manifest inspect: support authentication

Previous tests have worked by pure chance since the client and server ran on the same host; the server picked up the credentials created by the client login. Extend the gating tests and add a new integration test which is further capable of exercising the remote code. Note that fixing authentication support requires adding a new `--authfile` CLi flag to `manifest inspect`. This will at least allow for passing an authfile to be bindings. Username and password are not yet supported. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2025-06-22 18:08:11 +08:00 · 2023-07-10 10:52:01 +02:00
parent 7cd1fb77f9
commit a69194b02f
13 changed files with 135 additions and 41 deletions
--- a/test/e2e/login_logout_test.go
+++ b/test/e2e/login_logout_test.go
@ -190,6 +190,44 @@ var _ = Describe("Podman login and logout", func() {
 		Expect(session).Should(Exit(0))
 	})

+	It("podman manifest with --authfile", func() {
+		os.Unsetenv("REGISTRY_AUTH_FILE")
+
+		authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+		session := podmanTest.Podman([]string{"login", "--username", "podmantest", "--password", "test", "--authfile", authFile, server})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		readAuthInfo(authFile)
+
+		session = podmanTest.Podman([]string{"manifest", "create", testImg})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"manifest", "push", testImg})
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError())
+		Expect(session.ErrorToString()).To(ContainSubstring(": authentication required"))
+
+		session = podmanTest.Podman([]string{"manifest", "push", "--authfile", authFile, testImg})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		// Now remove the local manifest to trigger remote inspection
+		session = podmanTest.Podman([]string{"manifest", "rm", testImg})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"manifest", "inspect", testImg})
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError())
+		Expect(session.ErrorToString()).To(ContainSubstring(": authentication required"))
+
+		session = podmanTest.Podman([]string{"manifest", "inspect", "--authfile", authFile, testImg})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+	})
+
 	It("podman login and logout with --tls-verify", func() {
 		session := podmanTest.Podman([]string{"login", "--username", "podmantest", "--password", "test", "--tls-verify=false", server})
 		session.WaitWithDefaultTimeout()
--- a/test/system/012-manifest.bats
+++ b/test/system/012-manifest.bats
@ -1,6 +1,8 @@
 #!/usr/bin/env bats

 load helpers
+load helpers.network
+load helpers.registry

 # Regression test for #8931
@test "podman images - bare manifest list" {
@ -20,4 +22,38 @@ load helpers
    run_podman rmi test:1.0
 }

+@test "podman manifest --tls-verify and --authfile" {
+    skip_if_remote "running a local registry doesn't work with podman-remote"
+    start_registry
+    authfile=${PODMAN_LOGIN_WORKDIR}/auth-$(random_string 10).json
+    run_podman login --tls-verify=false \
+               --username ${PODMAN_LOGIN_USER} \
+               --password-stdin \
+               --authfile=$authfile \
+               localhost:${PODMAN_LOGIN_REGISTRY_PORT} <<<"${PODMAN_LOGIN_PASS}"
+    is "$output" "Login Succeeded!" "output from podman login"
+
+    manifest1="localhost:${PODMAN_LOGIN_REGISTRY_PORT}/test:1.0"
+    run_podman manifest create $manifest1
+    mid=$output
+    run_podman manifest push --authfile=$authfile \
+        --tls-verify=false $mid \
+        $manifest1
+    run_podman manifest rm $manifest1
+
+    # Default is to require TLS; also test explicit opts
+    for opt in '' '--insecure=false' '--tls-verify=true' "--authfile=$authfile"; do
+        run_podman 125 manifest inspect $opt $manifest1
+        assert "$output" =~ "Error: reading image \"docker://$manifest1\": pinging container registry localhost:${PODMAN_LOGIN_REGISTRY_PORT}:.*x509" \
+               "TLE check: fails (as expected) with ${opt:-default}"
+    done
+
+    run_podman manifest inspect --authfile=$authfile --tls-verify=false $manifest1
+    is "$output" ".*\"mediaType\": \"application/vnd.docker.distribution.manifest.list.v2+json\"" "Verify --tls-verify=false --authfile works against an insecure registry"
+    run_podman manifest inspect --authfile=$authfile --insecure $manifest1
+    is "$output" ".*\"mediaType\": \"application/vnd.docker.distribution.manifest.list.v2+json\"" "Verify --insecure --authfile works against an insecure registry"
+    REGISTRY_AUTH_FILE=$authfile run_podman manifest inspect --tls-verify=false $manifest1
+    is "$output" ".*\"mediaType\": \"application/vnd.docker.distribution.manifest.list.v2+json\"" "Verify --tls-verify=false with REGISTRY_AUTH_FILE works against an insecure registry"
+}
+
 # vim: filetype=sh
--- a/test/system/150-login.bats
+++ b/test/system/150-login.bats
@ -241,35 +241,6 @@ function _test_skopeo_credential_sharing() {
    rm -f $authfile
 }

-@test "podman manifest --tls-verify - basic test" {
-    run_podman login --tls-verify=false \
-               --username ${PODMAN_LOGIN_USER} \
-               --password-stdin \
-               localhost:${PODMAN_LOGIN_REGISTRY_PORT} <<<"${PODMAN_LOGIN_PASS}"
-    is "$output" "Login Succeeded!" "output from podman login"
-
-    manifest1="localhost:${PODMAN_LOGIN_REGISTRY_PORT}/test:1.0"
-    run_podman manifest create $manifest1
-    mid=$output
-    run_podman manifest push --authfile=$authfile \
-        --tls-verify=false $mid \
-        $manifest1
-    run_podman manifest rm $manifest1
-    run_podman manifest inspect --insecure $manifest1
-    is "$output" ".*\"mediaType\": \"application/vnd.docker.distribution.manifest.list.v2+json\"" "Verify --insecure works against an insecure registry"
-    run_podman 125 manifest inspect --insecure=false $manifest1
-    is "$output" ".*Error: reading image \"docker://$manifest1\": pinging container registry localhost:${PODMAN_LOGIN_REGISTRY_PORT}:" "Verify --insecure=false fails"
-    run_podman manifest inspect --tls-verify=false $manifest1
-    is "$output" ".*\"mediaType\": \"application/vnd.docker.distribution.manifest.list.v2+json\"" "Verify --tls-verify=false works against an insecure registry"
-    run_podman 125 manifest inspect --tls-verify=true $manifest1
-    is "$output" ".*Error: reading image \"docker://$manifest1\": pinging container registry localhost:${PODMAN_LOGIN_REGISTRY_PORT}:" "Verify --tls-verify=true fails"
-
-    # Now log out
-    run_podman logout localhost:${PODMAN_LOGIN_REGISTRY_PORT}
-    is "$output" "Removed login credentials for localhost:${PODMAN_LOGIN_REGISTRY_PORT}" \
-       "output from podman logout"
-}
-
 # END   cooperation with skopeo
 # END   actual tests
 ###############################################################################