From b9c3cdd7a484d2c081ce1442b30dffd079fc5647 Mon Sep 17 00:00:00 2001 From: Luigi Pavan Date: Thu, 11 Jun 2026 12:50:26 +0200 Subject: [PATCH] tests: Add test for installing from an auth-protected OCI registry Add a regression test that installs from an auth-protected OCI registry. The registry requires a bearer token for all /v2/ requests; the client authenticates via the mock test authenticator and the installation completes successfully. The test runs for both user and system install paths. Assisted-by: Cursor --- tests/meson.build | 1 + tests/test-oci-auth.sh | 69 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100755 tests/test-oci-auth.sh diff --git a/tests/meson.build b/tests/meson.build index 43d1493b7..d0b4f29e0 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -396,6 +396,7 @@ tests = { 'system,http', 'system,https', ]}, + 'oci-auth': {'wrap': ['user', 'system']}, 'update-remote-configuration': {'wrap': ['newsummary', 'oldsummary']}, 'override': {}, 'update-portal': {'wrap': ['user', 'system']}, diff --git a/tests/test-oci-auth.sh b/tests/test-oci-auth.sh new file mode 100755 index 000000000..33c2271f0 --- /dev/null +++ b/tests/test-oci-auth.sh @@ -0,0 +1,69 @@ +#!/bin/bash +# +# Copyright (C) 2026 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the +# Free Software Foundation, Inc., 59 Temple Place - Suite 330, +# Boston, MA 02111-1307, USA. + +set -euo pipefail + +# shellcheck source=libtest.sh +. "$(dirname "$0")/libtest.sh" + +skip_without_bwrap + +echo "1..1" + +# Start the fake OCI registry server + +httpd oci-registry-server.py --dir=. +port=$(cat httpd-port) + +# shellcheck disable=SC2154 +client="python3 ${test_srcdir}/oci-registry-client.py --url=http://127.0.0.1:${port}" + +setup_repo_no_add oci + +# Build OCI bundles and upload them to the registry + +${FLATPAK} build-bundle --runtime --oci $FL_GPGARGS repos/oci oci/platform-image org.test.Platform >&2 +$client add platform latest "$(pwd)/oci/platform-image" + +${FLATPAK} build-bundle --oci $FL_GPGARGS repos/oci oci/app-image org.test.Hello >&2 +$client add hello latest "$(pwd)/oci/app-image" + +# Add OCI remote configured to use the mock test authenticator. +# The default authenticator for OCI remotes is org.flatpak.Authenticator.Oci; +# we override it to use the mock authenticator that reads its token from +# $XDG_RUNTIME_DIR/required-token on every call. + +${FLATPAK} remote-add ${U} oci-auth-registry "oci+http://127.0.0.1:${port}" \ + --authenticator-name org.flatpak.Authenticator.test >&2 + +# Test: install from an auth-protected OCI registry +# +# The registry requires a bearer token for all /v2/ requests. The client +# authenticates via the mock authenticator and completes the installation +# successfully. + +echo -n "token-1" > "${XDG_RUNTIME_DIR}/required-token" +$client configure-auth --token token-1 + +${FLATPAK} ${U} install -y oci-auth-registry org.test.Hello >&2 + +run org.test.Hello > hello_out +assert_file_has_content hello_out '^Hello world, from a sandbox$' + +ok "install from auth-protected OCI registry"