From 72b87ad0046ac403a6d3f73328a4992c2fb6872f Mon Sep 17 00:00:00 2001
From: Ye Sijun
Date: Fri, 17 Jun 2022 14:51:35 +0800
Subject: [PATCH] add WithAdditionalGIDs test

Signed-off-by: Ye Sijun
---
 oci/spec_opts.go | 2 +-
 oci/spec_opts_linux_test.go | 68 +++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index 942b6ad96..6526aec73 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@@ -805,7 +805,7 @@ func WithUsername(username string) SpecOpts {
 }
 
 // WithAdditionalGIDs sets the OCI spec's additionalGids array to any additional groups listed
-// for a particular user in the /etc/groups file of the image's root filesystem
+// for a particular user in the /etc/group file of the image's root filesystem
 // The passed in user can be either a uid or a username.
 func WithAdditionalGIDs(userstr string) SpecOpts {
 return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go
index 28dfd7864..267d6b15f 100644
--- a/oci/spec_opts_linux_test.go
+++ b/oci/spec_opts_linux_test.go
@@ -22,11 +22,79 @@ import (
 "path/filepath"
 "testing"
 
+ "github.com/containerd/containerd/containers"
 "github.com/containerd/containerd/pkg/testutil"
+ "github.com/containerd/continuity/fs/fstest"
 specs "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/stretchr/testify/assert"
 "golang.org/x/sys/unix"
 )
 
+// nolint:gosec
+func TestWithAdditionalGIDs(t *testing.T) {
+ t.Parallel()
+ expectedPasswd := `root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+`
+ expectedGroup := `root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+sys:x:3:root,bin,adm
+`
+ td := t.TempDir()
+ apply := fstest.Apply(
+ fstest.CreateDir("/etc", 0777),
+ fstest.CreateFile("/etc/passwd", []byte(expectedPasswd), 0777),
+ fstest.CreateFile("/etc/group", []byte(expectedGroup), 0777),
+ )
+ if err := apply.Apply(td); err != nil {
+ t.Fatalf("failed to apply: %v", err)
+ }
+ c := containers.Container{ID: t.Name()}
+
+ testCases := []struct {
+ name string
+ user string
+ expected []uint32
+ }{
+ {
+ user: "root",
+ expected: []uint32{},
+ },
+ {
+ user: "1000",
+ expected: []uint32{},
+ },
+ {
+ user: "bin",
+ expected: []uint32{2, 3},
+ },
+ {
+ user: "bin:root",
+ expected: []uint32{},
+ },
+ {
+ user: "daemon",
+ expected: []uint32{1},
+ },
+ }
+ for _, testCase := range testCases {
+ t.Run(testCase.user, func(t *testing.T) {
+ t.Parallel()
+ s := Spec{
+ Version: specs.Version,
+ Root: &specs.Root{
+ Path: td,
+ },
+ }
+ err := WithAdditionalGIDs(testCase.user)(context.Background(), nil, &c, &s)
+ assert.NoError(t, err)
+ assert.Equal(t, testCase.expected, s.Process.User.AdditionalGids)
+ })
+ }
+}
+
 func TestAddCaps(t *testing.T) {
 t.Parallel()
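Review bot: The subtest closure in the `for _, testCase := range testCases` loop captures the loop variable and then calls `t.Parallel()`, so under pre-Go 1.22 loop semantics (the patch is dated 2022) every subtest resumes after the loop has ended and reads only the last entry, leaving the `root`, `1000`, `bin` and `bin:root` expectations unchecked. Add `testCase := testCase` as the first statement of the loop body so each supplementary-group case is actually exercised. Once they run, the `root` expectation deserves a second look: the fixture's /etc/group lists root as a member of bin, daemon and sys, yet the case expects `[]uint32{}` (the body of WithAdditionalGIDs is outside this hunk, so this is inferred from the fixture alone). The `name` field of the case struct is never set or read and can be dropped.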