Verify authfile exists if user specifies it

Fixes: containers#18938

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

cmd/podman/auto-update.go

@@ -68,6 +68,9 @@ func autoUpdate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("`%s` takes no arguments", cmd.CommandPath())
 	}
 
+	if err := auth.CheckAuthFile(autoUpdateOptions.Authfile); err != nil {
+		return err
+	}
 	if cmd.Flags().Changed("tls-verify") {
 		autoUpdateOptions.InsecureSkipTLSVerify = types.NewOptionalBool(!autoUpdateOptions.tlsVerify)
 	}

cmd/podman/containers/create.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/containers/buildah/pkg/cli"
+	"github.com/containers/common/pkg/auth"
 	"github.com/containers/common/pkg/config"
 	cutil "github.com/containers/common/pkg/util"
 	"github.com/containers/image/v5/transports/alltransports"
@@ -154,6 +155,11 @@ func create(cmd *cobra.Command, args []string) error {
 		}
 		imageName = name
 	}
+
+	if err := auth.CheckAuthFile(cliVals.Authfile); err != nil {
+		return err
+	}
+
 	s := specgen.NewSpecGenerator(imageName, cliVals.RootFS)
 	if err := specgenutil.FillOutSpecGen(s, &cliVals, args); err != nil {
 		return err

cmd/podman/containers/run.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/containers/common/pkg/auth"
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/podman/v4/cmd/podman/common"
 	"github.com/containers/podman/v4/cmd/podman/registry"
@@ -114,10 +115,8 @@ func run(cmd *cobra.Command, args []string) error {
 		logrus.Warnf("The input device is not a TTY. The --tty and --interactive flags might not work properly")
 	}
 
-	if af := cliVals.Authfile; len(af) > 0 {
-		if _, err := os.Stat(af); err != nil {
-			return err
-		}
+	if err := auth.CheckAuthFile(cliVals.Authfile); err != nil {
+		return err
 	}
 
 	runOpts.CIDFile = cliVals.CIDFile

cmd/podman/containers/runlabel.go

@@ -2,7 +2,6 @@ package containers
 
 import (
 	"context"
-	"os"
 	"strings"
 
 	"github.com/containers/common/pkg/auth"
@@ -91,10 +90,8 @@ func runlabel(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("tls-verify") {
 		runlabelOptions.SkipTLSVerify = types.NewOptionalBool(!runlabelOptions.TLSVerifyCLI)
 	}
-	if runlabelOptions.Authfile != "" {
-		if _, err := os.Stat(runlabelOptions.Authfile); err != nil {
-			return err
-		}
+	if err := auth.CheckAuthFile(runlabelOptions.Authfile); err != nil {
+		return err
 	}
 	return registry.ContainerEngine().ContainerRunlabel(context.Background(), strings.TrimPrefix(args[0], "/"), args[1], args[2:], runlabelOptions.ContainerRunlabelOptions)
 }

cmd/podman/images/build.go

@@ -363,6 +363,10 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		}
 	}
 
+	if err := auth.CheckAuthFile(flags.Authfile); err != nil {
+		return nil, err
+	}
+
 	commonOpts, err := parse.CommonBuildOptions(c)
 	if err != nil {
 		return nil, err
@@ -398,12 +402,6 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		pullPolicy = buildahDefine.PullNever
 	}
 
-	if c.Flag("authfile").Changed {
-		if err := auth.CheckAuthFile(flags.Authfile); err != nil {
-			return nil, err
-		}
-	}
-
 	var cleanTmpFile bool
 	flags.Authfile, cleanTmpFile = buildahUtil.MirrorToTempFileIfPathIsDescriptor(flags.Authfile)
 	if cleanTmpFile {

cmd/podman/images/pull.go

@@ -136,10 +136,8 @@ func imagePull(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("tls-verify") {
 		pullOptions.SkipTLSVerify = types.NewOptionalBool(!pullOptions.TLSVerifyCLI)
 	}
-	if pullOptions.Authfile != "" {
-		if _, err := os.Stat(pullOptions.Authfile); err != nil {
-			return err
-		}
+	if err := auth.CheckAuthFile(pullOptions.Authfile); err != nil {
+		return err
 	}
 	platform, err := cmd.Flags().GetString("platform")
 	if err != nil {

cmd/podman/images/push.go

@@ -173,10 +173,8 @@ func imagePush(cmd *cobra.Command, args []string) error {
 		pushOptions.SkipTLSVerify = types.NewOptionalBool(!pushOptions.TLSVerifyCLI)
 	}
 
-	if pushOptions.Authfile != "" {
-		if _, err := os.Stat(pushOptions.Authfile); err != nil {
-			return err
-		}
+	if err := auth.CheckAuthFile(pushOptions.Authfile); err != nil {
+		return err
 	}
 
 	if pushOptions.CredentialsCLI != "" {

cmd/podman/images/search.go

@@ -138,10 +138,8 @@ func imageSearch(cmd *cobra.Command, args []string) error {
 		searchOptions.SkipTLSVerify = types.NewOptionalBool(!searchOptions.TLSVerifyCLI)
 	}
 
-	if searchOptions.Authfile != "" {
-		if _, err := os.Stat(searchOptions.Authfile); err != nil {
-			return err
-		}
+	if err := auth.CheckAuthFile(searchOptions.Authfile); err != nil {
+		return err
 	}
 
 	if searchOptions.CredentialsCLI != "" {

cmd/podman/images/sign.go

@@ -56,6 +56,9 @@ func init() {
 }
 
 func sign(cmd *cobra.Command, args []string) error {
+	if err := auth.CheckAuthFile(signOptions.Authfile); err != nil {
+		return err
+	}
 	if signOptions.SignBy == "" {
 		return errors.New("no identity provided")
 	}

cmd/podman/kube/play.go

@@ -217,10 +217,8 @@ func play(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("build") {
 		playOptions.Build = types.NewOptionalBool(playOptions.BuildCLI)
 	}
-	if playOptions.Authfile != "" {
-		if _, err := os.Stat(playOptions.Authfile); err != nil {
-			return err
-		}
+	if err := auth.CheckAuthFile(playOptions.Authfile); err != nil {
+		return err
 	}
 	if playOptions.ContextDir != "" && playOptions.Build != types.OptionalBoolTrue {
 		return errors.New("--build must be specified when using --context-dir option")

cmd/podman/manifest/inspect.go

@@ -44,6 +44,9 @@ func init() {
 }
 
 func inspect(cmd *cobra.Command, args []string) error {
+	if err := auth.CheckAuthFile(inspectOptions.Authfile); err != nil {
+		return err
+	}
 	if cmd.Flags().Changed("tls-verify") {
 		inspectOptions.SkipTLSVerify = types.NewOptionalBool(!tlsVerifyCLI)
 	} else if cmd.Flags().Changed("insecure") {

test/e2e/create_test.go

@@ -311,10 +311,11 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("podman create --authfile with nonexistent authfile", func() {
-		// FIXME (#18938): this test should fail but does not!
-		session := podmanTest.Podman([]string{"create", "--authfile", "/tmp/nonexistent", "--name=foo", ALPINE})
+		bogus := filepath.Join(podmanTest.TempDir, "bogus.conf")
+		session := podmanTest.Podman([]string{"create", "--authfile", bogus, "--name=foo", ALPINE})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		Expect(session).To(ExitWithError())
+		Expect(session.ErrorToString()).To(ContainSubstring("no such file or directory"))
 	})
 
 	It("podman create --signature-policy", func() {

test/e2e/login_logout_test.go

@@ -169,7 +169,7 @@ var _ = Describe("Podman login and logout", func() {
 		session = podmanTest.Podman([]string{"push", "--authfile", "/tmp/nonexistent", ALPINE, testImg})
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError())
-		Expect(session.ErrorToString()).To(Equal("Error: stat /tmp/nonexistent: no such file or directory"))
+		Expect(session.ErrorToString()).To(Equal("Error: checking authfile: stat /tmp/nonexistent: no such file or directory"))
 
 		session = podmanTest.Podman([]string{"push", "--authfile", authFile, ALPINE, testImg})
 		session.WaitWithDefaultTimeout()

test/system/030-run.bats

@@ -1158,4 +1158,35 @@ EOF
     run_podman rm -f -t0 $ctr
 }
 
+@test "podman --authfile=/tmp/bogus " {
+    bogus=$PODMAN_TMPDIR/bogus-authfile
+    for command in "run" "create" "pull" "push" "manifest push" "manifest add" "container runlabel"; do
+        if is_remote -a $command -eq "container runlabel"; then
+           continue
+        fi
+        run_podman 125 $command --authfile=$bogus $IMAGE argument
+        is "$output" "Error: checking authfile: stat $bogus: no such file or directory" "$command should fail with not such file"
+    done
+
+    for command in "search" "manifest inspect" "logout" "image sign"; do
+        if is_remote -a $command -eq "image sign"; then
+           continue
+        fi
+
+        run_podman 125 $command --authfile=$bogus $IMAGE
+        is "$output" "Error: checking authfile: stat $bogus: no such file or directory" "$command should fail with not such file"
+    done
+
+    if !is_remote; then
+        for command in "auto-update"; do
+            run_podman 125 $command --authfile=$bogus
+            is "$output" "Error: checking authfile: stat $bogus: no such file or directory" "$command should fail with not such file"
+        done
+    fi
+
+    touch $PODMAN_TMPDIR/Containerfile
+    run_podman 125 build --authfile=$bogus $PODMAN_TMPDIR
+    is "$output" "Error: checking authfile: stat $bogus: no such file or directory" "build should fail with not such file"
+}
+
 # vim: filetype=sh

test/system/700-play.bats

@@ -724,3 +724,13 @@ spec:
 
     run_podman kube down $pod_file
 }
+
+@test "podman kube with --authfile=/tmp/bogus" {
+    TESTDIR=$PODMAN_TMPDIR/testdir
+    mkdir -p $TESTDIR
+    echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
+    bogus=$PODMAN_TMPDIR/bogus-authfile
+
+    run_podman 125 kube play --authfile=$bogus - < $PODMAN_TMPDIR/test.yaml
+    is "$output" "Error: checking authfile: stat $bogus: no such file or directory" "$command should fail with not such file"
+}