Add tests

.test/ca-certificates-update/certs/README.md

@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing

.test/ca-certificates-update/certs/server.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
+BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
+aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
+kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
+N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
+hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
+Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
+me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
+w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
+o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
+r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
+kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
+DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
+WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
+CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
+ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
+-----END CERTIFICATE-----

.test/ca-certificates-update/certs/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs
+Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac
+SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT
+CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss
+ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9
+jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH
+TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG
+yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg
+SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx
+qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK
+d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg
+rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu
+PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw
+Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw
+buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G
+Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r
+BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX
+mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr
+ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx
+XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD
+Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL
+6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB
+ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4
+6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi
+YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V
+1HI3wrgh88qBEGASVY8y6rDH
+-----END PRIVATE KEY-----

.test/ca-certificates-update/container.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+

.test/ca-certificates-update/expected-std-out.txt

@@ -0,0 +1 @@
+010100

.test/ca-certificates-update/run.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -o pipefail 
+
+testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")"
+runDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+# Find Java major/minor/build/patch version
+# 
+# https://stackoverflow.com/a/74459237/6460
+IFS='"' read -r _ java_version_string _ < <(java -version 2>&1)
+IFS='._' read -r \
+    java_version_major \
+    java_version_minor \
+    java_version_build \
+    java_version_patch \
+    <<<"$java_version_string"
+
+# CMD1 in each run is just a `date` to make sure nothing is broken with or without the entrypoint
+CMD1=date
+
+# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore
+if [ "$java_version_major" -lt 11 ]; then
+    # We are working with JDK/JRE 8
+    #
+    # `keytool` from JDK/JRE 8 does not have the `-cacerts` option and also does not have standardized location for the
+    # `cacerts` file between the JDK and JRE, so we'd want to check both possible locations.
+    CACERTS=/opt/java/openjdk/lib/security/cacerts
+    CACERTS2=/opt/java/openjdk/jre/lib/security/cacerts
+
+    CMD2=(sh -c "keytool -list -keystore $CACERTS -storepass changeit -alias dockerbuilder || keytool -list -keystore $CACERTS2 -storepass changeit -alias dockerbuilder")
+else
+    CMD2=(keytool -list -cacerts -storepass changeit -alias dockerbuilder)
+fi
+
+# 
+# We need to use `docker run`, since `run-in-container.sh` overwrites the entrypoint
+#
+
+# Test run 1: No added certificates and not environment variable. We expect CMD1 to succeed and CMD2 to fail.
+docker run "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 2: Certificates are mounted, but the environment variable is not set, i.e. certificate importing should not
+# be activated. We expect CMD1 to succeed and CMD2 to fail.
+docker run --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 3: Certificates are mounted and the environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?

.test/config.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+globalTests+=(
+    ca-certificates-update
+)
+
+globalExcludeTests+=(
+	# nanoservcer/windowsservercore: updating local store with additional certificates is not implemented
+	[:nanoserver_ca-certificates-update]=1
+	[:windowsservercore_ca-certificates-update]=1
+)