e2e-tests: Add test for rollback denied due to bootloader protection

Signed-off-by: Andre Detsch <[email protected]>
foundriesio · Jan 3, 2025 · a974c91 · a974c91
1 parent 3cb5c9c
commit a974c91
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/docker-e2e-test/e2e-test.py b/docker-e2e-test/e2e-test.py
@@ -213,6 +213,13 @@ def invoke_aklite(options):
     logger.info("Running `" + " ".join([aklite_path] + options) + "`")
     return subprocess.run([aklite_path] + options, capture_output=True)
 
+def create_bootloader_env_read_script():
+    bootloader_get_env_script = "fioefi_printenv"
+    if not os.path.exists(bootloader_get_env_script):
+        with open(bootloader_get_env_script, "w") as f:
+            f.write("#!/bin/sh\nprintenv $@\n")
+        os.chmod(bootloader_get_env_script, stat.S_IREAD | stat.S_IWRITE |  stat.S_IEXEC)
+
 def write_settings(apps=None, prune=True):
     logger.info(f"Updating settings. {apps=}")
     callback_file = "/var/sota/callback.sh"
@@ -253,6 +260,15 @@ def write_settings(apps=None, prune=True):
         with open("/var/sota/sota.toml", "w") as f:
             f.write(sota_toml_content)
 
+    # allow bootloader environment variables to be read from shell environment
+    if not "[bootloader]" in sota_toml_content:
+        sota_toml_content = sota_toml_content + '[bootloader]\nrollback_mode = "fioefi"\n'
+        with open("/var/sota/sota.toml", "w") as f:
+            f.write(sota_toml_content)
+    create_bootloader_env_read_script()
+    if not "." in os.environ.get("PATH", "").split(":"):
+        os.environ["PATH"] = os.environ["PATH"] + ":."
+
 def get_all_current_apps():
     sp = invoke_aklite(['list', '--json', '1'])
     out_json = json.loads(sp.stdout)
@@ -704,6 +720,23 @@ def run_test_rollback_with_version(do_reboot, do_finalize):
     logger.info("Performing second additional rollback operation on already rolled back environment")
     do_rollback(get_target_version(Targets.First), True)
 
+def run_test_rollback_denied():
+    restore_system_state()
+    apps = None # All apps, for now
+    write_settings(apps, prune)
+
+    # Install
+    logger.info("Installing base target for rollback operations")
+    target = all_targets[Targets.WorkingOstree]
+    install_version(get_target_version(target.version_offset), True, target.install_rollback, target.run_rollback)
+
+    # Test a rollback that does *not* require a reboot
+    logger.info("Testing rollback not allowed")
+    os.environ["rollback_protection"] = "1"
+    cp = invoke_aklite(['rollback'])
+    print(cp.stdout.decode("utf-8"))
+    assert cp.returncode == ReturnCodes.UnknownError
+
 @pytest.mark.parametrize('offline_', [True, False])
 @pytest.mark.parametrize('single_step_', [True, False])
 @pytest.mark.parametrize('do_reboot', [True, False])
@@ -729,3 +762,10 @@ def test_rollback_with_version(do_reboot, do_finalize, offline_, single_step_):
     single_step = single_step_
     logger.info(f"Testing rollback with explicit version {do_reboot=} {do_finalize=}")
     run_test_rollback_with_version(do_reboot, do_finalize)
+
+def test_rollback_denied():
+    global offline, single_step
+    offline = False
+    single_step = False
+    logger.info(f"Testing rollback denied because of bootloader rollback protection")
+    run_test_rollback_denied()