From 409d07a18154b5bfedfc61498a8060fc6e9a3b52 Mon Sep 17 00:00:00 2001
From: Ed Santiago <santiago@redhat.com>
Date: Mon, 27 Jul 2020 15:15:15 -0600
Subject: System tests: add environment, volume tests

Tests for #7094, in which symlinks in a volume would
cause chown errors and nonrunnable containers.

Tests for environment variable precedence, now
include --env-host and proxy settings

Fix a bug caught by covscan in helpers.t ('source'
path would fail if path included spaces).

Fix podman-run man page: it was incorrect in stating
precedence between in-image environment and --env-host.

Fixes: #7099

Signed-off-by: Ed Santiago <santiago@redhat.com>
---
 docs/source/markdown/podman-run.1.md |  4 +-
 test/system/070-build.bats           | 74 +++++++++++++++++++++++++++++++-----
 test/system/helpers.t                |  2 +-
 3 files changed, 68 insertions(+), 12 deletions(-)

diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index b959b947f..4fdb7f81b 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1411,9 +1411,9 @@ required for VPN, without it containers need to be run with the **--network=host
 Environment variables within containers can be set using multiple different options,
 in the following order of precedence (later entries override earlier entries):
 
-- **--env-host**: Host environment of the process executing Podman is added.
-- **--http-proxy**: By default, several environment variables will be passed in from the host, such as **http_proxy** and **no_proxy**. See **--http-proxy** for details.
 - Container image: Any environment variables specified in the container image.
+- **--http-proxy**: By default, several environment variables will be passed in from the host, such as **http_proxy** and **no_proxy**. See **--http-proxy** for details.
+- **--env-host**: Host environment of the process executing Podman is added.
 - **--env-file**: Any environment variables specified via env-files.  If multiple files specified, then they override each other in order of entry.
 - **--env**: Any environment variables specified will override previous settings.
 
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 84d3adec1..accdc9315 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -109,6 +109,7 @@ EOF
     s_env1=$(random_string 20)
     s_env2=$(random_string 25)
     s_env3=$(random_string 30)
+    s_env4=$(random_string 40)
 
     # Label name: make sure it begins with a letter! jq barfs if you
     # try to ask it for '.foo.<N>xyz', i.e. any string beginning with digit
@@ -118,11 +119,17 @@ EOF
     # Command to run on container startup with no args
     cat >$tmpdir/mycmd <<EOF
 #!/bin/sh
+PATH=/usr/bin:/bin
 pwd
 echo "\$1"
-echo "\$MYENV1"
-echo "\$MYENV2"
-echo "\$MYENV3"
+printenv | grep MYENV | sort | sed -e 's/^MYENV.=//'
+EOF
+
+    # For overridding with --env-file
+    cat >$PODMAN_TMPDIR/env-file <<EOF
+MYENV3=$s_env3
+http_proxy=http-proxy-in-env-file
+https_proxy=https-proxy-in-env-file
 EOF
 
     cat >$tmpdir/Containerfile <<EOF
@@ -130,11 +137,25 @@ FROM $IMAGE
 LABEL $label_name=$label_value
 RUN mkdir $workdir
 WORKDIR $workdir
+
+# Test for #7094 - chowning of invalid symlinks
+RUN mkdir -p /a/b/c
+RUN ln -s /no/such/nonesuch /a/b/c/badsymlink
+RUN ln -s /bin/mydefaultcmd /a/b/c/goodsymlink
+RUN touch /a/b/c/myfile
+RUN chown -h 1:2 /a/b/c/badsymlink /a/b/c/goodsymlink /a/b/c/myfile
+VOLUME /a/b/c
+
+# Test for environment passing and override
 ENV MYENV1=$s_env1
-ENV MYENV2 $s_env2
-ENV MYENV3 this-should-be-overridden
+ENV MYENV2 this-should-be-overridden-by-env-host
+ENV MYENV3 this-should-be-overridden-by-env-file
+ENV MYENV4 this-should-be-overridden-by-cmdline
+ENV http_proxy http-proxy-in-image
+ENV ftp_proxy  ftp-proxy-in-image
 ADD mycmd /bin/mydefaultcmd
 RUN chmod 755 /bin/mydefaultcmd
+RUN chown 2:3 /bin/mydefaultcmd
 CMD ["/bin/mydefaultcmd","$s_echo"]
 EOF
 
@@ -143,12 +164,28 @@ EOF
     run_podman build -t build_test -f build-test/Containerfile build-test
 
     # Run without args - should run the above script. Verify its output.
-    run_podman run --rm -e MYENV3="$s_env3" build_test
+    export MYENV2="$s_env2"
+    export MYENV3="env-file-should-override-env-host!"
+    run_podman run --rm \
+               --env-file=$PODMAN_TMPDIR/env-file \
+               --env-host \
+               -e MYENV4="$s_env4" \
+               build_test
     is "${lines[0]}" "$workdir" "container default command: pwd"
     is "${lines[1]}" "$s_echo"  "container default command: output from echo"
     is "${lines[2]}" "$s_env1"  "container default command: env1"
     is "${lines[3]}" "$s_env2"  "container default command: env2"
-    is "${lines[4]}" "$s_env3"  "container default command: env3 (from cmdline)"
+    is "${lines[4]}" "$s_env3"  "container default command: env3 (from envfile)"
+    is "${lines[5]}" "$s_env4"  "container default command: env4 (from cmdline)"
+
+    # Proxies - environment should override container, but not env-file
+    http_proxy=http-proxy-from-env  ftp_proxy=ftp-proxy-from-env \
+              run_podman run --rm --env-file=$PODMAN_TMPDIR/env-file \
+              build_test \
+              printenv http_proxy https_proxy ftp_proxy
+    is "${lines[0]}" "http-proxy-in-env-file"  "env-file overrides env"
+    is "${lines[1]}" "https-proxy-in-env-file" "env-file sets proxy var"
+    is "${lines[2]}" "ftp-proxy-from-env"      "ftp-proxy is passed through"
 
     # test that workdir is set for command-line commands also
     run_podman run --rm build_test pwd
@@ -159,8 +196,9 @@ EOF
     run_podman image inspect build_test
     tests="
 Env[1]             | MYENV1=$s_env1
-Env[2]             | MYENV2=$s_env2
-Env[3]             | MYENV3=this-should-be-overridden
+Env[2]             | MYENV2=this-should-be-overridden-by-env-host
+Env[3]             | MYENV3=this-should-be-overridden-by-env-file
+Env[4]             | MYENV4=this-should-be-overridden-by-cmdline
 Cmd[0]             | /bin/mydefaultcmd
 Cmd[1]             | $s_echo
 WorkingDir         | $workdir
@@ -173,6 +211,24 @@ Labels.$label_name | $label_value
         is "$actual" "$expect" "jq .Config.$field"
     done
 
+    # Bad symlink in volume. Prior to #7094, well, we wouldn't actually
+    # get here because any 'podman run' on a volume that had symlinks,
+    # be they dangling or valid, would barf with
+    #    Error: chown <mountpath>/_data/symlink: ENOENT
+    run_podman run --rm build_test stat -c'%u:%g:%N' /a/b/c/badsymlink
+    is "$output" "0:0:'/a/b/c/badsymlink' -> '/no/such/nonesuch'" \
+       "bad symlink to nonexistent file is chowned and preserved"
+
+    run_podman run --rm build_test stat -c'%u:%g:%N' /a/b/c/goodsymlink
+    is "$output" "0:0:'/a/b/c/goodsymlink' -> '/bin/mydefaultcmd'" \
+       "good symlink to existing file is chowned and preserved"
+
+    run_podman run --rm build_test stat -c'%u:%g' /bin/mydefaultcmd
+    is "$output" "2:3" "target of symlink is not chowned"
+
+    run_podman run --rm build_test stat -c'%u:%g:%N' /a/b/c/myfile
+    is "$output" "0:0:/a/b/c/myfile" "file in volume is chowned to root"
+
     # Clean up
     run_podman rmi -f build_test
 }
diff --git a/test/system/helpers.t b/test/system/helpers.t
index a022f11c4..bee09505c 100755
--- a/test/system/helpers.t
+++ b/test/system/helpers.t
@@ -6,7 +6,7 @@
 # anything if we have to mess with them.
 #
 
-source $(dirname $0)/helpers.bash
+source "$(dirname $0)"/helpers.bash
 
 die() {
     echo "$(basename $0): $*" >&2
-- 
cgit v1.2.3-54-g00ecf