LP: #2021988

If the canonical-livepatch status command fails, we can mistakenly
tell the users that Livepatch is disabled. This is an incorrect
behavior as we should alert the users about the error. We are now
reflecting that went wrong with the command on the output
of pro status.

LP: #2019997

When running collect-logs as non-root, we might fail
trying to collect the jobs-status information. Since there
is no private date in this file, we are making it world readable
now.

Fixes: #2601

Signed-off-by: Renan Rodrigo <[email protected]>

The bug was fixed in mypy version 1.7

This extends the "behave-any" refactor to all integration tests. That means any combination of tests, regardless of the cloud/platform they run on, can be run with one command.  This allows consolidation of some tests since tests can now be parametrized by machine_type.

There is still the capability to run the tests in a per release, per platform matrix via the run-integration-tests.py script. However, after this refactor we don't have to split the tests up that way.

Fixes: #1579

Fixes: #1522

Some brazilian portuguese translations are marked as fuzzy.
We are removing the tag from the ones we believe are correct

It involves enabling FIPS, which is not in 22.04 yet.

Signed-off-by: Renan Rodrigo <[email protected]>

Signed-off-by: Renan Rodrigo <[email protected]>

Signed-off-by: Renan Rodrigo <[email protected]>

The fips-updates service is now available for Jammy.
We are now updating the Jammy tests to reflect that

Move the plan API common logic into the appropriate module.

Fixes: #2714

When fixing a CVE that is already patched by livepatch,
we should only relly on the specific livepatch message
we display when we identify that the patch is already applied

We we require an enable operation for the fix command,
we are now displaying two messages if the enable part fails.
One related to the actual error and a generic one mentioning
that we need the service to install the packages. We are removing
the generic one as it does add any new information to the user.

When fetching USN/CVEs data, we should also handle the generic
exception we raise if the data cannot be collected, otherwise
the plan API will not be able to deliver that information
on the JSON response

Move all functions to the security API module and move
all associated tests to other related test files

Since we already have a common module, it is better to put
the base fix logic inside that module instead of the fix module
itself

We want users to import all necessary data objects
directly from the cve/usn endpoint. To achieve that,
we are moving some imports directly into those modules

Due to the backwards compatibility, we will still allow
some plan API related objects to be imported through
the fix module

Now that we are using the term Associated CVEs for the USN headers,
we need to update the associated unit test

_post_cli_attach must be mocked to avoid leaks. The JSON part of the
test removed in this commit is covered in test_event_logger.

Signed-off-by: Renan Rodrigo <[email protected]>

testing only the relevant output

Signed-off-by: Renan Rodrigo <[email protected]>

Fixes: #2860

Signed-off-by: Renan Rodrigo <[email protected]>

This helps when the timer job is running in the background and a cli
command happens to collide with it. The timer job is usually over
quickly, so retrying several times with a small sleep time should be
sufficient.

This changes updates the integration tests to include new messages
about checking subscription, disabling livepatch, etc.

In line with normalization efforts, this change also converts many
checks that were unnecessarily regex to substring matches.

Prior to this change, livepatch status for an unenabled machine
that supported livepatch (which is always the case for FIPS
enabled machines) would record an error in the logs on querying
status.

Bringing this test is line with the format others are using

adjust messages for consistency; use the 'attach/detach/enable/disable'
correct usage for 'subscription' and 'service'

Fixes: #2788

Recently some messages were updated to have more consistent terminology
around the use of the words "service" and "subscription". This commit
updates the related behave tests to expect the new messages.

The test relies on downgrading the version of strongswan in focal. It
was previously set to downgrade to the version in focal-updates, but
that changed. After this commit, the test downgrades to the version in
focal, which will not change.

Fixes: #2863

We can stop testing on lunar since our next release will go out after
lunar EOL.

Also configures CI to build package for noble, and run integration tests
for on mantic.

Fixes: #2871

Signed-off-by: Renan Rodrigo <[email protected]>

Signed-off-by: Renan Rodrigo <[email protected]>

Fixes: #2839

* No longer assume landscape-client gets removed on disable
* Leave client.conf in place instead of renaming
* Require service to be running to consider "enabled"
* New explanatory message when disabling

Fixes: #2840

Fixes: #2743

Due to the PrivateTmp=yes restriction set on the apt-news.service unit,
tests that use the /tmp directory will fail.

This happens because the unit will get a brand new and empty /tmp when
it starts up, and anything it does in that /tmp will be gone when it
terminates.

…_pro_apt_news

…pt_news to ubuntu_pro_apt_news

Most or all of the settings are defined there, and since that module
doesn't import anything, this also avoids potential future dependencies.

Since ConnectityError is only raised when we detect an UrlError
exception, we have decided to merge those exceptios. Additionally,
we have also updated the ConnectivityError message to be more explicit
on what the actual error is.

Fixes: #2647

This serves as integration test coverage for the
settings_overrides.cloud_type feature since we didn't previously have
coverage for it.

This is useful in situations where for some reason, cloud-id does not
return the correct cloud. One prominent case where this happens is
inside docker builds.

When reporting enabled_services throught the API,
for each enabled entitlement, we are reporting its name.
This is problematic because today cis and usg share the same
entitlement. To differentiate between them, we need to get
the entitlement presentation_name instead.

If a service has has a warning status, we are now returning that
service as a enabled service through the enabled_services API.
However, we are also creating a warning in the API response
to let the user know that there is a required action for the
service.

Fixes: #2882

When checking if a incompatible service is enabled,
we must also take in consideration services whose status
is a warning one. That is because they are still enabled
in the system, even if they are properly running

Instead of relying on pro status to check if a service
is enabled/disabled or if the machine is attached to
a Pro subscription, we are now relying on the enabled_services
and is_attached APIs instead

Fixes: #2851

Use our API to check that a service status is warning instead
of relying on pro status for that

When fixing a CVE, we also fetch the related USNs tied to it.
When doing that, we need to discard LSNs since they are not supported
at the moment.

We fetch the CVE description from the USNs associated
with the CVE. Before, we picked the first USN title as
the CVE description. We are updating that logic to check
first if at least one package related to the USN is installed
in the system before using its description.

Fixes: #2739

Fixes: #2798

Signed-off-by: Renan Rodrigo <[email protected]>

This is tested in the integration tests, and the unit test
which changed this was removed/changed already

Signed-off-by: Renan Rodrigo <[email protected]>

- use the step instead of running the command explicitly
- use apt instead of apt-get
- retry on exit 100

Signed-off-by: Renan Rodrigo <[email protected]>