Validate use of 'root' user by Tasks

acosta11 · acosta11 · commit 0cc23ee55024 · 2025-07-14T14:15:44.000-07:00
* Matches the logic from the Process model for run_action_user default
  behavior when root not allowed
* Relies on ProcessUserPolicy for validation
diff --git a/app/models/runtime/task_model.rb b/app/models/runtime/task_model.rb
@@ -66,7 +66,7 @@ def permitted_users
     end
 
     def docker_run_action_user
-      droplet.docker_user.presence || AppModel::DEFAULT_CONTAINER_USER
+      droplet&.docker_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
     end
 
     def running_state?
diff --git a/spec/unit/models/runtime/task_model_spec.rb b/spec/unit/models/runtime/task_model_spec.rb
@@ -204,51 +204,111 @@ module VCAP::CloudController
           task.droplet.update(execution_metadata: droplet_execution_metadata)
         end
 
-        context 'when the task has a user specified' do
+        context 'when root user is allowed' do
           before do
-            task.update(user: 'ContainerUser')
+            TestConfig.override(allow_process_root_user: true)
           end
 
-          it 'returns the user' do
-            expect(task.run_action_user).to eq('ContainerUser')
+          context 'when the task has a user specified' do
+            before do
+              task.update(user: 'ContainerUser')
+            end
+
+            it 'returns the user' do
+              expect(task.run_action_user).to eq('ContainerUser')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata specifies a user' do
-          it 'returns the specified user' do
-            expect(task.run_action_user).to eq('cnb')
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(task.run_action_user).to eq('cnb')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata DOES NOT specify a user' do
-          let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is an empty string' do
-          let(:droplet_execution_metadata) { '' }
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is nil' do
-          let(:droplet_execution_metadata) { nil }
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
+          end
+
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
+
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
           end
         end
 
-        context 'when the droplet execution metadata has invalid json' do
-          let(:droplet_execution_metadata) { '{' }
+        context 'when root user is not allowed' do
+          before do
+            TestConfig.override(allow_process_root_user: false)
+          end
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+          context 'when the task has a user specified' do
+            before do
+              task.update(user: 'ContainerUser')
+            end
+
+            it 'returns the user' do
+              expect(task.run_action_user).to eq('ContainerUser')
+            end
+          end
+
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(task.run_action_user).to eq('cnb')
+            end
+          end
+
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
           end
         end
       end
