ability to test private Features in CI (auto-skipping locally if secret is unset)

joshspicer · web-flow · commit 4967462fd86d · 2023-04-07T23:11:06.000Z
diff --git a/src/test/container-features/configs/registry-compatibility/azure-registry-scoped/.devcontainer.json b/src/test/container-features/configs/registry-compatibility/azure-registry-scoped/.devcontainer.json
@@ -0,0 +1,6 @@
+{
+	"image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+	"features": {
+		"privatedevcontainercli.azurecr.io/features/rabbit:1": {}
+	}
+}
diff --git a/src/test/container-features/registryCompatibilityOCI.test.ts b/src/test/container-features/registryCompatibilityOCI.test.ts
@@ -9,12 +9,26 @@ import { devContainerDown, devContainerUp, shellExec } from '../testUtils';
 
 const pkg = require('../../../package.json');
 
+enum AuthStrategy {
+	Anonymous,
+	DockerConfigAuthFile,
+	// PlatformCredentialHelper,
+	// RefreshToken,
+}
+
 interface TestPlan {
 	name: string;
 	configName: string;
 	testFeatureId: string;
 	testCommand?: string;
 	testCommandResult?: RegExp;
+	// Optionally tell the test to set up with a specfic auth strategy.
+	// If not set, the test will run with anonymous.
+	// NOTE:
+	// 	These will be skipped unless the environment has the relevant 'authCredentialEnvSecret' set in the environment.
+	useAuthStrategy?: AuthStrategy;
+	// Format: registry|username|passwordOrToken
+	authCredentialEnvSecret?: string;
 }
 
 const defaultTestPlan = {
@@ -32,11 +46,54 @@ const registryCompatibilityTestPlan: TestPlan[] = [
 		name: 'Anonymous access of GHCR',
 		configName: 'github-anonymous',
 		testFeatureId: 'ghcr.io/devcontainers/feature-starter/color',
+	},
+	// https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions
+	{
+		name: 'Authenticated access of Azure Container Registry with registry scoped token',
+		configName: 'azure-registry-scoped',
+		testFeatureId: 'privatedevcontainercli.azurecr.io/features/rabbit',
+		useAuthStrategy: AuthStrategy.DockerConfigAuthFile,
+		authCredentialEnvSecret: 'FEATURES_TEST__AZURE_REGISTRY_SCOPED_CREDENTIAL',
+		testCommand: 'rabbit',
+		testCommandResult: /rabbit-is-the-best-animal/,
 	}
 ];
 
+function constructAuthFromStrategy(tmpFolder: string, authStrategy: AuthStrategy, authCredentialEnvSecret?: string): string | undefined {
+	const generateAuthFolder = () => {
+		const randomChars = Math.random().toString(36).substring(2, 6);
+		const tmpAuthFolder = path.join(tmpFolder, randomChars, 'auth');
+		shellExec(`mkdir -p ${tmpAuthFolder}`);
+		return tmpAuthFolder;
+	};
+
+	switch (authStrategy) {
+		case AuthStrategy.Anonymous:
+			return;
+		case AuthStrategy.DockerConfigAuthFile:
+			if (!authCredentialEnvSecret) {
+				return;
+			}
+			const split = process.env[authCredentialEnvSecret]?.split('|');
+			if (!split || split.length !== 3) {
+				return;
+			}
+			const tmpAuthFolder = generateAuthFolder();
+
+			const registry = split?.[0];
+			const username = split?.[1];
+			const passwordOrToken = split?.[2];
+			const encodedAuth = Buffer.from(`${username}:${passwordOrToken}`).toString('base64');
+
+			shellExec(`echo '{"auths":{"${registry}":{"auth": "${encodedAuth}"}}}' > ${tmpAuthFolder}/config.json`);
+			return tmpAuthFolder;
+		default:
+			return;
+	}
+}
+
 describe('Registry Compatibility', function () {
-	this.timeout('1200s');
+	this.timeout('120s');
 	const tmp = path.relative(process.cwd(), path.join(__dirname, 'tmp'));
 	const cli = `npx --prefix ${tmp} devcontainer`;
 
@@ -46,14 +103,19 @@ describe('Registry Compatibility', function () {
 		await shellExec(`npm --prefix ${tmp} install devcontainers-cli-${pkg.version}.tgz`);
 	});
 
-	registryCompatibilityTestPlan.forEach(({ name, configName, testFeatureId, testCommand, testCommandResult }) => {
+	registryCompatibilityTestPlan.forEach(({ name, configName, testFeatureId, testCommand, testCommandResult, useAuthStrategy, authCredentialEnvSecret }) => {
 		this.timeout('120s');
-		describe(name, () => {
-			describe('devcontainer up', () => {
+		describe(name, async function () {
+			((authCredentialEnvSecret && !process.env[authCredentialEnvSecret]) ? describe.skip : describe)('devcontainer up', async function () {
+
+				const authFolder = constructAuthFromStrategy(tmp, useAuthStrategy ?? AuthStrategy.Anonymous, authCredentialEnvSecret);
+
 				let containerId: string | null = null;
 				const testFolder = `${__dirname}/configs/registry-compatibility/${configName}`;
 
-				before(async () => containerId = (await devContainerUp(cli, testFolder, { 'logLevel': 'trace' })).containerId);
+				before(async () => containerId = (await devContainerUp(cli, testFolder, {
+					'logLevel': 'trace', prefix: authFolder ? `DOCKER_CONFIG=${authFolder}` : undefined
+				})).containerId);
 				after(async () => await devContainerDown({ containerId }));
 
 				const cmd = testCommand ?? defaultTestPlan.testCommand;
@@ -66,12 +128,20 @@ describe('Registry Compatibility', function () {
 				});
 			});
 
-			describe(`devcontainer features info manifest`, async () => {
-				it('fetches manifest', async () => {
+			((authCredentialEnvSecret && !process.env[authCredentialEnvSecret]) ? describe.skip : describe)(`devcontainer features info manifest`, async function () {
+
+				const authFolder = constructAuthFromStrategy(tmp, useAuthStrategy ?? AuthStrategy.Anonymous, authCredentialEnvSecret);
+
+				it('fetches manifest', async function () {
 					let infoManifestResult: { stdout: string; stderr: string } | null = null;
 					let success = false;
 					try {
-						infoManifestResult = await shellExec(`${cli} features info manifest ${testFeatureId} --log-level trace`);
+						if (authFolder) {
+							infoManifestResult = await shellExec(`DOCKER_CONFIG=${authFolder} ${cli} features info manifest ${testFeatureId} --log-level trace`);
+
+						} else {
+							infoManifestResult = await shellExec(`${cli} features info manifest ${testFeatureId} --log-level trace`);
+						}
 						success = true;
 					} catch (error) {
 						assert.fail('features info tags sub-command should not throw');
diff --git a/src/test/testUtils.ts b/src/test/testUtils.ts
@@ -81,13 +81,14 @@ export async function shellPtyExec(command: string, options: { stdin?: string }
     }).then(res => ({ code: 0, ...res }), error => error);
 }
 
-export async function devContainerUp(cli: string, workspaceFolder: string, options?: { cwd?: string; useBuildKit?: boolean; userDataFolder?: string; logLevel?: string; extraArgs?: string }): Promise<UpResult> {
+export async function devContainerUp(cli: string, workspaceFolder: string, options?: { cwd?: string; useBuildKit?: boolean; userDataFolder?: string; logLevel?: string; extraArgs?: string; prefix?: string }): Promise<UpResult> {
     const buildkitOption = (options?.useBuildKit ?? false) ? '' : ' --buildkit=never';
     const userDataFolderOption = (options?.userDataFolder ?? false) ? ` --user-data-folder=${options?.userDataFolder}` : '';
     const logLevelOption = (options?.logLevel ?? false) ? ` --log-level ${options?.logLevel}` : '';
     const extraArgs = (options?.extraArgs ?? false) ? ` ${options?.extraArgs}` : '';
+    const prefix = (options?.prefix ?? false) ? `${options?.prefix} ` : '';
     const shellExecOptions = { cwd: options?.cwd };
-    const res = await shellExec(`${cli} up --workspace-folder ${workspaceFolder}${buildkitOption}${userDataFolderOption}${extraArgs} ${logLevelOption}`, shellExecOptions);
+    const res = await shellExec(`${prefix}${cli} up --workspace-folder ${workspaceFolder}${buildkitOption}${userDataFolderOption}${extraArgs} ${logLevelOption}`, shellExecOptions);
     const response = JSON.parse(res.stdout);
     assert.equal(response.outcome, 'success');
     const { outcome, containerId, composeProjectName } = response as UpResult;
