test: cover plugin requirements entrypoint path

lucarlig · lucarlig · commit fc5a959347dd · 2026-04-10T15:05:51.000+01:00
Signed-off-by: lucarlig &lt;luca.carlig@ibm.com&gt;
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -9,6 +9,7 @@ if [ "$(uname -m)" = "s390x" ]; then
 fi
 
 HTTP_SERVER="${HTTP_SERVER:-gunicorn}"
+APP_ROOT="${APP_ROOT:-/app}"
 RUST_MCP_MODE="${RUST_MCP_MODE:-off}"
 RUST_MCP_LOG="${RUST_MCP_LOG:-warn}"
 RUST_MCP_SESSION_AUTH_REUSE="${RUST_MCP_SESSION_AUTH_REUSE:-}"
@@ -47,7 +48,8 @@ RUST_MCP_PID=""
 SERVER_PID=""
 
 apply_rust_mcp_mode_defaults() {
-    local normalized_mode="${RUST_MCP_MODE,,}"
+    local normalized_mode
+    normalized_mode="$(printf '%s' "${RUST_MCP_MODE}" | tr '[:upper:]' '[:lower:]')"
     local runtime_enabled_default="false"
     local managed_default="true"
     local session_core_default="false"
@@ -391,27 +393,31 @@ PY
 
 install_plugin_requirements() {
     RELOAD_PLUGIN_REQUIREMENTS_TXT="${RELOAD_PLUGIN_REQUIREMENTS_TXT:-false}"
-    PLUGIN_REQUIREMENTS_TXT_PATH="${PLUGIN_REQUIREMENTS_TXT_PATH:-/app/plugins/requirements.txt}"
+    PLUGIN_REQUIREMENTS_TXT_PATH="${PLUGIN_REQUIREMENTS_TXT_PATH:-${APP_ROOT}/plugins/requirements.txt}"
 
     if [[ "${RELOAD_PLUGIN_REQUIREMENTS_TXT}" != "true" ]]; then
         return 0
     fi
 
-    # Resolve both /app and the requested path to their canonical forms, then
-    # require the requested path to live inside /app. Canonicalizing /app too
+    # Resolve both APP_ROOT and the requested path to their canonical forms, then
+    # require the requested path to live inside APP_ROOT. Canonicalizing APP_ROOT too
     # handles the case where /app is itself a symlink (uncommon in this repo's
     # Containerfiles, but defensive). This prevents env-controlled path
     # injection like PLUGIN_REQUIREMENTS_TXT_PATH=/tmp/evil-requirements.txt.
     local app_root resolved_path
-    app_root="$(readlink -f /app 2>/dev/null)"
+    app_root="$(readlink -f "${APP_ROOT}" 2>/dev/null)"
     if [[ -z "${app_root}" ]]; then
-        echo "❌ /app could not be resolved; refusing to start with RELOAD_PLUGIN_REQUIREMENTS_TXT=true"
+        echo "❌ ${APP_ROOT} could not be resolved; refusing to start with RELOAD_PLUGIN_REQUIREMENTS_TXT=true"
         return 1
     fi
-    if ! resolved_path="$(readlink -f "${PLUGIN_REQUIREMENTS_TXT_PATH}" 2>/dev/null)"; then
+    local requirements_dir requirements_file
+    requirements_dir="$(dirname "${PLUGIN_REQUIREMENTS_TXT_PATH}")"
+    requirements_file="$(basename "${PLUGIN_REQUIREMENTS_TXT_PATH}")"
+    if ! resolved_path="$(readlink -f "${requirements_dir}" 2>/dev/null)"; then
         echo "❌ PLUGIN_REQUIREMENTS_TXT_PATH=${PLUGIN_REQUIREMENTS_TXT_PATH} could not be resolved; refusing to start"
         return 1
     fi
+    resolved_path="${resolved_path}/${requirements_file}"
     if [[ "${resolved_path}" != "${app_root}/"* ]]; then
         echo "❌ PLUGIN_REQUIREMENTS_TXT_PATH must resolve under ${app_root}/ (got ${resolved_path}); refusing to start"
         return 1
@@ -428,7 +434,7 @@ install_plugin_requirements() {
     local max_retries=3
     local attempt=1
     while (( attempt <= max_retries )); do
-        if /app/.venv/bin/pip install --no-cache-dir -r "${resolved_path}"; then
+        if "${app_root}/.venv/bin/pip" install --no-cache-dir -r "${resolved_path}"; then
             return 0
         fi
         echo "⚠️  Plugin package install attempt ${attempt}/${max_retries} failed"
@@ -439,6 +445,10 @@ install_plugin_requirements() {
     return 1
 }
 
+if [[ "${CONTEXTFORGE_TEST_ONLY_SOURCE:-false}" = "true" ]]; then
+    return 0 2>/dev/null || exit 0
+fi
+
 apply_rust_mcp_mode_defaults
 install_plugin_requirements
 build_server_command "$@"
diff --git a/tests/unit/test_docker_entrypoint.py b/tests/unit/test_docker_entrypoint.py
@@ -0,0 +1,145 @@
+"""Direct unit tests for docker-entrypoint.sh plugin requirement reload logic."""
+
+from __future__ import annotations
+
+import stat
+import subprocess
+from pathlib import Path
+
+REPO_ROOT = Path(__file__).resolve().parents[2]
+ENTRYPOINT = REPO_ROOT / "docker-entrypoint.sh"
+
+
+def _write_executable(path: Path, content: str) -> None:
+    path.write_text(content, encoding="utf-8")
+    path.chmod(path.stat().st_mode | stat.S_IXUSR)
+
+
+def _make_app_root(tmp_path: Path) -> Path:
+    app_root = tmp_path / "app"
+    (app_root / ".venv" / "bin").mkdir(parents=True)
+    (app_root / "plugins").mkdir()
+    return app_root
+
+
+def _run_install_plugin_requirements(app_root: Path, requirements_path: Path | None = None) -> subprocess.CompletedProcess[str]:
+    command = f"""
+set -euo pipefail
+export CONTEXTFORGE_TEST_ONLY_SOURCE=true
+export APP_ROOT="{app_root}"
+source "{ENTRYPOINT}"
+export RELOAD_PLUGIN_REQUIREMENTS_TXT=true
+export PLUGIN_REQUIREMENTS_TXT_PATH="{requirements_path or app_root / 'plugins' / 'requirements.txt'}"
+install_plugin_requirements
+"""
+    return subprocess.run(
+        ["bash", "-lc", command],
+        capture_output=True,
+        text=True,
+        cwd=REPO_ROOT,
+        check=False,
+    )
+
+
+def test_install_plugin_requirements_refuses_path_outside_app_root(tmp_path: Path) -> None:
+    app_root = _make_app_root(tmp_path)
+    outside_requirements = tmp_path / "outside.txt"
+    outside_requirements.write_text("cpex-rate-limiter==0.0.3\n", encoding="utf-8")
+
+    result = _run_install_plugin_requirements(app_root, outside_requirements)
+
+    assert result.returncode == 1
+    assert "must resolve under" in result.stdout
+
+
+def test_install_plugin_requirements_refuses_missing_file(tmp_path: Path) -> None:
+    app_root = _make_app_root(tmp_path)
+    missing_requirements = app_root / "plugins" / "missing.txt"
+
+    result = _run_install_plugin_requirements(app_root, missing_requirements)
+
+    assert result.returncode == 1
+    assert "not found" in result.stdout
+
+
+def test_install_plugin_requirements_retries_three_times_then_fails(tmp_path: Path) -> None:
+    app_root = _make_app_root(tmp_path)
+    requirements = app_root / "plugins" / "requirements.txt"
+    requirements.write_text("cpex-rate-limiter==0.0.3\n", encoding="utf-8")
+    attempts_file = tmp_path / "attempts.txt"
+    _write_executable(
+        app_root / ".venv" / "bin" / "pip",
+        f"""#!/usr/bin/env bash
+set -euo pipefail
+echo attempt >> "{attempts_file}"
+exit 1
+""",
+    )
+
+    result = _run_install_plugin_requirements(app_root, requirements)
+
+    assert result.returncode == 1
+    assert attempts_file.read_text(encoding="utf-8").count("attempt") == 3
+    assert "failed after 3 attempts" in result.stdout
+
+
+def test_install_plugin_requirements_succeeds_after_retry(tmp_path: Path) -> None:
+    app_root = _make_app_root(tmp_path)
+    requirements = app_root / "plugins" / "requirements.txt"
+    requirements.write_text("# comment\n\ncpex-rate-limiter==0.0.3\n", encoding="utf-8")
+    attempts_file = tmp_path / "attempts.txt"
+    _write_executable(
+        app_root / ".venv" / "bin" / "pip",
+        f"""#!/usr/bin/env bash
+set -euo pipefail
+count=0
+if [[ -f "{attempts_file}" ]]; then
+    count=$(wc -l < "{attempts_file}")
+fi
+echo attempt >> "{attempts_file}"
+if [[ "$count" -lt 1 ]]; then
+    exit 1
+fi
+exit 0
+""",
+    )
+
+    result = _run_install_plugin_requirements(app_root, requirements)
+
+    assert result.returncode == 0
+    assert attempts_file.read_text(encoding="utf-8").count("attempt") == 2
+    assert "Installing 1 plugin package requirement" in result.stdout
+    assert "attempt 1/3 failed" in result.stdout
+
+
+def test_install_plugin_requirements_skips_when_reload_disabled(tmp_path: Path) -> None:
+    app_root = _make_app_root(tmp_path)
+    marker = tmp_path / "pip-called.txt"
+    _write_executable(
+        app_root / ".venv" / "bin" / "pip",
+        f"""#!/usr/bin/env bash
+set -euo pipefail
+echo called > "{marker}"
+exit 0
+""",
+    )
+    command = f"""
+set -euo pipefail
+export CONTEXTFORGE_TEST_ONLY_SOURCE=true
+export APP_ROOT="{app_root}"
+source "{ENTRYPOINT}"
+export RELOAD_PLUGIN_REQUIREMENTS_TXT=false
+install_plugin_requirements
+"""
+
+    result = subprocess.run(
+        ["bash", "-lc", command],
+        capture_output=True,
+        text=True,
+        cwd=REPO_ROOT,
+        check=False,
+    )
+
+    assert result.returncode == 0
+    assert not marker.exists()
+    assert result.stdout == ""
