From 768aaadca1d0cc96cf41b2a8672a57053da3c1f8 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Tue, 15 Oct 2024 15:30:15 +0200
Subject: [PATCH] libpod API: only return exit code without conditions

The special handling to return the exit code after the container has
been removed should only be done if there are no special conditions
requested. If a user asked for running or nay other state returning the
exit code immediately with a success response is just wrong. We only
want to allow that so the remote client can fetch the exit code without
races.

Fixes b3829a2932 ("libpod API: make wait endpoint better against rm races")

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 pkg/api/handlers/utils/containers.go |  8 +++++---
 test/apiv2/26-containersWait.at      | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/pkg/api/handlers/utils/containers.go b/pkg/api/handlers/utils/containers.go
index 07f8ca7f2f..585899509f 100644
--- a/pkg/api/handlers/utils/containers.go
+++ b/pkg/api/handlers/utils/containers.go
@@ -137,9 +137,11 @@ func WaitContainerLibpod(w http.ResponseWriter, r *http.Request) {
 			// However we keep the exit code around for longer than the container so
 			// we can just look it up here. Of course this only works when we get a
 			// full id as param but podman-remote will do that
-			if code, err := runtime.GetContainerExitCode(name); err == nil {
-				WriteResponse(w, http.StatusOK, strconv.Itoa(int(code)))
-				return
+			if len(opts.Conditions) == 0 {
+				if code, err := runtime.GetContainerExitCode(name); err == nil {
+					WriteResponse(w, http.StatusOK, strconv.Itoa(int(code)))
+					return
+				}
 			}
 			ContainerNotFound(w, name, err)
 			return
diff --git a/test/apiv2/26-containersWait.at b/test/apiv2/26-containersWait.at
index 81ba304a63..d3a76c3ded 100644
--- a/test/apiv2/26-containersWait.at
+++ b/test/apiv2/26-containersWait.at
@@ -15,6 +15,12 @@ t POST "containers/nonExistent/wait?condition=next-exit" 404
 # Make sure to test a non-zero exit code (see #18889)
 podman create --name "${CTR}" "${IMAGE}" sh -c "exit 3"
 
+t GET libpod/containers/${CTR}/json 200 \
+  .Id~[0-9a-f]\\{64\\}
+
+# We need the cid for the wait test at the end
+cid=$(jq -r '.Id' <<<"$output")
+
 t POST "containers/${CTR}/wait?condition=non-existent-cond" 400
 
 t POST "containers/${CTR}/wait?condition=not-running" 200
@@ -49,3 +55,12 @@ t POST "containers/${CTR}/wait?condition=removed" 200 \
 # work correctly.
 t POST "containers/${CTR}/wait?condition=next-exit" 404
 wait "${child_pid}"
+
+t POST "libpod/containers/${CTR}/wait?condition=running" 404
+t POST "libpod/containers/${cid}/wait?condition=running" 404
+# The container no longer exists but we want to ensure the remote client
+# can still fetch the exit code correctly until the exit code is pruned
+# (after 5 mins) but only by the container id and not the name.
+t POST "libpod/containers/${CTR}/wait" 404
+t POST "libpod/containers/${cid}/wait" 200 \
+ "3"