podman-compose/tests/integration/test_podman_compose_build_secrets.py

# SPDX-License-Identifier: GPL-2.0


"""Test how secrets in files are passed to podman."""

import os
import subprocess
import unittest

from tests.integration.test_podman_compose import podman_compose_path
from tests.integration.test_podman_compose import test_path


def compose_yaml_path():
    """ "Returns the path to the compose file used for this test module"""
    return os.path.join(test_path(), "build_secrets")


class TestComposeBuildSecrets(unittest.TestCase):
    def test_run_secret(self):
        """podman run should receive file secrets as --volume

        See build_secrets/docker-compose.yaml for secret names and mount points (aka targets)

        """
        cmd = (
            "coverage",
            "run",
            podman_compose_path(),
            "--dry-run",
            "--verbose",
            "-f",
            os.path.join(compose_yaml_path(), "docker-compose.yaml"),
            "run",
            "test",
        )
        p = subprocess.run(
            cmd, stdout=subprocess.PIPE, check=False, stderr=subprocess.STDOUT, text=True
        )
        self.assertEqual(p.returncode, 0)
        secret_path = os.path.join(compose_yaml_path(), "my_secret")
        self.assertIn(f"--volume {secret_path}:/run/secrets/run_secret:ro,rprivate,rbind", p.stdout)
        self.assertIn(f"--volume {secret_path}:/tmp/run_secret2:ro,rprivate,rbind", p.stdout)

    def test_build_secret(self):
        """podman build should receive secrets as --secret, so that they can be used inside the
        Dockerfile in "RUN --mount=type=secret ..." commands.

        """
        cmd = (
            "coverage",
            "run",
            podman_compose_path(),
            "--dry-run",
            "--verbose",
            "-f",
            os.path.join(compose_yaml_path(), "docker-compose.yaml"),
            "build",
        )
        p = subprocess.run(
            cmd, stdout=subprocess.PIPE, check=False, stderr=subprocess.STDOUT, text=True
        )
        self.assertEqual(p.returncode, 0)
        secret_path = os.path.join(compose_yaml_path(), "my_secret")
        self.assertIn(f"--secret id=build_secret,src={secret_path}", p.stdout)
        self.assertIn(f"--secret id=build_secret2,src={secret_path}", p.stdout)

    def test_invalid_build_secret(self):
        """build secrets in docker-compose file can only have a target argument without directory
        component

        """
        cmd = (
            "coverage",
            "run",
            podman_compose_path(),
            "--dry-run",
            "--verbose",
            "-f",
            os.path.join(compose_yaml_path(), "docker-compose.yaml.invalid"),
            "build",
        )
        p = subprocess.run(
            cmd, stdout=subprocess.PIPE, check=False, stderr=subprocess.STDOUT, text=True
        )
        self.assertNotEqual(p.returncode, 0)
        self.assertIn(
            'ValueError: ERROR: Build secret "build_secret" has invalid target "/build_secret"',
            p.stdout,
        )