test: restore missing runner tests

inercia · inercia · commit 085b2b62e623 · 2026-02-03T18:20:08.000+01:00
Restore tests that were removed during the runner package extraction:
- TestDocker_Run_Networking: tests network isolation
- TestDocker_Run_PrepareCommand: tests prepare_command option
- TestExec_Optimization_SingleExecutable: tests single executable optimization
- Expanded TestNewDockerOptions assertions for all fields
- Expanded TestSandboxExec_Run with template and env variable tests
diff --git a/pkg/runner/docker_test.go b/pkg/runner/docker_test.go
@@ -2,6 +2,7 @@ package runner
 
 import (
 	"context"
+	"os"
 	"os/exec"
 	"runtime"
 	"strings"
@@ -159,6 +160,103 @@ func TestDocker_Run_EnvironmentVariables(t *testing.T) {
 	}
 }
 
+func TestDocker_Run_Networking(t *testing.T) {
+	// Skip on Windows - Alpine Linux doesn't support Windows containers
+	if runtime.GOOS == "windows" {
+		t.Skip("Skipping Docker test on Windows - Alpine Linux image not compatible with Windows containers")
+	}
+
+	// Skip if docker is not available or not running
+	if !checkDockerRunning() {
+		t.Skip("Docker not installed or not running, skipping test")
+	}
+
+	// Check if running in GitHub Actions
+	inGitHubActions := os.Getenv("GITHUB_ACTIONS") == "true"
+	if inGitHubActions {
+		t.Skip("Skipping network test in GitHub Actions environment")
+	}
+
+	logger, _ := common.NewLogger("test-docker: ", "", common.LogLevelInfo, false)
+
+	testCases := []struct {
+		name            string
+		allowNetworking bool
+		expectSuccess   bool
+	}{
+		{
+			name:            "With networking",
+			allowNetworking: true,
+			expectSuccess:   true,
+		},
+		{
+			name:            "Without networking",
+			allowNetworking: false,
+			expectSuccess:   false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create a runner with specified networking
+			r, err := NewDocker(Options{
+				"image":            "alpine:latest",
+				"allow_networking": tc.allowNetworking,
+			}, logger)
+
+			if err != nil {
+				t.Fatalf("Failed to create Docker runner: %v", err)
+			}
+
+			// Try to ping google.com (will fail if networking is disabled)
+			_, err = r.Run(context.Background(), "", "ping -c 1 -W 1 google.com", nil, nil, false)
+
+			if tc.expectSuccess && err != nil {
+				t.Errorf("Expected network ping to succeed but got error: %v", err)
+			}
+
+			if !tc.expectSuccess && err == nil {
+				t.Errorf("Expected network ping to fail but it succeeded")
+			}
+		})
+	}
+}
+
+func TestDocker_Run_PrepareCommand(t *testing.T) {
+	// Skip on Windows - Alpine Linux doesn't support Windows containers
+	if runtime.GOOS == "windows" {
+		t.Skip("Skipping Docker test on Windows - Alpine Linux image not compatible with Windows containers")
+	}
+
+	// Skip if docker is not available or not running
+	if !checkDockerRunning() {
+		t.Skip("Docker not installed or not running, skipping test")
+	}
+
+	logger, _ := common.NewLogger("test-docker: ", "", common.LogLevelInfo, false)
+
+	// Create a runner with alpine image and prepare command to install grep
+	r, err := NewDocker(Options{
+		"image":           "alpine:latest",
+		"prepare_command": "apk add --no-cache grep",
+	}, logger)
+
+	if err != nil {
+		t.Fatalf("Failed to create Docker runner: %v", err)
+	}
+
+	// Run grep command that should only work if the prepare_command executed properly
+	output, err := r.Run(context.Background(), "", "grep --version | head -n 1", nil, nil, false)
+	if err != nil {
+		t.Errorf("Failed to run command that requires prepare_command: %v", err)
+	}
+
+	// Check the output contains grep version information
+	if !strings.Contains(output, "grep") {
+		t.Errorf("Expected output to contain grep version information, got: %q", output)
+	}
+}
+
 func TestDocker_Optimization_SingleExecutable(t *testing.T) {
 	// Skip on Windows - Alpine Linux doesn't support Windows containers
 	if runtime.GOOS == "windows" {
@@ -282,9 +380,41 @@ func TestNewDockerOptions(t *testing.T) {
 			if result.Image != tc.expected.Image {
 				t.Errorf("Image: expected %q, got %q", tc.expected.Image, result.Image)
 			}
+			if result.DockerRunOpts != tc.expected.DockerRunOpts {
+				t.Errorf("DockerRunOpts: expected %q, got %q", tc.expected.DockerRunOpts, result.DockerRunOpts)
+			}
 			if result.AllowNetworking != tc.expected.AllowNetworking {
 				t.Errorf("AllowNetworking: expected %v, got %v", tc.expected.AllowNetworking, result.AllowNetworking)
 			}
+			if result.Network != tc.expected.Network {
+				t.Errorf("Network: expected %q, got %q", tc.expected.Network, result.Network)
+			}
+			if result.User != tc.expected.User {
+				t.Errorf("User: expected %q, got %q", tc.expected.User, result.User)
+			}
+			if result.WorkDir != tc.expected.WorkDir {
+				t.Errorf("WorkDir: expected %q, got %q", tc.expected.WorkDir, result.WorkDir)
+			}
+			if result.PrepareCommand != tc.expected.PrepareCommand {
+				t.Errorf("PrepareCommand: expected %q, got %q", tc.expected.PrepareCommand, result.PrepareCommand)
+			}
+
+			// Check slice fields
+			if !compareStringSlices(result.Mounts, tc.expected.Mounts) {
+				t.Errorf("Mounts: expected %v, got %v", tc.expected.Mounts, result.Mounts)
+			}
+			if !compareStringSlices(result.CapAdd, tc.expected.CapAdd) {
+				t.Errorf("CapAdd: expected %v, got %v", tc.expected.CapAdd, result.CapAdd)
+			}
+			if !compareStringSlices(result.CapDrop, tc.expected.CapDrop) {
+				t.Errorf("CapDrop: expected %v, got %v", tc.expected.CapDrop, result.CapDrop)
+			}
+			if !compareStringSlices(result.DNS, tc.expected.DNS) {
+				t.Errorf("DNS: expected %v, got %v", tc.expected.DNS, result.DNS)
+			}
+			if !compareStringSlices(result.DNSSearch, tc.expected.DNSSearch) {
+				t.Errorf("DNSSearch: expected %v, got %v", tc.expected.DNSSearch, result.DNSSearch)
+			}
 		})
 	}
 }
diff --git a/pkg/runner/exec_test.go b/pkg/runner/exec_test.go
@@ -163,3 +163,33 @@ func TestExec_RunWithEnvExpansion(t *testing.T) {
 		t.Errorf("Environment variable expansion failed: got %q, want %q", output, expected)
 	}
 }
+
+func TestExec_Optimization_SingleExecutable(t *testing.T) {
+	logger, _ := common.NewLogger("test-runner-exec-opt: ", "", common.LogLevelInfo, false)
+	r, err := NewExec(Options{}, logger)
+	if err != nil {
+		t.Fatalf("Failed to create Exec: %v", err)
+	}
+
+	// This command should be a single executable and run directly
+	command := "whoami"
+	output, err := r.Run(context.Background(), "", command, nil, nil, false)
+	if err != nil {
+		t.Errorf("Expected '%s' to run without error, got: %v", command, err)
+	}
+	if len(strings.TrimSpace(output)) == 0 {
+		t.Errorf("Expected output from '%s', got empty string", command)
+	}
+
+	// This command has arguments and should be run via a shell, not directly.
+	// isSingleExecutableCommand should return false.
+	// The command itself should succeed when run through the shell.
+	commandWithArgs := "echo hello"
+	output, err = r.Run(context.Background(), "", commandWithArgs, nil, nil, false)
+	if err != nil {
+		t.Errorf("Expected '%s' to run without error, got: %v", commandWithArgs, err)
+	}
+	if strings.TrimSpace(output) != "hello" {
+		t.Errorf("Expected output from '%s' to be 'hello', got %q", commandWithArgs, output)
+	}
+}
diff --git a/pkg/runner/sandbox_test.go b/pkg/runner/sandbox_test.go
@@ -2,6 +2,7 @@ package runner
 
 import (
 	"context"
+	"os"
 	"reflect"
 	"runtime"
 	"strings"
@@ -84,6 +85,20 @@ func TestSandboxExec_Run(t *testing.T) {
 		t.Skip("skipping test in short mode")
 	}
 
+	// Set environment variables for the test
+	if err := os.Setenv("ALLOWED_FROM_ENV", "/tmp"); err != nil {
+		t.Fatalf("Failed to set environment variable: %v", err)
+	}
+	if err := os.Setenv("USR_DIR", "/usr"); err != nil {
+		t.Fatalf("Failed to set environment variable: %v", err)
+	}
+
+	// Ensure cleanup
+	defer func() {
+		_ = os.Unsetenv("ALLOWED_FROM_ENV")
+		_ = os.Unsetenv("USR_DIR")
+	}()
+
 	// Create a logger for the test
 	logger, _ := common.NewLogger("test-runner-sandbox: ", "", common.LogLevelInfo, false)
 	ctx := context.Background()
@@ -127,6 +142,67 @@ func TestSandboxExec_Run(t *testing.T) {
 			shouldSucceed: true,
 			expectedOut:   "Restricted",
 		},
+		{
+			name:    "read /tmp with folder restrictions",
+			command: "ls -la /tmp | grep -q . && echo 'success'",
+			options: Options{
+				"allow_networking":   false,
+				"allow_user_folders": false,
+			},
+			shouldSucceed: true,
+			expectedOut:   "success",
+		},
+		{
+			name:    "custom profile allowing only /tmp",
+			command: "ls -la /tmp | grep -q . && echo 'success'",
+			options: Options{
+				"custom_profile": `(version 1)
+(allow default)
+(deny file-read* (subpath "/Users"))
+(allow file-read* (regex "^/tmp"))`,
+			},
+			shouldSucceed: true,
+			expectedOut:   "success",
+		},
+		{
+			name:    "read from allowed folder using env variable",
+			command: "ls -la /tmp > /dev/null && echo 'can read /tmp'",
+			options: Options{
+				"allow_networking":   false,
+				"allow_user_folders": false,
+				"allow_read_folders": []string{"{{ env ALLOWED_FROM_ENV }}"},
+				"custom_profile":     "",
+			},
+			shouldSucceed: true,
+			expectedOut:   "can read /tmp",
+		},
+		{
+			name:    "template variables in allow_read_folders",
+			command: "ls -la /var > /dev/null && echo 'can read templated folder'",
+			options: Options{
+				"allow_networking":   false,
+				"allow_user_folders": false,
+				"allow_read_folders": []string{"{{.test_folder}}"},
+				"custom_profile":     "",
+			},
+			params: map[string]interface{}{
+				"test_folder": "/var",
+			},
+			shouldSucceed: true,
+			expectedOut:   "can read templated folder",
+		},
+		{
+			name:    "complex env variable template in allow_read_folders",
+			command: "ls -la /usr/bin > /dev/null && echo 'can read /usr/bin'",
+			options: Options{
+				"allow_networking":   false,
+				"allow_user_folders": false,
+				"allow_read_folders": []string{"{{ env USR_DIR }}/bin"},
+				"custom_profile":     "",
+			},
+			shouldSucceed: true,
+			expectedOut:   "can read /usr/bin",
+		},
 	}
 
 	for _, tt := range tests {
