RHOAIENG-21740: Perform filesystem permission check on images

This adds a simple test to scan our final images for the crucial
directories for their ownership and permissions configuration.

Author: jstourac

tests/containers/base_image_test.py

@@ -15,6 +15,7 @@
 import testcontainers.core.waiting_utils
 
 from tests.containers import docker_utils
+from tests.containers import utils
 
 import pytest
 
@@ -219,6 +220,30 @@ def test_oc_command_runs_fake_fips(self, image: str, subtests: pytest_subtests.S
             finally:
                 docker_utils.NotebookContainer(container).stop(timeout=0)
 
+    def test_file_permissions(self, image: str, subtests: pytest_subtests.SubTests):
+        """Checks the permissions and ownership for some selected files/directories."""
+
+        app_root_path = "/opt/app-root"
+        expected_uid = "1001" # default
+        expected_gid = "0" # root
+        # Directories to assert permissions and ownerships as we did in ODS-CI
+        directories_to_check: list[str] = [
+            [f"{app_root_path}/lib", "775", expected_gid, expected_uid],
+        ]
+        if not utils.is_rstudio_image(image):
+            # RStudio image doesn't have '/opt/app-root/share' directory
+            directories_to_check.append([f"{app_root_path}/share", "775", expected_gid, expected_uid])
+
+        def test_fn(container: testcontainers.core.container.DockerContainer):
+            for item in directories_to_check:
+                with subtests.test(f"Checking permissions of the: {item[0]}"):
+                    _, output = container.exec(["stat", "--format='%a:%g:%u'", f"{item[0]}"])
+                    logging.debug(output.decode())
+                    cleaned_output = output.decode().strip().strip("'")
+                    assert cleaned_output == f"{item[1]}:{item[2]}:{item[3]}"
+
+        self._run_test(image=image, test_fn=test_fn)
+
 def encode_python_function_execution_command_interpreter(python: str, function: Callable[..., Any], *args: list[Any]) -> list[str]:
     """Returns a cli command that will run the given Python function encoded inline.
     All dependencies (imports, ...) must be part of function body."""

tests/containers/conftest.py

@@ -16,6 +16,7 @@
 import docker.types
 
 from tests.containers import docker_utils
+from tests.containers import utils
 
 if TYPE_CHECKING:
     from pytest import ExitCode, Session, Parser, Metafunc
@@ -92,7 +93,7 @@ def jupyterlab_image(image: str) -> docker.models.images.Image:
 @pytest.fixture(scope="function")
 def rstudio_image(image: str) -> docker.models.images.Image:
     image_metadata = skip_if_not_workbench_image(image)
-    if "-rstudio-" not in image_metadata.labels['name']:
+    if not utils.is_rstudio_image(image):
         pytest.skip(
             f"Image {image} does not have '-rstudio-' in {image_metadata.labels['name']=}'")
 

tests/containers/utils.py

@@ -0,0 +1,15 @@
+import docker.errors
+import docker.models.images
+import testcontainers.core.container
+
+def is_rstudio_image(my_image: str) -> bool:
+    label = "-rstudio-"
+
+    client = testcontainers.core.container.DockerClient()
+    try:
+        image_metadata = client.client.images.get(my_image)
+    except docker.errors.ImageNotFound:
+        image_metadata = client.client.images.pull(my_image)
+        assert isinstance(image_metadata, docker.models.images.Image)
+
+    return label in image_metadata.labels['name']