Merge pull request #25 from fosterseth/pass_incontainer_path

fosterseth · web-flow · commit 9af86ce75433 · 2025-03-05T22:00:32.000Z
Allow passing in container_root for extra_vars file
diff --git a/.flake8 b/.flake8
@@ -110,6 +110,7 @@ per-file-ignores =
   # additionally test docstrings don't need param lists (DAR, DCO020):
   tests/**.py: DAR, DCO020, S101, S105, S108, S404, S603, WPS202, WPS210, WPS430, WPS436, WPS441, WPS442, WPS450
 
+  tests/_temporary_private_container_api_test.py: DAR, DCO020, S101, S105, S108, S404, S603, WPS202, WPS210, WPS226, WPS430, WPS436, WPS441, WPS442, WPS450
   tests/_temporary_private_inject_api_test.py: DAR, DCO020, S101, S105, S108, S404, S603, WPS202, WPS210, WPS226, WPS430, WPS436, WPS441, WPS442, WPS450, WPS201
 
   src/awx_plugins/interfaces/_temporary_private_inject_api.py: ANN001,ANN201,B950,C901,CCR001,D103,E800,LN001,LN002,Q003,WPS110,WPS111,WPS118,WPS125,WPS204,WPS210,WPS211,WPS213,WPS221,WPS226,WPS231,WPS232,WPS319,WPS323,WPS336,WPS337,WPS361,WPS421,WPS429,WPS430,WPS431,WPS436,WPS442,WPS503,WPS507,WPS516,WPS226
diff --git a/src/awx_plugins/interfaces/_temporary_private_container_api.py b/src/awx_plugins/interfaces/_temporary_private_container_api.py
@@ -18,6 +18,8 @@
 def get_incontainer_path(
         path: os.PathLike[str] | str,
         private_data_dir: os.PathLike[str] | str,
+        *,
+        container_root: os.PathLike[str] | str | None = None,
 ) -> str:
     """Produce an in-container path string.
 
@@ -30,6 +32,8 @@ def get_incontainer_path(
     :param path: Host-side path view.
     :param private_data_dir: Host-side directory mounted to ``/runner``
                              in container.
+    :param container_root: Container-side root directory to mount the private
+                           data directory to.
 
     :raises RuntimeError: If the private data directory is not absolute or does
                           not contain the path.
@@ -39,15 +43,21 @@ def get_incontainer_path(
     if not os.path.isabs(private_data_dir):
         raise RuntimeError('The private_data_dir path must be absolute')
 
-    container_root = pathlib.Path(CONTAINER_ROOT)
+    container_root_path = pathlib.Path(
+        CONTAINER_ROOT if container_root is None
+        else container_root,
+    )
 
     # NOTE: Due to how `tempfile.mkstemp()` works, we are probably passed
     # NOTE: a resolved `path`, but unresolved `private_data_dir``.
     resolved_path = pathlib.Path(path).resolve()
     resolved_pdd = pathlib.Path(private_data_dir).resolve()
 
     try:
-        return str(container_root / resolved_path.relative_to(resolved_pdd))
+        return str(
+            container_root_path /
+            resolved_path.relative_to(resolved_pdd),
+        )
     except ValueError as val_err:
         raise RuntimeError(
             f'Cannot convert path {resolved_path !s} '
diff --git a/src/awx_plugins/interfaces/_temporary_private_inject_api.py b/src/awx_plugins/interfaces/_temporary_private_inject_api.py
@@ -159,6 +159,8 @@ def inject_credential(
     safe_env: EnvVarsType,
     args: ArgsType,
     private_data_dir: str,
+    *,
+    container_root: os.PathLike[str] | str | None = None,
 ) -> None:
     # pylint: disable=unidiomatic-typecheck
     """Inject credential data.
@@ -181,6 +183,8 @@ def inject_credential(
     :param private_data_dir: a temporary directory to store files
         generated by file injectors (like configuration files or key
         files)
+    :param container_root: root directory inside the container to mount
+        the private data directory to.
     :returns: None
     """
     if not cred_type.injectors:
@@ -287,7 +291,9 @@ def inject_credential(
         )
         if extra_vars:
             path = _build_extra_vars_file(extra_vars, private_data_dir)
-            container_path = get_incontainer_path(path, private_data_dir)
+            container_path = get_incontainer_path(
+                path, private_data_dir, container_root=container_root,
+            )
             args.extend(
                 # pylint: disable-next=consider-using-f-string
                 ['-e', '@%s' % container_path],
diff --git a/tests/_temporary_private_container_api_test.py b/tests/_temporary_private_container_api_test.py
@@ -87,3 +87,58 @@ def test_paths_outside_private_path_conversion(
         get_incontainer_path(typed_host_path, typed_host_runner_path)
 
     assert isinstance(raised_exc_info.value.__cause__, ValueError)
+
+
+@pytest.mark.parametrize(
+    (
+        'host_path',
+        'host_runner_path',
+        'container_root',
+        'expected_incontainer_path',
+    ),
+    (
+        ('/root', '/', '/tmp', '/tmp/root'),
+        (
+            '/tmp/private/subdir',
+            '/tmp/private',
+            '/tmp/private',
+            '/tmp/private/subdir',
+        ),
+        (
+            '/tmp/private/subdir',
+            '/tmp/private',
+            None,
+            f'{CONTAINER_ROOT}/subdir',
+        ),
+    ),
+    ids=('differing-paths', 'same-paths', 'default-container-root'),
+)
+@pytest.mark.parametrize(
+    'convert_path_to_type',
+    (pathlib.Path, str),
+    ids=('host-path-pathlib', 'host-path-str'),
+)
+@pytest.mark.parametrize(
+    'convert_runner_path_to_type',
+    (pathlib.Path, str),
+    ids=('host-path-pathlib', 'host-path-str'),
+)
+# pylint: disable-next=too-many-arguments,too-many-positional-arguments
+def test_provide_custom_container_root(  # noqa: WPS211
+        host_path: os.PathLike[str] | str,
+        host_runner_path: os.PathLike[str] | str,
+        container_root: os.PathLike[str] | str | None,
+        expected_incontainer_path: str,
+        convert_path_to_type: PathToTypeCallableType,
+        convert_runner_path_to_type: PathToTypeCallableType,
+) -> None:
+    """Ensure custom container root is respected."""
+    typed_host_path = convert_path_to_type(host_path)
+    typed_host_runner_path = convert_runner_path_to_type(host_runner_path)
+
+    incontainer_path = get_incontainer_path(
+        typed_host_path,
+        typed_host_runner_path,
+        container_root=container_root,
+    )
+    assert expected_incontainer_path == incontainer_path
diff --git a/tests/_temporary_private_inject_api_test.py b/tests/_temporary_private_inject_api_test.py
@@ -599,3 +599,53 @@ def custom_injectors(_cr: Credential, env: EnvVarsType, _pd: str) -> None:
     )
 
     assert safe_env.items() == expected_safe_env.items()
+
+
+@pytest.mark.parametrize(
+    (
+        'container_root',
+        'expected_arg_prefix',
+    ),
+    (
+        pytest.param(
+            None,
+            f'@{CONTAINER_ROOT}/',
+            id='default-root',
+        ),
+        pytest.param(
+            '/custom_root',
+            '@/custom_root/',
+            id='custom-root',
+        ),
+    ),
+)
+def test_custom_container_root_with_extra_vars(
+    private_data_dir: str,
+    container_root: str | None,
+    expected_arg_prefix: str,
+) -> None:
+    """Check custom container root with extra vars."""
+    cred_type = ManagedCredentialType(
+        kind='cloudh',
+        name='SomeCloudi',
+        namespace='foo',
+        managed=True,
+        inputs={},
+        injectors={'extra_vars': {'api_secret': '{{api_secret}}'}},
+    )
+    credential = Credential(inputs={})
+
+    env: EnvVarsType = {}
+    cmdline_args: list[str] = []
+    inject_credential(
+        cred_type,
+        credential,
+        env,
+        {},
+        cmdline_args,
+        private_data_dir,
+        container_root=container_root,
+    )
+
+    assert cmdline_args[0] == '-e'
+    assert cmdline_args[1].startswith(expected_arg_prefix)
