From 1298f19773574963b9ce5ba7ca3b1637d1a07ef6 Mon Sep 17 00:00:00 2001
From: Ed Santiago <santiago@redhat.com>
Date: Mon, 23 Dec 2019 05:43:08 -0700
Subject: more BATS tests

- run: --name (includes 'podman container exists' tests)
- run: --pull (always, never, missing)
- build: new test for ADD URL (#4420)
- exec: new test for issue #4785 (pipe getting lost)
- diff: new test
- selinux (mostly copied from docker-autotest)

Plus a bug fix: the wait_for_output() helper would continue
checking, eventually timing out, even if the container had
already exited (probably because of an error). Fix: as
part of the loop, run 'podman inspect' and bail out if
container is not running. Include exit code and logs.

Signed-off-by: Ed Santiago <santiago@redhat.com>
---
 test/system/030-run.bats     | 51 ++++++++++++++++++++++++++++++++++
 test/system/070-build.bats   | 21 +++++++++++++-
 test/system/075-exec.bats    | 16 +++++++++++
 test/system/140-diff.bats    | 28 +++++++++++++++++++
 test/system/410-selinux.bats | 66 ++++++++++++++++++++++++++++++++++++++++++++
 test/system/helpers.bash     | 14 ++++++++--
 6 files changed, 193 insertions(+), 3 deletions(-)
 create mode 100644 test/system/140-diff.bats
 create mode 100644 test/system/410-selinux.bats

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 7cbb60501..f1e9776c1 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -85,4 +85,55 @@ echo $rand        |   0 | $rand
     run_podman 1 run --rm $IMAGE sh -c /bin/false
 }
 
+@test "podman run --name" {
+    randomname=$(random_string 30)
+
+    # Assume that 4 seconds gives us enough time for 3 quick tests (or at
+    # least for the 'ps'; the 'container exists' should pass even in the
+    # unlikely case that the container exits before we get to them)
+    run_podman run -d --name $randomname $IMAGE sleep 4
+    cid=$output
+
+    run_podman ps --format '{{.Names}}--{{.ID}}'
+    is "$output" "$randomname--${cid:0:12}"
+
+    run_podman container exists $randomname
+    run_podman container exists $cid
+
+    # Done with live-container tests; now let's test after container finishes
+    run_podman wait $cid
+
+    # Container still exists even after stopping:
+    run_podman container exists $randomname
+    run_podman container exists $cid
+
+    # ...but not after being removed:
+    run_podman rm $cid
+    run_podman 1 container exists $randomname
+    run_podman 1 container exists $cid
+}
+
+@test "podman run --pull" {
+    skip_if_remote "podman-remote does not emit 'Trying to pull' msgs"
+
+    run_podman run --pull=missing $IMAGE true
+    is "$output" "" "--pull=missing [present]: no output"
+
+    run_podman run --pull=never $IMAGE true
+    is "$output" "" "--pull=never [present]: no output"
+
+    # Now test with busybox, which we don't have present
+    run_podman 125 run --pull=never busybox true
+    is "$output" "Error: unable to find a name and tag match for busybox in repotags: no such image" "--pull=never [busybox/missing]: error"
+
+    run_podman run --pull=missing busybox true
+    is "$output" "Trying to pull .*" "--pull=missing [busybox/missing]: fetches"
+
+    run_podman run --pull=always busybox true
+    is "$output" "Trying to pull .*" "--pull=always [busybox/present]: fetches"
+
+    run_podman rm -a
+    run_podman rmi busybox
+}
+
 # vim: filetype=sh
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 7c39da72c..fd4ce03fc 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -40,7 +40,7 @@ EOF
 
     # Make an empty test directory, with a subdirectory used for tar
     tmpdir=$PODMAN_TMPDIR/build-test
-    run mkdir -p $tmpdir/subtest || die "Could not mkdir $tmpdir/subtest"
+    mkdir -p $tmpdir/subtest || die "Could not mkdir $tmpdir/subtest"
 
     echo "This is the ORIGINAL file" > $tmpdir/subtest/myfile1
     run tar -C $tmpdir -cJf $tmpdir/myfile.tar.xz subtest
@@ -80,6 +80,25 @@ EOF
     run_podman rmi -f build_test $iid
 }
 
+@test "podman build - URLs" {
+    tmpdir=$PODMAN_TMPDIR/build-test
+    mkdir -p $tmpdir
+
+    cat >$tmpdir/Dockerfile <<EOF
+FROM $IMAGE
+ADD https://github.com/containers/libpod/blob/master/README.md /tmp/
+EOF
+    run_podman build -t add_url $tmpdir
+    run_podman run --rm add_url stat /tmp/README.md
+    run_podman rmi -f add_url
+
+    # Now test COPY. That should fail.
+    sed -i -e 's/ADD/COPY/' $tmpdir/Dockerfile
+    run_podman 125 build -t copy_url $tmpdir
+    is "$output" ".*error building at STEP .*: source can't be a URL for COPY"
+}
+
+
 function teardown() {
     # A timeout or other error in 'build' can leave behind stale images
     # that podman can't even see and which will cascade into subsequent
diff --git a/test/system/075-exec.bats b/test/system/075-exec.bats
index 472fdd1ab..36e9d57ec 100644
--- a/test/system/075-exec.bats
+++ b/test/system/075-exec.bats
@@ -49,4 +49,20 @@ load helpers
     run_podman rm -f $cid
 }
 
+# Issue #4785 - piping to exec statement - fixed in #4818
+@test "podman exec - cat from stdin" {
+    skip_if_remote
+
+    run_podman run -d $IMAGE sh -c 'while [ ! -e /stop ]; do sleep 0.1;done'
+    cid="$output"
+
+    echo_string=$(random_string 20)
+    run_podman exec -i $cid cat < <(echo $echo_string)
+    is "$output" "$echo_string" "output read back from 'exec cat'"
+
+    run_podman exec $cid touch /stop
+    run_podman wait $cid
+    run_podman rm $cid
+}
+
 # vim: filetype=sh
diff --git a/test/system/140-diff.bats b/test/system/140-diff.bats
new file mode 100644
index 000000000..9f4a2c0de
--- /dev/null
+++ b/test/system/140-diff.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats   -*- bats -*-
+#
+# Tests for podman diff
+#
+
+load helpers
+
+@test "podman diff" {
+    rand_file=$(random_string 10)
+    run_podman run $IMAGE sh -c "touch /$rand_file;rm /etc/services"
+    run_podman diff --format json -l
+
+    # Expected results for each type of diff
+    declare -A expect=(
+        [added]="/$rand_file"
+        [changed]="/etc"
+        [deleted]="/etc/services"
+    )
+
+    for field in ${!expect[@]}; do
+        result=$(jq -r -c ".${field}[]" <<<"$output")
+        is "$result" "${expect[$field]}" "$field"
+    done
+
+    run_podman rm -l
+}
+
+# vim: filetype=sh
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
new file mode 100644
index 000000000..8a0477eff
--- /dev/null
+++ b/test/system/410-selinux.bats
@@ -0,0 +1,66 @@
+#!/usr/bin/env bats   -*- bats -*-
+#
+# 410-selinux - podman selinux tests
+#
+
+load helpers
+
+
+function check_label() {
+    if [ ! -e /usr/sbin/selinuxenabled ] || ! /usr/sbin/selinuxenabled; then
+        skip "selinux disabled or not available"
+    fi
+
+    local args="$1"; shift        # command-line args for run
+
+    # FIXME: it'd be nice to specify the command to run, e.g. 'ls -dZ /',
+    # but alpine ls (from busybox) doesn't support -Z
+    run_podman run --rm $args $IMAGE cat -v /proc/self/attr/current
+
+    # FIXME: on some CI systems, 'run --privileged' emits a spurious
+    # warning line about dup devices. Ignore it.
+    local context="$output"
+    if [ ${#lines[@]} -gt 1 ]; then
+        if expr "${lines[0]}" : "WARNING: .* type, major" >/dev/null; then
+            echo "# ${lines[0]} [ignored]" >&3
+            context="${lines[1]}"
+        else
+            die "FAILED: too much output, expected one single line"
+        fi
+    fi
+
+    is "$context" ".*_u:system_r:.*" "SELinux role should always be system_r"
+
+    # e.g. system_u:system_r:container_t:s0:c45,c745 -> "container_t"
+    type=$(cut -d: -f3 <<<"$context")
+    is "$type" "$1" "SELinux type"
+
+    if [ -n "$2" ]; then
+        # e.g. from the above example -> "s0:c45,c745"
+        range=$(cut -d: -f4,5 <<<"$context")
+        is "$range" "$2" "SELinux range"
+    fi
+}
+
+
+@test "podman selinux: confined container" {
+    check_label "" "container_t"
+}
+
+@test "podman selinux: container with label=disable" {
+    skip_if_rootless
+
+    check_label "--security-opt label=disable" "spc_t"
+}
+
+@test "podman selinux: privileged container" {
+    skip_if_rootless
+
+    check_label "--privileged --userns=host" "spc_t"
+}
+
+@test "podman selinux: container with overridden range" {
+    check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
+}
+
+# vim: filetype=sh
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 940f3f426..2e856930e 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -192,15 +192,24 @@ function wait_for_output {
         fi
     done
 
-    [ -n "$cid" ] || die "FATAL: wait_for_ready: no container name/ID in '$*'"
+    [ -n "$cid" ] || die "FATAL: wait_for_output: no container name/ID in '$*'"
 
     t1=$(expr $SECONDS + $how_long)
     while [ $SECONDS -lt $t1 ]; do
         run_podman logs $cid
-        if expr "$output" : ".*$expect" >/dev/null; then
+        logs=$output
+        if expr "$logs" : ".*$expect" >/dev/null; then
             return
         fi
 
+        # Barf if container is not running
+        run_podman inspect --format '{{.State.Running}}' $cid
+        if [ $output != "true" ]; then
+            run_podman inspect --format '{{.State.ExitCode}}' $cid
+            exitcode=$output
+            die "Container exited (status: $exitcode) before we saw '$expect': $logs"
+        fi
+
         sleep $sleep_delay
     done
 
@@ -258,6 +267,7 @@ function skip_if_not_systemd() {
 #  die  #  Abort with helpful message
 #########
 function die() {
+    # FIXME: handle multi-line output
     echo "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"  >&2
     echo "#| FAIL: $*"                                           >&2
     echo "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" >&2
-- 
cgit v1.2.3-54-g00ecf