
Issues with add-system-user.py

Open dilyn-corner opened this issue 3 months ago • 1 comments

Where is the system-user-authority line coming from?

https://github.com/canonical/landscape-scripts/blob/1712ef2af183825c8663c7baa2a8fdb6eaf58712/core/users/add-system-user.py#L21

It isn't part of the documentation for system-user assertions. I know it to be a component of model assertions, however...

Besides that, attempting to use the script with a modified assertion results in an error:

Traceback (most recent call last):
  File "/tmp/tmpvjzx2jko", line 39, in <module>
    snap_http.add_assertion(assertion)
  File "/snap/landscape-client/684/lib/python3.12/site-packages/landscape/client/snap_http/api.py", line 634, in add_assertion
    return http.post("/assertions", body)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/landscape-client/684/lib/python3.12/site-packages/landscape/client/snap_http/http.py", line 40, in post
    response = _make_request(path, "POST", body=body)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/landscape-client/684/lib/python3.12/site-packages/landscape/client/snap_http/http.py", line 99, in _make_request
    raise SnapdHttpException(response_body)
landscape.client.snap_http.http.SnapdHttpException: b'{"type":"error","status-code":400,"status":"Bad Request","result":{"message":"cannot decode request body into assertions: parsing assertion headers: header entry missing \':\' separator: \\"\\""}}'

It isn't entirely obvious to me why this happens, but I do know that usually a system-user assertion must be accompanied by a known account and account-key assertion...

dilyn-corner, Sep 17 '25 20:09

Hmm… I can't speak to the system-user assertions specification, but I can tell you that the YAML looks a bit malformed.

In some YAML parsers, * denotes an alias, or is otherwise a special character. I'm not sure what parser snapd uses. This can usually be resolved by single-quoting the value: '*'. Still not sure if it needs to be in there though.

On top of that, the whitespace in the value for sign-key-sha3-384 is probably the source of the header parsing issue you're seeing. Adding a 4-space indent to lines 27-36 allows parsing to pass for this item. May also need to change > to | if the intention is to preserve multiline formatting.

What do you think @st3v3nmw ?

Perfect5th, Sep 17 '25 21:09

It was confirmed by @Cruzh3r2107 that the issue has to do with the beginning of the body (line 7 with the """). If the assertion starts there with no \n, that is to say the script looks like:

assertion = """type: system-user
...

Then parsing succeeds. So it's a very small issue, for which we plan on filing a PR.

Additionally, we may want to update the script to actually pass all required assertions for this process to truly work; you also need the account and account-key assertions to be known by snapd for the system-user assertion to take, and you can pass all of them as a single body (this has been demonstrated to work without issue). We'll probably include that in the PR.

dilyn-corner, Dec 05 '25 15:12
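The leading-newline failure described in the last comment, reproduced offline as an added example that is not part of the thread or of the project's script. The header values are constructed placeholders, and `first_header_error` and `normalize` are hypothetical helpers: the first is a simplified stand-in for snapd's header parsing, not its actual code.

```python
# Added illustration: header values are constructed placeholders, and
# first_header_error() is a simplified stand-in for snapd's header parsing.

# Layout that failed: the literal opens with a newline, so line 1 is empty.
BROKEN = """
type: system-user
authority-id: EXAMPLE-BRAND-ID
brand-id: EXAMPLE-BRAND-ID
email: user@example.com

EXAMPLE-SIGNATURE
"""

# Same layout kept, but the backslash after the quotes swallows the newline.
ESCAPED = """\
type: system-user
authority-id: EXAMPLE-BRAND-ID
brand-id: EXAMPLE-BRAND-ID
email: user@example.com

EXAMPLE-SIGNATURE
"""


def first_header_error(text):
    """Return a snapd-style error for the first bad header line, else None."""
    headers, _, _ = text.partition("\n\n")  # a blank line ends the headers
    for line in headers.split("\n"):
        if line.startswith(" "):  # indented lines continue a multiline value
            continue
        if ":" not in line:
            return f"header entry missing ':' separator: \"{line}\""
    return None


def normalize(text):
    """Drop leading newlines so the first byte belongs to the first header."""
    return text.lstrip("\n")


if __name__ == "__main__":
    for name, text in [("broken", BROKEN), ("escaped", ESCAPED),
                       ("normalized", normalize(BROKEN))]:
        print(f"{name}: {first_header_error(text)}")
```

Running a check like this on the assertion string before it is posted surfaces the empty first line locally instead of as a 400 from snapd.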