From bef5e4505e4f67aa8967f45c6870fce5bf0204b2 Mon Sep 17 00:00:00 2001
From: Hironori Shiina
Date: Fri, 12 Mar 2021 11:28:06 -0500
Subject: [PATCH] Add system tests
Add system tests for the following subcommands and flags:
- skopeo copy --format
- skopeo copy --additional-tag
- skopeo copy --dest-shared-blob-dir
- skopeo copy --src-shared-blob-dir
- skopeo inspect --tls-verify --cert-dir
- skopeo delete --tls-verify --cert-dir
- skopeo copy --dest-creds
- skopeo copy --src-creds
- skopeo copy --authfile
- skopeo inspect --authfile
- skopeo delete --authfile
- skopeo copy --remove-signatures
- skopeo standalone-sign
- skopeo standalone-verify
- skopeo manifest-digest
Signed-off-by: Hironori Shiina
---
 systemtest/020-copy.bats | 44 ++++++++++++++++
 systemtest/030-local-registry-tls.bats | 11 +++-
 systemtest/040-local-registry-auth.bats | 43 ++++++++++++++-
 systemtest/050-signing.bats | 69 +++++++++++++++++++++++++
 4 files changed, 165 insertions(+), 2 deletions(-)
diff --git a/systemtest/020-copy.bats b/systemtest/020-copy.bats
index c64f0b5b..c302fb50 100644
--- a/systemtest/020-copy.bats
+++ b/systemtest/020-copy.bats
@@ -100,6 +100,50 @@ function setup() {
 docker://localhost:5000/foo
 }
+# manifest format
+@test "copy: manifest format" {
+ local remote_image=docker://quay.io/libpod/busybox:latest
+
+ local dir1=$TESTDIR/dir1
+ local dir2=$TESTDIR/dir2
+
+ run_skopeo copy --format v2s2 $remote_image dir:$dir1
+ run_skopeo copy --format oci $remote_image dir:$dir2
+ grep 'application/vnd.docker.distribution.manifest.v2' $dir1/manifest.json
+ grep 'application/vnd.oci.image' $dir2/manifest.json
+}
+
+# additional tag
+@test "copy: additional tag" {
+ local remote_image=docker://quay.io/libpod/busybox:latest
+
+ # additional-tag is supported only for docker-archive
+ run_skopeo copy --additional-tag busybox:mine $remote_image \
+ docker-archive:$TESTDIR/mybusybox.tar:busybox:latest
+ mkdir -p $TESTDIR/podmanroot
+ run podman --root $TESTDIR/podmanroot load -i $TESTDIR/mybusybox.tar
+ run podman --root $TESTDIR/podmanroot images
+ expect_output --substring "mine"
+
+}
+
+# shared blob directory
+@test "copy: shared blob directory" {
+ local remote_image=docker://quay.io/libpod/busybox:latest
+
+ local shareddir=$TESTDIR/shareddir
+ local dir1=$TESTDIR/dir1
+ local dir2=$TESTDIR/dir2
+
+ run_skopeo copy --dest-shared-blob-dir $shareddir \
+ $remote_image oci:$dir1
+ [ -n "$(ls $shareddir)" ]
+ [ -z "$(ls $dir1/blobs)" ]
+ run_skopeo copy --src-shared-blob-dir $shareddir \
+ oci:$dir1 oci:$dir2
+ diff -urN $shareddir $dir2/blobs
+}
+
 teardown() {
 podman rm -f reg
diff --git a/systemtest/030-local-registry-tls.bats b/systemtest/030-local-registry-tls.bats
index 072b4851..acd8c749 100644
--- a/systemtest/030-local-registry-tls.bats
+++ b/systemtest/030-local-registry-tls.bats
@@ -8,7 +8,7 @@ load helpers
 function setup() {
 standard_setup
- start_registry --with-cert reg
+ start_registry --with-cert --enable-delete=true reg
 }
 @test "local registry, with cert" {
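Review bot: In "copy: additional tag" (the 020-copy.bats hunk), both `podman` calls go through `run`, which records the exit status instead of failing the test, and neither status is checked afterwards, so a failed `load` only shows up later as a missing substring. Calling the load directly, `podman --root $TESTDIR/podmanroot load -i $TESTDIR/mybusybox.tar`, would stop the test at the line that actually failed. The closing `expect_output --substring "mine"` is also loose, since any occurrence of "mine" in the listing satisfies it; checking for the repository name as well, e.g. a second `expect_output --substring "busybox"`, would tie the assertion to the tag that `--additional-tag` was meant to create.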
@@ -21,6 +21,15 @@ function setup() {
 run_skopeo copy --src-cert-dir=$TESTDIR/client-auth \
 docker://localhost:5000/busybox:unsigned \
 dir:$TESTDIR/extracted
+
+ # inspect with cert
+ run_skopeo inspect --cert-dir=$TESTDIR/client-auth \
+ docker://localhost:5000/busybox:unsigned
+ expect_output --substring "localhost:5000/busybox"
+
+ # delete with cert
+ run_skopeo delete --cert-dir=$TESTDIR/client-auth \
+ docker://localhost:5000/busybox:unsigned
 }
 teardown() {
diff --git a/systemtest/040-local-registry-auth.bats b/systemtest/040-local-registry-auth.bats
index d6be6b97..a8e7d27f 100644
--- a/systemtest/040-local-registry-auth.bats
+++ b/systemtest/040-local-registry-auth.bats
@@ -18,7 +18,7 @@ function setup() {
 testuser=testuser
 testpassword=$(random_string 15)
- start_registry --testuser=$testuser --testpassword=$testpassword reg
+ start_registry --testuser=$testuser --testpassword=$testpassword --enable-delete=true reg
 }
 @test "auth: credentials on command line" {
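Review bot: The added `inspect` and `delete` calls in the 030-local-registry-tls.bats hunk cover only the success path with `--cert-dir`, so the test would still pass if certificate verification were skipped entirely; the commit message lists `--tls-verify` for both subcommands, but that flag never appears in the hunk. A negative case ahead of the positive one, such as `run_skopeo 1 inspect docker://localhost:5000/busybox:unsigned` (expected status and error text to be confirmed), would pin that the registry certificate is rejected when the cert directory is not supplied. After the `delete`, a follow-up `run_skopeo 1 inspect --cert-dir=$TESTDIR/client-auth docker://localhost:5000/busybox:unsigned` would confirm the manifest is really gone rather than only that the command exited 0. The enclosing `@test` begins above the hunk.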
@@ -67,6 +67,47 @@ function setup() {
 expect_output --substring "unauthorized: authentication required"
 }
+@test "auth: copy with --src-creds and --dest-creds" {
+ run_skopeo copy --dest-tls-verify=false --dest-creds=$testuser:$testpassword \
+ docker://quay.io/libpod/busybox:latest \
+ docker://localhost:5000/busybox:mine
+ run_skopeo copy --src-tls-verify=false --src-creds=$testuser:$testpassword \
+ docker://localhost:5000/busybox:mine \
+ dir:$TESTDIR/dir1
+ run ls $TESTDIR/dir1
+ expect_output --substring "manifest.json"
+}
+
+@test "auth: credentials via authfile" {
+ podman login --tls-verify=false --authfile $TESTDIR/test.auth -u $testuser -p $testpassword localhost:5000
+
+ # copy without authfile: should fail
+ run_skopeo 1 copy --dest-tls-verify=false \
+ docker://quay.io/libpod/busybox:latest \
+ docker://localhost:5000/busybox:mine
+
+ # copy with authfile: should work
+ run_skopeo copy --dest-tls-verify=false \
+ --authfile $TESTDIR/test.auth \
+ docker://quay.io/libpod/busybox:latest \
+ docker://localhost:5000/busybox:mine
+
+ # inspect without authfile: should fail
+ run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/busybox:mine
+ expect_output --substring "unauthorized: authentication required"
+
+ # inspect with authfile: should work
+ run_skopeo inspect --tls-verify=false --authfile $TESTDIR/test.auth docker://localhost:5000/busybox:mine
+ expect_output --substring "localhost:5000/busybox"
+
+ # delete without authfile: should fail
+ run_skopeo 1 delete --tls-verify=false docker://localhost:5000/busybox:mine
+ expect_output --substring "authentication required"
+
+ # delete with authfile: should work
+ run_skopeo delete --tls-verify=false --authfile $TESTDIR/test.auth docker://localhost:5000/busybox:mine
+}
+
 teardown() {
 podman rm -f reg
diff --git a/systemtest/050-signing.bats b/systemtest/050-signing.bats
index 57bf110d..587e6437 100644
--- a/systemtest/050-signing.bats
+++ b/systemtest/050-signing.bats
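Review bot: The "copy without authfile: should fail" step in "auth: credentials via authfile" asserts only exit status 1, so any failure, for instance being unable to reach quay.io, satisfies it. The inspect and delete negatives both check the error text, and the copy should too, e.g. `expect_output --substring "authentication required"` (exact wording for a rejected push to be confirmed). Separately, `podman login ... -p $testpassword` places the password in the process argument list; feeding it through `--password-stdin` avoids that. Quoting `"$testuser:$testpassword"` in the `--src-creds`/`--dest-creds` test would keep the value intact whatever characters `random_string` produces. The final `delete` is also not followed by any check that the tag is gone.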
@@ -143,6 +143,75 @@ END_PUSH
 END_TESTS
 }
+@test "signing: remove signature" {
+ run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null
+ if [[ "$output" =~ 'signing is not supported' ]]; then
+ skip "skopeo built without support for creating signatures"
+ return 1
+ fi
+ if [ "$status" -ne 0 ]; then
+ die "exit code is $status; expected 0"
+ fi
+
+ # Cache local copy
+ run_skopeo copy docker://quay.io/libpod/busybox:latest \
+ dir:$TESTDIR/busybox
+ # Push a signed image
+ run_skopeo --registries.d $REGISTRIES_D \
+ copy --dest-tls-verify=false \
+ --sign-by=alice@test.redhat.com \
+ dir:$TESTDIR/busybox \
+ docker://localhost:5000/myns/alice:signed
+ # Fetch the image with signature
+ run_skopeo --registries.d $REGISTRIES_D \
+ --policy $POLICY_JSON \
+ copy --src-tls-verify=false \
+ docker://localhost:5000/myns/alice:signed \
+ dir:$TESTDIR/busybox-signed
+ # Fetch the image with removing signature
+ run_skopeo --registries.d $REGISTRIES_D \
+ --policy $POLICY_JSON \
+ copy --src-tls-verify=false \
+ --remove-signatures \
+ docker://localhost:5000/myns/alice:signed \
+ dir:$TESTDIR/busybox-unsigned
+ ls $TESTDIR/busybox-signed | grep "signature"
+ [ -z "$(ls $TESTDIR/busybox-unsigned | grep "signature")" ]
+}
+
+@test "signing: standalone" {
+ run_skopeo '?'
standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null
+ if [[ "$output" =~ 'signing is not supported' ]]; then
+ skip "skopeo built without support for creating signatures"
+ return 1
+ fi
+ if [ "$status" -ne 0 ]; then
+ die "exit code is $status; expected 0"
+ fi
+
+ run_skopeo copy --dest-tls-verify=false \
+ docker://quay.io/libpod/busybox:latest \
+ docker://localhost:5000/busybox:latest
+ run_skopeo copy --src-tls-verify=false \
+ docker://localhost:5000/busybox:latest \
+ dir:$TESTDIR/busybox
+ # Standalone sign
+ run_skopeo standalone-sign -o $TESTDIR/busybox.signature \
+ $TESTDIR/busybox/manifest.json \
+ localhost:5000/busybox:latest \
+ alice@test.redhat.com
+ # Standalone verify
+ fingerprint=$(gpg --list-keys | grep -B1 alice.test.redhat.com | head -n 1)
+ run_skopeo standalone-verify $TESTDIR/busybox/manifest.json \
+ localhost:5000/busybox:latest \
+ $fingerprint \
+ $TESTDIR/busybox.signature
+ # manifest digest
+ digest=$(echo "$output" | awk '{print $4;}')
+ run_skopeo manifest-digest $TESTDIR/busybox/manifest.json
+ expect_output $digest
+}
+
 teardown() {
 podman rm -f reg
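Review bot: In "signing: standalone", the fingerprint is scraped from human-readable `gpg --list-keys` output with `grep -B1 alice.test.redhat.com | head -n 1`, which depends on gpg's display layout, on the unquoted `$fingerprint` dropping leading whitespace, and on no other key matching the pattern (the unescaped dots match any character). The machine-readable listing is stable: `fingerprint=$(gpg --with-colons --fingerprint alice@test.redhat.com | awk -F: '$1 == "fpr" {print $10; exit}')`. The test also exercises only a valid signature; a second `run_skopeo 1 standalone-verify` with a mismatched identity or manifest would show that verification rejects what it should (expected exit status to be confirmed). In both tests of this hunk the `return 1` after `skip` appears unreachable, since `skip` already ends the test.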