test: Add a test for mountpoint policy violations

Users cannot create a mountpoint on /ostree, make sure that an error is returned when this happens.
osbuild · Apr 12, 2024 · e26533f · e26533f
1 parent fe2cdfd
commit e26533f
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/test/test_manifest.py b/test/test_manifest.py
@@ -1,4 +1,5 @@
 import json
+import pathlib
 import subprocess
 import textwrap
 
@@ -109,3 +110,47 @@ def test_manifest_local_checks_containers_storage_works(tmp_path, build_containe
             f'--entrypoint=["/usr/bin/bootc-image-builder", "manifest", "--local", "localhost/{container_tag}"]',
             build_container,
         ], check=True, encoding="utf8")
+
+
+@pytest.mark.parametrize("image_type", gen_testcases("manifest"))
+def test_mount_ostree_error(tmpdir_factory, build_container, image_type):
+    container_ref = image_type.split(",")[0]
+    CFG = {
+        "blueprint": {
+            "customizations": {
+                "filesystem": [
+                    {
+                        "mountpoint": "/",
+                        "minsize": "12GiB"
+                    },
+                    {
+                        "mountpoint": "/var/log",
+                        "minsize": "1GiB"
+                    },
+                    {
+                        "mountpoint": "/ostree",
+                        "minsize": "10GiB"
+                    }
+                ]
+            },
+        },
+    }
+
+    output_path = pathlib.Path(tmpdir_factory.mktemp("data")) / "output"
+    output_path.mkdir(exist_ok=True)
+    config_json_path = output_path / "config.json"
+    config_json_path.write_text(json.dumps(CFG), encoding="utf-8")
+
+    try:
+        subprocess.check_output([
+            "podman", "run", "--rm",
+            "--privileged",
+            "--security-opt", "label=type:unconfined_t",
+            "-v", f"{output_path}:/output",
+            f'--entrypoint=["/usr/bin/bootc-image-builder", "manifest", "{container_ref}"]',
+            build_container,
+            "--config", "/output/config.json",
+        ], stderr=subprocess.PIPE)
+        assert False, "Did not raise a CalledProcessError when mounting /ostree"
+    except subprocess.CalledProcessError as err:
+        assert 'The following custom mountpoints are not supported ["/ostree"]' in err.stderr.decode("utf-8")