + @slow + Scenario Outline: Do not fail during postinst with nonstandard python setup + Given a `` `` machine with ubuntu-advantage-tools installed + # Works when in a python virtualenv + When I apt install `python3-venv` + And I run `python3 -m venv env` with sudo + Then I verify that running `bash -c ". env/bin/activate && python3 -c 'import uaclient'"` `with sudo` exits `1` + Then stderr matches regexp: + """ + No module named 'uaclient' + """ + Then I verify that running `bash -c ". env/bin/activate && dpkg-reconfigure ubuntu-advantage-tools"` `with sudo` exits `0` + # Works with python built/installed from source + When I run `wget https://www.python.org/ftp/python/3.10.0/Python-3.10.0.tgz` with sudo + When I run `tar -xvf Python-3.10.0.tgz` with sudo + When I apt install `build-essential zlib1g-dev` + When I run `sh -c "cd Python-3.10.0 && ./configure"` with sudo + When I run `make -C Python-3.10.0` with sudo + When I run `make -C Python-3.10.0 install` with sudo + When I run `python3 --version` with sudo + Then I will see the following on stdout + """ + Python 3.10.0 + """ + Then I verify that running `python3 -c "import uaclient"` `with sudo` exits `1` + Then stderr matches regexp: + """ + No module named 'uaclient' + """ + Then I verify that running `dpkg-reconfigure ubuntu-advantage-tools` `with sudo` exits `0` - # Works with python built/installed from source - When I run `wget https://www.python.org/ftp/python/3.10.0/Python-3.10.0.tgz` with sudo - When I run `tar -xvf Python-3.10.0.tgz` with sudo - When I apt install `build-essential zlib1g-dev` - When I run `sh -c "cd Python-3.10.0 && ./configure"` with sudo - When I run `make -C Python-3.10.0` with sudo - When I run `make -C Python-3.10.0 install` with sudo - When I run `python3 --version` with sudo - Then I will see the following on stdout - """ - Python 3.10.0 - """ - Then I verify that running `python3 -c "import uaclient"` `with sudo` exits `1` - Then stderr matches regexp: - """ - No module named 'uaclient' - """ - Then I verify that running `dpkg-reconfigure ubuntu-advantage-tools` `with sudo` exits `0` - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/landscape.feature b/features/landscape.feature index 2b502a66fd..a5d339a402 100644 --- a/features/landscape.feature +++ b/features/landscape.feature @@ -1,355 +1,330 @@ -@uses.config.contract_token -@uses.config.landscape_registration_key -@uses.config.landscape_api_access_key -@uses.config.landscape_api_secret_key +@uses.config.contract_token @uses.config.landscape_registration_key @uses.config.landscape_api_access_key @uses.config.landscape_api_secret_key Feature: Enable landscape on Ubuntu - Scenario Outline: Enable Landscape non-interactively - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - - Then I verify that running `pro enable landscape` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - - When I run `pro enable landscape -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key} --silent` with sudo - Then stdout contains substring: - """ - One moment, checking your subscription first - Updating standard Ubuntu package lists - Installing landscape-client - Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` - """ - Then stdout contains substring - """ - Registration request sent successfully. - """ - And I verify that `landscape` is enabled - - When I run `sudo pro disable landscape` with sudo - Then I verify that `landscape` is disabled - - # Enable with assume-yes - When I run `pro enable landscape --assume-yes -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key}` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating standard Ubuntu package lists - Installing landscape-client - Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` - Landscape enabled - """ - And I verify that `landscape` is enabled - - # stopping the service effectively disables it - When I run `systemctl stop landscape-client` with sudo - Then I verify that `landscape` is disabled - When I verify that running `sudo pro disable landscape` `with sudo` exits `1` - Then I will see the following on stdout: - """ - Landscape is not currently enabled - See: sudo pro status - """ - - # Fail to enable with assume-yes - When I verify that running `pro enable landscape --assume-yes -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key wrong` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating standard Ubuntu package lists - Installing landscape-client - Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` - Invalid account name or registration key. - Could not enable Landscape. - """ - # This will become obsolete soon: #2864 - When I run `pro status` with sudo - # I am keeping this check until the non-root landscape-config check works as expected - Then stdout matches regexp: - """ - landscape +yes +warning - """ - Then stdout contains substring: - """ - Landscape is installed and configured but not registered. - Run `sudo landscape-config` to register, or run `sudo pro disable landscape` - """ - When I run `sudo pro disable landscape` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - landscape +yes +disabled - """ - - # Enable with assume-yes and format json - When I run `pro enable landscape --assume-yes --format=json -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key}` with sudo - Then I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["landscape"], "result": "success", "warnings": []} - """ - And I verify that `landscape` is enabled - When I run `sudo pro disable landscape` with sudo - - # Fail to enable with assume-yes and format json - When I verify that running `pro enable landscape --assume-yes --format=json -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key wrong` `with sudo` exits `1` - Then I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"stderr": "Invalid account name or registration key.", "stdout": ""}, "message": "landscape-config command failed", "message_code": "landscape-config-failed", "service": "landscape", "type": "service"}], "failed_services": ["landscape"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - # This will become obsolete soon: #2864 - When I run `pro status` with sudo - # I am keeping this check until the non-root landscape-config check works as expected - Then stdout matches regexp: - """ - landscape +yes +warning - """ - Then stdout contains substring: - """ - Landscape is installed and configured but not registered. - Run `sudo landscape-config` to register, or run `sudo pro disable landscape` - """ - Examples: ubuntu release - | release | machine_type | - | mantic | lxd-container | - - Scenario Outline: Enable Landscape interactively - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - - Then I verify that running `pro enable landscape` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - - When I run `pro enable landscape` `with sudo` and the following stdin - # This will change in the future, but right now the lines are: - # use self-hosted? - # computer title - # account name - # registration key - # confirm registration key - # http proxy - # https proxy - # request registration - """ - n - $behave_var{machine-name system-under-test} - pro-client-qa - $behave_var{config landscape_registration_key} - $behave_var{config landscape_registration_key} - - - y - """ - Then stdout contains substring: - """ - One moment, checking your subscription first - Updating standard Ubuntu package lists - Installing landscape-client - Executing `landscape-config` - """ - Then stdout contains substring: - """ - Registration request sent successfully. - """ - And I verify that `landscape` is enabled - When I run `pro disable landscape` with sudo - - When I verify that running `pro enable landscape` `with sudo` and the following stdin exits `1` - """ - n - $behave_var{machine-name system-under-test} - pro-client-qa - wrong - wrong - - - y - """ - Then stdout contains substring: - """ - One moment, checking your subscription first - Updating standard Ubuntu package lists - Installing landscape-client - Executing `landscape-config` - """ - And stderr contains substring: - """ - Invalid account name or registration key. - """ - When I run `pro status` with sudo - Then stdout contains substring: - """ - Landscape is installed and configured but not registered. - Run `sudo landscape-config` to register, or run `sudo pro disable landscape` - """ - Examples: ubuntu release - | release | machine_type | - | mantic | lxd-container | - - Scenario Outline: Easily re-enable Landscape non-interactively after a disable - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - - When I run `pro enable landscape --assume-yes -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key}` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Updating standard Ubuntu package lists - Installing landscape-client - Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` - Landscape enabled - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - landscape +yes +enabled - """ - - When I run `pro disable landscape` with sudo - Then I will see the following on stdout: - """ - Executing `landscape-config --disable` - /etc/landscape/client.conf contains your landscape-client configuration. - To re-enable Landscape with the same configuration, run: - sudo pro enable landscape --assume-yes - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - landscape +yes +disabled - """ - - When I run `pro enable landscape --assume-yes` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - landscape +yes +enabled - """ - When I run shell command `cat /etc/landscape/client.conf | grep computer_title` with sudo - Then I will see the following on stdout: - """ - computer_title = $behave_var{machine-name system-under-test} - """ - When I run shell command `cat /etc/landscape/client.conf | grep account_name` with sudo - Then I will see the following on stdout: - """ - account_name = pro-client-qa - """ - - # Now do the same test but with a full detach - When I run `pro detach --assume-yes` with sudo - Then I will see the following on stdout: - """ - Detach will disable the following service: - landscape - Executing `landscape-config --disable` - /etc/landscape/client.conf contains your landscape-client configuration. - To re-enable Landscape with the same configuration, run: - sudo pro enable landscape --assume-yes - - This machine is now detached. - """ - When I run `pro api u.pro.status.is_attached.v1` with sudo - Then stdout contains substring: - """ - "is_attached": false - """ - - When I attach `contract_token` with sudo and options `--no-auto-enable` - When I run `pro enable landscape --assume-yes` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - landscape +yes +enabled - """ - When I run shell command `cat /etc/landscape/client.conf | grep computer_title` with sudo - Then I will see the following on stdout: - """ - computer_title = $behave_var{machine-name system-under-test} - """ - When I run shell command `cat /etc/landscape/client.conf | grep account_name` with sudo - Then I will see the following on stdout: - """ - account_name = pro-client-qa - """ - Examples: ubuntu release - | release | machine_type | - | mantic | lxd-container | - - Scenario Outline: Detaching/reattaching on an unsupported release does not affect landscape - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - When I run `pro status` with sudo - Then stdout does not contain substring: - """ - landscape - """ - - When I apt install `landscape-client` - - # assert pre-enabled state - When I verify that running `systemctl is-active landscape-client` `with sudo` exits `3` - Then I will see the following on stdout: - """ - inactive - """ - - # enable with landscape-config directly - When I run `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key} --silent` with sudo - Then I will see the following on stdout: - """ - Please wait... - System successfully registered. - """ - - # assert that landscape is running, but pro doesn't care - When I verify that running `systemctl is-active landscape-client` `with sudo` exits `0` - Then I will see the following on stdout: - """ - active - """ - When I run `pro status` with sudo - Then stdout does not contain substring: - """ - landscape - """ - - # disable refuses - When I verify that running `pro disable landscape` `with sudo` exits `1` - Then I will see the following on stdout: - """ - Disabling Landscape with pro is not supported. - See: sudo pro status - """ - - # detach doesn't touch it - When I run `pro detach --assume-yes` with sudo - Then I will see the following on stdout: - """ - This machine is now detached. - """ - - # still running - When I verify that running `systemctl is-active landscape-client` `with sudo` exits `0` - Then I will see the following on stdout: - """ - active - """ - - # re-attaching doesn't affect it either - When I attach `contract_token` with sudo and options `--no-auto-enable` - - # still running - When I verify that running `systemctl is-active landscape-client` `with sudo` exits `0` - Then I will see the following on stdout: - """ - active - """ - - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | + Scenario Outline: Enable Landscape non-interactively + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + Then I verify that running `pro enable landscape` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I run `pro enable landscape -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key} --silent` with sudo + Then stdout contains substring: + """ + One moment, checking your subscription first + Updating standard Ubuntu package lists + Installing landscape-client + Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` + """ + Then stdout contains substring + """ + Registration request sent successfully. + """ + And I verify that `landscape` is enabled + When I run `sudo pro disable landscape` with sudo + Then I verify that `landscape` is disabled + # Enable with assume-yes + When I run `pro enable landscape --assume-yes -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key}` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating standard Ubuntu package lists + Installing landscape-client + Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` + Landscape enabled + """ + And I verify that `landscape` is enabled + # stopping the service effectively disables it + When I run `systemctl stop landscape-client` with sudo + Then I verify that `landscape` is disabled + When I verify that running `sudo pro disable landscape` `with sudo` exits `1` + Then I will see the following on stdout: + """ + Landscape is not currently enabled + See: sudo pro status + """ + # Fail to enable with assume-yes + When I verify that running `pro enable landscape --assume-yes -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key wrong` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating standard Ubuntu package lists + Installing landscape-client + Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` + Invalid account name or registration key. + Could not enable Landscape. + """ + # This will become obsolete soon: #2864 + When I run `pro status` with sudo + # I am keeping this check until the non-root landscape-config check works as expected + Then stdout matches regexp: + """ + landscape +yes +warning + """ + Then stdout contains substring: + """ + Landscape is installed and configured but not registered. + Run `sudo landscape-config` to register, or run `sudo pro disable landscape` + """ + When I run `sudo pro disable landscape` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + landscape +yes +disabled + """ + # Enable with assume-yes and format json + When I run `pro enable landscape --assume-yes --format=json -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key}` with sudo + Then I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["landscape"], "result": "success", "warnings": []} + """ + And I verify that `landscape` is enabled + When I run `sudo pro disable landscape` with sudo + # Fail to enable with assume-yes and format json + When I verify that running `pro enable landscape --assume-yes --format=json -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key wrong` `with sudo` exits `1` + Then I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"stderr": "Invalid account name or registration key.", "stdout": ""}, "message": "landscape-config command failed", "message_code": "landscape-config-failed", "service": "landscape", "type": "service"}], "failed_services": ["landscape"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + # This will become obsolete soon: #2864 + When I run `pro status` with sudo + # I am keeping this check until the non-root landscape-config check works as expected + Then stdout matches regexp: + """ + landscape +yes +warning + """ + Then stdout contains substring: + """ + Landscape is installed and configured but not registered. + Run `sudo landscape-config` to register, or run `sudo pro disable landscape` + """ + + Examples: ubuntu release + | release | machine_type | + | mantic | lxd-container | + + Scenario Outline: Enable Landscape interactively + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + Then I verify that running `pro enable landscape` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I run `pro enable landscape` `with sudo` and the following stdin + # This will change in the future, but right now the lines are: + # use self-hosted? + # computer title + # account name + # registration key + # confirm registration key + # http proxy + # https proxy + # request registration + """ + n + $behave_var{machine-name system-under-test} + pro-client-qa + $behave_var{config landscape_registration_key} + $behave_var{config landscape_registration_key} + + + y + """ + Then stdout contains substring: + """ + One moment, checking your subscription first + Updating standard Ubuntu package lists + Installing landscape-client + Executing `landscape-config` + """ + Then stdout contains substring: + """ + Registration request sent successfully. + """ + And I verify that `landscape` is enabled + When I run `pro disable landscape` with sudo + When I verify that running `pro enable landscape` `with sudo` and the following stdin exits `1` + """ + n + $behave_var{machine-name system-under-test} + pro-client-qa + wrong + wrong + + + y + """ + Then stdout contains substring: + """ + One moment, checking your subscription first + Updating standard Ubuntu package lists + Installing landscape-client + Executing `landscape-config` + """ + And stderr contains substring: + """ + Invalid account name or registration key. + """ + When I run `pro status` with sudo + Then stdout contains substring: + """ + Landscape is installed and configured but not registered. + Run `sudo landscape-config` to register, or run `sudo pro disable landscape` + """ + + Examples: ubuntu release + | release | machine_type | + | mantic | lxd-container | + + Scenario Outline: Easily re-enable Landscape non-interactively after a disable + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + When I run `pro enable landscape --assume-yes -- --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key}` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Updating standard Ubuntu package lists + Installing landscape-client + Executing `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key --silent` + Landscape enabled + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + landscape +yes +enabled + """ + When I run `pro disable landscape` with sudo + Then I will see the following on stdout: + """ + Executing `landscape-config --disable` + /etc/landscape/client.conf contains your landscape-client configuration. + To re-enable Landscape with the same configuration, run: + sudo pro enable landscape --assume-yes + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + landscape +yes +disabled + """ + When I run `pro enable landscape --assume-yes` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + landscape +yes +enabled + """ + When I run shell command `cat /etc/landscape/client.conf | grep computer_title` with sudo + Then I will see the following on stdout: + """ + computer_title = $behave_var{machine-name system-under-test} + """ + When I run shell command `cat /etc/landscape/client.conf | grep account_name` with sudo + Then I will see the following on stdout: + """ + account_name = pro-client-qa + """ + # Now do the same test but with a full detach + When I run `pro detach --assume-yes` with sudo + Then I will see the following on stdout: + """ + Detach will disable the following service: + landscape + Executing `landscape-config --disable` + /etc/landscape/client.conf contains your landscape-client configuration. + To re-enable Landscape with the same configuration, run: + sudo pro enable landscape --assume-yes + + This machine is now detached. + """ + When I run `pro api u.pro.status.is_attached.v1` with sudo + Then stdout contains substring: + """ + "is_attached": false + """ + When I attach `contract_token` with sudo and options `--no-auto-enable` + When I run `pro enable landscape --assume-yes` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + landscape +yes +enabled + """ + When I run shell command `cat /etc/landscape/client.conf | grep computer_title` with sudo + Then I will see the following on stdout: + """ + computer_title = $behave_var{machine-name system-under-test} + """ + When I run shell command `cat /etc/landscape/client.conf | grep account_name` with sudo + Then I will see the following on stdout: + """ + account_name = pro-client-qa + """ + + Examples: ubuntu release + | release | machine_type | + | mantic | lxd-container | + + Scenario Outline: Detaching/reattaching on an unsupported release does not affect landscape + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + When I run `pro status` with sudo + Then stdout does not contain substring: + """ + landscape + """ + When I apt install `landscape-client` + # assert pre-enabled state + When I verify that running `systemctl is-active landscape-client` `with sudo` exits `3` + Then I will see the following on stdout: + """ + inactive + """ + # enable with landscape-config directly + When I run `landscape-config --computer-title $behave_var{machine-name system-under-test} --account-name pro-client-qa --registration-key $behave_var{config landscape_registration_key} --silent` with sudo + Then I will see the following on stdout: + """ + Please wait... + System successfully registered. + """ + # assert that landscape is running, but pro doesn't care + When I verify that running `systemctl is-active landscape-client` `with sudo` exits `0` + Then I will see the following on stdout: + """ + active + """ + When I run `pro status` with sudo + Then stdout does not contain substring: + """ + landscape + """ + # disable refuses + When I verify that running `pro disable landscape` `with sudo` exits `1` + Then I will see the following on stdout: + """ + Disabling Landscape with pro is not supported. + See: sudo pro status + """ + # detach doesn't touch it + When I run `pro detach --assume-yes` with sudo + Then I will see the following on stdout: + """ + This machine is now detached. + """ + # still running + When I verify that running `systemctl is-active landscape-client` `with sudo` exits `0` + Then I will see the following on stdout: + """ + active + """ + # re-attaching doesn't affect it either + When I attach `contract_token` with sudo and options `--no-auto-enable` + # still running + When I verify that running `systemctl is-active landscape-client` `with sudo` exits `0` + Then I will see the following on stdout: + """ + active + """ + + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | diff --git a/features/livepatch.feature b/features/livepatch.feature index dfd7993c22..30e426f2ff 100644 --- a/features/livepatch.feature +++ b/features/livepatch.feature @@ -1,203 +1,208 @@ @uses.config.contract_token Feature: Livepatch - Scenario Outline: Unattached livepatch status shows warning when on unsupported kernel - Given a `` `` machine with ubuntu-advantage-tools installed - When I change config key `livepatch_url` to use value `` - Then I verify that no files exist matching `/home/ubuntu/.cache/ubuntu-pro/livepatch-kernel-support-cache.json` - # This is needed because `apt update` creates this file before, and we need to make sure it is created correctly later - When I delete the file `/run/ubuntu-advantage/livepatch-kernel-support-cache.json` - When I run `pro status` as non-root - Then I verify that files exist matching `/home/ubuntu/.cache/ubuntu-pro/livepatch-kernel-support-cache.json` - Then I verify that no files exist matching `/run/ubuntu-advantage/livepatch-kernel-support-cache.json` - When I run `pro status` with sudo - Then stdout matches regexp: - """ - livepatch +yes +Current kernel is not supported - """ - Then stdout contains substring: - """ - Supported livepatch kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels - """ - Then I verify that files exist matching `/run/ubuntu-advantage/livepatch-kernel-support-cache.json` - When I apt install `linux-generic` - When I apt remove `linux-image*-kvm` - When I run `update-grub` with sudo - When I reboot the machine - When I run `pro status` with sudo - Then stdout matches regexp: - """ - livepatch +yes +Canonical Livepatch service - """ - Then stdout does not contain substring: - """ - Supported livepatch kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels - """ - Examples: ubuntu release - | release | machine_type | livepatch_url | - | focal | lxd-vm | https://livepatch.canonical.com | - | focal | lxd-vm | https://livepatch.staging.canonical.com | + Scenario Outline: Unattached livepatch status shows warning when on unsupported kernel + Given a `` `` machine with ubuntu-advantage-tools installed + When I change config key `livepatch_url` to use value `` + Then I verify that no files exist matching `/home/ubuntu/.cache/ubuntu-pro/livepatch-kernel-support-cache.json` + # This is needed because `apt update` creates this file before, and we need to make sure it is created correctly later + When I delete the file `/run/ubuntu-advantage/livepatch-kernel-support-cache.json` + When I run `pro status` as non-root + Then I verify that files exist matching `/home/ubuntu/.cache/ubuntu-pro/livepatch-kernel-support-cache.json` + Then I verify that no files exist matching `/run/ubuntu-advantage/livepatch-kernel-support-cache.json` + When I run `pro status` with sudo + Then stdout matches regexp: + """ + livepatch +yes +Current kernel is not supported + """ + Then stdout contains substring: + """ + Supported livepatch kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels + """ + Then I verify that files exist matching `/run/ubuntu-advantage/livepatch-kernel-support-cache.json` + When I apt install `linux-generic` + When I apt remove `linux-image*-kvm` + When I run `update-grub` with sudo + When I reboot the machine + When I run `pro status` with sudo + Then stdout matches regexp: + """ + livepatch +yes +Canonical Livepatch service + """ + Then stdout does not contain substring: + """ + Supported livepatch kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels + """ - Scenario Outline: Attached livepatch status shows warning when on unsupported kernel - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - livepatch +yes +warning +Current kernel is not supported - """ - Then stdout matches regexp: - """ - NOTICES - The current kernel \(5.4.0-(\d+)-kvm, x86_64\) is not supported by livepatch. - Supported kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels - Either switch to a supported kernel or `sudo pro disable livepatch` to dismiss this warning. - """ - When I run `pro disable livepatch` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - livepatch +yes +disabled +Current kernel is not supported - """ - Then stdout does not match regexp: - """ - NOTICES - The current kernel \(5.4.0-(\d+)-kvm, x86_64\) is not supported by livepatch. - Supported kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels - Either switch to a supported kernel or `sudo pro disable livepatch` to dismiss this warning. - """ - When I apt install `linux-generic` - When I apt remove `linux-image*-kvm` - When I run `update-grub` with sudo - When I reboot the machine - When I run `pro status` with sudo - Then stdout matches regexp: - """ - livepatch +yes +disabled +Canonical Livepatch service - """ - When I run `pro enable livepatch` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - livepatch +yes +enabled +Canonical Livepatch service - """ - Examples: ubuntu release - | release | machine_type | - | focal | lxd-vm | + Examples: ubuntu release + | release | machine_type | livepatch_url | + | focal | lxd-vm | https://livepatch.canonical.com | + | focal | lxd-vm | https://livepatch.staging.canonical.com | - Scenario Outline: Attached livepatch status shows upgrade required when on an old kernel - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token_staging` with sudo - When I apt install `linux-headers- linux-image-` - When I apt remove `linux-image*-gcp` - When I run `update-grub` with sudo - When I reboot the machine - When I run `uname -r` with sudo - Then stdout contains substring: - """ - - """ - And I verify that `livepatch` status is warning - When I run `pro status` with sudo - Then stdout contains substring: - """ - NOTICES - The running kernel has reached the end of its active livepatch window. - Please upgrade the kernel with apt and reboot for continued livepatch support. - """ - When I apt install `linux-headers-generic linux-image-generic` - When I reboot the machine - When I run `uname -r` with sudo - Then stdout does not contain substring: - """ - - """ - And I verify that `livepatch` is enabled - Then stdout does not contain substring: - """ - NOTICES - The running kernel has reached the end of its active livepatch window. - Please upgrade the kernel with apt and reboot for continued livepatch support. - """ - Examples: ubuntu release - | release | machine_type | old_kernel_version | - | focal | gcp.generic | 5.4.0-28-generic | + Scenario Outline: Attached livepatch status shows warning when on unsupported kernel + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + livepatch +yes +warning +Current kernel is not supported + """ + Then stdout matches regexp: + """ + NOTICES + The current kernel \(5.4.0-(\d+)-kvm, x86_64\) is not supported by livepatch. + Supported kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels + Either switch to a supported kernel or `sudo pro disable livepatch` to dismiss this warning. + """ + When I run `pro disable livepatch` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + livepatch +yes +disabled +Current kernel is not supported + """ + Then stdout does not match regexp: + """ + NOTICES + The current kernel \(5.4.0-(\d+)-kvm, x86_64\) is not supported by livepatch. + Supported kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels + Either switch to a supported kernel or `sudo pro disable livepatch` to dismiss this warning. + """ + When I apt install `linux-generic` + When I apt remove `linux-image*-kvm` + When I run `update-grub` with sudo + When I reboot the machine + When I run `pro status` with sudo + Then stdout matches regexp: + """ + livepatch +yes +disabled +Canonical Livepatch service + """ + When I run `pro enable livepatch` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + livepatch +yes +enabled +Canonical Livepatch service + """ - Scenario Outline: Livepatch is not enabled by default and can't be enabled on interim releases - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - livepatch +no +Current kernel is not supported - """ - When I attach `contract_token` with sudo - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - livepatch +yes +n/a +Canonical Livepatch service - """ - When I verify that running `pro enable livepatch` `with sudo` exits `1` - Then stdout contains substring: - """ - Livepatch is not available for Ubuntu . - """ - When I run `pro status --all` with sudo - Then stdout matches regexp: - """ - livepatch +yes +n/a +Canonical Livepatch service - """ - Examples: ubuntu release - | release | machine_type | pretty_name | - | mantic | lxd-vm | 23.10 (Mantic Minotaur) | + Examples: ubuntu release + | release | machine_type | + | focal | lxd-vm | - Scenario Outline: Livepatch is supported on interim HWE kernel - # This test is intended to ensure that an interim HWE kernel has the correct support status - # It should be kept up to date so that it runs on the latest LTS and installs the latest - # HWE kernel for that release. - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt install `linux-generic-hwe-` - When I apt remove `linux-image*-kvm` - When I run `update-grub` with sudo - When I reboot the machine - When I attach `contract_token` with sudo - When I run `pro status` with sudo - Then I verify that `livepatch` is enabled + Scenario Outline: Attached livepatch status shows upgrade required when on an old kernel + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token_staging` with sudo + When I apt install `linux-headers- linux-image-` + When I apt remove `linux-image*-gcp` + When I run `update-grub` with sudo + When I reboot the machine + When I run `uname -r` with sudo + Then stdout contains substring: + """ + + """ + And I verify that `livepatch` status is warning + When I run `pro status` with sudo + Then stdout contains substring: + """ + NOTICES + The running kernel has reached the end of its active livepatch window. + Please upgrade the kernel with apt and reboot for continued livepatch support. + """ + When I apt install `linux-headers-generic linux-image-generic` + When I reboot the machine + When I run `uname -r` with sudo + Then stdout does not contain substring: + """ + + """ + And I verify that `livepatch` is enabled + Then stdout does not contain substring: + """ + NOTICES + The running kernel has reached the end of its active livepatch window. + Please upgrade the kernel with apt and reboot for continued livepatch support. + """ - Examples: ubuntu release - | release | machine_type | release_num | - | jammy | lxd-vm | 22.04 | + Examples: ubuntu release + | release | machine_type | old_kernel_version | + | focal | gcp.generic | 5.4.0-28-generic | - Scenario Outline: snapd installed as a snap if necessary - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `snap list` with sudo - Then stdout does not contain substring: - """ - snapd - """ - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - resourceEntitlements: - - type: livepatch - directives: - requiredSnaps: - - name: core22 - """ - When I attach `contract_token` with sudo - Then stdout contains substring: - """ - Installing snapd snap - """ - When I run `snap list` with sudo - Then stdout contains substring: - """ - snapd - """ - And stdout contains substring: - """ - core22 - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | + Scenario Outline: Livepatch is not enabled by default and can't be enabled on interim releases + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + livepatch +no +Current kernel is not supported + """ + When I attach `contract_token` with sudo + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + livepatch +yes +n/a +Canonical Livepatch service + """ + When I verify that running `pro enable livepatch` `with sudo` exits `1` + Then stdout contains substring: + """ + Livepatch is not available for Ubuntu . + """ + When I run `pro status --all` with sudo + Then stdout matches regexp: + """ + livepatch +yes +n/a +Canonical Livepatch service + """ + + Examples: ubuntu release + | release | machine_type | pretty_name | + | mantic | lxd-vm | 23.10 (Mantic Minotaur) | + + Scenario Outline: Livepatch is supported on interim HWE kernel + # This test is intended to ensure that an interim HWE kernel has the correct support status + # It should be kept up to date so that it runs on the latest LTS and installs the latest + # HWE kernel for that release. + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt install `linux-generic-hwe-` + When I apt remove `linux-image*-kvm` + When I run `update-grub` with sudo + When I reboot the machine + When I attach `contract_token` with sudo + When I run `pro status` with sudo + Then I verify that `livepatch` is enabled + + Examples: ubuntu release + | release | machine_type | release_num | + | jammy | lxd-vm | 22.04 | + + Scenario Outline: snapd installed as a snap if necessary + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `snap list` with sudo + Then stdout does not contain substring: + """ + snapd + """ + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + resourceEntitlements: + - type: livepatch + directives: + requiredSnaps: + - name: core22 + """ + When I attach `contract_token` with sudo + Then stdout contains substring: + """ + Installing snapd snap + """ + When I run `snap list` with sudo + Then stdout contains substring: + """ + snapd + """ + And stdout contains substring: + """ + core22 + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | diff --git a/features/logs.feature b/features/logs.feature index d4aff3427a..e6b2a688e6 100644 --- a/features/logs.feature +++ b/features/logs.feature @@ -1,81 +1,84 @@ Feature: Logs in Json Array Formatter - @uses.config.contract_token - Scenario Outline: The log file can be successfully parsed as json array - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt install `jq` - And I verify that running `pro status` `with sudo` exits `0` - And I verify that running `pro enable test_entitlement` `with sudo` exits `1` - And I run shell command `tail /var/log/ubuntu-advantage.log | jq -r .` as non-root - Then I will see the following on stderr - """ - """ - When I attach `contract_token` with sudo - And I verify that running `pro refresh` `with sudo` exits `0` - And I verify that running `pro status` `with sudo` exits `0` - And I verify that running `pro enable test_entitlement` `with sudo` exits `1` - And I run shell command `tail /var/log/ubuntu-advantage.log | jq -r .` as non-root - Then I will see the following on stderr - """ - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + @uses.config.contract_token + Scenario Outline: The log file can be successfully parsed as json array + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt install `jq` + And I verify that running `pro status` `with sudo` exits `0` + And I verify that running `pro enable test_entitlement` `with sudo` exits `1` + And I run shell command `tail /var/log/ubuntu-advantage.log | jq -r .` as non-root + Then I will see the following on stderr + """ + """ + When I attach `contract_token` with sudo + And I verify that running `pro refresh` `with sudo` exits `0` + And I verify that running `pro status` `with sudo` exits `0` + And I verify that running `pro enable test_entitlement` `with sudo` exits `1` + And I run shell command `tail /var/log/ubuntu-advantage.log | jq -r .` as non-root + Then I will see the following on stderr + """ + """ - Scenario Outline: Non-root user and root user log files are different - Given a `` `` machine with ubuntu-advantage-tools installed - # Confirm user log file does not exist - When I run `truncate -s 0 /var/log/ubuntu-advantage.log` with sudo - And I verify `/var/log/ubuntu-advantage.log` is empty - Then I verify that no files exist matching `/home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` - When I verify that running `pro status` `as non-root` exits `0` - Then I verify that files exist matching `/home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` - When I verify `/var/log/ubuntu-advantage.log` is empty - And I run `cat /home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` as non-root - Then stdout contains substring - """ - Executed with sys.argv: ['/usr/bin/pro', 'status'] - """ - When I run `truncate -s 0 /home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` with sudo - And I attach `contract_token` with sudo - And I verify `/home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` is empty - And I run `cat /var/log/ubuntu-advantage.log` as non-root - Then stdout contains substring - """ - Executed with sys.argv: ['/usr/bin/pro', 'attach' - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Scenario Outline: Non-root user log files included in collect logs - Given a `` `` machine with ubuntu-advantage-tools installed - When i verify that running `pro status` `with sudo` exits `0` - And I verify that running `pro collect-logs` `with sudo` exits `0` - And I run `tar -tf pro_logs.tar.gz` as non-root - Then stdout does not contain substring - """ - user0.log - """ - When i verify that running `pro status` `as non-root` exits `0` - And I verify that running `pro collect-logs` `with sudo` exits `0` - And I run `tar -tf pro_logs.tar.gz` as non-root - Then stdout contains substring - """ - user0.log - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Scenario Outline: Non-root user and root user log files are different + Given a `` `` machine with ubuntu-advantage-tools installed + # Confirm user log file does not exist + When I run `truncate -s 0 /var/log/ubuntu-advantage.log` with sudo + And I verify `/var/log/ubuntu-advantage.log` is empty + Then I verify that no files exist matching `/home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` + When I verify that running `pro status` `as non-root` exits `0` + Then I verify that files exist matching `/home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` + When I verify `/var/log/ubuntu-advantage.log` is empty + And I run `cat /home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` as non-root + Then stdout contains substring + """ + Executed with sys.argv: ['/usr/bin/pro', 'status'] + """ + When I run `truncate -s 0 /home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` with sudo + And I attach `contract_token` with sudo + And I verify `/home/ubuntu/.cache/ubuntu-pro/ubuntu-pro.log` is empty + And I run `cat /var/log/ubuntu-advantage.log` as non-root + Then stdout contains substring + """ + Executed with sys.argv: ['/usr/bin/pro', 'attach' + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Non-root user log files included in collect logs + Given a `` `` machine with ubuntu-advantage-tools installed + When i verify that running `pro status` `with sudo` exits `0` + And I verify that running `pro collect-logs` `with sudo` exits `0` + And I run `tar -tf pro_logs.tar.gz` as non-root + Then stdout does not contain substring + """ + user0.log + """ + When i verify that running `pro status` `as non-root` exits `0` + And I verify that running `pro collect-logs` `with sudo` exits `0` + And I run `tar -tf pro_logs.tar.gz` as non-root + Then stdout contains substring + """ + user0.log + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/magic_attach.feature b/features/magic_attach.feature index ec0dc704ae..f43761f30b 100644 --- a/features/magic_attach.feature +++ b/features/magic_attach.feature @@ -1,54 +1,54 @@ Feature: Magic attach flow related tests - Scenario Outline: Attach using the magic attach flow - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/tmp/response-overlay.json` with the following: - """ - { - "https://contracts.canonical.com/v1/magic-attach": [ - { + Scenario Outline: Attach using the magic attach flow + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/tmp/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/magic-attach": [ + { + "code": 200, + "response": { + "userCode": "123", + "token": "testToken", + "expires": "expire-date", + "expiresIn": 2000 + } + }, + { "code": 200, "response": { - "userCode": "123", - "token": "testToken", - "expires": "expire-date", - "expiresIn": 2000 + "userCode": "123", + "token": "testToken", + "expires": "expire-date", + "expiresIn": 2000, + "contractID": "test-contract-id", + "contractToken": "$behave_var{contract_token}" } - }, - { - "code": 200, - "response": { - "userCode": "123", - "token": "testToken", - "expires": "expire-date", - "expiresIn": 2000, - "contractID": "test-contract-id", - "contractToken": "$behave_var{contract_token}" - } - }] - } - """ - And I append the following on uaclient config: - """ - features: - serviceclient_url_responses: "/tmp/response-overlay.json" - """ - And I run `pro attach` with sudo - Then stdout matches regexp: - """ - Initiating attach operation... + }] + } + """ + And I append the following on uaclient config: + """ + features: + serviceclient_url_responses: "/tmp/response-overlay.json" + """ + And I run `pro attach` with sudo + Then stdout matches regexp: + """ + Initiating attach operation... - Please sign in to your Ubuntu Pro account at this link: - https://ubuntu.com/pro/attach - And provide the following code: .*123.* + Please sign in to your Ubuntu Pro account at this link: + https://ubuntu.com/pro/attach + And provide the following code: .*123.* - Attaching the machine... - """ - And the machine is attached + Attaching the machine... + """ + And the machine is attached - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | diff --git a/features/motd_messages.feature b/features/motd_messages.feature index 1eded714c9..b28c55209f 100644 --- a/features/motd_messages.feature +++ b/features/motd_messages.feature @@ -1,142 +1,142 @@ Feature: MOTD Messages - @uses.config.contract_token - Scenario Outline: Contract update prevents contract expiration messages - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I update contract to use `effectiveTo` as `$behave_var{today +2}` - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout does not match regexp: - """ - [\w\d.]+ + @uses.config.contract_token + Scenario Outline: Contract update prevents contract expiration messages + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I update contract to use `effectiveTo` as `$behave_var{today +2}` + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout does not match regexp: + """ + [\w\d.]+ - CAUTION: Your Ubuntu Pro subscription will expire in 2 days. - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure - continued security coverage for your applications. + CAUTION: Your Ubuntu Pro subscription will expire in 2 days. + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure + continued security coverage for your applications. - [\w\d.]+ - """ - When I update contract to use `effectiveTo` as `$behave_var{today -3}` - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout does not match regexp: - """ - [\w\d.]+ + [\w\d.]+ + """ + When I update contract to use `effectiveTo` as `$behave_var{today -3}` + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout does not match regexp: + """ + [\w\d.]+ - CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+. - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure - continued security coverage for your applications. - Your grace period will expire in 11 days. + CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+. + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure + continued security coverage for your applications. + Your grace period will expire in 11 days. - [\w\d.]+ - """ - When I update contract to use `effectiveTo` as `$behave_var{today -20}` - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout does not match regexp: - """ - [\w\d.]+ + [\w\d.]+ + """ + When I update contract to use `effectiveTo` as `$behave_var{today -20}` + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout does not match regexp: + """ + [\w\d.]+ - \*Your Ubuntu Pro subscription has EXPIRED\* - \d+ additional security updates require Ubuntu Pro with '' enabled. - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard + \*Your Ubuntu Pro subscription has EXPIRED\* + \d+ additional security updates require Ubuntu Pro with '' enabled. + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard - [\w\d.]+ - """ - Examples: ubuntu release - | release | machine_type | service | - | xenial | lxd-container | esm-infra | - | bionic | lxd-container | esm-apps | - | bionic | wsl | esm-apps | + [\w\d.]+ + """ + Examples: ubuntu release + | release | machine_type | service | + | xenial | lxd-container | esm-infra | + | bionic | lxd-container | esm-apps | + | bionic | wsl | esm-apps | - Scenario Outline: Contract Expiration Messages - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt install `ansible` - And I attach `contract_token` with sudo - And I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: $behave_var{today +2} - """ - And I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - [\w\d.]+ + Scenario Outline: Contract Expiration Messages + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt install `ansible` + And I attach `contract_token` with sudo + And I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: $behave_var{today +2} + """ + And I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + [\w\d.]+ - CAUTION: Your Ubuntu Pro subscription will expire in 2 days. - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure - continued security coverage for your applications. - """ - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: $behave_var{today -3} - """ - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - [\w\d.]+ - - CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+. - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure - continued security coverage for your applications. - Your grace period will expire in 11 days. - """ - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - effectiveTo: $behave_var{today -20} - """ - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - [\w\d.]+ - - \*Your Ubuntu Pro subscription has EXPIRED\* - \d+ additional security updates require Ubuntu Pro with '' enabled. - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard - """ - When I apt upgrade - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - [\w\d.]+ - - \*Your Ubuntu Pro subscription has EXPIRED\* - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard - """ - When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: - """ - { - "machineTokenInfo": { - "contractInfo": { - "effectiveTo": null - } - } - } - """ - When I wait `1` seconds - When I run `pro refresh messages` with sudo - And I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - [\w\d.]+ - - \*Your Ubuntu Pro subscription has EXPIRED\* - Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard - """ + CAUTION: Your Ubuntu Pro subscription will expire in 2 days. + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure + continued security coverage for your applications. + """ + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: $behave_var{today -3} + """ + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + [\w\d.]+ - Examples: ubuntu release - | release | machine_type | service | - | xenial | lxd-container | esm-infra | - | bionic | lxd-container | esm-infra | - | bionic | wsl | esm-infra | + CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+. + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard to ensure + continued security coverage for your applications. + Your grace period will expire in 11 days. + """ + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + effectiveTo: $behave_var{today -20} + """ + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + [\w\d.]+ + + \*Your Ubuntu Pro subscription has EXPIRED\* + \d+ additional security updates require Ubuntu Pro with '' enabled. + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard + """ + When I apt upgrade + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + [\w\d.]+ + + \*Your Ubuntu Pro subscription has EXPIRED\* + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard + """ + When I create the file `/var/lib/ubuntu-advantage/machine-token-overlay.json` with the following: + """ + { + "machineTokenInfo": { + "contractInfo": { + "effectiveTo": null + } + } + } + """ + When I wait `1` seconds + When I run `pro refresh messages` with sudo + And I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + [\w\d.]+ + + \*Your Ubuntu Pro subscription has EXPIRED\* + Renew your subscription at https:\/\/ubuntu.com\/pro\/dashboard + """ + + Examples: ubuntu release + | release | machine_type | service | + | xenial | lxd-container | esm-infra | + | bionic | lxd-container | esm-infra | + | bionic | wsl | esm-infra | diff --git a/features/proxy_config.feature b/features/proxy_config.feature index b648854eed..d079999e65 100644 --- a/features/proxy_config.feature +++ b/features/proxy_config.feature @@ -1,1297 +1,1286 @@ @uses.config.contract_token Feature: Proxy configuration - @slow - Scenario Outline: Attach command when proxy is configured for uaclient - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT api.snapcraft.io.* - """ - When I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://api.snapcraft.io.* - """ - When I attach `contract_token` with sudo and options `--no-auto-enable` - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - And the machine is attached - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting UA-scoped APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://archive.ubuntu.com.* - """ - When I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting UA-scoped APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT esm.ubuntu.com.* - """ - Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy::esm.ubuntu.com \".*\"; - Acquire::https::Proxy::esm.ubuntu.com \".*\"; - """ - When I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout does not match regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout does not match regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout does not match regexp: - """ - .*GET.*security.ubuntu.com.* - """ - When I run `pro config unset ua_apt_http_proxy` with sudo - And I run `pro config unset ua_apt_https_proxy` with sudo - And I run `pro refresh config` with sudo - Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "ua_apt_http_proxy": "invalidurl", - "ua_apt_https_proxy": "invalidurls" - } - """ - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"invalidurl\" is not a valid url. Not setting as proxy. - """ - When I verify that running `pro config set http_proxy=http://host:port` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"http://host:port\" is not a valid url. Not setting as proxy - """ - When I apt install `python3-pycurl` - And I verify that running `pro config set ua_apt_https_proxy=https://localhost:12345` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"https://localhost:12345\" is not working. Not setting as proxy. - """ - When I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy::esm.ubuntu.com \".*\"; - Acquire::https::Proxy::esm.ubuntu.com \".*\"; - """ + @slow + Scenario Outline: Attach command when proxy is configured for uaclient + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT api.snapcraft.io.* + """ + When I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://api.snapcraft.io.* + """ + When I attach `contract_token` with sudo and options `--no-auto-enable` + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + And the machine is attached + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting UA-scoped APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://archive.ubuntu.com.* + """ + When I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting UA-scoped APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT esm.ubuntu.com.* + """ + Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy::esm.ubuntu.com \".*\"; + Acquire::https::Proxy::esm.ubuntu.com \".*\"; + """ + When I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout does not match regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout does not match regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout does not match regexp: + """ + .*GET.*security.ubuntu.com.* + """ + When I run `pro config unset ua_apt_http_proxy` with sudo + And I run `pro config unset ua_apt_https_proxy` with sudo + And I run `pro refresh config` with sudo + Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "ua_apt_http_proxy": "invalidurl", + "ua_apt_https_proxy": "invalidurls" + } + """ + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"invalidurl\" is not a valid url. Not setting as proxy. + """ + When I verify that running `pro config set http_proxy=http://host:port` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"http://host:port\" is not a valid url. Not setting as proxy + """ + When I apt install `python3-pycurl` + And I verify that running `pro config set ua_apt_https_proxy=https://localhost:12345` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"https://localhost:12345\" is not working. Not setting as proxy. + """ + When I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy::esm.ubuntu.com \".*\"; + Acquire::https::Proxy::esm.ubuntu.com \".*\"; + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - @slow - Scenario Outline: Attach command when proxy is configured - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT api.snapcraft.io.* - """ - When I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - Then stdout matches regexp: - """ - Setting Livepatch proxy - """ - When I run `canonical-livepatch config check-interval=0` with sudo - And I run `canonical-livepatch refresh` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - And stdout matches regexp: - """ - .*CONNECT api.snapcraft.io:443.* - """ - When I run `sleep 120` as non-root - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT livepatch.canonical.com:443.* - """ - When I run `pro refresh config` with sudo - Then I will see the following on stdout: - """ - Setting snap proxy - Setting Livepatch proxy - Successfully processed your pro configuration. - """ - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "http_proxy": "", - "https_proxy": "" - } - """ - And I run `pro refresh config` with sudo - Then I will see the following on stdout: - """ - No proxy set in config; however, proxy is configured for: snap, livepatch. - See https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/configure_proxies.html for more information on pro proxy configuration. - - Successfully processed your pro configuration. - """ - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "http_proxy": "invalidurl", - "https_proxy": "invalidurls" - } - """ - And I apt install `python3-pycurl` - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"invalidurl\" is not a valid url. Not setting as proxy. - """ - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "https_proxy": "https://localhost:12345" - } - """ - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"https://localhost:12345\" is not working. Not setting as proxy. - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | + @slow + Scenario Outline: Attach command when proxy is configured + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT api.snapcraft.io.* + """ + When I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + Then stdout matches regexp: + """ + Setting Livepatch proxy + """ + When I run `canonical-livepatch config check-interval=0` with sudo + And I run `canonical-livepatch refresh` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + And stdout matches regexp: + """ + .*CONNECT api.snapcraft.io:443.* + """ + When I run `sleep 120` as non-root + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT livepatch.canonical.com:443.* + """ + When I run `pro refresh config` with sudo + Then I will see the following on stdout: + """ + Setting snap proxy + Setting Livepatch proxy + Successfully processed your pro configuration. + """ + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "http_proxy": "", + "https_proxy": "" + } + """ + And I run `pro refresh config` with sudo + Then I will see the following on stdout: + """ + No proxy set in config; however, proxy is configured for: snap, livepatch. + See https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/configure_proxies.html for more information on pro proxy configuration. - @slow - Scenario Outline: Attach command when authenticated proxy is configured for uaclient - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid apache2-utils` on the `proxy` machine - And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - When I run `pro config set https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT api.snapcraft.io.* - """ - When I run `pro config set http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://api.snapcraft.io.* - """ - When I attach `contract_token` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - When I run `pro config set ua_apt_http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting UA-scoped APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://archive.ubuntu.com.* - """ - When I run `pro config set ua_apt_https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting UA-scoped APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT esm.ubuntu.com.* - """ - When I run `pro refresh config` with sudo - And I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout does not match regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout does not match regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout does not match regexp: - """ - .*GET.*security.ubuntu.com.* - """ - And I verify that running `pro config set ua_apt_https_proxy=http://wronguser:wrongpassword@$behave_var{machine-ip proxy}:3128` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"http://wronguser:wrongpassword@.*:3128\" is not working. Not setting as proxy. - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Successfully processed your pro configuration. + """ + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "http_proxy": "invalidurl", + "https_proxy": "invalidurls" + } + """ + And I apt install `python3-pycurl` + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"invalidurl\" is not a valid url. Not setting as proxy. + """ + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "https_proxy": "https://localhost:12345" + } + """ + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"https://localhost:12345\" is not working. Not setting as proxy. + """ - @slow - Scenario Outline: Attach command when authenticated proxy is configured - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid apache2-utils` on the `proxy` machine - And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - And I attach `contract_token` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - Then stdout matches regexp: - """ - Setting Livepatch proxy - """ - When I run `canonical-livepatch config check-interval=0` with sudo - And I run `canonical-livepatch refresh` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT api.snapcraft.io:443.* - """ - When I run `sleep 120` as non-root - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT livepatch.canonical.com:443.* - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-vm | - | bionic | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | - @slow - Scenario Outline: Attach command when proxy is configured manually via conf file for uaclient - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "http_proxy": "http://$behave_var{machine-ip proxy}:3128", - "https_proxy": "http://$behave_var{machine-ip proxy}:3128" - } - """ - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - # We need this for the route command - And I attach `contract_token` with sudo and options `--no-auto-enable` - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - And the machine is attached - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "ua_apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128", - "ua_apt_https_proxy": "http://$behave_var{machine-ip proxy}:3128" - } - """ - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `pro refresh config` with sudo - Then stdout matches regexp: - """ - Setting UA-scoped APT proxy - """ - Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy::esm.ubuntu.com \".*\"; - Acquire::https::Proxy::esm.ubuntu.com \".*\"; - """ - When I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout does not match regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout does not match regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout does not match regexp: - """ - .*GET.*security.ubuntu.com.* - """ - When I run `pro config unset ua_apt_http_proxy` with sudo - And I run `pro config unset ua_apt_https_proxy` with sudo - And I run `pro refresh config` with sudo - Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "ua_apt_http_proxy": "invalidurl", - "ua_apt_https_proxy": "invalidurls" - } - """ - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"invalidurl\" is not a valid url. Not setting as proxy. - """ - When I verify that running `pro config set http_proxy=http://host:port` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"http://host:port\" is not a valid url. Not setting as proxy - """ - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "ua_apt_https_proxy": "https://localhost:12345" - } - """ - And I apt install `python3-pycurl` - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"https://localhost:12345\" is not working. Not setting as proxy. - """ - When I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy::esm.ubuntu.com \".*\"; - Acquire::https::Proxy::esm.ubuntu.com \".*\"; - """ + @slow + Scenario Outline: Attach command when authenticated proxy is configured for uaclient + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid apache2-utils` on the `proxy` machine + And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + When I run `pro config set https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT api.snapcraft.io.* + """ + When I run `pro config set http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://api.snapcraft.io.* + """ + When I attach `contract_token` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + When I run `pro config set ua_apt_http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting UA-scoped APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://archive.ubuntu.com.* + """ + When I run `pro config set ua_apt_https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting UA-scoped APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT esm.ubuntu.com.* + """ + When I run `pro refresh config` with sudo + And I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout does not match regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout does not match regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout does not match regexp: + """ + .*GET.*security.ubuntu.com.* + """ + And I verify that running `pro config set ua_apt_https_proxy=http://wronguser:wrongpassword@$behave_var{machine-ip proxy}:3128` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"http://wronguser:wrongpassword@.*:3128\" is not working. Not setting as proxy. + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - @slow - Scenario Outline: Attach command when authenticated proxy is configured manually for uaclient - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid apache2-utils` on the `proxy` machine - And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "http_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128", - "https_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128" - } - """ - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I attach `contract_token` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "ua_apt_http_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128", - "ua_apt_https_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128" - } - """ - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro refresh config` with sudo - And I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout does not match regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout does not match regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout does not match regexp: - """ - .*GET.*security.ubuntu.com.* - """ - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "ua_apt_https_proxy": "http://wronguser:wrongpassword@$behave_var{machine-ip proxy}:3128" - } - """ - And I apt install `python3-pycurl` - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"http://wronguser:wrongpassword@.*:3128\" is not working. Not setting as proxy. - """ + @slow + Scenario Outline: Attach command when authenticated proxy is configured + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid apache2-utils` on the `proxy` machine + And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + And I attach `contract_token` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + Then stdout matches regexp: + """ + Setting Livepatch proxy + """ + When I run `canonical-livepatch config check-interval=0` with sudo + And I run `canonical-livepatch refresh` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT api.snapcraft.io:443.* + """ + When I run `sleep 120` as non-root + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT livepatch.canonical.com:443.* + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-vm | + | bionic | lxd-vm | - @slow - Scenario Outline: Attach command when proxy is configured globally - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT api.snapcraft.io.* - """ - When I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://api.snapcraft.io.* - """ - # We need this for the route command - When I apt install `net-tools` - # We will guarantee that the machine will only use the proxy when - # running the pro commands - And I run `route del default` with sudo - And I attach `contract_token` with sudo and options `--no-auto-enable` - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - And the machine is attached - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting global APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://archive.ubuntu.com.* - """ - When I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting global APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT esm.ubuntu.com.* - """ - # TODO No longer empty, needs researching - Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy \".*\"; - Acquire::https::Proxy \".*\"; - """ - When I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout matches regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout matches regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout matches regexp: - """ - .*GET.*security.ubuntu.com.* - """ - When I run `pro config unset global_apt_http_proxy` with sudo - And I run `pro config unset global_apt_https_proxy` with sudo - And I run `pro refresh config` with sudo - Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "global_apt_http_proxy": "invalidurl", - "global_https_proxy": "invalidurls" - } - """ - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"invalidurl\" is not a valid url. Not setting as proxy. - """ - When I verify that running `pro config set http_proxy=http://host:port` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"http://host:port\" is not a valid url. Not setting as proxy - """ - When I apt install `python3-pycurl` - And I verify that running `pro config set global_apt_https_proxy=https://localhost:12345` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"https://localhost:12345\" is not working. Not setting as proxy. - """ - When I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy \".*\"; - Acquire::https::Proxy \".*\"; - """ + @slow + Scenario Outline: Attach command when proxy is configured manually via conf file for uaclient + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "http_proxy": "http://$behave_var{machine-ip proxy}:3128", + "https_proxy": "http://$behave_var{machine-ip proxy}:3128" + } + """ + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + # We need this for the route command + And I attach `contract_token` with sudo and options `--no-auto-enable` + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + And the machine is attached + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "ua_apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128", + "ua_apt_https_proxy": "http://$behave_var{machine-ip proxy}:3128" + } + """ + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `pro refresh config` with sudo + Then stdout matches regexp: + """ + Setting UA-scoped APT proxy + """ + Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy::esm.ubuntu.com \".*\"; + Acquire::https::Proxy::esm.ubuntu.com \".*\"; + """ + When I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout does not match regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout does not match regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout does not match regexp: + """ + .*GET.*security.ubuntu.com.* + """ + When I run `pro config unset ua_apt_http_proxy` with sudo + And I run `pro config unset ua_apt_https_proxy` with sudo + And I run `pro refresh config` with sudo + Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "ua_apt_http_proxy": "invalidurl", + "ua_apt_https_proxy": "invalidurls" + } + """ + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"invalidurl\" is not a valid url. Not setting as proxy. + """ + When I verify that running `pro config set http_proxy=http://host:port` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"http://host:port\" is not a valid url. Not setting as proxy + """ + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "ua_apt_https_proxy": "https://localhost:12345" + } + """ + And I apt install `python3-pycurl` + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"https://localhost:12345\" is not working. Not setting as proxy. + """ + When I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy::esm.ubuntu.com \".*\"; + Acquire::https::Proxy::esm.ubuntu.com \".*\"; + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - @slow - Scenario Outline: Attach command when authenticated proxy is configured globally - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid apache2-utils` on the `proxy` machine - And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - When I run `pro config set https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT api.snapcraft.io.* - """ - When I run `pro config set http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting snap proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://api.snapcraft.io.* - """ - When I apt install `net-tools` - # We will guarantee that the machine will only use the proxy when - # running the pro commands - And I run `route del default` with sudo - And I attach `contract_token` with sudo and options `--no-auto-enable` - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - When I run `pro config set global_apt_http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting global APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://archive.ubuntu.com.* - """ - When I run `pro config set global_apt_https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Setting global APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT esm.ubuntu.com.* - """ - When I run `pro refresh config` with sudo - And I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout matches regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout matches regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout matches regexp: - """ - .*GET.*security.ubuntu.com.* - """ - And I verify that running `pro config set global_apt_https_proxy=http://wronguser:wrongpassword@$behave_var{machine-ip proxy}:3128` `with sudo` exits `1` - Then stderr matches regexp: - """ - \"http://wronguser:wrongpassword@.*:3128\" is not working. Not setting as proxy. - """ + @slow + Scenario Outline: Attach command when authenticated proxy is configured manually for uaclient + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid apache2-utils` on the `proxy` machine + And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "http_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128", + "https_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128" + } + """ + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I attach `contract_token` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "ua_apt_http_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128", + "ua_apt_https_proxy": "http://someuser:somepassword@$behave_var{machine-ip proxy}:3128" + } + """ + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro refresh config` with sudo + And I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout does not match regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout does not match regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout does not match regexp: + """ + .*GET.*security.ubuntu.com.* + """ + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "ua_apt_https_proxy": "http://wronguser:wrongpassword@$behave_var{machine-ip proxy}:3128" + } + """ + And I apt install `python3-pycurl` + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"http://wronguser:wrongpassword@.*:3128\" is not working. Not setting as proxy. + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - @slow - Scenario Outline: Get warning when configuring global or uaclient proxy - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy \".*\"; - Acquire::https::Proxy \".*\"; - """ - When I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout matches regexp: - """ - .*GET.*ubuntu.com/ubuntu/dists.* - """ - Then stdout matches regexp: - """ - .*GET.*archive.ubuntu.com.* - """ - Then stdout matches regexp: - """ - .*GET.*security.ubuntu.com.* - """ - When I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Warning: Setting the pro scoped apt proxy will overwrite the global apt - proxy previously set via `pro config`. - """ - When I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout does not match regexp: - """ - Warning: Setting the pro scoped apt proxy will overwrite the global apt - proxy previously set via `pro config`. - """ - When I run `pro config show` with sudo - Then stdout matches regexp: - """ - global_apt_http_proxy +None - """ - Then stdout matches regexp: - """ - global_apt_https_proxy +None - """ - When I run `pro config unset ua_apt_http_proxy` with sudo - And I run `pro config unset ua_apt_https_proxy` with sudo - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128" - } - """ - And I verify that running `pro refresh config` `with sudo` exits `0` - Then stdout matches regexp: - """ - Using deprecated "apt_http_proxy" config field. - Please migrate to using "global_apt_http_proxy" - """ - When I run `pro config show` with sudo - Then stdout matches regexp: - """ - global_apt_http_proxy +http://$behave_var{machine-ip proxy}:3128 - """ - Then stdout matches regexp: - """ - apt_http_proxy +None - """ - When I run `pro config unset global_apt_http_proxy` with sudo - And I run `pro config unset global_apt_https_proxy` with sudo - And I run `pro config unset ua_apt_http_proxy` with sudo - And I run `pro config unset ua_apt_https_proxy` with sudo - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "global_apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128", - "ua_apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128" - } - """ - And I verify that running `pro refresh config` `with sudo` exits `1` - Then stderr matches regexp: - """ - Error: Setting global apt proxy and pro scoped apt proxy - at the same time is unsupported. - Cancelling config process operation. - """ - When I run `pro config show` with sudo - Then stdout matches regexp: - """ - global_apt_http_proxy +http://$behave_var{machine-ip proxy}:3128 - """ - Then stdout matches regexp: - """ - ua_apt_http_proxy +http://$behave_var{machine-ip proxy}:3128 - """ - Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy \".*\"; - Acquire::https::Proxy \".*\"; - """ + @slow + Scenario Outline: Attach command when proxy is configured globally + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT api.snapcraft.io.* + """ + When I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://api.snapcraft.io.* + """ + # We need this for the route command + When I apt install `net-tools` + # We will guarantee that the machine will only use the proxy when + # running the pro commands + And I run `route del default` with sudo + And I attach `contract_token` with sudo and options `--no-auto-enable` + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + And the machine is attached + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting global APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://archive.ubuntu.com.* + """ + When I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting global APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT esm.ubuntu.com.* + """ + # TODO No longer empty, needs researching + Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy \".*\"; + Acquire::https::Proxy \".*\"; + """ + When I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout matches regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout matches regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout matches regexp: + """ + .*GET.*security.ubuntu.com.* + """ + When I run `pro config unset global_apt_http_proxy` with sudo + And I run `pro config unset global_apt_https_proxy` with sudo + And I run `pro refresh config` with sudo + Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "global_apt_http_proxy": "invalidurl", + "global_https_proxy": "invalidurls" + } + """ + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"invalidurl\" is not a valid url. Not setting as proxy. + """ + When I verify that running `pro config set http_proxy=http://host:port` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"http://host:port\" is not a valid url. Not setting as proxy + """ + When I apt install `python3-pycurl` + And I verify that running `pro config set global_apt_https_proxy=https://localhost:12345` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"https://localhost:12345\" is not working. Not setting as proxy. + """ + When I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy \".*\"; + Acquire::https::Proxy \".*\"; + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - @slow - Scenario Outline: apt_http(s)_proxy still works - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I attach `contract_token` with sudo - Then the machine is attached - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - And I run `pro config set apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Warning: apt_http_proxy has been renamed to global_apt_http_proxy. - Setting global APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*HEAD http://archive.ubuntu.com.* - """ - When I run `pro config set apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - Then stdout matches regexp: - """ - Warning: apt_https_proxy has been renamed to global_apt_https_proxy. - Setting global APT proxy - """ - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com - """ - Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy \".*:3128\"; - Acquire::https::Proxy \".*:3128\"; - """ - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - When I apt update - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - CONNECT esm.ubuntu.com:443 - """ - Then stdout matches regexp: - """ - GET.*ubuntu.com/ubuntu/dists - """ - Then stdout matches regexp: - """ - GET.*archive.ubuntu.com - """ - Then stdout matches regexp: - """ - GET.*security.ubuntu.com - """ - When I run `pro config unset apt_http_proxy` with sudo - And I run `pro config unset apt_https_proxy` with sudo - And I run `pro refresh config` with sudo - Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` - When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: - """ - { - "apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128", - "apt_https_proxy": "http://$behave_var{machine-ip proxy}:3128" - } - """ - When I run `pro refresh config` with sudo - Then stdout matches regexp: - """ - Using deprecated "apt_http_proxy" config field. - Please migrate to using "global_apt_http_proxy" + @slow + Scenario Outline: Attach command when authenticated proxy is configured globally + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid apache2-utils` on the `proxy` machine + And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwordfile\nacl topsecret proxy_auth REQUIRED\nhttp_access allow topsecret + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + When I run `pro config set https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT api.snapcraft.io.* + """ + When I run `pro config set http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting snap proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://api.snapcraft.io.* + """ + When I apt install `net-tools` + # We will guarantee that the machine will only use the proxy when + # running the pro commands + And I run `route del default` with sudo + And I attach `contract_token` with sudo and options `--no-auto-enable` + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + When I run `pro config set global_apt_http_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting global APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://archive.ubuntu.com.* + """ + When I run `pro config set global_apt_https_proxy=http://someuser:somepassword@$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Setting global APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT esm.ubuntu.com.* + """ + When I run `pro refresh config` with sudo + And I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout matches regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout matches regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout matches regexp: + """ + .*GET.*security.ubuntu.com.* + """ + And I verify that running `pro config set global_apt_https_proxy=http://wronguser:wrongpassword@$behave_var{machine-ip proxy}:3128` `with sudo` exits `1` + Then stderr matches regexp: + """ + \"http://wronguser:wrongpassword@.*:3128\" is not working. Not setting as proxy. + """ - Using deprecated "apt_https_proxy" config field. - Please migrate to using "global_apt_https_proxy" + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - Setting global APT proxy - Successfully processed your pro configuration. - """ - When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo - Then stdout matches regexp: - """ - /\* - \* Autogenerated by ubuntu-advantage-tools - \* Do not edit this file directly - \* - \* To change what ubuntu-advantage-tools sets, use the `pro config set` - \* or the `pro config unset` commands to set/unset either: - \* global_apt_http_proxy and global_apt_https_proxy - \* for a global apt proxy - \* or - \* ua_apt_http_proxy and ua_apt_https_proxy - \* for an apt proxy that only applies to Ubuntu Pro related repos. - \*/ - Acquire::http::Proxy \".*:3128\"; - Acquire::https::Proxy \".*:3128\"; - """ - When I apt install `python3-pycurl` - And I verify that running `pro config set apt_https_proxy=https://localhost:12345` `with sudo` exits `1` - Then stdout matches regexp: - """ - Warning: apt_https_proxy has been renamed to global_apt_https_proxy. - """ - Then stderr matches regexp: - """ - \"https://localhost:12345\" is not working. Not setting as proxy. - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + @slow + Scenario Outline: Get warning when configuring global or uaclient proxy + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy \".*\"; + Acquire::https::Proxy \".*\"; + """ + When I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout matches regexp: + """ + .*GET.*ubuntu.com/ubuntu/dists.* + """ + Then stdout matches regexp: + """ + .*GET.*archive.ubuntu.com.* + """ + Then stdout matches regexp: + """ + .*GET.*security.ubuntu.com.* + """ + When I run `pro config set ua_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Warning: Setting the pro scoped apt proxy will overwrite the global apt + proxy previously set via `pro config`. + """ + When I run `pro config set ua_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout does not match regexp: + """ + Warning: Setting the pro scoped apt proxy will overwrite the global apt + proxy previously set via `pro config`. + """ + When I run `pro config show` with sudo + Then stdout matches regexp: + """ + global_apt_http_proxy +None + """ + Then stdout matches regexp: + """ + global_apt_https_proxy +None + """ + When I run `pro config unset ua_apt_http_proxy` with sudo + And I run `pro config unset ua_apt_https_proxy` with sudo + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128" + } + """ + And I verify that running `pro refresh config` `with sudo` exits `0` + Then stdout matches regexp: + """ + Using deprecated "apt_http_proxy" config field. + Please migrate to using "global_apt_http_proxy" + """ + When I run `pro config show` with sudo + Then stdout matches regexp: + """ + global_apt_http_proxy +http://$behave_var{machine-ip proxy}:3128 + """ + Then stdout matches regexp: + """ + apt_http_proxy +None + """ + When I run `pro config unset global_apt_http_proxy` with sudo + And I run `pro config unset global_apt_https_proxy` with sudo + And I run `pro config unset ua_apt_http_proxy` with sudo + And I run `pro config unset ua_apt_https_proxy` with sudo + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "global_apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128", + "ua_apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128" + } + """ + And I verify that running `pro refresh config` `with sudo` exits `1` + Then stderr matches regexp: + """ + Error: Setting global apt proxy and pro scoped apt proxy + at the same time is unsupported. + Cancelling config process operation. + """ + When I run `pro config show` with sudo + Then stdout matches regexp: + """ + global_apt_http_proxy +http://$behave_var{machine-ip proxy}:3128 + """ + Then stdout matches regexp: + """ + ua_apt_http_proxy +http://$behave_var{machine-ip proxy}:3128 + """ + Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy \".*\"; + Acquire::https::Proxy \".*\"; + """ - @slow - Scenario: Enable realtime kernel through proxy on a machine with no internet - Given a `jammy` `lxd-vm` machine with ubuntu-advantage-tools installed - When I disable any internet connection on the machine - Given a `focal` `lxd-container` machine named `proxy` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo - And I attach `contract_token` with sudo - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - When I run `pro disable livepatch --assume-yes` with sudo - When I run `pro enable realtime-kernel` `with sudo` and stdin `y` - Then stdout contains substring: - """ - Installing Real-time kernel packages - Real-time kernel enabled - A reboot is required to complete install. - """ + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - Scenario Outline: Support HTTPS-in-HTTPS proxies - Given a `` `` machine with ubuntu-advantage-tools installed + @slow + Scenario Outline: apt_http(s)_proxy still works + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I attach `contract_token` with sudo + Then the machine is attached + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + And I run `pro config set apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Warning: apt_http_proxy has been renamed to global_apt_http_proxy. + Setting global APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*HEAD http://archive.ubuntu.com.* + """ + When I run `pro config set apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + Then stdout matches regexp: + """ + Warning: apt_https_proxy has been renamed to global_apt_https_proxy. + Setting global APT proxy + """ + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com + """ + Then I verify that files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy \".*:3128\"; + Acquire::https::Proxy \".*:3128\"; + """ + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + When I apt update + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + CONNECT esm.ubuntu.com:443 + """ + Then stdout matches regexp: + """ + GET.*ubuntu.com/ubuntu/dists + """ + Then stdout matches regexp: + """ + GET.*archive.ubuntu.com + """ + Then stdout matches regexp: + """ + GET.*security.ubuntu.com + """ + When I run `pro config unset apt_http_proxy` with sudo + And I run `pro config unset apt_https_proxy` with sudo + And I run `pro refresh config` with sudo + Then I verify that no files exist matching `/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` + When I create the file `/var/lib/ubuntu-advantage/user-config.json` with the following: + """ + { + "apt_http_proxy": "http://$behave_var{machine-ip proxy}:3128", + "apt_https_proxy": "http://$behave_var{machine-ip proxy}:3128" + } + """ + When I run `pro refresh config` with sudo + Then stdout matches regexp: + """ + Using deprecated "apt_http_proxy" config field. + Please migrate to using "global_apt_http_proxy" - # set up a HTTPS proxy - Given a `jammy` `` machine named `proxy` - When I apt install `openssl libssl-dev ssl-cert squid-openssl apache2-utils` on the `proxy` machine - And I run `openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/C=CN/ST=BJ/O=STS/CN=CA"` `with sudo` on the `proxy` machine - And I run `openssl genrsa -out $behave_var{machine-name proxy}.lxd.key` `with sudo` on the `proxy` machine - And I run `openssl req -new -key $behave_var{machine-name proxy}.lxd.key -out $behave_var{machine-name proxy}.lxd.csr -subj "/C=CN/ST=BJ/O=STS/CN=$behave_var{machine-name proxy}.lxd"` `with sudo` on the `proxy` machine - And I create the file `/home/ubuntu/data.ext` on the `proxy` machine with the following - """ - authorityKeyIdentifier=keyid,issuer - basicConstraints=CA:FALSE - subjectAltName = @alt_names - [alt_names] - DNS.1 = $behave_var{machine-name proxy}.lxd - """ - And I run `openssl x509 -req -in $behave_var{machine-name proxy}.lxd.csr -out $behave_var{machine-name proxy}.lxd.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile data.ext` `with sudo` on the `proxy` machine - And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine - And I create the file `/etc/squid/squid.conf` on the `proxy` machine with the following: - """ - dns_v4_first on - auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwordfile - acl topsecret proxy_auth REQUIRED - acl all src 0.0.0.0/0 - http_access allow topsecret - http_access deny all - via off - forwarded_for delete - https_port 0.0.0.0:3129 cert=/home/ubuntu/$behave_var{machine-name proxy}.lxd.crt key=/home/ubuntu/$behave_var{machine-name proxy}.lxd.key - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + Using deprecated "apt_https_proxy" config field. + Please migrate to using "global_apt_https_proxy" - # Configure system-under-test to trust the HTTPS proxy - When I move `proxy` `/home/ubuntu/ca.crt` to `system-under-test` `/usr/local/share/ca-certificates/ca.crt` - And I run `update-ca-certificates` with sudo - And I run `systemctl restart snapd.service` with sudo + Setting global APT proxy + Successfully processed your pro configuration. + """ + When I run `cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy` with sudo + Then stdout matches regexp: + """ + /\* + \* Autogenerated by ubuntu-advantage-tools + \* Do not edit this file directly + \* + \* To change what ubuntu-advantage-tools sets, use the `pro config set` + \* or the `pro config unset` commands to set/unset either: + \* global_apt_http_proxy and global_apt_https_proxy + \* for a global apt proxy + \* or + \* ua_apt_http_proxy and ua_apt_https_proxy + \* for an apt proxy that only applies to Ubuntu Pro related repos. + \*/ + Acquire::http::Proxy \".*:3128\"; + Acquire::https::Proxy \".*:3128\"; + """ + When I apt install `python3-pycurl` + And I verify that running `pro config set apt_https_proxy=https://localhost:12345` `with sudo` exits `1` + Then stdout matches regexp: + """ + Warning: apt_https_proxy has been renamed to global_apt_https_proxy. + """ + Then stderr matches regexp: + """ + \"https://localhost:12345\" is not working. Not setting as proxy. + """ - # error message to install pycurl - When I verify that running `pro config set https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` `with sudo` exits `1` - Then I will see the following on stderr - """ - To use an HTTPS proxy for HTTPS connections, please install pycurl with `apt install python3-pycurl` - """ + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - When I apt install `python3-pycurl` + @slow + Scenario: Enable realtime kernel through proxy on a machine with no internet + Given a `jammy` `lxd-vm` machine with ubuntu-advantage-tools installed + When I disable any internet connection on the machine + Given a `focal` `lxd-container` machine named `proxy` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + And I run `pro config set https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set global_apt_http_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I run `pro config set global_apt_https_proxy=http://$behave_var{machine-ip proxy}:3128` with sudo + And I attach `contract_token` with sudo + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + When I run `pro disable livepatch --assume-yes` with sudo + When I run `pro enable realtime-kernel` `with sudo` and stdin `y` + Then stdout contains substring: + """ + Installing Real-time kernel packages + Real-time kernel enabled + A reboot is required to complete install. + """ - # error message on failed auth - When I verify that running `pro config set https_proxy=https://someuser:wrongpassword@$behave_var{machine-name proxy}.lxd:3129` `with sudo` exits `1` - Then I will see the following on stderr - """ - Proxy authentication failed - """ + Scenario Outline: Support HTTPS-in-HTTPS proxies + Given a `` `` machine with ubuntu-advantage-tools installed + # set up a HTTPS proxy + Given a `jammy` `` machine named `proxy` + When I apt install `openssl libssl-dev ssl-cert squid-openssl apache2-utils` on the `proxy` machine + And I run `openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/C=CN/ST=BJ/O=STS/CN=CA"` `with sudo` on the `proxy` machine + And I run `openssl genrsa -out $behave_var{machine-name proxy}.lxd.key` `with sudo` on the `proxy` machine + And I run `openssl req -new -key $behave_var{machine-name proxy}.lxd.key -out $behave_var{machine-name proxy}.lxd.csr -subj "/C=CN/ST=BJ/O=STS/CN=$behave_var{machine-name proxy}.lxd"` `with sudo` on the `proxy` machine + And I create the file `/home/ubuntu/data.ext` on the `proxy` machine with the following + """ + authorityKeyIdentifier=keyid,issuer + basicConstraints=CA:FALSE + subjectAltName = @alt_names + [alt_names] + DNS.1 = $behave_var{machine-name proxy}.lxd + """ + And I run `openssl x509 -req -in $behave_var{machine-name proxy}.lxd.csr -out $behave_var{machine-name proxy}.lxd.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile data.ext` `with sudo` on the `proxy` machine + And I run `htpasswd -bc /etc/squid/passwordfile someuser somepassword` `with sudo` on the `proxy` machine + And I create the file `/etc/squid/squid.conf` on the `proxy` machine with the following: + """ + dns_v4_first on + auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwordfile + acl topsecret proxy_auth REQUIRED + acl all src 0.0.0.0/0 + http_access allow topsecret + http_access deny all + via off + forwarded_for delete + https_port 0.0.0.0:3129 cert=/home/ubuntu/$behave_var{machine-name proxy}.lxd.crt key=/home/ubuntu/$behave_var{machine-name proxy}.lxd.key + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + # Configure system-under-test to trust the HTTPS proxy + When I move `proxy` `/home/ubuntu/ca.crt` to `system-under-test` `/usr/local/share/ca-certificates/ca.crt` + And I run `update-ca-certificates` with sudo + And I run `systemctl restart snapd.service` with sudo + # error message to install pycurl + When I verify that running `pro config set https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` `with sudo` exits `1` + Then I will see the following on stderr + """ + To use an HTTPS proxy for HTTPS connections, please install pycurl with `apt install python3-pycurl` + """ + When I apt install `python3-pycurl` + # error message on failed auth + When I verify that running `pro config set https_proxy=https://someuser:wrongpassword@$behave_var{machine-name proxy}.lxd:3129` `with sudo` exits `1` + Then I will see the following on stderr + """ + Proxy authentication failed + """ + When I apt remove `ca-certificates` + And I run `rm -f /etc/ssl/certs/ca-certificates.crt` with sudo + And I verify that running `pro config set https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` `with sudo` exits `1` + Then stderr matches regexp: + """ + Failed to access URL: https://.* + Cannot verify certificate of server + Please install "ca-certificates" and try again. + """ + When I apt install `ca-certificates` + And I run `update-ca-certificates` with sudo + And I run `pro config set https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` with sudo + And I run `pro config set ua_apt_https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` with sudo + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I attach `contract_token` with sudo and options `--no-auto-enable` + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout contains substring + """ + CONNECT contracts.canonical.com:443 someuser + """ + And stdout does not contain substring + """ + error:transaction-end-before-headers + """ + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I run `pro enable esm-infra` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout contains substring + """ + CONNECT esm.ubuntu.com:443 someuser + """ + And stdout does not contain substring + """ + error:transaction-end-before-headers + """ + # Pre-install canonical-livepatch to tell it to trust the cert + When I apt install `snapd` + And I run `snap install canonical-livepatch` with sudo + And I run shell command `canonical-livepatch config ca-certs=@stdin < /usr/local/share/ca-certificates/ca.crt` with sudo + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I run `pro enable livepatch` with sudo + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout contains substring + """ + CONNECT api.snapcraft.io:443 someuser + """ + And stdout does not contain substring + """ + error:transaction-end-before-headers + """ + When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine + And I apt install `hello` + And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout contains substring + """ + CONNECT esm.ubuntu.com:443 someuser + """ - When I apt remove `ca-certificates` - And I run `rm -f /etc/ssl/certs/ca-certificates.crt` with sudo - And I verify that running `pro config set https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` `with sudo` exits `1` - Then stderr matches regexp: - """ - Failed to access URL: https://.* - Cannot verify certificate of server - Please install "ca-certificates" and try again. - """ - - When I apt install `ca-certificates` - And I run `update-ca-certificates` with sudo - And I run `pro config set https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` with sudo - And I run `pro config set ua_apt_https_proxy=https://someuser:somepassword@$behave_var{machine-name proxy}.lxd:3129` with sudo - - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I attach `contract_token` with sudo and options `--no-auto-enable` - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout contains substring - """ - CONNECT contracts.canonical.com:443 someuser - """ - And stdout does not contain substring - """ - error:transaction-end-before-headers - """ - - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I run `pro enable esm-infra` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout contains substring - """ - CONNECT esm.ubuntu.com:443 someuser - """ - And stdout does not contain substring - """ - error:transaction-end-before-headers - """ - - # Pre-install canonical-livepatch to tell it to trust the cert - When I apt install `snapd` - And I run `snap install canonical-livepatch` with sudo - And I run shell command `canonical-livepatch config ca-certs=@stdin < /usr/local/share/ca-certificates/ca.crt` with sudo - - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I run `pro enable livepatch` with sudo - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout contains substring - """ - CONNECT api.snapcraft.io:443 someuser - """ - And stdout does not contain substring - """ - error:transaction-end-before-headers - """ - - When I run `truncate -s 0 /var/log/squid/access.log` `with sudo` on the `proxy` machine - And I apt install `hello` - And I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout contains substring - """ - CONNECT esm.ubuntu.com:443 someuser - """ - - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-vm | - | focal | lxd-vm | - | jammy | lxd-vm | - | mantic | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-vm | + | focal | lxd-vm | + | jammy | lxd-vm | + | mantic | lxd-vm | diff --git a/features/realtime_kernel.feature b/features/realtime_kernel.feature index c89b40460f..16f048258e 100644 --- a/features/realtime_kernel.feature +++ b/features/realtime_kernel.feature @@ -1,367 +1,368 @@ @uses.config.contract_token Feature: Enable command behaviour when attached to an Ubuntu Pro subscription - Scenario Outline: Enable Real-time kernel service in a container - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - Then I verify that running `pro enable realtime-kernel` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - Then I verify that running `pro enable realtime-kernel --beta` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Cannot install Real-time kernel on a container. - """ - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | + Scenario Outline: Enable Real-time kernel service in a container + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + Then I verify that running `pro enable realtime-kernel` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + Then I verify that running `pro enable realtime-kernel --beta` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Cannot install Real-time kernel on a container. + """ - Scenario Outline: Enable Real-time kernel service on unsupported release - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - Then I verify that running `pro enable realtime-kernel` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - Then I verify that running `pro enable realtime-kernel --beta` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Real-time kernel is not available for Ubuntu (). - """ - Examples: ubuntu release - | release | machine_type | version | full_name | - | xenial | lxd-vm | 16.04 LTS | Xenial Xerus | - | bionic | lxd-vm | 18.04 LTS | Bionic Beaver | - | focal | lxd-vm | 20.04 LTS | Focal Fossa | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | - Scenario Outline: Enable Real-time kernel service - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - Then I verify that running `pro enable realtime-kernel` `as non-root` exits `1` - And I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I run `pro enable realtime-kernel` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - One moment, checking your subscription first - The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. + Scenario Outline: Enable Real-time kernel service on unsupported release + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + Then I verify that running `pro enable realtime-kernel` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + Then I verify that running `pro enable realtime-kernel --beta` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Real-time kernel is not available for Ubuntu (). + """ - .*This will change your kernel. To revert to your original kernel, you will need - to make the change manually..* + Examples: ubuntu release + | release | machine_type | version | full_name | + | xenial | lxd-vm | 16.04 LTS | Xenial Xerus | + | bionic | lxd-vm | 18.04 LTS | Bionic Beaver | + | focal | lxd-vm | 20.04 LTS | Focal Fossa | - Do you want to continue\? \[ default = Yes \]: \(Y/n\) Updating Real-time kernel package lists - Updating standard Ubuntu package lists - Installing Real-time kernel packages - Real-time kernel enabled - A reboot is required to complete install\. - """ - When I run `apt-cache policy ubuntu-realtime` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - And stdout matches regexp: - """ - \s* 500 https://esm.ubuntu.com/realtime/ubuntu /main amd64 Packages - """ - When I run `pro api u.pro.status.enabled_services.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "realtime-kernel", "variant_enabled": true, "variant_name": "generic"}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I verify that running `pro enable realtime-kernel` `with sudo` exits `1` - Then stdout matches regexp - """ - One moment, checking your subscription first - Real-time kernel is already enabled. - See: sudo pro status - """ - When I reboot the machine - When I run `uname -r` as non-root - Then stdout matches regexp: - """ - realtime - """ - When I run `pro disable realtime-kernel` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will remove the boot order preference for the Real-time kernel and - disable updates to the Real-time kernel. + Scenario Outline: Enable Real-time kernel service + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + Then I verify that running `pro enable realtime-kernel` `as non-root` exits `1` + And I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I run `pro enable realtime-kernel` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + One moment, checking your subscription first + The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. - This will NOT fully remove the kernel from your system. + .*This will change your kernel. To revert to your original kernel, you will need + to make the change manually..* - After this operation is complete you must: - - Ensure a different kernel is installed and configured to boot - - Reboot into that kernel - - Fully remove the realtime kernel packages from your system - - This might look something like `apt remove linux\*realtime`, - but you must ensure this is correct before running it. - """ - When I run `apt-cache policy ubuntu-realtime` as non-root - Then stdout contains substring - """ - Installed: (none) - """ - When I verify that running `pro enable realtime-kernel --access-only --variant nvidia-tegra` `with sudo` exits `1` - Then I will see the following on stderr: - """ - Error: Cannot use --access-only together with --variant. - """ + Do you want to continue\? \[ default = Yes \]: \(Y/n\) Updating Real-time kernel package lists + Updating standard Ubuntu package lists + Installing Real-time kernel packages + Real-time kernel enabled + A reboot is required to complete install\. + """ + When I run `apt-cache policy ubuntu-realtime` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + And stdout matches regexp: + """ + \s* 500 https://esm.ubuntu.com/realtime/ubuntu /main amd64 Packages + """ + When I run `pro api u.pro.status.enabled_services.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "realtime-kernel", "variant_enabled": true, "variant_name": "generic"}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I verify that running `pro enable realtime-kernel` `with sudo` exits `1` + Then stdout matches regexp + """ + One moment, checking your subscription first + Real-time kernel is already enabled. + See: sudo pro status + """ + When I reboot the machine + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + realtime + """ + When I run `pro disable realtime-kernel` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will remove the boot order preference for the Real-time kernel and + disable updates to the Real-time kernel. - # Test one variant - # We need to disable this job before adding the overlay, because we might - # write the machine token to disk with the override content - When I run `pro config set update_messaging_timer=0` with sudo - And I run `pro enable realtime-kernel --assume-yes` with sudo - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic yes +enabled +Generic version of the RT kernel \(default\) - └ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform - """ - When I run `pro api u.pro.status.enabled_services.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "realtime-kernel", "variant_enabled": true, "variant_name": "generic"}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I run `pro enable realtime-kernel --variant intel-iotg` `with sudo` and stdin `y\ny\n` - Then stdout contains substring: - """ - Real-time Intel IOTG Kernel cannot be enabled with Real-time kernel. - Disable Real-time kernel and proceed to enable Real-time Intel IOTG Kernel? (y/N) - """ - When I run `apt-cache policy ubuntu-intel-iot-realtime` as non-root - Then stdout does not match regexp: - """ - Installed: \(none\) - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic yes +disabled +Generic version of the RT kernel \(default\) - └ intel-iotg yes +enabled +RT kernel optimized for Intel IOTG platform - """ - When I run `pro api u.pro.status.enabled_services.v1` as non-root - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "realtime-kernel", "variant_enabled": true, "variant_name": "intel-iotg"}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - intel - """ - When I run `pro enable realtime-kernel --variant generic` `with sudo` and stdin `y\ny\n` - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic yes +enabled +Generic version of the RT kernel \(default\) - └ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform - """ - When I run `pro enable realtime-kernel --variant intel-iotg` `with sudo` and stdin `y\ny\n` - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic yes +disabled +Generic version of the RT kernel \(default\) - └ intel-iotg yes +enabled +RT kernel optimized for Intel IOTG platform - """ - When I verify that running `pro enable realtime-kernel` `with sudo` exits `1` - Then stdout contains substring: - """ - Real-time kernel is already enabled. - """ - When I run `pro disable realtime-kernel --assume-yes` with sudo - When I run `apt-cache policy ubuntu-intel-iot-realtime` as non-root - Then stdout contains substring: - """ - Installed: (none) - """ + This will NOT fully remove the kernel from your system. - # Test multiple variants - When I set the machine token overlay to the following yaml - """ - machineTokenInfo: - contractInfo: - resourceEntitlements: - - type: realtime-kernel - overrides: - - directives: - additionalPackages: - - nvidia-prime - selector: - variant: nvidia-tegra - """ - When I run `pro enable realtime-kernel --variant nvidia-tegra` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - One moment, checking your subscription first - The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. + After this operation is complete you must: + - Ensure a different kernel is installed and configured to boot + - Reboot into that kernel + - Fully remove the realtime kernel packages from your system + - This might look something like `apt remove linux\*realtime`, + but you must ensure this is correct before running it. + """ + When I run `apt-cache policy ubuntu-realtime` as non-root + Then stdout contains substring + """ + Installed: (none) + """ + When I verify that running `pro enable realtime-kernel --access-only --variant nvidia-tegra` `with sudo` exits `1` + Then I will see the following on stderr: + """ + Error: Cannot use --access-only together with --variant. + """ + # Test one variant + # We need to disable this job before adding the overlay, because we might + # write the machine token to disk with the override content + When I run `pro config set update_messaging_timer=0` with sudo + And I run `pro enable realtime-kernel --assume-yes` with sudo + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic yes +enabled +Generic version of the RT kernel \(default\) + └ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform + """ + When I run `pro api u.pro.status.enabled_services.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "realtime-kernel", "variant_enabled": true, "variant_name": "generic"}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I run `pro enable realtime-kernel --variant intel-iotg` `with sudo` and stdin `y\ny\n` + Then stdout contains substring: + """ + Real-time Intel IOTG Kernel cannot be enabled with Real-time kernel. + Disable Real-time kernel and proceed to enable Real-time Intel IOTG Kernel? (y/N) + """ + When I run `apt-cache policy ubuntu-intel-iot-realtime` as non-root + Then stdout does not match regexp: + """ + Installed: \(none\) + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic yes +disabled +Generic version of the RT kernel \(default\) + └ intel-iotg yes +enabled +RT kernel optimized for Intel IOTG platform + """ + When I run `pro api u.pro.status.enabled_services.v1` as non-root + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"enabled_services": \[{"name": "realtime-kernel", "variant_enabled": true, "variant_name": "intel-iotg"}\]}, "meta": {"environment_vars": \[\]}, "type": "EnabledServices"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + intel + """ + When I run `pro enable realtime-kernel --variant generic` `with sudo` and stdin `y\ny\n` + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic yes +enabled +Generic version of the RT kernel \(default\) + └ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform + """ + When I run `pro enable realtime-kernel --variant intel-iotg` `with sudo` and stdin `y\ny\n` + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic yes +disabled +Generic version of the RT kernel \(default\) + └ intel-iotg yes +enabled +RT kernel optimized for Intel IOTG platform + """ + When I verify that running `pro enable realtime-kernel` `with sudo` exits `1` + Then stdout contains substring: + """ + Real-time kernel is already enabled. + """ + When I run `pro disable realtime-kernel --assume-yes` with sudo + When I run `apt-cache policy ubuntu-intel-iot-realtime` as non-root + Then stdout contains substring: + """ + Installed: (none) + """ + # Test multiple variants + When I set the machine token overlay to the following yaml + """ + machineTokenInfo: + contractInfo: + resourceEntitlements: + - type: realtime-kernel + overrides: + - directives: + additionalPackages: + - nvidia-prime + selector: + variant: nvidia-tegra + """ + When I run `pro enable realtime-kernel --variant nvidia-tegra` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + One moment, checking your subscription first + The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. - .*This will change your kernel. To revert to your original kernel, you will need - to make the change manually..* + .*This will change your kernel. To revert to your original kernel, you will need + to make the change manually..* - Do you want to continue\? \[ default = Yes \]: \(Y/n\) Updating Real-time NVIDIA Tegra Kernel package lists - Updating standard Ubuntu package lists - Installing Real-time NVIDIA Tegra Kernel packages - Real-time NVIDIA Tegra Kernel enabled - """ - When I run `pro status` as non-root - Then stdout matches regexp: - """ - realtime-kernel\* yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated - usg +yes +disabled +Security compliance and audit tools + Do you want to continue\? \[ default = Yes \]: \(Y/n\) Updating Real-time NVIDIA Tegra Kernel package lists + Updating standard Ubuntu package lists + Installing Real-time NVIDIA Tegra Kernel packages + Real-time NVIDIA Tegra Kernel enabled + """ + When I run `pro status` as non-root + Then stdout matches regexp: + """ + realtime-kernel\* yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated + usg +yes +disabled +Security compliance and audit tools - \* Service has variants - """ - Then stdout contains substring: - """ - For a list of all Ubuntu Pro services and variants, run 'pro status --all' - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic yes +disabled +Generic version of the RT kernel \(default\) - ├ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform - └ nvidia-tegra yes +enabled +RT kernel optimized for NVIDIA Tegra platform - """ - When I verify that running `pro enable realtime-kernel --variant intel-iotg` `with sudo` and stdin `N` exits `1` - Then stdout matches regexp: - """ - Real-time Intel IOTG Kernel cannot be enabled with Real-time NVIDIA Tegra Kernel. - Disable Real-time NVIDIA Tegra Kernel and proceed to enable Real-time Intel IOTG Kernel\? \(y/N\) - """ - And stdout matches regexp: - """ - Cannot enable Real-time Intel IOTG Kernel when Real-time NVIDIA Tegra Kernel is enabled. - """ - When I run `pro help realtime-kernel` as non-root - Then I will see the following on stdout: - """ - Name: - realtime-kernel + \* Service has variants + """ + Then stdout contains substring: + """ + For a list of all Ubuntu Pro services and variants, run 'pro status --all' + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel yes +enabled +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic yes +disabled +Generic version of the RT kernel \(default\) + ├ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform + └ nvidia-tegra yes +enabled +RT kernel optimized for NVIDIA Tegra platform + """ + When I verify that running `pro enable realtime-kernel --variant intel-iotg` `with sudo` and stdin `N` exits `1` + Then stdout matches regexp: + """ + Real-time Intel IOTG Kernel cannot be enabled with Real-time NVIDIA Tegra Kernel. + Disable Real-time NVIDIA Tegra Kernel and proceed to enable Real-time Intel IOTG Kernel\? \(y/N\) + """ + And stdout matches regexp: + """ + Cannot enable Real-time Intel IOTG Kernel when Real-time NVIDIA Tegra Kernel is enabled. + """ + When I run `pro help realtime-kernel` as non-root + Then I will see the following on stdout: + """ + Name: + realtime-kernel - Entitled: - yes + Entitled: + yes - Status: - enabled + Status: + enabled - Help: - The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. It - services latency-dependent use cases by providing deterministic response times. - The Real-time kernel meets stringent preemption specifications and is suitable - for telco applications and dedicated devices in industrial automation and - robotics. The Real-time kernel is currently incompatible with FIPS and - Livepatch. + Help: + The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. It + services latency-dependent use cases by providing deterministic response times. + The Real-time kernel meets stringent preemption specifications and is suitable + for telco applications and dedicated devices in industrial automation and + robotics. The Real-time kernel is currently incompatible with FIPS and + Livepatch. - Variants: + Variants: - * generic: Generic version of the RT kernel (default) - * intel-iotg: RT kernel optimized for Intel IOTG platform - * nvidia-tegra: RT kernel optimized for NVIDIA Tegra platform - """ - When I run `pro disable realtime-kernel` `with sudo` and stdin `y` - Then stdout matches regexp: - """ - This will remove the boot order preference for the Real-time kernel and - disable updates to the Real-time kernel. + * generic: Generic version of the RT kernel (default) + * intel-iotg: RT kernel optimized for Intel IOTG platform + * nvidia-tegra: RT kernel optimized for NVIDIA Tegra platform + """ + When I run `pro disable realtime-kernel` `with sudo` and stdin `y` + Then stdout matches regexp: + """ + This will remove the boot order preference for the Real-time kernel and + disable updates to the Real-time kernel. - This will NOT fully remove the kernel from your system. + This will NOT fully remove the kernel from your system. - After this operation is complete you must: - - Ensure a different kernel is installed and configured to boot - - Reboot into that kernel - - Fully remove the realtime kernel packages from your system - - This might look something like `apt remove linux\*realtime`, - but you must ensure this is correct before running it. - """ - When I run `pro status` as non-root - Then stdout matches regexp: - """ - realtime-kernel\* +yes +disabled +Ubuntu kernel with PREEMPT_RT patches integrated - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel yes +disabled +Ubuntu kernel with PREEMPT_RT patches integrated - ├ generic yes +disabled +Generic version of the RT kernel \(default\) - ├ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform - └ nvidia-tegra yes +disabled +RT kernel optimized for NVIDIA Tegra platform - """ - When I verify that running `pro enable realtime-kernel --variant nonexistent` `with sudo` exits `1` - Then I will see the following on stdout: - """ - One moment, checking your subscription first - could not find entitlement named "nonexistent" - """ - When I run `pro detach --assume-yes` with sudo - And I run `pro status` as non-root - Then stdout matches regexp: - """ - realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated - """ - When I run `pro status --all` as non-root - Then stdout matches regexp: - """ - realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated - """ - And stdout does not match regexp: - """ - nvidia-tegra - """ - And stdout does not match regexp: - """ - intel-iotg - """ + After this operation is complete you must: + - Ensure a different kernel is installed and configured to boot + - Reboot into that kernel + - Fully remove the realtime kernel packages from your system + - This might look something like `apt remove linux\*realtime`, + but you must ensure this is correct before running it. + """ + When I run `pro status` as non-root + Then stdout matches regexp: + """ + realtime-kernel\* +yes +disabled +Ubuntu kernel with PREEMPT_RT patches integrated + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel yes +disabled +Ubuntu kernel with PREEMPT_RT patches integrated + ├ generic yes +disabled +Generic version of the RT kernel \(default\) + ├ intel-iotg yes +disabled +RT kernel optimized for Intel IOTG platform + └ nvidia-tegra yes +disabled +RT kernel optimized for NVIDIA Tegra platform + """ + When I verify that running `pro enable realtime-kernel --variant nonexistent` `with sudo` exits `1` + Then I will see the following on stdout: + """ + One moment, checking your subscription first + could not find entitlement named "nonexistent" + """ + When I run `pro detach --assume-yes` with sudo + And I run `pro status` as non-root + Then stdout matches regexp: + """ + realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated + """ + When I run `pro status --all` as non-root + Then stdout matches regexp: + """ + realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated + """ + And stdout does not match regexp: + """ + nvidia-tegra + """ + And stdout does not match regexp: + """ + intel-iotg + """ - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-vm | + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-vm | - Scenario Outline: Enable Real-time kernel service access-only - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo and options `--no-auto-enable` - When I run `pro enable realtime-kernel --access-only` with sudo - Then stdout matches regexp: - """ - One moment, checking your subscription first - Updating Real-time kernel package lists - Skipping installing packages: ubuntu-realtime - Real-time kernel access enabled - """ - Then stdout does not match regexp: - """ - A reboot is required to complete install. - """ - When I run `apt-cache policy ubuntu-realtime` as non-root - Then stdout matches regexp: - """ - .*Installed: \(none\) - """ - And stdout matches regexp: - """ - \s* 500 https://esm.ubuntu.com/realtime/ubuntu /main amd64 Packages - """ - When I apt install `ubuntu-realtime` - When I reboot the machine - When I run `uname -r` as non-root - Then stdout matches regexp: - """ - realtime - """ - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-vm | + Scenario Outline: Enable Real-time kernel service access-only + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo and options `--no-auto-enable` + When I run `pro enable realtime-kernel --access-only` with sudo + Then stdout matches regexp: + """ + One moment, checking your subscription first + Updating Real-time kernel package lists + Skipping installing packages: ubuntu-realtime + Real-time kernel access enabled + """ + Then stdout does not match regexp: + """ + A reboot is required to complete install. + """ + When I run `apt-cache policy ubuntu-realtime` as non-root + Then stdout matches regexp: + """ + .*Installed: \(none\) + """ + And stdout matches regexp: + """ + \s* 500 https://esm.ubuntu.com/realtime/ubuntu /main amd64 Packages + """ + When I apt install `ubuntu-realtime` + When I reboot the machine + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + realtime + """ + + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-vm | diff --git a/features/reboot_cmds.feature b/features/reboot_cmds.feature index 60ffa99ffe..f26b9b7462 100644 --- a/features/reboot_cmds.feature +++ b/features/reboot_cmds.feature @@ -1,42 +1,43 @@ @uses.config.contract_token Feature: Reboot Commands - Scenario Outline: reboot-cmds removes fips package holds and updates packages - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - When I apt install `strongswan` - When I run `pro enable fips --assume-yes` with sudo - When I reboot the machine - Then I verify that `fips` is enabled - When I apt install `strongswan=` - When I run `apt-mark hold strongswan` with sudo - When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Reboot to FIPS kernel required - """ - When I reboot the machine - And I verify that running `systemctl status ua-reboot-cmds.service` `as non-root` exits `0,3` - Then stdout matches regexp: - """ - .*status=0\/SUCCESS.* - """ - When I run `pro status` with sudo - Then stdout does not match regexp: - """ - NOTICES - """ - When I run `apt-mark showholds` with sudo - Then I will see the following on stdout: - """ - """ - When I run `apt policy strongswan` with sudo - Then stdout contains substring: - """ - *** 1001 - """ - Examples: ubuntu release - | release | machine_type | old_version | new_version | - | focal | lxd-container | 5.8.2-1ubuntu3 | 5.8.2-1ubuntu3.fips.3.1.2 | + Scenario Outline: reboot-cmds removes fips package holds and updates packages + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + When I apt install `strongswan` + When I run `pro enable fips --assume-yes` with sudo + When I reboot the machine + Then I verify that `fips` is enabled + When I apt install `strongswan=` + When I run `apt-mark hold strongswan` with sudo + When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Reboot to FIPS kernel required + """ + When I reboot the machine + And I verify that running `systemctl status ua-reboot-cmds.service` `as non-root` exits `0,3` + Then stdout matches regexp: + """ + .*status=0\/SUCCESS.* + """ + When I run `pro status` with sudo + Then stdout does not match regexp: + """ + NOTICES + """ + When I run `apt-mark showholds` with sudo + Then I will see the following on stdout: + """ + """ + When I run `apt policy strongswan` with sudo + Then stdout contains substring: + """ + *** 1001 + """ + + Examples: ubuntu release + | release | machine_type | old_version | new_version | + | focal | lxd-container | 5.8.2-1ubuntu3 | 5.8.2-1ubuntu3.fips.3.1.2 | diff --git a/features/retry_auto_attach.feature b/features/retry_auto_attach.feature index 4401e57be0..6391ee6c41 100644 --- a/features/retry_auto_attach.feature +++ b/features/retry_auto_attach.feature @@ -1,372 +1,372 @@ Feature: auto-attach retries periodically on failures - Scenario Outline: auto-attach retries for a month and updates status - Given a `` `` machine with ubuntu-advantage-tools installed - When I change contract to staging with sudo - When I install ubuntu-advantage-pro - When I reboot the machine - When I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `3` - Then stdout matches regexp: - """ - Active: failed - """ - Then stdout matches regexp: - """ - creating flag file to trigger retries - """ - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - Then stdout matches regexp: - """ - mode: retry auto attach - """ - Then stdout does not match regexp: - """ - mode: poll for pro license - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). - The failure was due to: Canonical servers did not recognize this machine as Ubuntu Pro: ".*". - The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. - You can try manually with `sudo pro auto-attach`. - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). - The failure was due to: Canonical servers did not recognize this machine as Ubuntu Pro: ".*". - The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. - You can try manually with `sudo pro auto-attach`. - """ + Scenario Outline: auto-attach retries for a month and updates status + Given a `` `` machine with ubuntu-advantage-tools installed + When I change contract to staging with sudo + When I install ubuntu-advantage-pro + When I reboot the machine + When I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `3` + Then stdout matches regexp: + """ + Active: failed + """ + Then stdout matches regexp: + """ + creating flag file to trigger retries + """ + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + Then stdout matches regexp: + """ + mode: retry auto attach + """ + Then stdout does not match regexp: + """ + mode: poll for pro license + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). + The failure was due to: Canonical servers did not recognize this machine as Ubuntu Pro: ".*". + The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. + You can try manually with `sudo pro auto-attach`. + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription 1 time\(s\). + The failure was due to: Canonical servers did not recognize this machine as Ubuntu Pro: ".*". + The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. + You can try manually with `sudo pro auto-attach`. + """ + # simulate a middle attempt with different reason + When I set `interval_index` = `10` in json file `/var/lib/ubuntu-advantage/retry-auto-attach-state.json` + When I set `failure_reason` = `"an unknown error"` in json file `/var/lib/ubuntu-advantage/retry-auto-attach-state.json` + When I run `systemctl restart ubuntu-advantage.service` with sudo + And I wait `5` seconds + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + Then stdout matches regexp: + """ + mode: retry auto attach + """ + Then stdout does not match regexp: + """ + mode: poll for pro license + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription 11 time\(s\). + The failure was due to: an unknown error. + The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. + You can try manually with `sudo pro auto-attach`. + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription 11 time\(s\). + The failure was due to: an unknown error. + The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. + You can try manually with `sudo pro auto-attach`. + """ + # simulate all attempts failing + When I set `interval_index` = `18` in json file `/var/lib/ubuntu-advantage/retry-auto-attach-state.json` + When I run `systemctl restart ubuntu-advantage.service` with sudo + And I wait `5` seconds + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` + Then stdout contains substring + """ + Active: inactive (dead) + """ + Then stdout matches regexp: + """ + mode: retry auto attach + """ + Then stdout does not match regexp: + """ + mode: poll for pro license + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription 19 time\(s\). + The most recent failure was due to: an unknown error. + Try re-launching the instance or report this issue by running `ubuntu-bug ubuntu-advantage-tools` + You can try manually with `sudo pro auto-attach`. + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription 19 time\(s\). + The most recent failure was due to: an unknown error. + Try re-launching the instance or report this issue by running `ubuntu-bug ubuntu-advantage-tools` + You can try manually with `sudo pro auto-attach`. + """ - # simulate a middle attempt with different reason - When I set `interval_index` = `10` in json file `/var/lib/ubuntu-advantage/retry-auto-attach-state.json` - When I set `failure_reason` = `"an unknown error"` in json file `/var/lib/ubuntu-advantage/retry-auto-attach-state.json` - When I run `systemctl restart ubuntu-advantage.service` with sudo - And I wait `5` seconds - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - Then stdout matches regexp: - """ - mode: retry auto attach - """ - Then stdout does not match regexp: - """ - mode: poll for pro license - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription 11 time\(s\). - The failure was due to: an unknown error. - The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. - You can try manually with `sudo pro auto-attach`. - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription 11 time\(s\). - The failure was due to: an unknown error. - The next attempt is scheduled for \d+-\d+-\d+T\d+:\d+:00.*. - You can try manually with `sudo pro auto-attach`. - """ + Examples: ubuntu release + | release | machine_type | + | xenial | aws.generic | + | xenial | azure.generic | + | xenial | gcp.generic | + | bionic | aws.generic | + | bionic | azure.generic | + | bionic | gcp.generic | + | focal | aws.generic | + | focal | azure.generic | + | focal | gcp.generic | + | jammy | aws.generic | + | jammy | azure.generic | + | jammy | gcp.generic | - # simulate all attempts failing - When I set `interval_index` = `18` in json file `/var/lib/ubuntu-advantage/retry-auto-attach-state.json` - When I run `systemctl restart ubuntu-advantage.service` with sudo - And I wait `5` seconds - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `3` - Then stdout contains substring - """ - Active: inactive (dead) - """ - Then stdout matches regexp: - """ - mode: retry auto attach - """ - Then stdout does not match regexp: - """ - mode: poll for pro license - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription 19 time\(s\). - The most recent failure was due to: an unknown error. - Try re-launching the instance or report this issue by running `ubuntu-bug ubuntu-advantage-tools` - You can try manually with `sudo pro auto-attach`. - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription 19 time\(s\). - The most recent failure was due to: an unknown error. - Try re-launching the instance or report this issue by running `ubuntu-bug ubuntu-advantage-tools` - You can try manually with `sudo pro auto-attach`. - """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.generic | - | xenial | azure.generic | - | xenial | gcp.generic | - | bionic | aws.generic | - | bionic | azure.generic | - | bionic | gcp.generic | - | focal | aws.generic | - | focal | azure.generic | - | focal | gcp.generic | - | jammy | aws.generic | - | jammy | azure.generic | - | jammy | gcp.generic | + Scenario Outline: auto-attach retries stop if manual auto-attach succeeds + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/clouds/$behave_var{cloud system-under-test}/token": [{ + "type": "contract", + "code": 400, + "response": { + "message": "error" + } + }] + } + """ + And I append the following on uaclient config: + """ + features: + serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" + """ + When I reboot the machine + When I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `3` + Then stdout matches regexp: + """ + Active: failed + """ + Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I append the following on uaclient config: + """ + features: {} + """ + # The retry service waits 15 minutes before trying again, so this + # _should_ run and finish before the retry service has done anything + When I run `pro auto-attach` with sudo + When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `3` + Then stdout contains substring + """ + Active: inactive (dead) + """ + # Workaround for livepatch issue LP #2015585 + Then I verify that running `run-parts /etc/update-motd.d/` `with sudo` exits `0,1` + Then stdout does not match regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I run `pro status` with sudo + Then stdout does not match regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription + """ + Examples: ubuntu release + | release | machine_type | + | xenial | aws.pro | + | xenial | azure.pro | + | xenial | gcp.pro | + | bionic | aws.pro | + | bionic | azure.pro | + | bionic | gcp.pro | + | focal | aws.pro | + | focal | azure.pro | + | focal | gcp.pro | + | jammy | aws.pro | + | jammy | azure.pro | + | jammy | gcp.pro | - Scenario Outline: auto-attach retries stop if manual auto-attach succeeds - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: - """ - { - "https://contracts.canonical.com/v1/clouds/$behave_var{cloud system-under-test}/token": [{ - "type": "contract", - "code": 400, - "response": { - "message": "error" - } - }] - } - """ - And I append the following on uaclient config: - """ - features: - serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" - """ - When I reboot the machine - When I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `3` - Then stdout matches regexp: - """ - Active: failed - """ - Then I verify that running `systemctl status ubuntu-advantage.service` `with sudo` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I append the following on uaclient config: - """ - features: {} - """ - # The retry service waits 15 minutes before trying again, so this - # _should_ run and finish before the retry service has done anything - When I run `pro auto-attach` with sudo - When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `3` - Then stdout contains substring - """ - Active: inactive (dead) - """ - # Workaround for livepatch issue LP #2015585 - Then I verify that running `run-parts /etc/update-motd.d/` `with sudo` exits `0,1` - Then stdout does not match regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I run `pro status` with sudo - Then stdout does not match regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription - """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.pro | - | xenial | azure.pro | - | xenial | gcp.pro | - | bionic | aws.pro | - | bionic | azure.pro | - | bionic | gcp.pro | - | focal | aws.pro | - | focal | azure.pro | - | focal | gcp.pro | - | jammy | aws.pro | - | jammy | azure.pro | - | jammy | gcp.pro | + Scenario Outline: gcp auto-detect triggers retries on fail + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/clouds/gcp/token": [{ + "type": "contract", + "code": 400, + "response": { + "message": "error" + } + }] + } + """ + And I append the following on uaclient config: + """ + features: + serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" + """ + When I run `systemctl start ubuntu-advantage.service` with sudo + When I wait `1` seconds + When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `0` + Then stdout contains substring + """ + Active: active (running) + """ + Then stdout matches regexp: + """ + mode: poll for pro license + """ + Then stdout matches regexp: + """ + creating flag file to trigger retries + """ + Then stdout matches regexp: + """ + mode: retry auto attach + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription + """ - Scenario Outline: gcp auto-detect triggers retries on fail - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: - """ - { - "https://contracts.canonical.com/v1/clouds/gcp/token": [{ - "type": "contract", - "code": 400, - "response": { - "message": "error" - } - }] - } - """ - And I append the following on uaclient config: - """ - features: - serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" - """ - When I run `systemctl start ubuntu-advantage.service` with sudo - When I wait `1` seconds - When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `0` - Then stdout contains substring - """ - Active: active (running) - """ - Then stdout matches regexp: - """ - mode: poll for pro license - """ - Then stdout matches regexp: - """ - creating flag file to trigger retries - """ - Then stdout matches regexp: - """ - mode: retry auto attach - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription - """ - Examples: ubuntu release - | release | machine_type | - | xenial | gcp.pro | - | bionic | gcp.pro | - | focal | gcp.pro | - | jammy | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | xenial | gcp.pro | + | bionic | gcp.pro | + | focal | gcp.pro | + | jammy | gcp.pro | + Scenario Outline: auto-attach retries eventually succeed and clean up + Given a `` `` machine with ubuntu-advantage-tools installed + # modify the wait time to be shorter so we don't have to wait 15m + When I replace `900, # 15m (T+15m)` in `/usr/lib/python3/dist-packages/uaclient/daemon/retry_auto_attach.py` with `60,` + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + When I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: + """ + { + "https://contracts.canonical.com/v1/clouds/$behave_var{cloud system-under-test}/token": [{ + "type": "contract", + "code": 400, + "response": { + "message": "error" + } + }] + } + """ + And I append the following on uaclient config: + """ + features: + serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" + """ + When I reboot the machine + When I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `3` + Then stdout matches regexp: + """ + Active: failed + """ + When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `0` + Then stdout matches regexp: + """ + Active: active \(running\) + """ + When I run `run-parts /etc/update-motd.d/` with sudo + Then stdout matches regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I append the following on uaclient config: + """ + features: {} + """ + When I wait `60` seconds + And I run `pro status --wait` with sudo + Then the machine is attached + When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `3` + Then stdout contains substring + """ + Active: inactive (dead) + """ + # Workaround for livepatch issue LP #2015585 + Then I verify that running `run-parts /etc/update-motd.d/` `with sudo` exits `0,1` + Then stdout does not match regexp: + """ + Failed to automatically attach to an Ubuntu Pro subscription + """ + When I run `pro status` with sudo + Then stdout does not match regexp: + """ + NOTICES + Failed to automatically attach to an Ubuntu Pro subscription + """ - Scenario Outline: auto-attach retries eventually succeed and clean up - Given a `` `` machine with ubuntu-advantage-tools installed - # modify the wait time to be shorter so we don't have to wait 15m - When I replace `900, # 15m (T+15m)` in `/usr/lib/python3/dist-packages/uaclient/daemon/retry_auto_attach.py` with `60,` - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - When I create the file `/var/lib/ubuntu-advantage/response-overlay.json` with the following: - """ - { - "https://contracts.canonical.com/v1/clouds/$behave_var{cloud system-under-test}/token": [{ - "type": "contract", - "code": 400, - "response": { - "message": "error" - } - }] - } - """ - And I append the following on uaclient config: - """ - features: - serviceclient_url_responses: "/var/lib/ubuntu-advantage/response-overlay.json" - """ - When I reboot the machine - When I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `3` - Then stdout matches regexp: - """ - Active: failed - """ - When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `0` - Then stdout matches regexp: - """ - Active: active \(running\) - """ - When I run `run-parts /etc/update-motd.d/` with sudo - Then stdout matches regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I append the following on uaclient config: - """ - features: {} - """ - When I wait `60` seconds - And I run `pro status --wait` with sudo - Then the machine is attached - When I verify that running `systemctl status ubuntu-advantage.service` `as non-root` exits `3` - Then stdout contains substring - """ - Active: inactive (dead) - """ - # Workaround for livepatch issue LP #2015585 - Then I verify that running `run-parts /etc/update-motd.d/` `with sudo` exits `0,1` - Then stdout does not match regexp: - """ - Failed to automatically attach to an Ubuntu Pro subscription - """ - When I run `pro status` with sudo - Then stdout does not match regexp: - """ - NOTICES - Failed to automatically attach to an Ubuntu Pro subscription - """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.pro | - | xenial | azure.pro | - | xenial | gcp.pro | - | bionic | aws.pro | - | bionic | azure.pro | - | bionic | gcp.pro | - | focal | aws.pro | - | focal | azure.pro | - | focal | gcp.pro | - | jammy | aws.pro | - | jammy | azure.pro | - | jammy | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.pro | + | xenial | azure.pro | + | xenial | gcp.pro | + | bionic | aws.pro | + | bionic | azure.pro | + | bionic | gcp.pro | + | focal | aws.pro | + | focal | azure.pro | + | focal | gcp.pro | + | jammy | aws.pro | + | jammy | azure.pro | + | jammy | gcp.pro | diff --git a/features/security_status.feature b/features/security_status.feature index 87636b052a..fb67445e36 100644 --- a/features/security_status.feature +++ b/features/security_status.feature @@ -1,859 +1,860 @@ Feature: Security status command behavior - @uses.config.contract_token - Scenario Outline: Run security status with JSON/YAML format - Given a `` `` machine with ubuntu-advantage-tools installed - When I apt install `ansible` - And I run `pro security-status --format json` as non-root - Then stdout is a json matching the `ua_security_status` schema - And stdout matches regexp: - """ - "_schema_version": "0.1" - """ - And stdout matches regexp: - """ - "attached": false - """ - And stdout matches regexp: - """ - "enabled_services": \[\] - """ - And stdout matches regexp: - """ - "entitled_services": \[\] - """ - And stdout matches regexp: - """ - "package": "" - """ - And stdout matches regexp: - """ - "service_name": "" - """ - And stdout matches regexp: - """ - "origin": "esm.ubuntu.com" - """ - And stdout matches regexp: - """ - "status": "pending_attach" - """ - And stdout matches regexp: - """ - "download_size": \d+ - """ - When I attach `contract_token` with sudo - And I run `pro security-status --format json` as non-root - Then stdout is a json matching the `ua_security_status` schema - Then stdout matches regexp: - """ - "_schema_version": "0.1" - """ - And stdout matches regexp: - """ - "attached": true - """ - And stdout matches regexp: - """ - "enabled_services": \["esm-apps", "esm-infra"\] - """ - And stdout matches regexp: - """ - "entitled_services": \["esm-apps", "esm-infra"\] - """ - And stdout matches regexp: - """ - "status": "upgrade_available" - """ - And stdout matches regexp: - """ - "download_size": \d+ - """ - When I run `pro security-status --format yaml` as non-root - Then stdout is a yaml matching the `ua_security_status` schema - And stdout matches regexp: - """ - _schema_version: '0.1' - """ - When I verify that running `pro security-status --format unsupported` `as non-root` exits `2` - Then I will see the following on stderr: - """ - usage: security-status [-h] [--format {json,yaml,text}] - [--thirdparty | --unavailable | --esm-infra | --esm-apps] - argument --format: invalid choice: 'unsupported' (choose from 'json', 'yaml', 'text') - """ - Examples: ubuntu release - | release | machine_type | package | service | - | xenial | lxd-container | apport | esm-infra | - | bionic | lxd-container | ansible | esm-apps | - | bionic | wsl | ansible | esm-apps | - - @uses.config.contract_token - Scenario: Check for livepatch CVEs in security-status on an Ubuntu machine - Given a `xenial` `lxd-vm` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `pro security-status --format json` as non-root - Then stdout is a json matching the `ua_security_status` schema - Then stdout matches regexp: - """ - {"name": "cve-2013-1798", "patched": true} - """ - When I run `pro security-status --format yaml` as non-root - Then stdout is a yaml matching the `ua_security_status` schema - And stdout matches regexp: - """ - - name: cve-2013-1798 - patched: true - """ - - @uses.config.contract_token - Scenario: Run security status in an Ubuntu machine - Given a `xenial` `lxd-container` machine with ubuntu-advantage-tools installed - When I install third-party / unknown packages in the machine - # Ansible is in esm-apps - And I apt install `ansible` - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is NOT receiving security patches because the LTS period has ended - and esm-infra is not enabled. - This machine is NOT attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2026\. There (is|are) \d+ pending security update[s]?\. - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2026\. There (is|are) \d+ pending security update[s]?\. - - Try Ubuntu Pro with a free personal subscription on up to 5 machines. - Learn more at https://ubuntu.com/pro - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - - This machine is NOT receiving security patches because the LTS period has ended - and esm-infra is not enabled. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2026\. There (is|are) \d+ pending security update[s]?\. - - Run 'pro help esm-infra' to learn more - - Installed packages with an available esm-infra update: - (.|\n)+ - - Further installed packages covered by esm-infra: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2026\. There (is|are) \d+ pending security update[s]?\. - - Run 'pro help esm-apps' to learn more - - Installed packages with an available esm-apps update: - (.|\n)+ - - Further installed packages covered by esm-apps: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I attach `contract_token` with sudo - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is attached to an Ubuntu Pro subscription. - - Main/Restricted packages are receiving security updates from - Ubuntu Pro with 'esm-infra' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. - - Universe/Multiverse packages are receiving security updates from - Ubuntu Pro with 'esm-apps' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - - Main/Restricted packages are receiving security updates from - Ubuntu Pro with 'esm-infra' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. - - Run 'pro help esm-infra' to learn more - - Installed packages with an available esm-infra update: - (.|\n)+ - - Further installed packages covered by esm-infra: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - - Universe/Multiverse packages are receiving security updates from - Ubuntu Pro with 'esm-apps' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. - - Run 'pro help esm-apps' to learn more - - Installed packages with an available esm-apps update: - (.|\n)+ - - Further installed packages covered by esm-apps: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I apt upgrade - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is attached to an Ubuntu Pro subscription. - - Main/Restricted packages are receiving security updates from - Ubuntu Pro with 'esm-infra' enabled until 2026\. You have received \d+ security - update[s]?\. - - Universe/Multiverse packages are receiving security updates from - Ubuntu Pro with 'esm-apps' enabled until 2026\. You have received \d+ security - update[s]?\. - """ - When I run `pro disable esm-infra esm-apps` with sudo - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is NOT receiving security patches because the LTS period has ended - and esm-infra is not enabled. - This machine is attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2026. - - Enable esm-infra with: pro enable esm-infra - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2026. - - Enable esm-apps with: pro enable esm-apps - """ - When I verify root and non-root `pro security-status --thirdparty` calls have the same output - And I run `pro security-status --thirdparty` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +1 package from a third party - - Packages from third parties are not provided by the official Ubuntu - archive, for example packages from Personal Package Archives in Launchpad\. - - Packages: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I verify root and non-root `pro security-status --unavailable` calls have the same output - And I run `pro security-status --unavailable` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? no longer available for download - - Packages that are not available for download may be left over from a - previous release of Ubuntu, may have been installed directly from a - .deb file, or are from a source which has been disabled\. - - Packages: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - - This machine is NOT receiving security patches because the LTS period has ended - and esm-infra is not enabled. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2026. - - Run 'pro help esm-infra' to learn more - - Installed packages covered by esm-infra: - (.|\n)+ - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2026. - - Run 'pro help esm-apps' to learn more - - Installed packages covered by esm-apps: - (.|\n)+ - """ - When I verify that running `pro security-status --thirdparty --unavailable` `as non-root` exits `2` - Then I will see the following on stderr - """ - usage: security-status [-h] [--format {json,yaml,text}] - [--thirdparty | --unavailable | --esm-infra | --esm-apps] - argument --unavailable: not allowed with argument --thirdparty - """ - When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - The system apt cache may be outdated\. Make sure to run - sudo apt update - to get the latest package information from apt\. - - This machine is NOT receiving security patches because the LTS period has ended - and esm-infra is not enabled. - This machine is attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2026. - - Enable esm-infra with: pro enable esm-infra - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2026. - - Enable esm-apps with: pro enable esm-apps - """ - When I run `touch -d '-2 days' /var/lib/apt/periodic/update-success-stamp` with sudo - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - The system apt information was updated 2 day\(s\) ago\. Make sure to run - sudo apt update - to get the latest package information from apt\. - - This machine is NOT receiving security patches because the LTS period has ended - and esm-infra is not enabled. - This machine is attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2026. - - Enable esm-infra with: pro enable esm-infra - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2026. - - Enable esm-apps with: pro enable esm-apps - """ - - @uses.config.contract_token - Scenario Outline: Run security status in an Ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I install third-party / unknown packages in the machine - # Ansible is in esm-apps - And I apt install `ansible` - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is receiving security patching for Ubuntu Main/Restricted - repository until 2025. - This machine is NOT attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2030. - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2030\. There (is|are) \d+ pending security update[s]?\. - - Try Ubuntu Pro with a free personal subscription on up to 5 machines. - Learn more at https://ubuntu.com/pro - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - - This machine is receiving security patching for Ubuntu Main/Restricted - repository until 2025. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2030. - - Run 'pro help esm-infra' to learn more - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2030\. There (is|are) \d+ pending security update[s]?\. - - Run 'pro help esm-apps' to learn more - - Installed packages with an available esm-apps update: - (.|\n)+ - - Further installed packages covered by esm-apps: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I attach `contract_token` with sudo - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is attached to an Ubuntu Pro subscription. - - Main/Restricted packages are receiving security updates from - Ubuntu Pro with 'esm-infra' enabled until 2030. - - Universe/Multiverse packages are receiving security updates from - Ubuntu Pro with 'esm-apps' enabled until 2030\. There (is|are) \d+ pending security update[s]?\. - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - - Main/Restricted packages are receiving security updates from - Ubuntu Pro with 'esm-infra' enabled until 2030. - - Run 'pro help esm-infra' to learn more - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - - Universe/Multiverse packages are receiving security updates from - Ubuntu Pro with 'esm-apps' enabled until 2030\. There (is|are) \d+ pending security update[s]?\. - - Run 'pro help esm-apps' to learn more - - Installed packages with an available esm-apps update: - (.|\n)+ - - Further installed packages covered by esm-apps: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I apt upgrade - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is attached to an Ubuntu Pro subscription. - - Main/Restricted packages are receiving security updates from - Ubuntu Pro with 'esm-infra' enabled until 2030\. - - Universe/Multiverse packages are receiving security updates from - Ubuntu Pro with 'esm-apps' enabled until 2030\. You have received \d+ security - update[s]?\. - """ - When I run `pro disable esm-infra esm-apps` with sudo - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - This machine is receiving security patching for Ubuntu Main/Restricted - repository until 2025. - This machine is attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2030. - - Enable esm-infra with: pro enable esm-infra - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2030. - - Enable esm-apps with: pro enable esm-apps - """ - When I verify root and non-root `pro security-status --thirdparty` calls have the same output - And I run `pro security-status --thirdparty` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +1 package from a third party - - Packages from third parties are not provided by the official Ubuntu - archive, for example packages from Personal Package Archives in Launchpad\. - - Packages: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I verify root and non-root `pro security-status --unavailable` calls have the same output - And I run `pro security-status --unavailable` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? no longer available for download - - Packages that are not available for download may be left over from a - previous release of Ubuntu, may have been installed directly from a - .deb file, or are from a source which has been disabled\. - - Packages: - (.|\n)+ - - For example, run: - apt-cache show .+ - to learn more about that package\. - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - - This machine is receiving security patching for Ubuntu Main/Restricted - repository until 2025. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2030. - - Run 'pro help esm-infra' to learn more - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2030. - - Run 'pro help esm-apps' to learn more - - Installed packages covered by esm-apps: - (.|\n)+ - """ - When I verify that running `pro security-status --thirdparty --unavailable` `as non-root` exits `2` - Then I will see the following on stderr - """ - usage: security-status [-h] [--format {json,yaml,text}] - [--thirdparty | --unavailable | --esm-infra | --esm-apps] - argument --unavailable: not allowed with argument --thirdparty - """ - When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - The system apt cache may be outdated\. Make sure to run - sudo apt update - to get the latest package information from apt\. - - This machine is receiving security patching for Ubuntu Main/Restricted - repository until 2025. - This machine is attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2030. - - Enable esm-infra with: pro enable esm-infra - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2030. - - Enable esm-apps with: pro enable esm-apps - """ - When I run `touch -d '-2 days' /var/lib/apt/periodic/update-success-stamp` with sudo - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ package[s]? from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - The system apt information was updated 2 day\(s\) ago\. Make sure to run - sudo apt update - to get the latest package information from apt\. - - This machine is receiving security patching for Ubuntu Main/Restricted - repository until 2025. - This machine is attached to an Ubuntu Pro subscription. - - Ubuntu Pro with 'esm-infra' enabled provides security updates for - Main/Restricted packages until 2030. - - Enable esm-infra with: pro enable esm-infra - - Ubuntu Pro with 'esm-apps' enabled provides security updates for - Universe/Multiverse packages until 2030. - - Enable esm-apps with: pro enable esm-apps - """ - - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | - | focal | wsl | - - # Latest released non-LTS - Scenario: Run security status in an Ubuntu machine - Given a `mantic` `lxd-container` machine with ubuntu-advantage-tools installed - When I install third-party / unknown packages in the machine - # Ansible is in esm-apps - And I apt install `ansible` - And I verify root and non-root `pro security-status` calls have the same output - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - Main/Restricted packages receive updates until 7/2024\. - - Ubuntu Pro is not available for non-LTS releases\. - """ - When I verify root and non-root `pro security-status --esm-infra` calls have the same output - And I run `pro security-status --esm-infra` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - - Main/Restricted packages receive updates until 7/2024\. - - Ubuntu Pro is not available for non-LTS releases\. - """ - When I verify root and non-root `pro security-status --esm-apps` calls have the same output - And I run `pro security-status --esm-apps` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Universe/Multiverse repository - - Ubuntu Pro is not available for non-LTS releases\. - """ - When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - The system apt cache may be outdated\. Make sure to run - sudo apt update - to get the latest package information from apt\. - - Main/Restricted packages receive updates until 7/2024\. - - Ubuntu Pro is not available for non-LTS releases\. - """ - When I run `touch -d '-2 days' /var/lib/apt/periodic/update-success-stamp` with sudo - And I run `pro security-status` as non-root - Then stdout matches regexp: - """ - \d+ packages installed: - +\d+ packages from Ubuntu Main/Restricted repository - +\d+ package[s]? from Ubuntu Universe/Multiverse repository - +\d+ package[s]? from a third party - +\d+ package[s]? no longer available for download - - To get more information about the packages, run - pro security-status --help - for a list of available options\. - - The system apt information was updated 2 day\(s\) ago\. Make sure to run - sudo apt update - to get the latest package information from apt\. - - Main/Restricted packages receive updates until 7/2024\. - - Ubuntu Pro is not available for non-LTS releases\. - """ + @uses.config.contract_token + Scenario Outline: Run security status with JSON/YAML format + Given a `` `` machine with ubuntu-advantage-tools installed + When I apt install `ansible` + And I run `pro security-status --format json` as non-root + Then stdout is a json matching the `ua_security_status` schema + And stdout matches regexp: + """ + "_schema_version": "0.1" + """ + And stdout matches regexp: + """ + "attached": false + """ + And stdout matches regexp: + """ + "enabled_services": \[\] + """ + And stdout matches regexp: + """ + "entitled_services": \[\] + """ + And stdout matches regexp: + """ + "package": "" + """ + And stdout matches regexp: + """ + "service_name": "" + """ + And stdout matches regexp: + """ + "origin": "esm.ubuntu.com" + """ + And stdout matches regexp: + """ + "status": "pending_attach" + """ + And stdout matches regexp: + """ + "download_size": \d+ + """ + When I attach `contract_token` with sudo + And I run `pro security-status --format json` as non-root + Then stdout is a json matching the `ua_security_status` schema + Then stdout matches regexp: + """ + "_schema_version": "0.1" + """ + And stdout matches regexp: + """ + "attached": true + """ + And stdout matches regexp: + """ + "enabled_services": \["esm-apps", "esm-infra"\] + """ + And stdout matches regexp: + """ + "entitled_services": \["esm-apps", "esm-infra"\] + """ + And stdout matches regexp: + """ + "status": "upgrade_available" + """ + And stdout matches regexp: + """ + "download_size": \d+ + """ + When I run `pro security-status --format yaml` as non-root + Then stdout is a yaml matching the `ua_security_status` schema + And stdout matches regexp: + """ + _schema_version: '0.1' + """ + When I verify that running `pro security-status --format unsupported` `as non-root` exits `2` + Then I will see the following on stderr: + """ + usage: security-status [-h] [--format {json,yaml,text}] + [--thirdparty | --unavailable | --esm-infra | --esm-apps] + argument --format: invalid choice: 'unsupported' (choose from 'json', 'yaml', 'text') + """ + + Examples: ubuntu release + | release | machine_type | package | service | + | xenial | lxd-container | apport | esm-infra | + | bionic | lxd-container | ansible | esm-apps | + | bionic | wsl | ansible | esm-apps | + + @uses.config.contract_token + Scenario: Check for livepatch CVEs in security-status on an Ubuntu machine + Given a `xenial` `lxd-vm` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `pro security-status --format json` as non-root + Then stdout is a json matching the `ua_security_status` schema + Then stdout matches regexp: + """ + {"name": "cve-2013-1798", "patched": true} + """ + When I run `pro security-status --format yaml` as non-root + Then stdout is a yaml matching the `ua_security_status` schema + And stdout matches regexp: + """ + - name: cve-2013-1798 + patched: true + """ + + @uses.config.contract_token + Scenario: Run security status in an Ubuntu machine + Given a `xenial` `lxd-container` machine with ubuntu-advantage-tools installed + When I install third-party / unknown packages in the machine + # Ansible is in esm-apps + And I apt install `ansible` + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is NOT receiving security patches because the LTS period has ended + and esm-infra is not enabled. + This machine is NOT attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2026\. There (is|are) \d+ pending security update[s]?\. + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2026\. There (is|are) \d+ pending security update[s]?\. + + Try Ubuntu Pro with a free personal subscription on up to 5 machines. + Learn more at https://ubuntu.com/pro + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + + This machine is NOT receiving security patches because the LTS period has ended + and esm-infra is not enabled. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2026\. There (is|are) \d+ pending security update[s]?\. + + Run 'pro help esm-infra' to learn more + + Installed packages with an available esm-infra update: + (.|\n)+ + + Further installed packages covered by esm-infra: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2026\. There (is|are) \d+ pending security update[s]?\. + + Run 'pro help esm-apps' to learn more + + Installed packages with an available esm-apps update: + (.|\n)+ + + Further installed packages covered by esm-apps: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I attach `contract_token` with sudo + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is attached to an Ubuntu Pro subscription. + + Main/Restricted packages are receiving security updates from + Ubuntu Pro with 'esm-infra' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. + + Universe/Multiverse packages are receiving security updates from + Ubuntu Pro with 'esm-apps' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + + Main/Restricted packages are receiving security updates from + Ubuntu Pro with 'esm-infra' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. + + Run 'pro help esm-infra' to learn more + + Installed packages with an available esm-infra update: + (.|\n)+ + + Further installed packages covered by esm-infra: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + + Universe/Multiverse packages are receiving security updates from + Ubuntu Pro with 'esm-apps' enabled until 2026\. There (is|are) \d+ pending security update[s]?\. + + Run 'pro help esm-apps' to learn more + + Installed packages with an available esm-apps update: + (.|\n)+ + + Further installed packages covered by esm-apps: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I apt upgrade + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is attached to an Ubuntu Pro subscription. + + Main/Restricted packages are receiving security updates from + Ubuntu Pro with 'esm-infra' enabled until 2026\. You have received \d+ security + update[s]?\. + + Universe/Multiverse packages are receiving security updates from + Ubuntu Pro with 'esm-apps' enabled until 2026\. You have received \d+ security + update[s]?\. + """ + When I run `pro disable esm-infra esm-apps` with sudo + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is NOT receiving security patches because the LTS period has ended + and esm-infra is not enabled. + This machine is attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2026. + + Enable esm-infra with: pro enable esm-infra + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2026. + + Enable esm-apps with: pro enable esm-apps + """ + When I verify root and non-root `pro security-status --thirdparty` calls have the same output + And I run `pro security-status --thirdparty` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +1 package from a third party + + Packages from third parties are not provided by the official Ubuntu + archive, for example packages from Personal Package Archives in Launchpad\. + + Packages: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I verify root and non-root `pro security-status --unavailable` calls have the same output + And I run `pro security-status --unavailable` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? no longer available for download + + Packages that are not available for download may be left over from a + previous release of Ubuntu, may have been installed directly from a + .deb file, or are from a source which has been disabled\. + + Packages: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + + This machine is NOT receiving security patches because the LTS period has ended + and esm-infra is not enabled. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2026. + + Run 'pro help esm-infra' to learn more + + Installed packages covered by esm-infra: + (.|\n)+ + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2026. + + Run 'pro help esm-apps' to learn more + + Installed packages covered by esm-apps: + (.|\n)+ + """ + When I verify that running `pro security-status --thirdparty --unavailable` `as non-root` exits `2` + Then I will see the following on stderr + """ + usage: security-status [-h] [--format {json,yaml,text}] + [--thirdparty | --unavailable | --esm-infra | --esm-apps] + argument --unavailable: not allowed with argument --thirdparty + """ + When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + The system apt cache may be outdated\. Make sure to run + sudo apt update + to get the latest package information from apt\. + + This machine is NOT receiving security patches because the LTS period has ended + and esm-infra is not enabled. + This machine is attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2026. + + Enable esm-infra with: pro enable esm-infra + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2026. + + Enable esm-apps with: pro enable esm-apps + """ + When I run `touch -d '-2 days' /var/lib/apt/periodic/update-success-stamp` with sudo + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + The system apt information was updated 2 day\(s\) ago\. Make sure to run + sudo apt update + to get the latest package information from apt\. + + This machine is NOT receiving security patches because the LTS period has ended + and esm-infra is not enabled. + This machine is attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2026. + + Enable esm-infra with: pro enable esm-infra + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2026. + + Enable esm-apps with: pro enable esm-apps + """ + + @uses.config.contract_token + Scenario Outline: Run security status in an Ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I install third-party / unknown packages in the machine + # Ansible is in esm-apps + And I apt install `ansible` + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is receiving security patching for Ubuntu Main/Restricted + repository until 2025. + This machine is NOT attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2030. + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2030\. There (is|are) \d+ pending security update[s]?\. + + Try Ubuntu Pro with a free personal subscription on up to 5 machines. + Learn more at https://ubuntu.com/pro + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + + This machine is receiving security patching for Ubuntu Main/Restricted + repository until 2025. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2030. + + Run 'pro help esm-infra' to learn more + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2030\. There (is|are) \d+ pending security update[s]?\. + + Run 'pro help esm-apps' to learn more + + Installed packages with an available esm-apps update: + (.|\n)+ + + Further installed packages covered by esm-apps: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I attach `contract_token` with sudo + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is attached to an Ubuntu Pro subscription. + + Main/Restricted packages are receiving security updates from + Ubuntu Pro with 'esm-infra' enabled until 2030. + + Universe/Multiverse packages are receiving security updates from + Ubuntu Pro with 'esm-apps' enabled until 2030\. There (is|are) \d+ pending security update[s]?\. + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + + Main/Restricted packages are receiving security updates from + Ubuntu Pro with 'esm-infra' enabled until 2030. + + Run 'pro help esm-infra' to learn more + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + + Universe/Multiverse packages are receiving security updates from + Ubuntu Pro with 'esm-apps' enabled until 2030\. There (is|are) \d+ pending security update[s]?\. + + Run 'pro help esm-apps' to learn more + + Installed packages with an available esm-apps update: + (.|\n)+ + + Further installed packages covered by esm-apps: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I apt upgrade + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is attached to an Ubuntu Pro subscription. + + Main/Restricted packages are receiving security updates from + Ubuntu Pro with 'esm-infra' enabled until 2030\. + + Universe/Multiverse packages are receiving security updates from + Ubuntu Pro with 'esm-apps' enabled until 2030\. You have received \d+ security + update[s]?\. + """ + When I run `pro disable esm-infra esm-apps` with sudo + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + This machine is receiving security patching for Ubuntu Main/Restricted + repository until 2025. + This machine is attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2030. + + Enable esm-infra with: pro enable esm-infra + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2030. + + Enable esm-apps with: pro enable esm-apps + """ + When I verify root and non-root `pro security-status --thirdparty` calls have the same output + And I run `pro security-status --thirdparty` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +1 package from a third party + + Packages from third parties are not provided by the official Ubuntu + archive, for example packages from Personal Package Archives in Launchpad\. + + Packages: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I verify root and non-root `pro security-status --unavailable` calls have the same output + And I run `pro security-status --unavailable` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? no longer available for download + + Packages that are not available for download may be left over from a + previous release of Ubuntu, may have been installed directly from a + .deb file, or are from a source which has been disabled\. + + Packages: + (.|\n)+ + + For example, run: + apt-cache show .+ + to learn more about that package\. + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + + This machine is receiving security patching for Ubuntu Main/Restricted + repository until 2025. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2030. + + Run 'pro help esm-infra' to learn more + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2030. + + Run 'pro help esm-apps' to learn more + + Installed packages covered by esm-apps: + (.|\n)+ + """ + When I verify that running `pro security-status --thirdparty --unavailable` `as non-root` exits `2` + Then I will see the following on stderr + """ + usage: security-status [-h] [--format {json,yaml,text}] + [--thirdparty | --unavailable | --esm-infra | --esm-apps] + argument --unavailable: not allowed with argument --thirdparty + """ + When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + The system apt cache may be outdated\. Make sure to run + sudo apt update + to get the latest package information from apt\. + + This machine is receiving security patching for Ubuntu Main/Restricted + repository until 2025. + This machine is attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2030. + + Enable esm-infra with: pro enable esm-infra + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2030. + + Enable esm-apps with: pro enable esm-apps + """ + When I run `touch -d '-2 days' /var/lib/apt/periodic/update-success-stamp` with sudo + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ package[s]? from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + The system apt information was updated 2 day\(s\) ago\. Make sure to run + sudo apt update + to get the latest package information from apt\. + + This machine is receiving security patching for Ubuntu Main/Restricted + repository until 2025. + This machine is attached to an Ubuntu Pro subscription. + + Ubuntu Pro with 'esm-infra' enabled provides security updates for + Main/Restricted packages until 2030. + + Enable esm-infra with: pro enable esm-infra + + Ubuntu Pro with 'esm-apps' enabled provides security updates for + Universe/Multiverse packages until 2030. + + Enable esm-apps with: pro enable esm-apps + """ + + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + | focal | wsl | + + # Latest released non-LTS + Scenario: Run security status in an Ubuntu machine + Given a `mantic` `lxd-container` machine with ubuntu-advantage-tools installed + When I install third-party / unknown packages in the machine + # Ansible is in esm-apps + And I apt install `ansible` + And I verify root and non-root `pro security-status` calls have the same output + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + Main/Restricted packages receive updates until 7/2024\. + + Ubuntu Pro is not available for non-LTS releases\. + """ + When I verify root and non-root `pro security-status --esm-infra` calls have the same output + And I run `pro security-status --esm-infra` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + + Main/Restricted packages receive updates until 7/2024\. + + Ubuntu Pro is not available for non-LTS releases\. + """ + When I verify root and non-root `pro security-status --esm-apps` calls have the same output + And I run `pro security-status --esm-apps` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Universe/Multiverse repository + + Ubuntu Pro is not available for non-LTS releases\. + """ + When I run `rm /var/lib/apt/periodic/update-success-stamp` with sudo + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + The system apt cache may be outdated\. Make sure to run + sudo apt update + to get the latest package information from apt\. + + Main/Restricted packages receive updates until 7/2024\. + + Ubuntu Pro is not available for non-LTS releases\. + """ + When I run `touch -d '-2 days' /var/lib/apt/periodic/update-success-stamp` with sudo + And I run `pro security-status` as non-root + Then stdout matches regexp: + """ + \d+ packages installed: + +\d+ packages from Ubuntu Main/Restricted repository + +\d+ package[s]? from Ubuntu Universe/Multiverse repository + +\d+ package[s]? from a third party + +\d+ package[s]? no longer available for download + + To get more information about the packages, run + pro security-status --help + for a list of available options\. + + The system apt information was updated 2 day\(s\) ago\. Make sure to run + sudo apt update + to get the latest package information from apt\. + + Main/Restricted packages receive updates until 7/2024\. + + Ubuntu Pro is not available for non-LTS releases\. + """ diff --git a/features/timer.feature b/features/timer.feature index ef93f9128b..5adb1803b4 100644 --- a/features/timer.feature +++ b/features/timer.feature @@ -1,17 +1,18 @@ @uses.config.contract_token Feature: Timer for regular background jobs while attached - # earlies, latest lts, devel - Scenario Outline: Timer is stopped when detached, started when attached - Given a `` `` machine with ubuntu-advantage-tools installed - Then I verify the `ua-timer` systemd timer is disabled - When I attach `contract_token` with sudo - # 6 hour timer with 1 hour randomized delay -> potentially 7 hours - Then I verify the `ua-timer` systemd timer is scheduled to run within `420` minutes - When I run `pro detach --assume-yes` with sudo - Then I verify the `ua-timer` systemd timer is disabled - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + # earlies, latest lts, devel + Scenario Outline: Timer is stopped when detached, started when attached + Given a `` `` machine with ubuntu-advantage-tools installed + Then I verify the `ua-timer` systemd timer is disabled + When I attach `contract_token` with sudo + # 6 hour timer with 1 hour randomized delay -> potentially 7 hours + Then I verify the `ua-timer` systemd timer is scheduled to run within `420` minutes + When I run `pro detach --assume-yes` with sudo + Then I verify the `ua-timer` systemd timer is disabled + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/ubuntu_pro.feature b/features/ubuntu_pro.feature index 1307f1b609..30c869c6df 100644 --- a/features/ubuntu_pro.feature +++ b/features/ubuntu_pro.feature @@ -1,266 +1,266 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image - Scenario Outline: Proxy auto-attach on a cloud Ubuntu Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - Given a `focal` `` machine named `proxy` with ingress ports `3389` - When I apt install `squid` on the `proxy` machine - And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: - """ - dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_port 3389\nhttp_access allow all - """ - And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine - # This also tests that legacy `ua_config` settings still work - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - ua_config: - http_proxy: http://$behave_var{machine-ip proxy}:3389 - https_proxy: http://$behave_var{machine-ip proxy}:3389 - """ - And I verify `/var/log/squid/access.log` is empty on `proxy` machine - When I run `pro auto-attach` with sudo - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `livepatch` is enabled - When I run `pro enable ` with sudo - Then I verify that `` is enabled - When I run `pro disable ` with sudo - Then stdout matches regexp: - """ - Updating package lists - """ - And I verify that `` is disabled - When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine - Then stdout matches regexp: - """ - .*CONNECT contracts.canonical.com.* - """ - And stdout does not match regexp: - """ - .*CONNECT 169.254.169.254.* - """ - And stdout does not match regexp: - """ - .*CONNECT metadata.* - """ + Scenario Outline: Proxy auto-attach on a cloud Ubuntu Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + Given a `focal` `` machine named `proxy` with ingress ports `3389` + When I apt install `squid` on the `proxy` machine + And I add this text on `/etc/squid/squid.conf` on `proxy` above `http_access deny all`: + """ + dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_port 3389\nhttp_access allow all + """ + And I run `systemctl restart squid.service` `with sudo` on the `proxy` machine + # This also tests that legacy `ua_config` settings still work + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + ua_config: + http_proxy: http://$behave_var{machine-ip proxy}:3389 + https_proxy: http://$behave_var{machine-ip proxy}:3389 + """ + And I verify `/var/log/squid/access.log` is empty on `proxy` machine + When I run `pro auto-attach` with sudo + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `livepatch` is enabled + When I run `pro enable ` with sudo + Then I verify that `` is enabled + When I run `pro disable ` with sudo + Then stdout matches regexp: + """ + Updating package lists + """ + And I verify that `` is disabled + When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine + Then stdout matches regexp: + """ + .*CONNECT contracts.canonical.com.* + """ + And stdout does not match regexp: + """ + .*CONNECT 169.254.169.254.* + """ + And stdout does not match regexp: + """ + .*CONNECT metadata.* + """ - Examples: ubuntu release - | release | machine_type | fips-s | cc-eal-s | cis-s | livepatch-s | lp-desc | cis_or_usg | - | xenial | aws.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | - | xenial | azure.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | - | xenial | gcp.pro | n/a | disabled | disabled | warning | Current kernel is not supported | cis | - | bionic | aws.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | - | bionic | azure.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | - | bionic | gcp.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | - | focal | aws.pro | disabled | n/a | disabled | enabled | Canonical Livepatch service | usg | - | focal | azure.pro | disabled | n/a | disabled | enabled | Canonical Livepatch service | usg | - | focal | gcp.pro | disabled | n/a | disabled | enabled | Canonical Livepatch service | usg | + Examples: ubuntu release + | release | machine_type | fips-s | cc-eal-s | cis-s | livepatch-s | lp-desc | cis_or_usg | + | xenial | aws.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | + | xenial | azure.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | + | xenial | gcp.pro | n/a | disabled | disabled | warning | Current kernel is not supported | cis | + | bionic | aws.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | + | bionic | azure.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | + | bionic | gcp.pro | disabled | disabled | disabled | enabled | Canonical Livepatch service | cis | + | focal | aws.pro | disabled | n/a | disabled | enabled | Canonical Livepatch service | usg | + | focal | azure.pro | disabled | n/a | disabled | enabled | Canonical Livepatch service | usg | + | focal | gcp.pro | disabled | n/a | disabled | enabled | Canonical Livepatch service | usg | - Scenario Outline: Attached refresh in an Ubuntu pro cloud machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `livepatch` is enabled - When I run `systemctl start ua-auto-attach.service` with sudo - And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3` - Then stdout matches regexp: - """ - .*status=0\/SUCCESS.* - """ - And stdout matches regexp: - """ - Active: inactive \(dead\).* - \s*Condition: start condition failed.* - .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met - """ - When I verify that running `pro auto-attach` `with sudo` exits `2` - Then stderr matches regexp: - """ - This machine is already attached to '.*' - To use a different subscription first run: sudo pro detach. - """ - When I run `apt-cache policy` with sudo - Then apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/infra/ubuntu -infra-security/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/apps/ubuntu -apps-updates/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages - """ - And I ensure apt update runs without errors - When I apt install `/-infra-security` - And I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - \s*510 https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages - """ - And stdout matches regexp: - """ - Installed: .*[~+]esm - """ - When I apt install `/-apps-security` - And I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - Version table: - \s*\*\*\* .* 510 - \s*510 https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages - """ - When I create the file `/var/lib/ubuntu-advantage/marker-reboot-cmds-required` with the following: - """ - """ - And I reboot the machine - And I verify that running `systemctl status ua-reboot-cmds.service` `as non-root` exits `0,3` - Then stdout matches regexp: - """ - .*status=0\/SUCCESS.* - """ - When I run `ua api u.pro.attach.auto.should_auto_attach.v1` with sudo - Then stdout matches regexp: - """ - {"_schema_version": "v1", "data": {"attributes": {"should_auto_attach": true}, "meta": {"environment_vars": \[\]}, "type": "ShouldAutoAttach"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} - """ + Scenario Outline: Attached refresh in an Ubuntu pro cloud machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `livepatch` is enabled + When I run `systemctl start ua-auto-attach.service` with sudo + And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3` + Then stdout matches regexp: + """ + .*status=0\/SUCCESS.* + """ + And stdout matches regexp: + """ + Active: inactive \(dead\).* + \s*Condition: start condition failed.* + .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met + """ + When I verify that running `pro auto-attach` `with sudo` exits `2` + Then stderr matches regexp: + """ + This machine is already attached to '.*' + To use a different subscription first run: sudo pro detach. + """ + When I run `apt-cache policy` with sudo + Then apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/infra/ubuntu -infra-security/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/apps/ubuntu -apps-updates/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages + """ + And I ensure apt update runs without errors + When I apt install `/-infra-security` + And I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + \s*510 https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages + """ + And stdout matches regexp: + """ + Installed: .*[~+]esm + """ + When I apt install `/-apps-security` + And I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + Version table: + \s*\*\*\* .* 510 + \s*510 https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages + """ + When I create the file `/var/lib/ubuntu-advantage/marker-reboot-cmds-required` with the following: + """ + """ + And I reboot the machine + And I verify that running `systemctl status ua-reboot-cmds.service` `as non-root` exits `0,3` + Then stdout matches regexp: + """ + .*status=0\/SUCCESS.* + """ + When I run `ua api u.pro.attach.auto.should_auto_attach.v1` with sudo + Then stdout matches regexp: + """ + {"_schema_version": "v1", "data": {"attributes": {"should_auto_attach": true}, "meta": {"environment_vars": \[\]}, "type": "ShouldAutoAttach"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]} + """ - Examples: ubuntu release - | release | machine_type | infra-pkg | apps-pkg | - | xenial | aws.pro | libkrad0 | jq | - | xenial | azure.pro | libkrad0 | jq | - | xenial | gcp.pro | libkrad0 | jq | - | bionic | aws.pro | libkrad0 | bundler | - | bionic | azure.pro | libkrad0 | bundler | - | bionic | gcp.pro | libkrad0 | bundler | - | focal | aws.pro | hello | ant | - | focal | azure.pro | hello | ant | - | focal | gcp.pro | hello | ant | - | jammy | aws.pro | hello | hello | - | jammy | azure.pro | hello | hello | - | jammy | gcp.pro | hello | hello | + Examples: ubuntu release + | release | machine_type | infra-pkg | apps-pkg | + | xenial | aws.pro | libkrad0 | jq | + | xenial | azure.pro | libkrad0 | jq | + | xenial | gcp.pro | libkrad0 | jq | + | bionic | aws.pro | libkrad0 | bundler | + | bionic | azure.pro | libkrad0 | bundler | + | bionic | gcp.pro | libkrad0 | bundler | + | focal | aws.pro | hello | ant | + | focal | azure.pro | hello | ant | + | focal | gcp.pro | hello | ant | + | jammy | aws.pro | hello | hello | + | jammy | azure.pro | hello | hello | + | jammy | gcp.pro | hello | hello | - Scenario Outline: Auto-attach service works on Pro Machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `systemctl start ua-auto-attach.service` with sudo - And I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - And I reboot the machine - And I run `pro status --wait` with sudo - And I run `pro security-status --format json` with sudo - Then stdout matches regexp: - """ - "attached": true - """ + Scenario Outline: Auto-attach service works on Pro Machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `systemctl start ua-auto-attach.service` with sudo + And I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + And I reboot the machine + And I run `pro status --wait` with sudo + And I run `pro security-status --format json` with sudo + Then stdout matches regexp: + """ + "attached": true + """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.pro | - | xenial | azure.pro | - | xenial | gcp.pro | - | bionic | aws.pro | - | bionic | azure.pro | - | bionic | gcp.pro | - | focal | aws.pro | - | focal | azure.pro | - | focal | gcp.pro | - | jammy | aws.pro | - | jammy | azure.pro | - | jammy | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.pro | + | xenial | azure.pro | + | xenial | gcp.pro | + | bionic | aws.pro | + | bionic | azure.pro | + | bionic | gcp.pro | + | focal | aws.pro | + | focal | azure.pro | + | focal | gcp.pro | + | jammy | aws.pro | + | jammy | azure.pro | + | jammy | gcp.pro | - Scenario Outline: Auto-attach no-op when cloud-init has ubuntu_advantage on userdata - Given a `` `` machine with ubuntu-advantage-tools installed adding this cloud-init user_data: - # This user_data should not do anything, just guarantee that the ua-auto-attach service - # does nothing - """ - ubuntu_advantage: - features: - disable_auto_attach: true - """ - When I run `cloud-init query userdata` with sudo - Then stdout matches regexp: - """ - ubuntu_advantage: - features: - disable_auto_attach: true - """ - # On GCP, this service will auto-attach the machine automatically after we override - # the uaclient.conf file. To guarantee that we are not auto-attaching on reboot - # through the ua-auto-attach.service, we are masking it - When I run `systemctl mask ubuntu-advantage.service` with sudo - And I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - """ - And I reboot the machine - And I run `pro status --wait` with sudo - And I run `pro security-status --format json` with sudo - Then stdout matches regexp: - """ - "attached": false - """ - When I run `cat /var/log/ubuntu-advantage.log` with sudo - Then stdout matches regexp: - """ - cloud-init userdata has ubuntu-advantage key. - """ - And stdout matches regexp: - """ - Skipping auto-attach and deferring to cloud-init to setup and configure auto-attach - """ - When I run `cloud-init status` with sudo - Then stdout matches regexp: - """ - status: done - """ + Scenario Outline: Auto-attach no-op when cloud-init has ubuntu_advantage on userdata + Given a `` `` machine with ubuntu-advantage-tools installed adding this cloud-init user_data: + # This user_data should not do anything, just guarantee that the ua-auto-attach service + # does nothing + """ + ubuntu_advantage: + features: + disable_auto_attach: true + """ + When I run `cloud-init query userdata` with sudo + Then stdout matches regexp: + """ + ubuntu_advantage: + features: + disable_auto_attach: true + """ + # On GCP, this service will auto-attach the machine automatically after we override + # the uaclient.conf file. To guarantee that we are not auto-attaching on reboot + # through the ua-auto-attach.service, we are masking it + When I run `systemctl mask ubuntu-advantage.service` with sudo + And I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + """ + And I reboot the machine + And I run `pro status --wait` with sudo + And I run `pro security-status --format json` with sudo + Then stdout matches regexp: + """ + "attached": false + """ + When I run `cat /var/log/ubuntu-advantage.log` with sudo + Then stdout matches regexp: + """ + cloud-init userdata has ubuntu-advantage key. + """ + And stdout matches regexp: + """ + Skipping auto-attach and deferring to cloud-init to setup and configure auto-attach + """ + When I run `cloud-init status` with sudo + Then stdout matches regexp: + """ + status: done + """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.pro | - | xenial | azure.pro | - | xenial | gcp.pro | - | bionic | aws.pro | - | bionic | azure.pro | - | bionic | gcp.pro | - | focal | aws.pro | - | focal | azure.pro | - | focal | gcp.pro | - | jammy | aws.pro | - | jammy | azure.pro | - | jammy | gcp.pro | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.pro | + | xenial | azure.pro | + | xenial | gcp.pro | + | bionic | aws.pro | + | bionic | azure.pro | + | bionic | gcp.pro | + | focal | aws.pro | + | focal | azure.pro | + | focal | gcp.pro | + | jammy | aws.pro | + | jammy | azure.pro | + | jammy | gcp.pro | - Scenario Outline: Unregistered Pro machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro auto-attach` `with sudo` exits `1` - Then stderr matches regexp: - """ - Error on Pro Image: - missing instance information - """ + Scenario Outline: Unregistered Pro machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro auto-attach` `with sudo` exits `1` + Then stderr matches regexp: + """ + Error on Pro Image: + missing instance information + """ - Examples: ubuntu release - | release | machine_type | - | xenial | aws.generic | - | bionic | aws.generic | - | focal | aws.generic | - | jammy | aws.generic | + Examples: ubuntu release + | release | machine_type | + | xenial | aws.generic | + | bionic | aws.generic | + | focal | aws.generic | + | jammy | aws.generic | diff --git a/features/ubuntu_pro_fips.feature b/features/ubuntu_pro_fips.feature index 42656915ba..a0e4d611eb 100644 --- a/features/ubuntu_pro_fips.feature +++ b/features/ubuntu_pro_fips.feature @@ -1,250 +1,250 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO fips image - Scenario Outline: Check fips is enabled correctly on Ubuntu pro fips Azure machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - features: - allow_xenial_fips_on_cloud: true - """ - And I run `pro auto-attach` with sudo - And I run `pro status --wait` as non-root - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `fips` is enabled - And I verify that `fips-updates` is disabled - And I ensure apt update runs without errors - And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` - When I run `uname -r` as non-root - Then stdout matches regexp: - """ - - """ - When I run `apt-cache policy ` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `systemctl daemon-reload` with sudo - When I run `systemctl start ua-auto-attach.service` with sudo - And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3` - Then stdout matches regexp: - """ - .*status=0\/SUCCESS.* - """ - And stdout matches regexp: - """ - Active: inactive \(dead\).* - \s*Condition: start condition failed.* - .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met - """ - When I verify that running `pro auto-attach` `with sudo` exits `2` - Then stderr matches regexp: - """ - This machine is already attached to '.*' - To use a different subscription first run: sudo pro detach. - """ - When I run `apt-cache policy` with sudo - Then apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/infra/ubuntu -infra-security/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/apps/ubuntu -apps-updates/main amd64 Packages - """ - And apt-cache policy for the following url has priority `510` - """ - https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages - """ - And apt-cache policy for the following url has priority `1001` - """ - amd64 Packages - """ - And I ensure apt update runs without errors - When I apt install `/-infra-security` - And I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - \s*510 https://esm.ubuntu.com/infra/ubuntu -infra-security/main amd64 Packages - """ - Then stdout matches regexp: - """ - \s*510 https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages - """ - And stdout matches regexp: - """ - Installed: .*[~+]esm - """ - When I apt install `/-apps-security` - And I run `apt-cache policy ` as non-root - Then stdout matches regexp: - """ - Version table: - \s*\*\*\* .* 510 - \s*510 https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages - """ - When I run `pro enable fips-updates --assume-yes` with sudo - Then I will see the following on stdout: - """ - One moment, checking your subscription first - Disabling incompatible service: FIPS - Updating FIPS Updates package lists - Installing FIPS Updates packages - Updating standard Ubuntu package lists - FIPS Updates enabled - A reboot is required to complete install. - """ - Then I verify that `fips-updates` is enabled - When I run `pro status` with sudo - Then stdout matches regexp: - """ - NOTICES - FIPS support requires system reboot to complete configuration. - """ - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - - """ - When I run `apt-cache policy ` as non-root - Then stdout does not match regexp: - """ - .*Installed: \(none\) - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - When I run `pro status` with sudo - Then stdout does not match regexp: - """ - NOTICES - FIPS support requires system reboot to complete configuration. - """ + Scenario Outline: Check fips is enabled correctly on Ubuntu pro fips Azure machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + features: + allow_xenial_fips_on_cloud: true + """ + And I run `pro auto-attach` with sudo + And I run `pro status --wait` as non-root + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `fips` is enabled + And I verify that `fips-updates` is disabled + And I ensure apt update runs without errors + And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + + """ + When I run `apt-cache policy ` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `systemctl daemon-reload` with sudo + When I run `systemctl start ua-auto-attach.service` with sudo + And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3` + Then stdout matches regexp: + """ + .*status=0\/SUCCESS.* + """ + And stdout matches regexp: + """ + Active: inactive \(dead\).* + \s*Condition: start condition failed.* + .*ConditionPathExists=!/var/lib/ubuntu-advantage/private/machine-token.json was not met + """ + When I verify that running `pro auto-attach` `with sudo` exits `2` + Then stderr matches regexp: + """ + This machine is already attached to '.*' + To use a different subscription first run: sudo pro detach. + """ + When I run `apt-cache policy` with sudo + Then apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/infra/ubuntu -infra-security/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/apps/ubuntu -apps-updates/main amd64 Packages + """ + And apt-cache policy for the following url has priority `510` + """ + https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages + """ + And apt-cache policy for the following url has priority `1001` + """ + amd64 Packages + """ + And I ensure apt update runs without errors + When I apt install `/-infra-security` + And I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + \s*510 https://esm.ubuntu.com/infra/ubuntu -infra-security/main amd64 Packages + """ + Then stdout matches regexp: + """ + \s*510 https://esm.ubuntu.com/infra/ubuntu -infra-updates/main amd64 Packages + """ + And stdout matches regexp: + """ + Installed: .*[~+]esm + """ + When I apt install `/-apps-security` + And I run `apt-cache policy ` as non-root + Then stdout matches regexp: + """ + Version table: + \s*\*\*\* .* 510 + \s*510 https://esm.ubuntu.com/apps/ubuntu -apps-security/main amd64 Packages + """ + When I run `pro enable fips-updates --assume-yes` with sudo + Then I will see the following on stdout: + """ + One moment, checking your subscription first + Disabling incompatible service: FIPS + Updating FIPS Updates package lists + Installing FIPS Updates packages + Updating standard Ubuntu package lists + FIPS Updates enabled + A reboot is required to complete install. + """ + Then I verify that `fips-updates` is enabled + When I run `pro status` with sudo + Then stdout matches regexp: + """ + NOTICES + FIPS support requires system reboot to complete configuration. + """ + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + + """ + When I run `apt-cache policy ` as non-root + Then stdout does not match regexp: + """ + .*Installed: \(none\) + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + When I run `pro status` with sudo + Then stdout does not match regexp: + """ + NOTICES + FIPS support requires system reboot to complete configuration. + """ - Examples: ubuntu release - | release | machine_type | infra-pkg | apps-pkg | fips-apt-source | fips-kernel-version | fips-package | - | xenial | azure.pro-fips | libkrad0 | jq | https://esm.ubuntu.com/fips/ubuntu xenial/main | fips | ubuntu-fips | - | xenial | aws.pro-fips | libkrad0 | jq | https://esm.ubuntu.com/fips/ubuntu xenial/main | fips | ubuntu-fips | - | bionic | azure.pro-fips | libkrad0 | bundler | https://esm.ubuntu.com/fips/ubuntu bionic/main | azure-fips | ubuntu-azure-fips | - | bionic | aws.pro-fips | libkrad0 | bundler | https://esm.ubuntu.com/fips/ubuntu bionic/main | aws-fips | ubuntu-aws-fips | - | bionic | gcp.pro-fips | libkrad0 | bundler | https://esm.ubuntu.com/fips/ubuntu bionic/main | gcp-fips | ubuntu-gcp-fips | - | focal | azure.pro-fips | hello | 389-ds | https://esm.ubuntu.com/fips/ubuntu focal/main | azure-fips | ubuntu-azure-fips | - | focal | aws.pro-fips | hello | 389-ds | https://esm.ubuntu.com/fips/ubuntu focal/main | aws-fips | ubuntu-aws-fips | - | focal | gcp.pro-fips | hello | 389-ds | https://esm.ubuntu.com/fips/ubuntu focal/main | gcp-fips | ubuntu-gcp-fips | + Examples: ubuntu release + | release | machine_type | infra-pkg | apps-pkg | fips-apt-source | fips-kernel-version | fips-package | + | xenial | azure.pro-fips | libkrad0 | jq | https://esm.ubuntu.com/fips/ubuntu xenial/main | fips | ubuntu-fips | + | xenial | aws.pro-fips | libkrad0 | jq | https://esm.ubuntu.com/fips/ubuntu xenial/main | fips | ubuntu-fips | + | bionic | azure.pro-fips | libkrad0 | bundler | https://esm.ubuntu.com/fips/ubuntu bionic/main | azure-fips | ubuntu-azure-fips | + | bionic | aws.pro-fips | libkrad0 | bundler | https://esm.ubuntu.com/fips/ubuntu bionic/main | aws-fips | ubuntu-aws-fips | + | bionic | gcp.pro-fips | libkrad0 | bundler | https://esm.ubuntu.com/fips/ubuntu bionic/main | gcp-fips | ubuntu-gcp-fips | + | focal | azure.pro-fips | hello | 389-ds | https://esm.ubuntu.com/fips/ubuntu focal/main | azure-fips | ubuntu-azure-fips | + | focal | aws.pro-fips | hello | 389-ds | https://esm.ubuntu.com/fips/ubuntu focal/main | aws-fips | ubuntu-aws-fips | + | focal | gcp.pro-fips | hello | 389-ds | https://esm.ubuntu.com/fips/ubuntu focal/main | gcp-fips | ubuntu-gcp-fips | - Scenario Outline: Check fips packages are correctly installed on Azure Focal machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - And I run `pro status --wait` as non-root - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `fips` is enabled - And I verify that `fips-updates` is disabled - And I ensure apt update runs without errors - And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` - And I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` + Scenario Outline: Check fips packages are correctly installed on Azure Focal machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + And I run `pro status --wait` as non-root + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `fips` is enabled + And I verify that `fips-updates` is disabled + And I ensure apt update runs without errors + And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` + And I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` - Examples: ubuntu release - | release | machine_type | fips-apt-source | - | focal | azure.pro-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | aws.pro-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - | focal | gcp.pro-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + Examples: ubuntu release + | release | machine_type | fips-apt-source | + | focal | azure.pro-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | aws.pro-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | + | focal | gcp.pro-fips | https://esm.ubuntu.com/fips/ubuntu focal/main | - Scenario Outline: Check fips packages are correctly installed on Azure Bionic & Xenial machines - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - data_dir: /var/lib/ubuntu-advantage - log_level: debug - log_file: /var/log/ubuntu-advantage.log - features: - allow_xenial_fips_on_cloud: true - """ - And I run `pro auto-attach` with sudo - And I run `pro status --wait` as non-root - Then I verify that `esm-apps` is enabled - And I verify that `esm-infra` is enabled - And I verify that `fips` is enabled - And I verify that `fips-updates` is disabled - And I ensure apt update runs without errors - And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` - And I verify that `openssh-server` is installed from apt source `` - And I verify that `openssh-client` is installed from apt source `` - And I verify that `strongswan` is installed from apt source `` - And I verify that `openssh-server-hmac` is installed from apt source `` - And I verify that `openssh-client-hmac` is installed from apt source `` - And I verify that `strongswan-hmac` is installed from apt source `` + Scenario Outline: Check fips packages are correctly installed on Azure Bionic & Xenial machines + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + data_dir: /var/lib/ubuntu-advantage + log_level: debug + log_file: /var/log/ubuntu-advantage.log + features: + allow_xenial_fips_on_cloud: true + """ + And I run `pro auto-attach` with sudo + And I run `pro status --wait` as non-root + Then I verify that `esm-apps` is enabled + And I verify that `esm-infra` is enabled + And I verify that `fips` is enabled + And I verify that `fips-updates` is disabled + And I ensure apt update runs without errors + And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1` + And I verify that `openssh-server` is installed from apt source `` + And I verify that `openssh-client` is installed from apt source `` + And I verify that `strongswan` is installed from apt source `` + And I verify that `openssh-server-hmac` is installed from apt source `` + And I verify that `openssh-client-hmac` is installed from apt source `` + And I verify that `strongswan-hmac` is installed from apt source `` - Examples: ubuntu release - | release | machine_type | fips-apt-source | - | xenial | azure.pro-fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | - | xenial | aws.pro-fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | - | bionic | azure.pro-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | aws.pro-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - | bionic | gcp.pro-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + Examples: ubuntu release + | release | machine_type | fips-apt-source | + | xenial | azure.pro-fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | xenial | aws.pro-fips | https://esm.ubuntu.com/fips/ubuntu xenial/main | + | bionic | azure.pro-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | aws.pro-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | + | bionic | gcp.pro-fips | https://esm.ubuntu.com/fips/ubuntu bionic/main | - Scenario Outline: Check fips-updates can be enabled in a focal PRO FIPS machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: - """ - contract_url: 'https://contracts.canonical.com' - log_level: debug - """ - And I run `pro auto-attach` with sudo - And I run `pro status --wait` as non-root - Then I verify that `fips` is enabled - And I verify that `fips-updates` is disabled - When I run `pro enable fips-updates --assume-yes` with sudo - Then stdout contains substring: - """ - One moment, checking your subscription first - Disabling incompatible service: FIPS - Updating FIPS Updates package lists - Installing FIPS Updates packages - Updating standard Ubuntu package lists - FIPS Updates enabled - A reboot is required to complete install. - """ - And I verify that `fips` is disabled - And I verify that `fips-updates` is enabled - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ + Scenario Outline: Check fips-updates can be enabled in a focal PRO FIPS machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following: + """ + contract_url: 'https://contracts.canonical.com' + log_level: debug + """ + And I run `pro auto-attach` with sudo + And I run `pro status --wait` as non-root + Then I verify that `fips` is enabled + And I verify that `fips-updates` is disabled + When I run `pro enable fips-updates --assume-yes` with sudo + Then stdout contains substring: + """ + One moment, checking your subscription first + Disabling incompatible service: FIPS + Updating FIPS Updates package lists + Installing FIPS Updates packages + Updating standard Ubuntu package lists + FIPS Updates enabled + A reboot is required to complete install. + """ + And I verify that `fips` is disabled + And I verify that `fips-updates` is enabled + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ - Examples: ubuntu release - | release | machine_type | - | focal | aws.pro-fips | - | focal | azure.pro-fips | - | focal | gcp.pro-fips | + Examples: ubuntu release + | release | machine_type | + | focal | aws.pro-fips | + | focal | azure.pro-fips | + | focal | gcp.pro-fips | diff --git a/features/ubuntu_upgrade.feature b/features/ubuntu_upgrade.feature index 6eeefd91ea..0b09b9786a 100644 --- a/features/ubuntu_upgrade.feature +++ b/features/ubuntu_upgrade.feature @@ -1,124 +1,122 @@ @uses.config.contract_token Feature: Upgrade between releases when uaclient is attached - @slow - @upgrade - Scenario Outline: Attached upgrade - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I run `` with sudo - # Local PPAs are prepared and served only when testing with local debs - And I prepare the local PPAs to upgrade from `` to `` - And I run `DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade --assume-yes` with sudo - # Some packages upgrade may require a reboot - And I reboot the machine - And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following - """ - [Sources] - AllowThirdParty=yes - """ - And I run `sed -i 's/Prompt=lts/Prompt=/' /etc/update-manager/release-upgrades` with sudo - And I run `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` and stdin `y\n` - And I reboot the machine - And I run `lsb_release -cs` as non-root - Then I will see the following on stdout: - """ - - """ - And I verify that running `egrep "|disabled" /etc/apt/sources.list.d/*` `as non-root` exits `2` - And I will see the following on stdout: - """ - """ - When I run `pro refresh` with sudo - And I run `pro status --all` with sudo - Then stdout matches regexp: - """ - +yes + - """ - Then stdout matches regexp: - """ - +yes + - """ - When I run `pro detach --assume-yes` with sudo - Then stdout matches regexp: - """ - This machine is now detached. - """ + @slow @upgrade + Scenario Outline: Attached upgrade + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `` with sudo + # Local PPAs are prepared and served only when testing with local debs + And I prepare the local PPAs to upgrade from `` to `` + And I run `DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade --assume-yes` with sudo + # Some packages upgrade may require a reboot + And I reboot the machine + And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following + """ + [Sources] + AllowThirdParty=yes + """ + And I run `sed -i 's/Prompt=lts/Prompt=/' /etc/update-manager/release-upgrades` with sudo + And I run `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` and stdin `y\n` + And I reboot the machine + And I run `lsb_release -cs` as non-root + Then I will see the following on stdout: + """ + + """ + And I verify that running `egrep "|disabled" /etc/apt/sources.list.d/*` `as non-root` exits `2` + And I will see the following on stdout: + """ + """ + When I run `pro refresh` with sudo + And I run `pro status --all` with sudo + Then stdout matches regexp: + """ + +yes + + """ + Then stdout matches regexp: + """ + +yes + + """ + When I run `pro detach --assume-yes` with sudo + Then stdout matches regexp: + """ + This machine is now detached. + """ - Examples: ubuntu release - | release | machine_type | next_release | prompt | devel_release | service1 | service1_status | service2 | service2_status | before_cmd | - | xenial | lxd-container | bionic | lts | | esm-infra | enabled | esm-apps | enabled | true | - | bionic | lxd-container | focal | lts | | esm-infra | enabled | esm-apps | enabled | true | - | bionic | lxd-container | focal | lts | | usg | enabled | usg | enabled | pro enable cis | - | focal | lxd-container | jammy | lts | | esm-infra | enabled | esm-apps | enabled | true | - | jammy | lxd-container | mantic | normal | | esm-infra | n/a | esm-apps | n/a | true | - | mantic | lxd-container | noble | normal | --devel-release | esm-infra | n/a | esm-apps | n/a | true | + Examples: ubuntu release + | release | machine_type | next_release | prompt | devel_release | service1 | service1_status | service2 | service2_status | before_cmd | + | xenial | lxd-container | bionic | lts | | esm-infra | enabled | esm-apps | enabled | true | + | bionic | lxd-container | focal | lts | | esm-infra | enabled | esm-apps | enabled | true | + | bionic | lxd-container | focal | lts | | usg | enabled | usg | enabled | pro enable cis | + | focal | lxd-container | jammy | lts | | esm-infra | enabled | esm-apps | enabled | true | + | jammy | lxd-container | mantic | normal | | esm-infra | n/a | esm-apps | n/a | true | + | mantic | lxd-container | noble | normal | --devel-release | esm-infra | n/a | esm-apps | n/a | true | - @slow - @upgrade - Scenario Outline: Attached FIPS upgrade across LTS releases - Given a `` `` machine with ubuntu-advantage-tools installed - When I attach `contract_token` with sudo - And I apt install `lsof` - And I run `pro disable livepatch` with sudo - And I run `pro enable --assume-yes` with sudo - Then stdout contains substring: - """ - Updating package lists - Installing packages - Updating standard Ubuntu package lists - enabled - A reboot is required to complete install. - """ - When I run `pro status --all` with sudo - Then I verify that `` is enabled - And I ensure apt update runs without errors - When I reboot the machine - And I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ - # Local PPAs are prepared and served only when testing with local debs - When I prepare the local PPAs to upgrade from `` to `` - And I run `DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y --allow-downgrades` with sudo - # A package may need a reboot after running dist-upgrade - And I reboot the machine - And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following - """ - [Sources] - AllowThirdParty=yes - """ - Then I verify that running `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` exits `0` - When I reboot the machine - And I run `lsb_release -cs` as non-root - Then I will see the following on stdout: - """ - - """ - When I verify that running `egrep "disabled" /etc/apt/sources.list.d/.list` `as non-root` exits `1` - Then I will see the following on stdout: - """ - """ - When I run `pro status --all` with sudo - Then I verify that `` is enabled - When I run `uname -r` as non-root - Then stdout matches regexp: - """ - fips - """ - When I run `cat /proc/sys/crypto/fips_enabled` with sudo - Then I will see the following on stdout: - """ - 1 - """ + @slow @upgrade + Scenario Outline: Attached FIPS upgrade across LTS releases + Given a `` `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I apt install `lsof` + And I run `pro disable livepatch` with sudo + And I run `pro enable --assume-yes` with sudo + Then stdout contains substring: + """ + Updating package lists + Installing packages + Updating standard Ubuntu package lists + enabled + A reboot is required to complete install. + """ + When I run `pro status --all` with sudo + Then I verify that `` is enabled + And I ensure apt update runs without errors + When I reboot the machine + And I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ + # Local PPAs are prepared and served only when testing with local debs + When I prepare the local PPAs to upgrade from `` to `` + And I run `DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y --allow-downgrades` with sudo + # A package may need a reboot after running dist-upgrade + And I reboot the machine + And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following + """ + [Sources] + AllowThirdParty=yes + """ + Then I verify that running `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` exits `0` + When I reboot the machine + And I run `lsb_release -cs` as non-root + Then I will see the following on stdout: + """ + + """ + When I verify that running `egrep "disabled" /etc/apt/sources.list.d/.list` `as non-root` exits `1` + Then I will see the following on stdout: + """ + """ + When I run `pro status --all` with sudo + Then I verify that `` is enabled + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + When I run `cat /proc/sys/crypto/fips_enabled` with sudo + Then I will see the following on stdout: + """ + 1 + """ - Examples: ubuntu release - | release | machine_type | next_release | fips-service | fips-name | source-file | - | xenial | lxd-vm | bionic | fips | FIPS | ubuntu-fips | - | xenial | lxd-vm | bionic | fips-updates | FIPS Updates | ubuntu-fips-updates | + Examples: ubuntu release + | release | machine_type | next_release | fips-service | fips-name | source-file | + | xenial | lxd-vm | bionic | fips | FIPS | ubuntu-fips | + | xenial | lxd-vm | bionic | fips-updates | FIPS Updates | ubuntu-fips-updates | diff --git a/features/ubuntu_upgrade_unattached.feature b/features/ubuntu_upgrade_unattached.feature index 39153e164a..2a8d4ba76a 100644 --- a/features/ubuntu_upgrade_unattached.feature +++ b/features/ubuntu_upgrade_unattached.feature @@ -1,65 +1,63 @@ Feature: Upgrade between releases when uaclient is unattached - @slow - @upgrade - @uses.config.contract_token - Scenario Outline: Unattached upgrade - Given a `` `` machine with ubuntu-advantage-tools installed - # Local PPAs are prepared and served only when testing with local debs - When I prepare the local PPAs to upgrade from `` to `` - And I apt update - And I run `sleep 30` as non-root - And I run shell command `cat /var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-infra.list || true` with sudo - Then if `` in `xenial` and stdout matches regexp: - """ - deb https://esm.ubuntu.com/infra/ubuntu -infra-security main - """ - And if `` in `xenial` and stdout matches regexp: - """ - deb https://esm.ubuntu.com/infra/ubuntu -infra-updates main - """ - When I apt dist-upgrade - # Some packages upgrade may require a reboot - And I reboot the machine - And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following - """ - [Sources] - AllowThirdParty=yes - """ - And I run `sed -i 's/Prompt=lts/Prompt=/' /etc/update-manager/release-upgrades` with sudo - And I run `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` and stdin `y\n` - And I reboot the machine - And I run `lsb_release -cs` as non-root - Then I will see the following on stdout: - """ - - """ - And I verify that running `egrep "|disabled" /etc/apt/sources.list.d/*` `as non-root` exits `2` - And I will see the following on stdout: - """ - """ - And I verify that the folder `/var/lib/ubuntu-advantage/apt-esm` does not exist - When I apt update - And I run shell command `cat /var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.list || true` with sudo - Then if `` not in `mantic or noble` and stdout matches regexp: - """ - deb https://esm.ubuntu.com/apps/ubuntu -apps-security main - """ - And if `` not in `mantic or noble` and stdout matches regexp: - """ - deb https://esm.ubuntu.com/apps/ubuntu -apps-updates main - """ - When I attach `contract_token` with sudo - And I run `pro status --all` with sudo - Then stdout matches regexp: - """ - esm-infra +yes + - """ + @slow @upgrade @uses.config.contract_token + Scenario Outline: Unattached upgrade + Given a `` `` machine with ubuntu-advantage-tools installed + # Local PPAs are prepared and served only when testing with local debs + When I prepare the local PPAs to upgrade from `` to `` + And I apt update + And I run `sleep 30` as non-root + And I run shell command `cat /var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-infra.list || true` with sudo + Then if `` in `xenial` and stdout matches regexp: + """ + deb https://esm.ubuntu.com/infra/ubuntu -infra-security main + """ + And if `` in `xenial` and stdout matches regexp: + """ + deb https://esm.ubuntu.com/infra/ubuntu -infra-updates main + """ + When I apt dist-upgrade + # Some packages upgrade may require a reboot + And I reboot the machine + And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following + """ + [Sources] + AllowThirdParty=yes + """ + And I run `sed -i 's/Prompt=lts/Prompt=/' /etc/update-manager/release-upgrades` with sudo + And I run `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` and stdin `y\n` + And I reboot the machine + And I run `lsb_release -cs` as non-root + Then I will see the following on stdout: + """ + + """ + And I verify that running `egrep "|disabled" /etc/apt/sources.list.d/*` `as non-root` exits `2` + And I will see the following on stdout: + """ + """ + And I verify that the folder `/var/lib/ubuntu-advantage/apt-esm` does not exist + When I apt update + And I run shell command `cat /var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.list || true` with sudo + Then if `` not in `mantic or noble` and stdout matches regexp: + """ + deb https://esm.ubuntu.com/apps/ubuntu -apps-security main + """ + And if `` not in `mantic or noble` and stdout matches regexp: + """ + deb https://esm.ubuntu.com/apps/ubuntu -apps-updates main + """ + When I attach `contract_token` with sudo + And I run `pro status --all` with sudo + Then stdout matches regexp: + """ + esm-infra +yes + + """ - Examples: ubuntu release - | release | machine_type | next_release | prompt | devel_release | service_status | - | xenial | lxd-container | bionic | lts | | enabled | - | bionic | lxd-container | focal | lts | | enabled | - | focal | lxd-container | jammy | lts | | enabled | - | jammy | lxd-container | mantic | normal | | n/a | - | mantic | lxd-container | noble | normal | --devel-release | n/a | + Examples: ubuntu release + | release | machine_type | next_release | prompt | devel_release | service_status | + | xenial | lxd-container | bionic | lts | | enabled | + | bionic | lxd-container | focal | lts | | enabled | + | focal | lxd-container | jammy | lts | | enabled | + | jammy | lxd-container | mantic | normal | | n/a | + | mantic | lxd-container | noble | normal | --devel-release | n/a | diff --git a/features/unattached_commands.feature b/features/unattached_commands.feature index ec0afa56ae..b9dd6d6a09 100644 --- a/features/unattached_commands.feature +++ b/features/unattached_commands.feature @@ -1,524 +1,523 @@ Feature: Command behaviour when unattached - Scenario Outline: Unattached auto-attach does nothing in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - # Validate systemd unit/timer syntax - When I run `systemd-analyze verify /lib/systemd/system/ua-timer.timer` with sudo - Then stderr does not match regexp: - """ - .*\/lib\/systemd/system\/ua.* - """ - When I verify that running `pro auto-attach` `as non-root` exits `1` - Then stderr matches regexp: - """ - This command must be run as root \(try using sudo\). - """ - When I run `pro auto-attach` with sudo - Then stderr matches regexp: - """ - Auto-attach image support is not available on lxd - See: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/explanations/what_are_ubuntu_pro_cloud_instances.html - """ + Scenario Outline: Unattached auto-attach does nothing in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + # Validate systemd unit/timer syntax + When I run `systemd-analyze verify /lib/systemd/system/ua-timer.timer` with sudo + Then stderr does not match regexp: + """ + .*\/lib\/systemd/system\/ua.* + """ + When I verify that running `pro auto-attach` `as non-root` exits `1` + Then stderr matches regexp: + """ + This command must be run as root \(try using sudo\). + """ + When I run `pro auto-attach` with sudo + Then stderr matches regexp: + """ + Auto-attach image support is not available on lxd + See: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/explanations/what_are_ubuntu_pro_cloud_instances.html + """ - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Scenario Outline: Unattached commands that requires enabled user in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro ` `as non-root` exits `1` - Then I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro ` `with sudo` exits `1` - Then stderr matches regexp: - """ - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ + Scenario Outline: Unattached commands that requires enabled user in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro ` `as non-root` exits `1` + Then I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro ` `with sudo` exits `1` + Then stderr matches regexp: + """ + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ - Examples: pro commands - | release | machine_type | command | - | bionic | lxd-container | detach | - | bionic | lxd-container | refresh | - | bionic | wsl | detach | - | bionic | wsl | refresh | - | focal | lxd-container | detach | - | focal | lxd-container | refresh | - | focal | wsl | detach | - | focal | wsl | refresh | - | xenial | lxd-container | detach | - | xenial | lxd-container | refresh | - | jammy | lxd-container | detach | - | jammy | lxd-container | refresh | - | jammy | wsl | detach | - | jammy | wsl | refresh | - | mantic | lxd-container | detach | - | mantic | lxd-container | refresh | + Examples: pro commands + | release | machine_type | command | + | bionic | lxd-container | detach | + | bionic | lxd-container | refresh | + | bionic | wsl | detach | + | bionic | wsl | refresh | + | focal | lxd-container | detach | + | focal | lxd-container | refresh | + | focal | wsl | detach | + | focal | wsl | refresh | + | xenial | lxd-container | detach | + | xenial | lxd-container | refresh | + | jammy | lxd-container | detach | + | jammy | lxd-container | refresh | + | jammy | wsl | detach | + | jammy | wsl | refresh | + | mantic | lxd-container | detach | + | mantic | lxd-container | refresh | - Scenario Outline: Help command on an unattached machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro help esm-infra` as non-root - Then I will see the following on stdout: - """ - Name: - esm-infra + Scenario Outline: Help command on an unattached machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro help esm-infra` as non-root + Then I will see the following on stdout: + """ + Name: + esm-infra - Available: - + Available: + - Help: - Expanded Security Maintenance for Infrastructure provides access to a private - PPA which includes available high and critical CVE fixes for Ubuntu LTS - packages in the Ubuntu Main repository between the end of the standard Ubuntu - LTS security maintenance and its end of life. It is enabled by default with - Ubuntu Pro. You can find out more about the service at - https://ubuntu.com/security/esm - """ - When I run `pro help esm-infra --format json` with sudo - Then I will see the following on stdout: - """ - {"name": "esm-infra", "available": "", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} - """ - When I verify that running `pro help invalid-service` `with sudo` exits `1` - Then I will see the following on stderr: - """ - No help available for 'invalid-service' - """ - When I verify that running `pro --wrong-flag` `with sudo` exits `2` - Then I will see the following on stderr: - """ - usage: pro [flags] - Try 'pro --help' for more information. - """ + Help: + Expanded Security Maintenance for Infrastructure provides access to a private + PPA which includes available high and critical CVE fixes for Ubuntu LTS + packages in the Ubuntu Main repository between the end of the standard Ubuntu + LTS security maintenance and its end of life. It is enabled by default with + Ubuntu Pro. You can find out more about the service at + https://ubuntu.com/security/esm + """ + When I run `pro help esm-infra --format json` with sudo + Then I will see the following on stdout: + """ + {"name": "esm-infra", "available": "", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} + """ + When I verify that running `pro help invalid-service` `with sudo` exits `1` + Then I will see the following on stderr: + """ + No help available for 'invalid-service' + """ + When I verify that running `pro --wrong-flag` `with sudo` exits `2` + Then I will see the following on stderr: + """ + usage: pro [flags] + Try 'pro --help' for more information. + """ - Examples: ubuntu release - | release | machine_type | infra-available | - | xenial | lxd-container | yes | - | bionic | lxd-container | yes | - | bionic | wsl | yes | - | focal | lxd-container | yes | - | focal | wsl | yes | - | jammy | lxd-container | yes | - | jammy | wsl | yes | - | mantic | lxd-container | no | + Examples: ubuntu release + | release | machine_type | infra-available | + | xenial | lxd-container | yes | + | bionic | lxd-container | yes | + | bionic | wsl | yes | + | focal | lxd-container | yes | + | focal | wsl | yes | + | jammy | lxd-container | yes | + | jammy | wsl | yes | + | mantic | lxd-container | no | - Scenario Outline: Unattached enable/disable fails in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify that running `pro esm-infra` `as non-root` exits `1` - Then I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro esm-infra` `with sudo` exits `1` - Then I will see the following on stderr: - """ - To use 'esm-infra' you need an Ubuntu Pro subscription - Personal and community subscriptions are available at no charge - See https://ubuntu.com/pro - """ - When I verify that running `pro esm-infra --format json --assume-yes` `with sudo` exits `1` - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"valid_service": "esm-infra"}, "message": "To use 'esm-infra' you need an Ubuntu Pro subscription\nPersonal and community subscriptions are available at no charge\nSee https://ubuntu.com/pro", "message_code": "valid-service-failure-unattached", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - When I verify that running `pro unknown` `as non-root` exits `1` - Then I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro unknown` `with sudo` exits `1` - Then I will see the following on stderr: - """ - Cannot unknown service 'unknown'. - """ - When I verify that running `pro unknown --format json --assume-yes` `with sudo` exits `1` - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "unknown", "operation": "", "service_msg": ""}, "message": "Cannot unknown service 'unknown'.\n", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ - When I verify that running `pro esm-infra unknown` `as non-root` exits `1` - Then I will see the following on stderr: - """ - This command must be run as root (try using sudo). - """ - When I verify that running `pro esm-infra unknown` `with sudo` exits `1` - Then I will see the following on stderr: - """ - Cannot unknown service 'unknown'. + Scenario Outline: Unattached enable/disable fails in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify that running `pro esm-infra` `as non-root` exits `1` + Then I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro esm-infra` `with sudo` exits `1` + Then I will see the following on stderr: + """ + To use 'esm-infra' you need an Ubuntu Pro subscription + Personal and community subscriptions are available at no charge + See https://ubuntu.com/pro + """ + When I verify that running `pro esm-infra --format json --assume-yes` `with sudo` exits `1` + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"valid_service": "esm-infra"}, "message": "To use 'esm-infra' you need an Ubuntu Pro subscription\nPersonal and community subscriptions are available at no charge\nSee https://ubuntu.com/pro", "message_code": "valid-service-failure-unattached", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + When I verify that running `pro unknown` `as non-root` exits `1` + Then I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro unknown` `with sudo` exits `1` + Then I will see the following on stderr: + """ + Cannot unknown service 'unknown'. + """ + When I verify that running `pro unknown --format json --assume-yes` `with sudo` exits `1` + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "unknown", "operation": "", "service_msg": ""}, "message": "Cannot unknown service 'unknown'.\n", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ + When I verify that running `pro esm-infra unknown` `as non-root` exits `1` + Then I will see the following on stderr: + """ + This command must be run as root (try using sudo). + """ + When I verify that running `pro esm-infra unknown` `with sudo` exits `1` + Then I will see the following on stderr: + """ + Cannot unknown service 'unknown'. - To use 'esm-infra' you need an Ubuntu Pro subscription - Personal and community subscriptions are available at no charge - See https://ubuntu.com/pro - """ - When I verify that running `pro esm-infra unknown --format json --assume-yes` `with sudo` exits `1` - Then stdout is a json matching the `ua_operation` schema - And I will see the following on stdout: - """ - {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "unknown", "operation": "", "service_msg": "", "valid_service": "esm-infra"}, "message": "Cannot unknown service 'unknown'.\n\nTo use 'esm-infra' you need an Ubuntu Pro subscription\nPersonal and community subscriptions are available at no charge\nSee https://ubuntu.com/pro", "message_code": "mixed-services-failure-unattached", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} - """ + To use 'esm-infra' you need an Ubuntu Pro subscription + Personal and community subscriptions are available at no charge + See https://ubuntu.com/pro + """ + When I verify that running `pro esm-infra unknown --format json --assume-yes` `with sudo` exits `1` + Then stdout is a json matching the `ua_operation` schema + And I will see the following on stdout: + """ + {"_schema_version": "0.1", "errors": [{"additional_info": {"invalid_service": "unknown", "operation": "", "service_msg": "", "valid_service": "esm-infra"}, "message": "Cannot unknown service 'unknown'.\n\nTo use 'esm-infra' you need an Ubuntu Pro subscription\nPersonal and community subscriptions are available at no charge\nSee https://ubuntu.com/pro", "message_code": "mixed-services-failure-unattached", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []} + """ - Examples: ubuntu release - | release | machine_type | command | - | xenial | lxd-container | enable | - | xenial | lxd-container | disable | - | bionic | lxd-container | enable | - | bionic | lxd-container | disable | - | bionic | wsl | enable | - | bionic | wsl | disable | - | focal | lxd-container | enable | - | focal | lxd-container | disable | - | focal | wsl | enable | - | focal | wsl | disable | - | jammy | lxd-container | enable | - | jammy | lxd-container | disable | - | jammy | wsl | enable | - | jammy | wsl | disable | - | mantic | lxd-container | enable | - | mantic | lxd-container | disable | + Examples: ubuntu release + | release | machine_type | command | + | xenial | lxd-container | enable | + | xenial | lxd-container | disable | + | bionic | lxd-container | enable | + | bionic | lxd-container | disable | + | bionic | wsl | enable | + | bionic | wsl | disable | + | focal | lxd-container | enable | + | focal | lxd-container | disable | + | focal | wsl | enable | + | focal | wsl | disable | + | jammy | lxd-container | enable | + | jammy | lxd-container | disable | + | jammy | wsl | enable | + | jammy | wsl | disable | + | mantic | lxd-container | enable | + | mantic | lxd-container | disable | - Scenario Outline: Check for newer versions of the client in an ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - # Make sure we have a fresh, just rebooted, environment - When I reboot the machine - Then I verify that no files exist matching `/run/ubuntu-advantage/candidate-version` - When I run `pro status` with sudo - Then stderr does not match regexp: - """ - .*\[info\].* A new version is available: 2:99.9.9 - Please run: - sudo apt install ubuntu-advantage-tools - to get the latest bug fixes and new features. - """ - And I verify that files exist matching `/run/ubuntu-advantage/candidate-version` - # We forge a candidate to see results - When I delete the file `/run/ubuntu-advantage/candidate-version` - And I create the file `/run/ubuntu-advantage/candidate-version` with the following - """ - 2:99.9.9 - """ - And I run `pro status` as non-root - Then stderr matches regexp: - """ - .*\[info\].* A new version is available: 2:99.9.9 - Please run: - sudo apt install ubuntu-advantage-tools - to get the latest bug fixes and new features. - """ - When I run `pro status --format json` as non-root - Then stderr does not match regexp: - """ - .*\[info\].* A new version is available: 2:99.9.9 - Please run: - sudo apt install ubuntu-advantage-tools - to get the latest bug fixes and new features. - """ - When I run `pro config show` as non-root - Then stderr matches regexp: - """ - .*\[info\].* A new version is available: 2:99.9.9 - Please run: - sudo apt install ubuntu-advantage-tools - to get the latest bug fixes and new features. - """ - When I run `pro api u.pro.version.v1` as non-root - Then stdout matches regexp - """ - \"code\": \"new-version-available\" - """ - When I verify that running `pro api u.pro.version.inexistent` `as non-root` exits `1` - Then stdout matches regexp - """ - \"code\": \"new-version-available\" - """ - When I run `pro api u.pro.version.v1` as non-root - Then stderr does not match regexp: - """ - .*\[info\].* A new version is available: 2:99.9.9 - Please run: - sudo apt install ubuntu-advantage-tools - to get the latest bug fixes and new features. - """ - When I apt update - # The update will bring a new candidate, which is the current installed version - And I run `pro status` as non-root - Then stderr does not match regexp: - """ - .*\[info\].* A new version is available: 2:99.9.9 - Please run: - sudo apt install ubuntu-advantage-tools - to get the latest bug fixes and new features. - """ + Scenario Outline: Check for newer versions of the client in an ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + # Make sure we have a fresh, just rebooted, environment + When I reboot the machine + Then I verify that no files exist matching `/run/ubuntu-advantage/candidate-version` + When I run `pro status` with sudo + Then stderr does not match regexp: + """ + .*\[info\].* A new version is available: 2:99.9.9 + Please run: + sudo apt install ubuntu-advantage-tools + to get the latest bug fixes and new features. + """ + And I verify that files exist matching `/run/ubuntu-advantage/candidate-version` + # We forge a candidate to see results + When I delete the file `/run/ubuntu-advantage/candidate-version` + And I create the file `/run/ubuntu-advantage/candidate-version` with the following + """ + 2:99.9.9 + """ + And I run `pro status` as non-root + Then stderr matches regexp: + """ + .*\[info\].* A new version is available: 2:99.9.9 + Please run: + sudo apt install ubuntu-advantage-tools + to get the latest bug fixes and new features. + """ + When I run `pro status --format json` as non-root + Then stderr does not match regexp: + """ + .*\[info\].* A new version is available: 2:99.9.9 + Please run: + sudo apt install ubuntu-advantage-tools + to get the latest bug fixes and new features. + """ + When I run `pro config show` as non-root + Then stderr matches regexp: + """ + .*\[info\].* A new version is available: 2:99.9.9 + Please run: + sudo apt install ubuntu-advantage-tools + to get the latest bug fixes and new features. + """ + When I run `pro api u.pro.version.v1` as non-root + Then stdout matches regexp + """ + \"code\": \"new-version-available\" + """ + When I verify that running `pro api u.pro.version.inexistent` `as non-root` exits `1` + Then stdout matches regexp + """ + \"code\": \"new-version-available\" + """ + When I run `pro api u.pro.version.v1` as non-root + Then stderr does not match regexp: + """ + .*\[info\].* A new version is available: 2:99.9.9 + Please run: + sudo apt install ubuntu-advantage-tools + to get the latest bug fixes and new features. + """ + When I apt update + # The update will bring a new candidate, which is the current installed version + And I run `pro status` as non-root + Then stderr does not match regexp: + """ + .*\[info\].* A new version is available: 2:99.9.9 + Please run: + sudo apt install ubuntu-advantage-tools + to get the latest bug fixes and new features. + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - # Side effect: this verifies that `ua` still works as a command - Scenario Outline: Verify autocomplete options - Given a `` `` machine with ubuntu-advantage-tools installed - When I prepare the autocomplete test - And I press tab twice to autocomplete the `ua` command - Then stdout matches regexp: - """ - --debug +auto-attach +enable +status\r - --help +collect-logs +fix +system\r - --version +config +help +version\r - api +detach +refresh +\r - attach +disable +security-status - """ - When I press tab twice to autocomplete the `pro` command - Then stdout matches regexp: - """ - --debug +auto-attach +enable +status\r - --help +collect-logs +fix +system\r - --version +config +help +version\r - api +detach +refresh +\r - attach +disable +security-status - """ - When I press tab twice to autocomplete the `ua enable` command - Then stdout matches regexp: - """ - anbox-cloud +esm-infra +livepatch +usg\s* - cc-eal +fips +realtime-kernel\s* - cis +fips-updates +ros\s* - esm-apps +landscape +ros-updates\s* - """ - When I press tab twice to autocomplete the `pro enable` command - Then stdout matches regexp: - """ - anbox-cloud +esm-infra +livepatch +usg\s* - cc-eal +fips +realtime-kernel\s* - cis +fips-updates +ros\s* - esm-apps +landscape +ros-updates\s* - """ - When I press tab twice to autocomplete the `ua disable` command - Then stdout matches regexp: - """ - anbox-cloud +esm-infra +livepatch +usg\s* - cc-eal +fips +realtime-kernel\s* - cis +fips-updates +ros\s* - esm-apps +landscape +ros-updates\s* - """ - When I press tab twice to autocomplete the `pro disable` command - Then stdout matches regexp: - """ - anbox-cloud +esm-infra +livepatch +usg\s* - cc-eal +fips +realtime-kernel\s* - cis +fips-updates +ros\s* - esm-apps +landscape +ros-updates\s* - """ + # Side effect: this verifies that `ua` still works as a command + Scenario Outline: Verify autocomplete options + Given a `` `` machine with ubuntu-advantage-tools installed + When I prepare the autocomplete test + And I press tab twice to autocomplete the `ua` command + Then stdout matches regexp: + """ + --debug +auto-attach +enable +status\r + --help +collect-logs +fix +system\r + --version +config +help +version\r + api +detach +refresh +\r + attach +disable +security-status + """ + When I press tab twice to autocomplete the `pro` command + Then stdout matches regexp: + """ + --debug +auto-attach +enable +status\r + --help +collect-logs +fix +system\r + --version +config +help +version\r + api +detach +refresh +\r + attach +disable +security-status + """ + When I press tab twice to autocomplete the `ua enable` command + Then stdout matches regexp: + """ + anbox-cloud +esm-infra +livepatch +usg\s* + cc-eal +fips +realtime-kernel\s* + cis +fips-updates +ros\s* + esm-apps +landscape +ros-updates\s* + """ + When I press tab twice to autocomplete the `pro enable` command + Then stdout matches regexp: + """ + anbox-cloud +esm-infra +livepatch +usg\s* + cc-eal +fips +realtime-kernel\s* + cis +fips-updates +ros\s* + esm-apps +landscape +ros-updates\s* + """ + When I press tab twice to autocomplete the `ua disable` command + Then stdout matches regexp: + """ + anbox-cloud +esm-infra +livepatch +usg\s* + cc-eal +fips +realtime-kernel\s* + cis +fips-updates +ros\s* + esm-apps +landscape +ros-updates\s* + """ + When I press tab twice to autocomplete the `pro disable` command + Then stdout matches regexp: + """ + anbox-cloud +esm-infra +livepatch +usg\s* + cc-eal +fips +realtime-kernel\s* + cis +fips-updates +ros\s* + esm-apps +landscape +ros-updates\s* + """ - Examples: ubuntu release - | release | machine_type | - # | xenial | lxd-container | Can't rely on Xenial because of bash sorting things weirdly - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + # | xenial | lxd-container | Can't rely on Xenial because of bash sorting things weirdly + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | - Scenario Outline: esm cache failures don't generate errors - Given a `` `` machine with ubuntu-advantage-tools installed - When I disable access to esm.ubuntu.com - And I apt update - # Wait for the hook to fail - When I wait `5` seconds - And I run `systemctl --failed` with sudo - Then stdout does not match regexp: - """ - esm-cache\.service - """ - When I run `journalctl -o cat -u esm-cache.service` with sudo - Then stdout does not match regexp: - """ - raise FetchFailedException\(\) - """ - When I run `ls /var/crash/` with sudo - Then stdout does not match regexp: - """ - _usr_lib_ubuntu-advantage_esm_cache - """ - When I run `cat /var/log/ubuntu-advantage.log` with sudo - Then stdout matches regexp: - """ - Failed to fetch ESM Apt Cache item: - """ + Scenario Outline: esm cache failures don't generate errors + Given a `` `` machine with ubuntu-advantage-tools installed + When I disable access to esm.ubuntu.com + And I apt update + # Wait for the hook to fail + When I wait `5` seconds + And I run `systemctl --failed` with sudo + Then stdout does not match regexp: + """ + esm-cache\.service + """ + When I run `journalctl -o cat -u esm-cache.service` with sudo + Then stdout does not match regexp: + """ + raise FetchFailedException\(\) + """ + When I run `ls /var/crash/` with sudo + Then stdout does not match regexp: + """ + _usr_lib_ubuntu-advantage_esm_cache + """ + When I run `cat /var/log/ubuntu-advantage.log` with sudo + Then stdout matches regexp: + """ + Failed to fetch ESM Apt Cache item: + """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | - # Services fail, degraded systemctl, but no crashes. - Scenario Outline: services fail gracefully when yaml is broken/absent - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `rm -rf /usr/lib/python3/dist-packages/yaml` with sudo - And I verify that running `pro status` `with sudo` exits `1` - Then stderr matches regexp: - """ - Couldn't import the YAML module. - Make sure the 'python3-yaml' package is installed correctly - and \/usr\/lib\/python3\/dist-packages is in your PYTHONPATH\. - """ - When I verify that running `python3 /usr/lib/ubuntu-advantage/esm_cache.py` `with sudo` exits `1` - Then stderr matches regexp: - """ - Couldn't import the YAML module. - Make sure the 'python3-yaml' package is installed correctly - and \/usr\/lib\/python3\/dist-packages is in your PYTHONPATH\. - """ - When I verify that running `systemctl start apt-news.service` `with sudo` exits `1` - And I verify that running `systemctl start esm-cache.service` `with sudo` exits `1` - And I run `systemctl --failed` with sudo - Then stdout matches regexp: - """ - apt-news.service - """ - And stdout matches regexp: - """ - esm-cache.service - """ - When I apt install `python3-pip` - And I run `pip3 install pyyaml==3.10 ` with sudo - And I run `ls /usr/local/lib//dist-packages/` with sudo - Then stdout matches regexp: - """ - yaml - """ - And I verify that running `pro status` `with sudo` exits `1` - Then stderr matches regexp: - """ - Error while trying to parse a yaml file using 'yaml' from - """ - # Test the specific script which triggered LP #2007241 - When I verify that running `python3 /usr/lib/ubuntu-advantage/esm_cache.py` `with sudo` exits `1` - Then stderr matches regexp: - """ - Error while trying to parse a yaml file using 'yaml' from - """ - When I verify that running `systemctl start apt-news.service` `with sudo` exits `1` - And I verify that running `systemctl start esm-cache.service` `with sudo` exits `1` - And I run `systemctl --failed` with sudo - Then stdout matches regexp: - """ - apt-news.service - """ - And stdout matches regexp: - """ - esm-cache.service - """ - When I run `ls /var/crash` with sudo - Then I will see the following on stdout - """ - """ + # Services fail, degraded systemctl, but no crashes. + Scenario Outline: services fail gracefully when yaml is broken/absent + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `rm -rf /usr/lib/python3/dist-packages/yaml` with sudo + And I verify that running `pro status` `with sudo` exits `1` + Then stderr matches regexp: + """ + Couldn't import the YAML module. + Make sure the 'python3-yaml' package is installed correctly + and \/usr\/lib\/python3\/dist-packages is in your PYTHONPATH\. + """ + When I verify that running `python3 /usr/lib/ubuntu-advantage/esm_cache.py` `with sudo` exits `1` + Then stderr matches regexp: + """ + Couldn't import the YAML module. + Make sure the 'python3-yaml' package is installed correctly + and \/usr\/lib\/python3\/dist-packages is in your PYTHONPATH\. + """ + When I verify that running `systemctl start apt-news.service` `with sudo` exits `1` + And I verify that running `systemctl start esm-cache.service` `with sudo` exits `1` + And I run `systemctl --failed` with sudo + Then stdout matches regexp: + """ + apt-news.service + """ + And stdout matches regexp: + """ + esm-cache.service + """ + When I apt install `python3-pip` + And I run `pip3 install pyyaml==3.10 ` with sudo + And I run `ls /usr/local/lib//dist-packages/` with sudo + Then stdout matches regexp: + """ + yaml + """ + And I verify that running `pro status` `with sudo` exits `1` + Then stderr matches regexp: + """ + Error while trying to parse a yaml file using 'yaml' from + """ + # Test the specific script which triggered LP #2007241 + When I verify that running `python3 /usr/lib/ubuntu-advantage/esm_cache.py` `with sudo` exits `1` + Then stderr matches regexp: + """ + Error while trying to parse a yaml file using 'yaml' from + """ + When I verify that running `systemctl start apt-news.service` `with sudo` exits `1` + And I verify that running `systemctl start esm-cache.service` `with sudo` exits `1` + And I run `systemctl --failed` with sudo + Then stdout matches regexp: + """ + apt-news.service + """ + And stdout matches regexp: + """ + esm-cache.service + """ + When I run `ls /var/crash` with sudo + Then I will see the following on stdout + """ + """ - Examples: ubuntu release - | release | machine_type | python_version | suffix | - | jammy | lxd-container | python3.10 | | - # mantic+ has a BIG error message explaining why this is a clear user error... - | mantic | lxd-container | python3.11 | --break-system-packages | + Examples: ubuntu release + | release | machine_type | python_version | suffix | + | jammy | lxd-container | python3.10 | | + # mantic+ has a BIG error message explaining why this is a clear user error... + | mantic | lxd-container | python3.11 | --break-system-packages | + Scenario Outline: Warn users not to redirect/pipe human readable output + Given a `` `` machine with ubuntu-advantage-tools installed + When I run shell command `pro version | cat` as non-root + Then I will see the following on stderr + """ + """ + When I run shell command `pro version > version_out` as non-root + Then I will see the following on stderr + """ + """ + When I run shell command `pro status | cat` as non-root + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro status --format json`. + """ + When I run shell command `pro status | cat` with sudo + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro status --format json`. + """ + When I run shell command `pro status > status_out` as non-root + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro status --format json`. + """ + When I run shell command `pro status > status_out` with sudo + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro status --format json`. + """ + When I run shell command `pro status --format tabular | cat` as non-root + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro status --format json`. + """ + When I run shell command `pro status --format tabular > status_out` as non-root + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro status --format json`. + """ + When I run shell command `pro status --format json | cat` as non-root + Then I will see the following on stderr + """ + """ + When I run shell command `pro status --format json > status_out` as non-root + Then I will see the following on stderr + """ + """ + When I run shell command `pro security-status | cat` as non-root + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro security-status --format json`. + """ + When I run shell command `pro security-status > status_out` as non-root + Then I will see the following on stderr + """ + WARNING: this output is intended to be human readable, and subject to change. + In scripts, prefer using machine readable data from the `pro api` command, + or use `pro security-status --format json`. + """ + When I run shell command `pro security-status --format json | cat` as non-root + Then I will see the following on stderr + """ + """ + When I run shell command `pro security-status --format json > status_out` as non-root + Then I will see the following on stderr + """ + """ - Scenario Outline: Warn users not to redirect/pipe human readable output - Given a `` `` machine with ubuntu-advantage-tools installed - When I run shell command `pro version | cat` as non-root - Then I will see the following on stderr - """ - """ - When I run shell command `pro version > version_out` as non-root - Then I will see the following on stderr - """ - """ - When I run shell command `pro status | cat` as non-root - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro status --format json`. - """ - When I run shell command `pro status | cat` with sudo - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro status --format json`. - """ - When I run shell command `pro status > status_out` as non-root - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro status --format json`. - """ - When I run shell command `pro status > status_out` with sudo - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro status --format json`. - """ - When I run shell command `pro status --format tabular | cat` as non-root - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro status --format json`. - """ - When I run shell command `pro status --format tabular > status_out` as non-root - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro status --format json`. - """ - When I run shell command `pro status --format json | cat` as non-root - Then I will see the following on stderr - """ - """ - When I run shell command `pro status --format json > status_out` as non-root - Then I will see the following on stderr - """ - """ - When I run shell command `pro security-status | cat` as non-root - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro security-status --format json`. - """ - When I run shell command `pro security-status > status_out` as non-root - Then I will see the following on stderr - """ - WARNING: this output is intended to be human readable, and subject to change. - In scripts, prefer using machine readable data from the `pro api` command, - or use `pro security-status --format json`. - """ - When I run shell command `pro security-status --format json | cat` as non-root - Then I will see the following on stderr - """ - """ - When I run shell command `pro security-status --format json > status_out` as non-root - Then I will see the following on stderr - """ - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | diff --git a/features/unattached_status.feature b/features/unattached_status.feature index 7d5e6ee439..f9f1d2a655 100644 --- a/features/unattached_status.feature +++ b/features/unattached_status.feature @@ -1,624 +1,625 @@ Feature: Unattached status - Scenario Outline: Unattached status in a ubuntu machine - formatted - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `pro status --format json` as non-root - Then stdout is a json matching the `ua_status` schema - When I run `pro status --format yaml` as non-root - Then stdout is a yaml matching the `ua_status` schema - When I run `sed -i 's/contracts.can/invalidurl.notcan/' /etc/ubuntu-advantage/uaclient.conf` with sudo - And I verify that running `pro status --format json` `as non-root` exits `1` - Then stdout is a json matching the `ua_status` schema - And stdout matches regexp: - """ - {"environment_vars": \[\], "errors": \[{"message": "Failed to connect to .*\\n\[Errno -2\] Name or service not known\\n", "message_code": "connectivity-error", "service": null, "type": "system"}\], "result": "failure", "services": \[\], "warnings": \[\]} - """ - And I verify that running `pro status --format yaml` `as non-root` exits `1` - Then stdout is a yaml matching the `ua_status` schema - And stdout matches regexp: - """ - environment_vars: \[\] - errors: - - message: 'Failed to connect to https://invalidurl.notcanonical.com/v1/resources(.*) - - \[Errno -2\] Name or service not known - - ' - message_code: connectivity-error - service: null - type: system - result: failure - services: \[\] - warnings: \[\] - """ - - Examples: ubuntu release - | release | machine_type | - | bionic | lxd-container | - | focal | lxd-container | - | xenial | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | - - Scenario Outline: Unattached status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - (anbox-cloud +(yes|no) +.*)? - ?cc-eal +yes +Common Criteria EAL2 Provisioning Packages - cis +yes +Security compliance and audit tools - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +yes +NIST-certified FIPS crypto packages - fips-updates +yes +FIPS compliant crypto packages with stable security updates - livepatch +yes +(Canonical Livepatch service|Current kernel is not supported) - ros +yes +Security Updates for the Robot Operating System - ros-updates +yes +All Updates for the Robot Operating System - - For a list of all Ubuntu Pro services, run 'pro status --all' - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +(yes|no) +.* - cc-eal +yes +Common Criteria EAL2 Provisioning Packages - cis +yes +Security compliance and audit tools - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +yes +NIST-certified FIPS crypto packages - fips-preview +no +.* - fips-updates +yes +FIPS compliant crypto packages with stable security updates - landscape +no +Management and administration tool for Ubuntu - livepatch +yes +(Canonical Livepatch service|Current kernel is not supported) - realtime-kernel +no +Ubuntu kernel with PREEMPT_RT patches integrated - ros +yes +Security Updates for the Robot Operating System - ros-updates +yes +All Updates for the Robot Operating System - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - When I append the following on uaclient config: - """ - features: - allow_beta: true - """ - And I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - (anbox-cloud +(yes|no) +.*)? - ?cc-eal +yes +Common Criteria EAL2 Provisioning Packages - cis +yes +Security compliance and audit tools - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +yes +NIST-certified FIPS crypto packages - fips-updates +yes +FIPS compliant crypto packages with stable security updates - livepatch +yes +(Canonical Livepatch service|Current kernel is not supported) - ros +yes +Security Updates for the Robot Operating System - ros-updates +yes +All Updates for the Robot Operating System - - FEATURES - allow_beta: True - - For a list of all Ubuntu Pro services, run 'pro status --all' - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - - Scenario Outline: Unattached status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify root and non-root `pro status` calls have the same output - When I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +yes +NIST-certified FIPS crypto packages - fips-updates +yes +FIPS compliant crypto packages with stable security updates - livepatch +yes +Canonical Livepatch service - ros +yes +Security Updates for the Robot Operating System - usg +yes +Security compliance and audit tools - - For a list of all Ubuntu Pro services, run 'pro status --all' - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +yes +.* - cc-eal +no +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +yes +NIST-certified FIPS crypto packages - fips-preview +no +.* - fips-updates +yes +FIPS compliant crypto packages with stable security updates - landscape +no +Management and administration tool for Ubuntu - livepatch +yes +Canonical Livepatch service - realtime-kernel +no +Ubuntu kernel with PREEMPT_RT patches integrated - ros +yes +Security Updates for the Robot Operating System - ros-updates +no +All Updates for the Robot Operating System - usg +yes +Security compliance and audit tools - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - When I append the following on uaclient config: - """ - features: - allow_beta: true - """ - When I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +yes +NIST-certified FIPS crypto packages - fips-updates +yes +FIPS compliant crypto packages with stable security updates - livepatch +yes +Canonical Livepatch service - ros +yes +Security Updates for the Robot Operating System - usg +yes +Security compliance and audit tools - - FEATURES - allow_beta: True - - For a list of all Ubuntu Pro services, run 'pro status --all' - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | - - Scenario Outline: Unattached status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips-preview +yes +.* - fips-updates +yes +FIPS compliant crypto packages with stable security updates - livepatch +yes +Canonical Livepatch service - realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated - usg +yes +Security compliance and audit tools - - For a list of all Ubuntu Pro services, run 'pro status --all' - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - When I verify root and non-root `pro status --all` calls have the same output - And I run `pro status --all` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +yes +.* - cc-eal +no +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips +no +NIST-certified FIPS crypto packages - fips-preview +yes +.* - fips-updates +yes +FIPS compliant crypto packages with stable security updates - landscape +no +Management and administration tool for Ubuntu - livepatch +yes +Canonical Livepatch service - realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated - ros +no +Security Updates for the Robot Operating System - ros-updates +no +All Updates for the Robot Operating System - usg +yes +Security compliance and audit tools - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - When I append the following on uaclient config: - """ - features: - allow_beta: true - """ - When I verify root and non-root `pro status` calls have the same output - And I run `pro status` as non-root - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +Expanded Security Maintenance for Applications - esm-infra +yes +Expanded Security Maintenance for Infrastructure - fips-preview +yes +.* - fips-updates +yes +FIPS compliant crypto packages with stable security updates - livepatch +yes +Canonical Livepatch service - realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated - usg +yes +Security compliance and audit tools - - FEATURES - allow_beta: True - - For a list of all Ubuntu Pro services, run 'pro status --all' - - This machine is not attached to an Ubuntu Pro subscription. - See https://ubuntu.com/pro - """ - - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | - - @uses.config.contract_token - Scenario Outline: Simulate status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I do a preflight check for `contract_token` without the all flag - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - (anbox-cloud +yes +.*)? - ?cc-eal +yes +yes +no +Common Criteria EAL2 Provisioning Packages - cis +yes +yes +no +Security compliance and audit tools - esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - livepatch +yes +yes +yes +Canonical Livepatch service - """ - When I do a preflight check for `contract_token` with the all flag - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +(yes|no) +.* - cc-eal +yes +yes +no +Common Criteria EAL2 Provisioning Packages - cis +yes +yes +no +Security compliance and audit tools - esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-preview +.* +.* +.* - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - landscape +no +yes +no +Management and administration tool for Ubuntu - livepatch +yes +yes +yes +Canonical Livepatch service - realtime-kernel +no +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated - ros +yes +yes +no +Security Updates for the Robot Operating System - ros-updates +yes +yes +no +All Updates for the Robot Operating System - """ - When I do a preflight check for `contract_token` formatted as json - Then stdout is a json matching the `ua_status` schema - When I do a preflight check for `contract_token` formatted as yaml - Then stdout is a yaml matching the `ua_status` schema - When I verify that a preflight check for `invalid_token` formatted as json exits 1 - Then stdout is a json matching the `ua_status` schema - And I will see the following on stdout: - """ - {"environment_vars": [], "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "result": "failure", "services": [], "warnings": []} - """ - When I verify that a preflight check for `invalid_token` formatted as yaml exits 1 - Then stdout is a yaml matching the `ua_status` schema - And I will see the following on stdout: - """ - environment_vars: [] - errors: - - message: Invalid token. See https://ubuntu.com/pro/dashboard - message_code: attach-invalid-token - service: null - type: system - result: failure - services: [] - warnings: [] - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - - @uses.config.contract_token - Scenario Outline: Simulate status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I do a preflight check for `contract_token` without the all flag - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - livepatch +yes +yes +yes +Canonical Livepatch service - ros +yes +yes +no +Security Updates for the Robot Operating System - usg +yes +yes +no +Security compliance and audit tools - """ - When I do a preflight check for `contract_token` with the all flag - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +yes +.* - cc-eal +no +yes +no +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-preview +no +yes +no +.* - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - landscape +no +yes +no +Management and administration tool for Ubuntu - livepatch +yes +yes +yes +Canonical Livepatch service - realtime-kernel +no +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated - ros +yes +yes +no +Security Updates for the Robot Operating System - ros-updates +no +yes +no +All Updates for the Robot Operating System - usg +yes +yes +no +Security compliance and audit tools - """ - When I do a preflight check for `contract_token` formatted as json - Then stdout is a json matching the `ua_status` schema - When I do a preflight check for `contract_token` formatted as yaml - Then stdout is a yaml matching the `ua_status` schema - When I verify that a preflight check for `invalid_token` formatted as json exits 1 - Then stdout is a json matching the `ua_status` schema - And I will see the following on stdout: - """ - {"environment_vars": [], "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "result": "failure", "services": [], "warnings": []} - """ - When I verify that a preflight check for `invalid_token` formatted as yaml exits 1 - Then stdout is a yaml matching the `ua_status` schema - And I will see the following on stdout: - """ - environment_vars: [] - errors: - - message: Invalid token. See https://ubuntu.com/pro/dashboard - message_code: attach-invalid-token - service: null - type: system - result: failure - services: [] - warnings: [] - """ - - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | - - @uses.config.contract_token - Scenario Outline: Simulate status in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I do a preflight check for `contract_token` without the all flag - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips-preview +yes +yes +no +.* - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - livepatch +yes +yes +yes +Canonical Livepatch service - realtime-kernel +yes +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated - usg +yes +yes +no +Security compliance and audit tools - """ - When I do a preflight check for `contract_token` with the all flag - Then stdout matches regexp: - """ - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +yes +.* - cc-eal +no +yes +no +Common Criteria EAL2 Provisioning Packages - esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +no +yes +no +NIST-certified FIPS crypto packages - fips-preview +yes +yes +no +.* - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - landscape +no +yes +no +Management and administration tool for Ubuntu - livepatch +yes +yes +yes +Canonical Livepatch service - realtime-kernel +yes +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated - ros +no +yes +no +Security Updates for the Robot Operating System - ros-updates +no +yes +no +All Updates for the Robot Operating System - usg +yes +yes +no +Security compliance and audit tools - """ - When I do a preflight check for `contract_token` formatted as json - Then stdout is a json matching the `ua_status` schema - When I do a preflight check for `contract_token` formatted as yaml - Then stdout is a yaml matching the `ua_status` schema - When I verify that a preflight check for `invalid_token` formatted as json exits 1 - Then stdout is a json matching the `ua_status` schema - And I will see the following on stdout: - """ - {"environment_vars": [], "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "result": "failure", "services": [], "warnings": []} - """ - When I verify that a preflight check for `invalid_token` formatted as yaml exits 1 - Then stdout is a yaml matching the `ua_status` schema - And I will see the following on stdout: - """ - environment_vars: [] - errors: - - message: Invalid token. See https://ubuntu.com/pro/dashboard - message_code: attach-invalid-token - service: null - type: system - result: failure - services: [] - warnings: [] - """ - - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | - - - @uses.config.contract_token_staging_expired - Scenario Outline: Simulate status with expired token in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo - And I verify that a preflight check for `contract_token_staging_expired` formatted as json exits 1 - Then stdout is a json matching the `ua_status` schema - And stdout matches regexp: - """ - \"result\": \"failure\" - """ - And stdout matches regexp: - """ - \"message\": \"Attach denied:\\nContract .* expired on .*\" - """ - When I verify that a preflight check for `contract_token_staging_expired` formatted as yaml exits 1 - Then stdout is a yaml matching the `ua_status` schema - Then stdout matches regexp: - """ - errors: - - message: 'Attach denied: - - Contract .* expired on .* - """ - When I verify that a preflight check for `contract_token_staging_expired` without the all flag exits 1 - Then stdout matches regexp: - """ - This token is not valid. - Attach denied: - Contract \".*\" expired on .* - Visit https://ubuntu.com/pro/dashboard to manage contract tokens. - - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - (anbox-cloud +(yes|no) +.*)? - ?cc-eal +yes +yes +no +Common Criteria EAL2 Provisioning Packages - cis +yes +yes +no +Security compliance and audit tools - esm-apps +yes +no +no +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - livepatch +yes +yes +yes +Canonical Livepatch service - ros +yes +no +no +Security Updates for the Robot Operating System - ros-updates +yes +no +no +All Updates for the Robot Operating System - """ - - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - - @uses.config.contract_token_staging_expired - Scenario Outline: Simulate status with expired token in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo - And I verify that a preflight check for `contract_token_staging_expired` formatted as json exits 1 - Then stdout is a json matching the `ua_status` schema - And stdout matches regexp: - """ - \"result\": \"failure\" - """ - And stdout matches regexp: - """ - \"message\": \"Attach denied:\\nContract .* expired on .*\" - """ - When I verify that a preflight check for `contract_token_staging_expired` formatted as yaml exits 1 - Then stdout is a yaml matching the `ua_status` schema - Then stdout matches regexp: - """ - errors: - - message: 'Attach denied: - - Contract .* expired on .* - """ - When I verify that a preflight check for `contract_token_staging_expired` without the all flag exits 1 - Then stdout matches regexp: - """ - This token is not valid. - Attach denied: - Contract \".*\" expired on .* - Visit https://ubuntu.com/pro/dashboard to manage contract tokens. - - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +no +no +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates - livepatch +yes +yes +yes +Canonical Livepatch service - ros +yes +no +no +Security Updates for the Robot Operating System - usg +yes +yes +no +Security compliance and audit tools - """ - - Examples: ubuntu release - | release | machine_type | - | focal | lxd-container | - - @uses.config.contract_token_staging_expired - Scenario Outline: Simulate status with expired token in a ubuntu machine - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo - And I verify that a preflight check for `contract_token_staging_expired` formatted as json exits 1 - Then stdout is a json matching the `ua_status` schema - And stdout matches regexp: - """ - \"result\": \"failure\" - """ - And stdout matches regexp: - """ - \"message\": \"Attach denied:\\nContract .* expired on .*\" - """ - When I verify that a preflight check for `contract_token_staging_expired` formatted as yaml exits 1 - Then stdout is a yaml matching the `ua_status` schema - Then stdout matches regexp: - """ - errors: - - message: 'Attach denied: - - Contract .* expired on .* - """ - When I verify that a preflight check for `contract_token_staging_expired` without the all flag exits 1 - Then stdout matches regexp: - """ - This token is not valid. - Attach denied: - Contract \".*\" expired on .* - Visit https://ubuntu.com/pro/dashboard to manage contract tokens. - - SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION - anbox-cloud +yes +.* - esm-apps +yes +no +no +Expanded Security Maintenance for Applications - esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure - fips +yes +yes +no +NIST-certified FIPS crypto packages - fips-preview +yes +yes +no +Preview of FIPS crypto packages undergoing certification with NIST - fips-updates +yes +yes +no +.* - livepatch +yes +yes +yes +Canonical Livepatch service - """ - - Examples: ubuntu release - | release | machine_type | - | jammy | lxd-container | - - Scenario Outline: Check notice file read permission - Given a `` `` machine with ubuntu-advantage-tools installed - When I run `mkdir -p /run/ubuntu-advantage/notices` with sudo - When I run `touch /run/ubuntu-advantage/notices/crasher` with sudo - When I run `chmod 0 /run/ubuntu-advantage/notices/crasher` with sudo - When I run `mkdir -p /var/lib/ubuntu-advantage/notices` with sudo - When I run `touch /var/lib/ubuntu-advantage/notices/crasher` with sudo - When I run `chmod 0 /var/lib/ubuntu-advantage/notices/crasher` with sudo - When I run `touch /run/ubuntu-advantage/notices/10-reboot_required` with sudo - When I run `pro status` as non-root - Then stdout matches regexp: - """ - NOTICES - System reboot required - """ - Examples: ubuntu release - | release | machine_type | - | xenial | lxd-container | - | bionic | lxd-container | - | focal | lxd-container | - | jammy | lxd-container | - | mantic | lxd-container | + Scenario Outline: Unattached status in a ubuntu machine - formatted + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `pro status --format json` as non-root + Then stdout is a json matching the `ua_status` schema + When I run `pro status --format yaml` as non-root + Then stdout is a yaml matching the `ua_status` schema + When I run `sed -i 's/contracts.can/invalidurl.notcan/' /etc/ubuntu-advantage/uaclient.conf` with sudo + And I verify that running `pro status --format json` `as non-root` exits `1` + Then stdout is a json matching the `ua_status` schema + And stdout matches regexp: + """ + {"environment_vars": \[\], "errors": \[{"message": "Failed to connect to .*\\n\[Errno -2\] Name or service not known\\n", "message_code": "connectivity-error", "service": null, "type": "system"}\], "result": "failure", "services": \[\], "warnings": \[\]} + """ + And I verify that running `pro status --format yaml` `as non-root` exits `1` + Then stdout is a yaml matching the `ua_status` schema + And stdout matches regexp: + """ + environment_vars: \[\] + errors: + - message: 'Failed to connect to https://invalidurl.notcanonical.com/v1/resources(.*) + + \[Errno -2\] Name or service not known + + ' + message_code: connectivity-error + service: null + type: system + result: failure + services: \[\] + warnings: \[\] + """ + + Examples: ubuntu release + | release | machine_type | + | bionic | lxd-container | + | focal | lxd-container | + | xenial | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container | + + Scenario Outline: Unattached status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + (anbox-cloud +(yes|no) +.*)? + ?cc-eal +yes +Common Criteria EAL2 Provisioning Packages + cis +yes +Security compliance and audit tools + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +yes +NIST-certified FIPS crypto packages + fips-updates +yes +FIPS compliant crypto packages with stable security updates + livepatch +yes +(Canonical Livepatch service|Current kernel is not supported) + ros +yes +Security Updates for the Robot Operating System + ros-updates +yes +All Updates for the Robot Operating System + + For a list of all Ubuntu Pro services, run 'pro status --all' + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +(yes|no) +.* + cc-eal +yes +Common Criteria EAL2 Provisioning Packages + cis +yes +Security compliance and audit tools + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +yes +NIST-certified FIPS crypto packages + fips-preview +no +.* + fips-updates +yes +FIPS compliant crypto packages with stable security updates + landscape +no +Management and administration tool for Ubuntu + livepatch +yes +(Canonical Livepatch service|Current kernel is not supported) + realtime-kernel +no +Ubuntu kernel with PREEMPT_RT patches integrated + ros +yes +Security Updates for the Robot Operating System + ros-updates +yes +All Updates for the Robot Operating System + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + When I append the following on uaclient config: + """ + features: + allow_beta: true + """ + And I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + (anbox-cloud +(yes|no) +.*)? + ?cc-eal +yes +Common Criteria EAL2 Provisioning Packages + cis +yes +Security compliance and audit tools + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +yes +NIST-certified FIPS crypto packages + fips-updates +yes +FIPS compliant crypto packages with stable security updates + livepatch +yes +(Canonical Livepatch service|Current kernel is not supported) + ros +yes +Security Updates for the Robot Operating System + ros-updates +yes +All Updates for the Robot Operating System + + FEATURES + allow_beta: True + + For a list of all Ubuntu Pro services, run 'pro status --all' + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + + Scenario Outline: Unattached status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify root and non-root `pro status` calls have the same output + When I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +yes +NIST-certified FIPS crypto packages + fips-updates +yes +FIPS compliant crypto packages with stable security updates + livepatch +yes +Canonical Livepatch service + ros +yes +Security Updates for the Robot Operating System + usg +yes +Security compliance and audit tools + + For a list of all Ubuntu Pro services, run 'pro status --all' + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +yes +.* + cc-eal +no +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +yes +NIST-certified FIPS crypto packages + fips-preview +no +.* + fips-updates +yes +FIPS compliant crypto packages with stable security updates + landscape +no +Management and administration tool for Ubuntu + livepatch +yes +Canonical Livepatch service + realtime-kernel +no +Ubuntu kernel with PREEMPT_RT patches integrated + ros +yes +Security Updates for the Robot Operating System + ros-updates +no +All Updates for the Robot Operating System + usg +yes +Security compliance and audit tools + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + When I append the following on uaclient config: + """ + features: + allow_beta: true + """ + When I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +yes +NIST-certified FIPS crypto packages + fips-updates +yes +FIPS compliant crypto packages with stable security updates + livepatch +yes +Canonical Livepatch service + ros +yes +Security Updates for the Robot Operating System + usg +yes +Security compliance and audit tools + + FEATURES + allow_beta: True + + For a list of all Ubuntu Pro services, run 'pro status --all' + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + + Scenario Outline: Unattached status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips-preview +yes +.* + fips-updates +yes +FIPS compliant crypto packages with stable security updates + livepatch +yes +Canonical Livepatch service + realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated + usg +yes +Security compliance and audit tools + + For a list of all Ubuntu Pro services, run 'pro status --all' + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + When I verify root and non-root `pro status --all` calls have the same output + And I run `pro status --all` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +yes +.* + cc-eal +no +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips +no +NIST-certified FIPS crypto packages + fips-preview +yes +.* + fips-updates +yes +FIPS compliant crypto packages with stable security updates + landscape +no +Management and administration tool for Ubuntu + livepatch +yes +Canonical Livepatch service + realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated + ros +no +Security Updates for the Robot Operating System + ros-updates +no +All Updates for the Robot Operating System + usg +yes +Security compliance and audit tools + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + When I append the following on uaclient config: + """ + features: + allow_beta: true + """ + When I verify root and non-root `pro status` calls have the same output + And I run `pro status` as non-root + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +Expanded Security Maintenance for Applications + esm-infra +yes +Expanded Security Maintenance for Infrastructure + fips-preview +yes +.* + fips-updates +yes +FIPS compliant crypto packages with stable security updates + livepatch +yes +Canonical Livepatch service + realtime-kernel +yes +Ubuntu kernel with PREEMPT_RT patches integrated + usg +yes +Security compliance and audit tools + + FEATURES + allow_beta: True + + For a list of all Ubuntu Pro services, run 'pro status --all' + + This machine is not attached to an Ubuntu Pro subscription. + See https://ubuntu.com/pro + """ + + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | + + @uses.config.contract_token + Scenario Outline: Simulate status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I do a preflight check for `contract_token` without the all flag + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + (anbox-cloud +yes +.*)? + ?cc-eal +yes +yes +no +Common Criteria EAL2 Provisioning Packages + cis +yes +yes +no +Security compliance and audit tools + esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + livepatch +yes +yes +yes +Canonical Livepatch service + """ + When I do a preflight check for `contract_token` with the all flag + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +(yes|no) +.* + cc-eal +yes +yes +no +Common Criteria EAL2 Provisioning Packages + cis +yes +yes +no +Security compliance and audit tools + esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-preview +.* +.* +.* + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + landscape +no +yes +no +Management and administration tool for Ubuntu + livepatch +yes +yes +yes +Canonical Livepatch service + realtime-kernel +no +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated + ros +yes +yes +no +Security Updates for the Robot Operating System + ros-updates +yes +yes +no +All Updates for the Robot Operating System + """ + When I do a preflight check for `contract_token` formatted as json + Then stdout is a json matching the `ua_status` schema + When I do a preflight check for `contract_token` formatted as yaml + Then stdout is a yaml matching the `ua_status` schema + When I verify that a preflight check for `invalid_token` formatted as json exits 1 + Then stdout is a json matching the `ua_status` schema + And I will see the following on stdout: + """ + {"environment_vars": [], "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "result": "failure", "services": [], "warnings": []} + """ + When I verify that a preflight check for `invalid_token` formatted as yaml exits 1 + Then stdout is a yaml matching the `ua_status` schema + And I will see the following on stdout: + """ + environment_vars: [] + errors: + - message: Invalid token. See https://ubuntu.com/pro/dashboard + message_code: attach-invalid-token + service: null + type: system + result: failure + services: [] + warnings: [] + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + + @uses.config.contract_token + Scenario Outline: Simulate status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I do a preflight check for `contract_token` without the all flag + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + livepatch +yes +yes +yes +Canonical Livepatch service + ros +yes +yes +no +Security Updates for the Robot Operating System + usg +yes +yes +no +Security compliance and audit tools + """ + When I do a preflight check for `contract_token` with the all flag + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +yes +.* + cc-eal +no +yes +no +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-preview +no +yes +no +.* + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + landscape +no +yes +no +Management and administration tool for Ubuntu + livepatch +yes +yes +yes +Canonical Livepatch service + realtime-kernel +no +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated + ros +yes +yes +no +Security Updates for the Robot Operating System + ros-updates +no +yes +no +All Updates for the Robot Operating System + usg +yes +yes +no +Security compliance and audit tools + """ + When I do a preflight check for `contract_token` formatted as json + Then stdout is a json matching the `ua_status` schema + When I do a preflight check for `contract_token` formatted as yaml + Then stdout is a yaml matching the `ua_status` schema + When I verify that a preflight check for `invalid_token` formatted as json exits 1 + Then stdout is a json matching the `ua_status` schema + And I will see the following on stdout: + """ + {"environment_vars": [], "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "result": "failure", "services": [], "warnings": []} + """ + When I verify that a preflight check for `invalid_token` formatted as yaml exits 1 + Then stdout is a yaml matching the `ua_status` schema + And I will see the following on stdout: + """ + environment_vars: [] + errors: + - message: Invalid token. See https://ubuntu.com/pro/dashboard + message_code: attach-invalid-token + service: null + type: system + result: failure + services: [] + warnings: [] + """ + + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + + @uses.config.contract_token + Scenario Outline: Simulate status in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I do a preflight check for `contract_token` without the all flag + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips-preview +yes +yes +no +.* + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + livepatch +yes +yes +yes +Canonical Livepatch service + realtime-kernel +yes +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated + usg +yes +yes +no +Security compliance and audit tools + """ + When I do a preflight check for `contract_token` with the all flag + Then stdout matches regexp: + """ + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +yes +.* + cc-eal +no +yes +no +Common Criteria EAL2 Provisioning Packages + esm-apps +yes +yes +yes +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +no +yes +no +NIST-certified FIPS crypto packages + fips-preview +yes +yes +no +.* + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + landscape +no +yes +no +Management and administration tool for Ubuntu + livepatch +yes +yes +yes +Canonical Livepatch service + realtime-kernel +yes +yes +no +Ubuntu kernel with PREEMPT_RT patches integrated + ros +no +yes +no +Security Updates for the Robot Operating System + ros-updates +no +yes +no +All Updates for the Robot Operating System + usg +yes +yes +no +Security compliance and audit tools + """ + When I do a preflight check for `contract_token` formatted as json + Then stdout is a json matching the `ua_status` schema + When I do a preflight check for `contract_token` formatted as yaml + Then stdout is a yaml matching the `ua_status` schema + When I verify that a preflight check for `invalid_token` formatted as json exits 1 + Then stdout is a json matching the `ua_status` schema + And I will see the following on stdout: + """ + {"environment_vars": [], "errors": [{"message": "Invalid token. See https://ubuntu.com/pro/dashboard", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "result": "failure", "services": [], "warnings": []} + """ + When I verify that a preflight check for `invalid_token` formatted as yaml exits 1 + Then stdout is a yaml matching the `ua_status` schema + And I will see the following on stdout: + """ + environment_vars: [] + errors: + - message: Invalid token. See https://ubuntu.com/pro/dashboard + message_code: attach-invalid-token + service: null + type: system + result: failure + services: [] + warnings: [] + """ + + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | + + @uses.config.contract_token_staging_expired + Scenario Outline: Simulate status with expired token in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo + And I verify that a preflight check for `contract_token_staging_expired` formatted as json exits 1 + Then stdout is a json matching the `ua_status` schema + And stdout matches regexp: + """ + \"result\": \"failure\" + """ + And stdout matches regexp: + """ + \"message\": \"Attach denied:\\nContract .* expired on .*\" + """ + When I verify that a preflight check for `contract_token_staging_expired` formatted as yaml exits 1 + Then stdout is a yaml matching the `ua_status` schema + Then stdout matches regexp: + """ + errors: + - message: 'Attach denied: + + Contract .* expired on .* + """ + When I verify that a preflight check for `contract_token_staging_expired` without the all flag exits 1 + Then stdout matches regexp: + """ + This token is not valid. + Attach denied: + Contract \".*\" expired on .* + Visit https://ubuntu.com/pro/dashboard to manage contract tokens. + + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + (anbox-cloud +(yes|no) +.*)? + ?cc-eal +yes +yes +no +Common Criteria EAL2 Provisioning Packages + cis +yes +yes +no +Security compliance and audit tools + esm-apps +yes +no +no +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + livepatch +yes +yes +yes +Canonical Livepatch service + ros +yes +no +no +Security Updates for the Robot Operating System + ros-updates +yes +no +no +All Updates for the Robot Operating System + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + + @uses.config.contract_token_staging_expired + Scenario Outline: Simulate status with expired token in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo + And I verify that a preflight check for `contract_token_staging_expired` formatted as json exits 1 + Then stdout is a json matching the `ua_status` schema + And stdout matches regexp: + """ + \"result\": \"failure\" + """ + And stdout matches regexp: + """ + \"message\": \"Attach denied:\\nContract .* expired on .*\" + """ + When I verify that a preflight check for `contract_token_staging_expired` formatted as yaml exits 1 + Then stdout is a yaml matching the `ua_status` schema + Then stdout matches regexp: + """ + errors: + - message: 'Attach denied: + + Contract .* expired on .* + """ + When I verify that a preflight check for `contract_token_staging_expired` without the all flag exits 1 + Then stdout matches regexp: + """ + This token is not valid. + Attach denied: + Contract \".*\" expired on .* + Visit https://ubuntu.com/pro/dashboard to manage contract tokens. + + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +no +no +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-updates +yes +yes +no +FIPS compliant crypto packages with stable security updates + livepatch +yes +yes +yes +Canonical Livepatch service + ros +yes +no +no +Security Updates for the Robot Operating System + usg +yes +yes +no +Security compliance and audit tools + """ + + Examples: ubuntu release + | release | machine_type | + | focal | lxd-container | + + @uses.config.contract_token_staging_expired + Scenario Outline: Simulate status with expired token in a ubuntu machine + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo + And I verify that a preflight check for `contract_token_staging_expired` formatted as json exits 1 + Then stdout is a json matching the `ua_status` schema + And stdout matches regexp: + """ + \"result\": \"failure\" + """ + And stdout matches regexp: + """ + \"message\": \"Attach denied:\\nContract .* expired on .*\" + """ + When I verify that a preflight check for `contract_token_staging_expired` formatted as yaml exits 1 + Then stdout is a yaml matching the `ua_status` schema + Then stdout matches regexp: + """ + errors: + - message: 'Attach denied: + + Contract .* expired on .* + """ + When I verify that a preflight check for `contract_token_staging_expired` without the all flag exits 1 + Then stdout matches regexp: + """ + This token is not valid. + Attach denied: + Contract \".*\" expired on .* + Visit https://ubuntu.com/pro/dashboard to manage contract tokens. + + SERVICE +AVAILABLE +ENTITLED +AUTO_ENABLED +DESCRIPTION + anbox-cloud +yes +.* + esm-apps +yes +no +no +Expanded Security Maintenance for Applications + esm-infra +yes +yes +yes +Expanded Security Maintenance for Infrastructure + fips +yes +yes +no +NIST-certified FIPS crypto packages + fips-preview +yes +yes +no +Preview of FIPS crypto packages undergoing certification with NIST + fips-updates +yes +yes +no +.* + livepatch +yes +yes +yes +Canonical Livepatch service + """ + + Examples: ubuntu release + | release | machine_type | + | jammy | lxd-container | + + Scenario Outline: Check notice file read permission + Given a `` `` machine with ubuntu-advantage-tools installed + When I run `mkdir -p /run/ubuntu-advantage/notices` with sudo + When I run `touch /run/ubuntu-advantage/notices/crasher` with sudo + When I run `chmod 0 /run/ubuntu-advantage/notices/crasher` with sudo + When I run `mkdir -p /var/lib/ubuntu-advantage/notices` with sudo + When I run `touch /var/lib/ubuntu-advantage/notices/crasher` with sudo + When I run `chmod 0 /var/lib/ubuntu-advantage/notices/crasher` with sudo + When I run `touch /run/ubuntu-advantage/notices/10-reboot_required` with sudo + When I run `pro status` as non-root + Then stdout matches regexp: + """ + NOTICES + System reboot required + """ + + Examples: ubuntu release + | release | machine_type | + | xenial | lxd-container | + | bionic | lxd-container | + | focal | lxd-container | + | jammy | lxd-container | + | mantic | lxd-container |