system_update_committer/metadata/
policy.rs

1// Copyright 2020 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5use super::configuration_without_recovery::ConfigurationWithoutRecovery;
6use super::errors::{BootManagerError, BootManagerResultExt, PolicyError};
7use fidl_fuchsia_paver as paver;
8use log::{info, warn};
9use zx::Status;
10
11/// After gathering state from the BootManager, the PolicyEngine can answer whether we
12/// should verify and commit.
13#[derive(Debug)]
14pub struct PolicyEngine(State);
15
16#[derive(Debug)]
17enum State {
18    // If no verification or committing is necessary, i.e. if any of:
19    //   * ABR is not supported
20    //   * the current config is Recovery
21    //   * the current config status is Healthy
22    NoOp,
23    Active {
24        current_config: ConfigurationWithoutRecovery,
25        // None if the value is erroneously missing from QueryConfigurationStatusAndBootAttempts.
26        boot_attempts: Option<u8>,
27    },
28}
29
30impl PolicyEngine {
31    /// Gathers system state from the BootManager.
32    pub async fn build(boot_manager: &paver::BootManagerProxy) -> Result<Self, PolicyError> {
33        let current_config = match boot_manager
34            .query_current_configuration()
35            .await
36            .into_boot_manager_result("query_current_configuration")
37        {
38            Err(BootManagerError::Fidl {
39                error: fidl::Error::ClientChannelClosed { status: Status::NOT_SUPPORTED, .. },
40                ..
41            }) => {
42                info!("ABR not supported: skipping health verification and boot metadata updates");
43                return Ok(Self(State::NoOp));
44            }
45            Err(e) => return Err(PolicyError::Build(e)),
46            Ok(paver::Configuration::Recovery) => {
47                info!("System in recovery: skipping health verification and boot metadata updates");
48                return Ok(Self(State::NoOp));
49            }
50            Ok(paver::Configuration::A) => ConfigurationWithoutRecovery::A,
51            Ok(paver::Configuration::B) => ConfigurationWithoutRecovery::B,
52        };
53
54        let status_and_boot_attempts = boot_manager
55            .query_configuration_status_and_boot_attempts((&current_config).into())
56            .await
57            .into_boot_manager_result("query_configuration_status")
58            .map_err(PolicyError::Build)?;
59        match status_and_boot_attempts
60            .status
61            .ok_or(PolicyError::Build(BootManagerError::StatusNotSet))?
62        {
63            paver::ConfigurationStatus::Healthy => {
64                return Ok(Self(State::NoOp));
65            }
66            paver::ConfigurationStatus::Pending => {}
67            paver::ConfigurationStatus::Unbootable => {
68                return Err(PolicyError::CurrentConfigurationUnbootable((&current_config).into()));
69            }
70        };
71
72        let boot_attempts = status_and_boot_attempts.boot_attempts;
73        if boot_attempts.is_none() {
74            warn!("Current config status is pending but boot attempts was not set");
75        }
76
77        Ok(Self(State::Active { current_config, boot_attempts }))
78    }
79
80    /// Determines if we should verify and commit.
81    /// * If we should (e.g. if the system is pending commit), return
82    ///   `Some((slot_to_act_on, boot_attempts))`.
83    /// * If we shouldn't (e.g. if the system is already committed), return `None`.
84    pub fn should_verify_and_commit(&self) -> Option<(&ConfigurationWithoutRecovery, Option<u8>)> {
85        match &self.0 {
86            State::Active { current_config, boot_attempts } => {
87                Some((current_config, *boot_attempts))
88            }
89            State::NoOp => None,
90        }
91    }
92}
93
94#[cfg(test)]
95mod tests {
96    use super::*;
97    use assert_matches::assert_matches;
98    use fuchsia_async as fasync;
99    use mock_paver::{hooks as mphooks, MockPaverServiceBuilder, PaverEvent};
100    use std::sync::Arc;
101
102    /// Test we should NOT verify and commit when when the device is in recovery.
103    #[fasync::run_singlethreaded(test)]
104    async fn test_skip_when_device_in_recovery() {
105        let paver = Arc::new(
106            MockPaverServiceBuilder::new()
107                .current_config(paver::Configuration::Recovery)
108                .insert_hook(mphooks::config_status_and_boot_attempts(|_| {
109                    Ok((paver::ConfigurationStatus::Healthy, None))
110                }))
111                .build(),
112        );
113        let engine = PolicyEngine::build(&paver.spawn_boot_manager_service()).await.unwrap();
114
115        assert_eq!(engine.should_verify_and_commit(), None);
116
117        assert_eq!(paver.take_events(), vec![PaverEvent::QueryCurrentConfiguration]);
118    }
119
120    /// Test we should NOT verify and commit when the device does not support ABR.
121    #[fasync::run_singlethreaded(test)]
122    async fn test_skip_when_device_does_not_support_abr() {
123        let paver = Arc::new(
124            MockPaverServiceBuilder::new()
125                .boot_manager_close_with_epitaph(Status::NOT_SUPPORTED)
126                .build(),
127        );
128        let engine = PolicyEngine::build(&paver.spawn_boot_manager_service()).await.unwrap();
129
130        assert_eq!(engine.should_verify_and_commit(), None);
131
132        assert_eq!(paver.take_events(), vec![]);
133    }
134
135    /// Helper fn to verify we should NOT verify and commit when current is healthy.
136    async fn test_skip_when_current_is_healthy(current_config: paver::Configuration) {
137        let paver = Arc::new(
138            MockPaverServiceBuilder::new()
139                .current_config(current_config)
140                .insert_hook(mphooks::config_status_and_boot_attempts(|_| {
141                    Ok((paver::ConfigurationStatus::Healthy, None))
142                }))
143                .build(),
144        );
145        let engine = PolicyEngine::build(&paver.spawn_boot_manager_service()).await.unwrap();
146
147        assert_eq!(engine.should_verify_and_commit(), None);
148
149        assert_eq!(
150            paver.take_events(),
151            vec![
152                PaverEvent::QueryCurrentConfiguration,
153                PaverEvent::QueryConfigurationStatusAndBootAttempts {
154                    configuration: current_config
155                },
156            ]
157        );
158    }
159
160    #[fasync::run_singlethreaded(test)]
161    async fn test_skip_when_current_is_healthy_a() {
162        test_skip_when_current_is_healthy(paver::Configuration::A).await
163    }
164
165    #[fasync::run_singlethreaded(test)]
166    async fn test_skip_when_current_is_healthy_b() {
167        test_skip_when_current_is_healthy(paver::Configuration::B).await
168    }
169
170    /// Helper fn to verify we should verify and commit when current is pending.
171    async fn test_verify_and_commit_when_current_is_pending(
172        current_config: &ConfigurationWithoutRecovery,
173    ) {
174        let paver = Arc::new(
175            MockPaverServiceBuilder::new()
176                .current_config(current_config.into())
177                .insert_hook(mphooks::config_status_and_boot_attempts(|_| {
178                    Ok((paver::ConfigurationStatus::Pending, Some(1)))
179                }))
180                .build(),
181        );
182        let engine = PolicyEngine::build(&paver.spawn_boot_manager_service()).await.unwrap();
183
184        assert_eq!(engine.should_verify_and_commit(), Some((current_config, Some(1))));
185
186        assert_eq!(
187            paver.take_events(),
188            vec![
189                PaverEvent::QueryCurrentConfiguration,
190                PaverEvent::QueryConfigurationStatusAndBootAttempts {
191                    configuration: current_config.into()
192                },
193            ]
194        );
195    }
196
197    #[fasync::run_singlethreaded(test)]
198    async fn test_verify_and_commit_when_current_is_pending_a() {
199        test_verify_and_commit_when_current_is_pending(&ConfigurationWithoutRecovery::A).await
200    }
201
202    #[fasync::run_singlethreaded(test)]
203    async fn test_verify_and_commit_when_current_is_pending_b() {
204        test_verify_and_commit_when_current_is_pending(&ConfigurationWithoutRecovery::B).await
205    }
206
207    /// Helper fn to verify an error is returned if current is unbootable.
208    async fn test_returns_error_when_current_unbootable(
209        current_config: &ConfigurationWithoutRecovery,
210    ) {
211        let paver = Arc::new(
212            MockPaverServiceBuilder::new()
213                .current_config(current_config.into())
214                .insert_hook(mphooks::config_status_and_boot_attempts(|_| {
215                    Ok((paver::ConfigurationStatus::Unbootable, None))
216                }))
217                .build(),
218        );
219
220        assert_matches!(
221            PolicyEngine::build(&paver.spawn_boot_manager_service()).await,
222            Err(PolicyError::CurrentConfigurationUnbootable(cc)) if cc == current_config.into()
223        );
224
225        assert_eq!(
226            paver.take_events(),
227            vec![
228                PaverEvent::QueryCurrentConfiguration,
229                PaverEvent::QueryConfigurationStatusAndBootAttempts {
230                    configuration: current_config.into()
231                },
232            ]
233        );
234    }
235
236    #[fasync::run_singlethreaded(test)]
237    async fn test_returns_error_when_current_unbootable_a() {
238        test_returns_error_when_current_unbootable(&ConfigurationWithoutRecovery::A).await
239    }
240
241    #[fasync::run_singlethreaded(test)]
242    async fn test_returns_error_when_current_unbootable_b() {
243        test_returns_error_when_current_unbootable(&ConfigurationWithoutRecovery::B).await
244    }
245
246    /// Test the build fn fails on a standard paver error.
247    #[fasync::run_singlethreaded(test)]
248    async fn test_build_fails_when_paver_fails() {
249        let paver = Arc::new(
250            MockPaverServiceBuilder::new()
251                .insert_hook(mphooks::return_error(|e| match e {
252                    PaverEvent::QueryCurrentConfiguration => Status::OUT_OF_RANGE,
253                    _ => Status::OK,
254                }))
255                .build(),
256        );
257
258        assert_matches!(
259            PolicyEngine::build(&paver.spawn_boot_manager_service()).await,
260            Err(PolicyError::Build(BootManagerError::Status {
261                method_name: "query_current_configuration",
262                status: Status::OUT_OF_RANGE
263            }))
264        );
265
266        assert_eq!(paver.take_events(), vec![PaverEvent::QueryCurrentConfiguration]);
267    }
268}