baron-sso/test/works_drive_docker_image_download_policy_test.sh

#!/usr/bin/env bash
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
script="$repo_root/scripts/docker-image/download_works_drive.sh"
tmp_root="$(mktemp -d)"

cleanup() {
  rm -rf "$tmp_root"
}
trap cleanup EXIT INT TERM

fail() {
  echo "$1" >&2
  exit 1
}

[[ -x "$script" ]] || fail "download script must exist and be executable."
grep -Fq 'baron-sso/${IMAGE_TAG}/${image}.${IMAGE_TAG}.tar.zst' "$script" \
  || fail "download script must document the normalized archive path."
grep -Fq -- '--location-trusted' "$script" \
  || fail "download script must preserve Authorization across WORKS download redirects."

source_dir="$tmp_root/source"
mkdir -p "$source_dir"
printf 'backend image archive payload\n' >"$source_dir/backend.txt"
tar -C "$source_dir" -cf "$tmp_root/backend.v1.2606.ab12.tar" backend.txt
zstd -q -f -o "$tmp_root/backend.v1.2606.ab12.tar.zst" "$tmp_root/backend.v1.2606.ab12.tar"
archive_sha256="$(sha256sum "$tmp_root/backend.v1.2606.ab12.tar.zst" | awk '{print $1}')"
archive_size="$(wc -c <"$tmp_root/backend.v1.2606.ab12.tar.zst" | tr -d ' ')"
printf '%s  backend.v1.2606.ab12.tar.zst\n' "$archive_sha256" >"$tmp_root/backend.v1.2606.ab12.sha256"
jq -n \
  --arg sha "$archive_sha256" \
  --argjson size "$archive_size" \
  '{
    schema_version: 1,
    format: "docker-save-zstd",
    image_ref: "baron_sso/backend:v1.2606.ab12",
    repository: "baron_sso/backend",
    release_repository: "baron-sso",
    image_name: "backend",
    tag: "v1.2606.ab12",
    remote_path: "baron-sso/v1.2606.ab12",
    archive: {
      file_name: "backend.v1.2606.ab12.tar.zst",
      sha256: $sha,
      size_bytes: $size
    },
    images: {
      backend: {
        archive: {
          file_name: "backend.v1.2606.ab12.tar.zst",
          sha256: $sha,
          size_bytes: $size
        }
      }
    }
  }' >"$tmp_root/manifest.v1.2606.ab12.json"

curl_log="$tmp_root/curl.log"
docker_log="$tmp_root/docker.log"
fake_curl="$tmp_root/curl"
cat >"$fake_curl" <<'SH'
#!/usr/bin/env bash
set -euo pipefail

printf '%s\n' "$*" >>"$FAKE_CURL_LOG"

output_file=""
args=("$@")
for ((i = 0; i < ${#args[@]}; i += 1)); do
  if [[ "${args[$i]}" == "-o" ]]; then
    output_file="${args[$((i + 1))]}"
  fi
done
url="${args[-1]}"

if [[ -n "$output_file" ]]; then
  case "$url" in
    */files/backend-archive/download) cp "$FAKE_WORKS_SOURCE/backend.v1.2606.ab12.tar.zst" "$output_file" ;;
    */files/backend-checksum/download) cp "$FAKE_WORKS_SOURCE/backend.v1.2606.ab12.sha256" "$output_file" ;;
    */files/backend-manifest/download) cp "$FAKE_WORKS_SOURCE/manifest.v1.2606.ab12.json" "$output_file" ;;
    *) echo "unexpected download URL: $url" >&2; exit 2 ;;
  esac
  exit 0
fi

case "$url" in
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files)
    printf '{"files":[{"fileId":"baron-sso-id","fileName":"baron-sso","fileType":"FOLDER"}]}\n200\n'
    ;;
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/baron-sso-id/children)
    printf '{"files":[{"fileId":"tag-id","fileName":"v1.2606.ab12","fileType":"FOLDER"}]}\n200\n'
    ;;
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/tag-id/children)
    printf '{"files":[{"fileId":"backend-archive","fileName":"backend.v1.2606.ab12.tar.zst","fileType":"FILE"},{"fileId":"backend-checksum","fileName":"backend.v1.2606.ab12.sha256","fileType":"FILE"},{"fileId":"backend-manifest","fileName":"manifest.v1.2606.ab12.json","fileType":"FILE"}]}\n200\n'
    ;;
  *)
    echo "unexpected list URL: $url" >&2
    exit 2
    ;;
esac
SH
chmod +x "$fake_curl"

fake_bin="$tmp_root/bin"
mkdir -p "$fake_bin"
cat >"$fake_bin/docker" <<'SH'
#!/usr/bin/env bash
set -euo pipefail

if [[ "$1" == "load" ]]; then
  bytes="$(wc -c | tr -d ' ')"
  printf 'docker load bytes=%s\n' "$bytes" >>"$FAKE_DOCKER_LOG"
  exit 0
fi

echo "unexpected docker command: $*" >&2
exit 2
SH
chmod +x "$fake_bin/docker"

PATH="$fake_bin:$PATH" \
FAKE_CURL_LOG="$curl_log" \
FAKE_DOCKER_LOG="$docker_log" \
FAKE_WORKS_SOURCE="$tmp_root" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ACCESS_TOKEN="test-access-token" \
WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID="shared-drive-1" \
WORKS_DOCKER_IMAGE_NAMES="backend" \
WORKS_DOCKER_IMAGE_DOWNLOAD_DIR="$tmp_root/downloaded" \
IMAGE_TAG="v1.2606.ab12" \
  "$script" >/dev/null

grep -Fq "sharedrives/shared-drive-1/files" "$curl_log" \
  || fail "download script must list the shared drive root."
grep -Fq "sharedrives/shared-drive-1/files/baron-sso-id/children" "$curl_log" \
  || fail "download script must resolve the baron-sso folder."
grep -Fq "sharedrives/shared-drive-1/files/tag-id/children" "$curl_log" \
  || fail "download script must resolve the image tag folder."
grep -Fq "files/backend-archive/download" "$curl_log" \
  || fail "download script must download the normalized backend archive."
grep -Fq "docker load bytes=" "$docker_log" \
  || fail "download script must load the downloaded archive into Docker."

echo "OK: WORKS Drive Docker image archive download flow resolves, verifies, and loads image artifacts"