Make sure users changes --authfile before checking

In certain cases REGISTRY_AUTH_FILE is set but the auth file
does not exists yet, do not throw error unless user specified
a file directly using --authfile.

Fixes: https://github.com/containers/podman/issues/18405

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

cmd/podman/auto-update.go

@@ -68,8 +68,10 @@ func autoUpdate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("`%s` takes no arguments", cmd.CommandPath())
 	}
 
-	if err := auth.CheckAuthFile(autoUpdateOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(autoUpdateOptions.Authfile); err != nil {
+			return err
+		}
 	}
 	if cmd.Flags().Changed("tls-verify") {
 		autoUpdateOptions.InsecureSkipTLSVerify = types.NewOptionalBool(!autoUpdateOptions.tlsVerify)

cmd/podman/containers/create.go

@@ -156,8 +156,10 @@ func create(cmd *cobra.Command, args []string) error {
 		imageName = name
 	}
 
-	if err := auth.CheckAuthFile(cliVals.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(cliVals.Authfile); err != nil {
+			return err
+		}
 	}
 
 	s := specgen.NewSpecGenerator(imageName, cliVals.RootFS)

cmd/podman/containers/run.go

@@ -115,8 +115,10 @@ func run(cmd *cobra.Command, args []string) error {
 		logrus.Warnf("The input device is not a TTY. The --tty and --interactive flags might not work properly")
 	}
 
-	if err := auth.CheckAuthFile(cliVals.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(cliVals.Authfile); err != nil {
+			return err
+		}
 	}
 
 	runOpts.CIDFile = cliVals.CIDFile

cmd/podman/containers/runlabel.go

@@ -90,8 +90,10 @@ func runlabel(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("tls-verify") {
 		runlabelOptions.SkipTLSVerify = types.NewOptionalBool(!runlabelOptions.TLSVerifyCLI)
 	}
-	if err := auth.CheckAuthFile(runlabelOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(runlabelOptions.Authfile); err != nil {
+			return err
+		}
 	}
 	return registry.ContainerEngine().ContainerRunlabel(context.Background(), strings.TrimPrefix(args[0], "/"), args[1], args[2:], runlabelOptions.ContainerRunlabelOptions)
 }

cmd/podman/images/build.go

@@ -363,8 +363,10 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		}
 	}
 
-	if err := auth.CheckAuthFile(flags.Authfile); err != nil {
+	if c.Flags().Changed("authfile") {
-		return nil, err
+		if err := auth.CheckAuthFile(flags.Authfile); err != nil {
+			return nil, err
+		}
 	}
 
 	commonOpts, err := parse.CommonBuildOptions(c)

cmd/podman/images/pull.go

@@ -136,8 +136,10 @@ func imagePull(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("tls-verify") {
 		pullOptions.SkipTLSVerify = types.NewOptionalBool(!pullOptions.TLSVerifyCLI)
 	}
-	if err := auth.CheckAuthFile(pullOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(pullOptions.Authfile); err != nil {
+			return err
+		}
 	}
 	platform, err := cmd.Flags().GetString("platform")
 	if err != nil {

cmd/podman/images/push.go

@@ -173,8 +173,10 @@ func imagePush(cmd *cobra.Command, args []string) error {
 		pushOptions.SkipTLSVerify = types.NewOptionalBool(!pushOptions.TLSVerifyCLI)
 	}
 
-	if err := auth.CheckAuthFile(pushOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(pushOptions.Authfile); err != nil {
+			return err
+		}
 	}
 
 	if pushOptions.CredentialsCLI != "" {

cmd/podman/images/search.go

@@ -138,8 +138,10 @@ func imageSearch(cmd *cobra.Command, args []string) error {
 		searchOptions.SkipTLSVerify = types.NewOptionalBool(!searchOptions.TLSVerifyCLI)
 	}
 
-	if err := auth.CheckAuthFile(searchOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(searchOptions.Authfile); err != nil {
+			return err
+		}
 	}
 
 	if searchOptions.CredentialsCLI != "" {

cmd/podman/images/sign.go

@@ -56,8 +56,10 @@ func init() {
 }
 
 func sign(cmd *cobra.Command, args []string) error {
-	if err := auth.CheckAuthFile(signOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(signOptions.Authfile); err != nil {
+			return err
+		}
 	}
 	if signOptions.SignBy == "" {
 		return errors.New("no identity provided")

cmd/podman/kube/play.go

@@ -217,8 +217,10 @@ func play(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("build") {
 		playOptions.Build = types.NewOptionalBool(playOptions.BuildCLI)
 	}
-	if err := auth.CheckAuthFile(playOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(playOptions.Authfile); err != nil {
+			return err
+		}
 	}
 	if playOptions.ContextDir != "" && playOptions.Build != types.OptionalBoolTrue {
 		return errors.New("--build must be specified when using --context-dir option")

cmd/podman/manifest/add.go

@@ -93,8 +93,10 @@ func init() {
 }
 
 func add(cmd *cobra.Command, args []string) error {
-	if err := auth.CheckAuthFile(manifestAddOpts.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(manifestAddOpts.Authfile); err != nil {
+			return err
+		}
 	}
 
 	if manifestAddOpts.CredentialsCLI != "" {

cmd/podman/manifest/inspect.go

@@ -44,8 +44,10 @@ func init() {
 }
 
 func inspect(cmd *cobra.Command, args []string) error {
-	if err := auth.CheckAuthFile(inspectOptions.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(inspectOptions.Authfile); err != nil {
+			return err
+		}
 	}
 	if cmd.Flags().Changed("tls-verify") {
 		inspectOptions.SkipTLSVerify = types.NewOptionalBool(!tlsVerifyCLI)

cmd/podman/manifest/push.go

@@ -114,8 +114,10 @@ func init() {
 }
 
 func push(cmd *cobra.Command, args []string) error {
-	if err := auth.CheckAuthFile(manifestPushOpts.Authfile); err != nil {
+	if cmd.Flags().Changed("authfile") {
-		return err
+		if err := auth.CheckAuthFile(manifestPushOpts.Authfile); err != nil {
+			return err
+		}
 	}
 	listImageSpec := args[0]
 	destSpec := args[len(args)-1]

test/system/030-run.bats

@@ -1163,10 +1163,11 @@ EOF
     #
     # Table format is:
     #   podman command | arguments | '-' if it does not work with podman-remote
+    echo "from $IMAGE" > $PODMAN_TMPDIR/Containerfile
     tests="
 auto-update          |                  | -
 build                | $PODMAN_TMPDIR   |
-container runlabel   | $IMAGE argument  | -
+container runlabel   | run $IMAGE       | -
 create               | $IMAGE argument  |
 image sign           | $IMAGE           | -
 kube play            | argument         |
@@ -1176,7 +1177,7 @@ manifest inspect     | $IMAGE           |
 manifest push        | $IMAGE argument  |
 pull                 | $IMAGE argument  |
 push                 | $IMAGE argument  |
-run                  | $IMAGE argument  |
+run                  | $IMAGE false     |
 search               | $IMAGE           |
 "
 
@@ -1197,6 +1198,12 @@ search               | $IMAGE           |
         run_podman 125 $command --authfile=$bogus $args
         assert "$output" = "Error: checking authfile: stat $bogus: no such file or directory" \
            "$command --authfile=nonexistent-path"
+
+        if [[ "$command" != "logout" ]]; then
+           REGISTRY_AUTH_FILE=$bogus run_podman ? $command $args
+           assert "$output" !~ "checking authfile" \
+              "$command REGISTRY_AUTH_FILE=nonexistent-path"
+        fi
     done < <(parse_table "$tests")
 }