author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-01-18 10:30:08 -0500 |
committer | GitHub <noreply@github.com> | 2022-01-18 10:30:08 -0500 |
commit | 0bbf8fa14035371cdc5bb04f5db51da8a8f94d48 (patch) | |
tree | cdf7ff6c61cd8b2ca914adea9fa70539f10e31f2 | |
parent | 55ad6188b067ba6594819c318dd2ae92dea2f27e (diff) | |
parent | 471a4356bfc57e37218afa6e2db4e9a58e53032b (diff) | |
Merge pull request #12797 from edsantiago/test_image_scp_sudo
Tests for podman image scp (the sudo form)
-rw-r--r-- | contrib/cirrus/lib.sh | 18 | ||||
-rwxr-xr-x | contrib/cirrus/setup_environment.sh | 15 | ||||
-rwxr-xr-x | hack/bats | 4 | ||||
-rw-r--r-- | test/system/120-load.bats | 98 | ||||
-rw-r--r-- | test/system/272-system-connection.bats | 8 |
5 files changed, 117 insertions, 26 deletions
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index c7352106a..ae538d23f 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -138,7 +138,9 @@ passthrough_envars(){
 }
 setup_rootless() {
-    req_env_vars ROOTLESS_USER GOPATH GOSRC SECRET_ENV_RE
+    req_env_vars GOPATH GOSRC SECRET_ENV_RE
+
+    ROOTLESS_USER="${ROOTLESS_USER:-some${RANDOM}dude}"
     local rootless_uid
     local rootless_gid
@@ -150,9 +152,11 @@ setup_rootless() {
     # shellcheck disable=SC2154
     if passwd --status $ROOTLESS_USER
     then
-        msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code"
-        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
-        return 0
+        if [[ $PRIV_NAME = "rootless" ]]; then
+            msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code"
+            chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+            return 0
+        fi
     fi
     msg "************************************************************"
     msg "Setting up rootless user '$ROOTLESS_USER'"
@@ -164,7 +168,11 @@ setup_rootless() {
     msg "creating $rootless_uid:$rootless_gid $ROOTLESS_USER user"
     groupadd -g $rootless_gid $ROOTLESS_USER
     useradd -g $rootless_gid -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER
-    chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+
+    # We also set up rootless user for image-scp tests (running as root)
+    if [[ $PRIV_NAME = "rootless" ]]; then
+        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+    fi
     echo "$ROOTLESS_USER ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/ci-rootless
     mkdir -p "$HOME/.ssh" "/home/$ROOTLESS_USER/.ssh"
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 8f535c7e7..03b954a5b 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
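Review bot: In the second hunk the early `return 0` for an already-existing `$ROOTLESS_USER` is now reached only when `PRIV_NAME` is `rootless`; in a root run where the account already exists (for example when `ROOTLESS_USER` is still exported from an earlier invocation on the same VM), control falls through to the `groupadd`/`useradd` lines of the third hunk, which fail on a duplicate account. Keeping the return outside the inner conditional preserves the function's idempotence: inside the `if passwd --status` branch, `if [[ $PRIV_NAME = "rootless" ]]; then msg "..."; chown -R ...; fi` followed by `return 0`. Worth a line in the function's header comment as well: the unconditional `NOPASSWD: ALL` grant written to `/etc/sudoers.d/ci-rootless` (a context line here) is now also created during root-mode system-test runs, not only rootless ones. The remainder of `setup_rootless()` lies outside these hunks.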
@@ -177,19 +177,26 @@ esac
 # Required to be defined by caller: Are we testing as root or a regular user
 case "$PRIV_NAME" in
-    root) ;;
+    root)
+        if [[ "$TEST_FLAVOR" = "sys" ]]; then
+            # Used in local image-scp testing
+            setup_rootless
+            echo "PODMAN_ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
+        fi
+        ;;
     rootless)
         # load kernel modules since the rootless user has no permission to do so
         modprobe ip6_tables || :
         modprobe ip6table_nat || :
-        # Needs to exist for setup_rootless()
-        ROOTLESS_USER="${ROOTLESS_USER:-some${RANDOM}dude}"
-        echo "ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
         setup_rootless
         ;;
     *) die_unknown PRIV_NAME
 esac
+if [[ -n "$ROOTLESS_USER" ]]; then
+    echo "ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
+fi
+
 # Required to be defined by caller: Are we testing podman or podman-remote client
 # shellcheck disable=SC2154
 case "$PODBIN_NAME" in
@@ -98,6 +98,9 @@ if [[ -z "$CONTAINERS_HELPER_BINARY_DIR" ]]; then
     export CONTAINERS_HELPER_BINARY_DIR=$(pwd)/bin
 fi
+# Used in 120-load test to identify rootless destination for podman image scp
+export PODMAN_ROOTLESS_USER=$(id -un)
+
 # Root
 if [ -z "$ROOTLESS_ONLY" ]; then
     echo "# bats ${bats_filter[@]} $TESTS"
@@ -105,6 +108,7 @@ if [ -z "$ROOTLESS_ONLY" ]; then
          --preserve-env=PODMAN_TEST_DEBUG \
          --preserve-env=OCI_RUNTIME \
          --preserve-env=CONTAINERS_HELPER_BINARY_DIR \
+         --preserve-env=PODMAN_ROOTLESS_USER \
          bats "${bats_opts[@]}" "${bats_filter[@]}" $TESTS
     rc=$?
 fi
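Review bot: The new `if [[ -n "$ROOTLESS_USER" ]]` after `esac` reads a variable that, in the `root` arm, is assigned only when `TEST_FLAVOR` is `sys`; whether this script runs under `set -u` is not visible here, but if it does, every other root-mode flavor now aborts on an unset variable, and `if [[ -n "${ROOTLESS_USER:-}" ]]; then` is safe in both cases. Both `echo ... >> /etc/ci_environment` lines append, so if the script can be re-run on the same VM the file accumulates duplicate `ROOTLESS_USER=` and `PODMAN_ROOTLESS_USER=` entries, and the later sourced value silently wins; a short comment stating that the script is expected to run once per VM would settle that. The `root` arm also writes `PODMAN_ROOTLESS_USER=$ROOTLESS_USER` right after `setup_rootless`, so a failure inside that function that does not terminate the script records an unusable value. The rest of the `case` dispatch and the script's option handling lie outside the hunk.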
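Review bot: In the `hack/bats` hunk, `export PODMAN_ROOTLESS_USER=$(id -un)` names the invoking user as the non-root scp destination, but when `hack/bats` is itself launched as root the value is `root`, and the root-side branch of the 120-load test then targets `root@localhost::` — the same storage — so the cross-user transfer is no longer exercised. Guarding the export, `[[ $(id -u) -eq 0 ]] || export PODMAN_ROOTLESS_USER="$(id -un)"`, leaves the variable empty in that case and lets the test's own empty-value check skip with a clear message. Quoting the substitution also silences shellcheck on this line. The `sudo --preserve-env` invocation that the second `hack/bats` hunk extends starts outside the hunk.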
@@ -80,26 +80,94 @@ verify_iid_and_name() {
 @test "podman image scp transfer" {
     skip_if_remote "only applicable under local podman"
+    if is_ubuntu; then
+        skip "I don't have time to deal with this"
+    fi
-    skip "FIXME FIXME FIXME: this needs a big rewrite"
-
-    get_iid_and_name
+    # The testing is the same whether we're root or rootless; all that
+    # differs is the destination (not-me) username.
     if is_rootless; then
+        # Simple: push to root.
         whoami=$(id -un)
-        # FIXME: first, test that we can sudo. If we can't, skip.
-        # FIXME: test 'scp $IMAGE root@localhost::'
-        # FIXME: then test the rest
-        # FIXME: check output
-        run_podman image scp $whoami@localhost::$iid root@localhost::
-        is "$output" "Loaded image.*: $iid" "...."
-
-        # FIXME: "-q" is a NOP
-        run_podman image scp -q $whoami@localhost::$iid root@localhost::
+        notme=root
+        _sudo() { command sudo -n "$@"; }
     else
-        # root
-        # FIXME: identify a rootless user. DO NOT CREATE ONE.
-        run_podman image scp root@localhost::$iid 1000:1000@localhost::
+        # Harder: our CI infrastructure needs to define this & set up the acct
+        whoami=root
+        notme=${PODMAN_ROOTLESS_USER}
+        if [[ -z "$notme" ]]; then
+            skip "To run this test, set PODMAN_ROOTLESS_USER to a safe username"
+        fi
+        _sudo() { command sudo -n -u "$notme" "$@"; }
     fi
+
+    # If we can't sudo, we can't test.
+    _sudo true || skip "cannot sudo to $notme"
+
+    # FIXME FIXME FIXME: it'd be reeeeeeally nice if we could pass --root
+    # to the non-self user, hence avoid vandalizing
+    # their storage.
+
+    # Preserve digest of original image; we will compare against it later
+    run_podman image inspect --format '{{.Digest}}' $IMAGE
+    src_digest=$output
+
+    # image name that is not likely to exist in the destination
+    newname=foo.bar/nonesuch/c_$(random_string 10 | tr A-Z a-z):mytag
+    run_podman tag $IMAGE $newname
+
+    # Copy it there.
+    # FIXME: the first '.*' in the expect string below is unfortunate; it's
+    # a workaround for Ubuntu which gripes:
+    # "warning.*defaulting to su since machinectl is not available"
+    # Reexamine this once #12829 is fixed
+    run_podman image scp $newname ${notme}@localhost::
+    is "$output" ".*Copying blob .*Copying config.*Writing manifest.*Storing signatures"
+
+    # confirm that image was copied. FIXME: also try $PODMAN image inspect?
+    _sudo $PODMAN image exists $newname
+
+    # Copy it back, this time using -q
+    run_podman untag $IMAGE $newname
+    run_podman image scp -q ${notme}@localhost::$newname
+
+    expect="Loaded image(s): $newname"
+    # FIXME FIXME FIXME: ubuntu has no machinectl, emits useless warning message instead
+    if ! is_rootless; then
+        # FIXME: root on fedora uses machinectl, which emits useless \n and \r (#12829)
+        NL=$'\n'
+        CR=$'\r'
+        expect="$NL$expect$CR"
+    fi
+    is "$output" "$expect" "-q silences output"
+
+    # Confirm that we have it, and that its digest matches our original
+    run_podman image inspect --format '{{.Digest}}' $newname
+    is "$output" "$src_digest" "Digest of re-fetched image matches original"
+
+    # Clean up
+    _sudo $PODMAN image rm $newname
+    run_podman untag $IMAGE $newname
+
+    # Negative test for nonexistent image.
+    # FIXME FIXME: cannot test on root, because it uses machinectl (#12829)
+    if is_rootless; then
+        # FIXME: error message is 2 lines, the 2nd being "exit status 125".
+        # FIXME: is that fixable, or do we have to live with it?
+ nope="nope.nope/nonesuch:notag" + run_podman 125 image scp ${notme}@localhost::$nope + is "$output" "Error: $nope: image not known.*" "Pulling nonexistent image" + + run_podman 125 image scp $nope ${notme}@localhost:: + is "$output" "Error: $nope: image not known.*" "Pushing nonexistent image" + fi + + # Negative test for copying to a different name + run_podman 125 image scp $IMAGE ${notme}@localhost::newname:newtag + is "$output" "Error: cannot specify an image rename: invalid argument" \ + "Pushing with a different name: not allowed" + + # FIXME: any point in copying by image ID? What else should we test? } diff --git a/test/system/272-system-connection.bats b/test/system/272-system-connection.bats index 4e9ac4dd6..7b70f60f4 100644 --- a/test/system/272-system-connection.bats +++ b/test/system/272-system-connection.bats @@ -124,10 +124,14 @@ $c2[ ]\+tcp://localhost:54321[ ]\+true" \ # If we have ssh access to localhost (unlikely in CI), test that. @test "podman system connection - ssh" { - rand=$(random_string 20) - echo $rand >$PODMAN_TMPDIR/testfile + # system connection only really works if we have an agent + run ssh-add -l + test "$status" -eq 0 || skip "Not running under ssh-agent" + test "${#lines[@]}" -ge 1 || skip "ssh agent has no identities" # Can we actually ssh to localhost? + rand=$(random_string 20) + echo $rand >$PODMAN_TMPDIR/testfile run ssh -q -o BatchMode=yes \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyChecking=no \ |
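Review bot: Clean-up of the image copied into the other user's storage (`_sudo $PODMAN image rm $newname`) runs only if every preceding `is` assertion passes; a failure in the `-q silences output` check, for instance, ends the test with `$newname` left behind in `$notme`'s store, which is precisely the storage-vandalizing the FIXME above it worries about. Recording the name before the first `run_podman image scp` and removing it from the file's `teardown()` (not visible here) with `_sudo $PODMAN image rm $newname || true` would make the test self-cleaning on any exit path. The Ubuntu skip reason `"I don't have time to deal with this"` gives a later reader nothing to act on; if the cause is the machinectl warning the hunk already cites, `skip "machinectl output breaks expectations (#12829)"` says so. The hunk runs over several physical lines and the enclosing `@test` closes at the `}` shown at its end.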
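Review bot: In the 272-system-connection.bats hunk the two new `skip` checks cannot both take effect as written: `ssh-add -l` exits 0 only after listing at least one identity, so once `$status` is 0 the `${#lines[@]} -ge 1` test is always satisfied, while the no-identities case (exit 1, "The agent has no identities.") is misreported as "Not running under ssh-agent" (exit 2 is the no-agent case). Distinguish the codes instead: `test "$status" -ne 2 || skip "Not running under ssh-agent"` followed by `test "$status" -eq 0 || skip "ssh agent has no identities"`. The moved `echo $rand >$PODMAN_TMPDIR/testfile` is pre-existing, but `printf '%s\n' "$rand" >"$PODMAN_TMPDIR/testfile"` is the idiomatic, quoted form. The `@test` body continues past the hunk.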