From 2c500a8145854c5f566bf76199d2a27226925b60 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 2 Mar 2021 14:57:46 -0500
Subject: Add support for podman build --ignorefile

Fixes: https://github.com/containers/podman/issues/9570

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 cmd/podman/images/build.go | 24 +++++++++++++++
 test/system/070-build.bats | 76 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)

diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go
index de532ed78..78cf4efd0 100644
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -2,6 +2,7 @@ package images
 
 import (
 	"io"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -512,6 +513,14 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		TransientMounts:         flags.Volumes,
 	}
 
+	if flags.IgnoreFile != "" {
+		excludes, err := parseDockerignore(flags.IgnoreFile)
+		if err != nil {
+			return nil, errors.Wrapf(err, "unable to obtain decrypt config")
+		}
+		opts.Excludes = excludes
+	}
+
 	if c.Flag("timestamp").Changed {
 		timestamp := time.Unix(flags.Timestamp, 0).UTC()
 		opts.Timestamp = &timestamp
@@ -534,3 +543,18 @@ func getDecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error)
 
 	return decConfig, nil
 }
+
+func parseDockerignore(ignoreFile string) ([]string, error) {
+	excludes := []string{}
+	ignore, err := ioutil.ReadFile(ignoreFile)
+	if err != nil {
+		return excludes, err
+	}
+	for _, e := range strings.Split(string(ignore), "\n") {
+		if len(e) == 0 || e[0] == '#' {
+			continue
+		}
+		excludes = append(excludes, e)
+	}
+	return excludes, nil
+}
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 1e7d366a1..a9f97d5ab 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -362,6 +362,82 @@ Labels.$label_name | $label_value
     run_podman rmi -f build_test
 }
 
+@test "podman build - COPY with ignore" {
+    local tmpdir=$PODMAN_TMPDIR/build-test-$(random_string 10)
+    mkdir -p $tmpdir/subdir
+
+    # Create a bunch of files. Declare this as an array to avoid duplication
+    # because we iterate over that list below, checking for each file.
+    # A leading "-" indicates that the file SHOULD NOT exist in the built image
+    local -a files=(
+        -test1 -test1.txt
+         test2  test2.txt
+         subdir/sub1  subdir/sub1.txt
+         -subdir/sub2 -subdir/sub2.txt
+         this-file-does-not-match-anything-in-ignore-file
+         comment
+    )
+    for f in ${files[@]}; do
+        # The magic '##-' strips off the '-' prefix
+        echo "$f" > $tmpdir/${f##-}
+    done
+
+    # Directory that doesn't exist in the image; COPY should create it
+    local newdir=/newdir-$(random_string 12)
+    cat >$tmpdir/Containerfile <<EOF
+FROM $IMAGE
+COPY ./ $newdir/
+EOF
+
+    # Run twice: first with a custom --ignorefile, then with a default one.
+    # This ordering is deliberate: if we were to run with .dockerignore
+    # first, and forget to rm it, and then run with --ignorefile, _and_
+    # there was a bug in podman where --ignorefile was a NOP (eg #9570),
+    # the test might pass because of the existence of .dockerfile.
+    for ignorefile in ignoreme-$(random_string 5) .dockerignore; do
+        # Patterns to ignore. Mostly copied from buildah/tests/bud/dockerignore
+        cat >$tmpdir/$ignorefile <<EOF
+# comment
+test*
+!test2*
+subdir
+!*/sub1*
+EOF
+
+        # Build an image. For .dockerignore
+        local -a ignoreflag
+	unset ignoreflag
+        if [[ $ignorefile != ".dockerignore" ]]; then
+            ignoreflag="--ignorefile $tmpdir/$ignorefile"
+        fi
+        run_podman build -t build_test ${ignoreflag} $tmpdir
+
+        # Delete the ignore file! Otherwise, in the next iteration of the loop,
+        # we could end up with an existing .dockerignore that invisibly
+        # takes precedence over --ignorefile
+        rm -f $tmpdir/$ignorefile
+
+        # It would be much more readable, and probably safer, to iterate
+        # over each file, running 'podman run ... ls -l $f'. But each podman run
+        # takes a second or so, and we are mindful of each second.
+        run_podman run --rm build_test find $newdir -type f
+        for f in ${files[@]}; do
+            if [[ $f =~ ^- ]]; then
+                f=${f##-}
+                if [[ $output =~ $f ]]; then
+                    die "File '$f' found in image; it should have been ignored via $ignorefile"
+                fi
+            else
+                is "$output" ".*$newdir/$f" \
+                   "File '$f' should exist in container (no match in $ignorefile)"
+            fi
+        done
+
+        # Clean up
+        run_podman rmi -f build_test
+    done
+}
+
 @test "podman build - stdin test" {
     # Random workdir, and random string to verify build output
     workdir=/$(random_string 10)
-- 
cgit v1.2.3-54-g00ecf