Move default docker user selection into Droplet

* Not able to remove logic from Process because Droplet not guaranteed
  to exist for unstaged App

Author: acosta11

app/models/runtime/task_model.rb

@@ -48,7 +48,7 @@ def run_action_user
       return user if user.present?
 
       if docker?
-        docker_run_action_user
+        docker_user
       elsif cnb?
         'root' # TODO: Why do CNB tasks default to this user instead of vcap?
       else
@@ -64,16 +64,16 @@ def cnb?
       !!droplet&.cnb?
     end
 
+    def docker_user
+      droplet&.docker_user
+    end
+
     private
 
     def permitted_users
       Set.new([AppModel::DEFAULT_CONTAINER_USER]) + Config.config.get(:additional_allowed_process_users)
     end
 
-    def docker_run_action_user
-      droplet&.docker_user.presence || (Config.config.get(:allow_docker_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
-    end
-
     def running_state?
       state == RUNNING_STATE
     end

spec/unit/models/runtime/droplet_model_spec.rb

@@ -359,41 +359,91 @@ module VCAP::CloudController
         let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"],"user":"cnb"}' }
         let(:droplet_model) { DropletModel.make(:docker, execution_metadata: droplet_execution_metadata) }
 
-        context 'when the droplet execution metadata specifies a user' do
-          it 'returns the specified user' do
-            expect(droplet_model.docker_user).to eq('cnb')
+        context 'when root user is allowed' do
+          before do
+            TestConfig.override(allow_process_root_user: true)
+          end
+
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(droplet_model.docker_user).to eq('cnb')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata DOES NOT specify a user' do
-          let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
 
-          it 'defaults the user to root' do
-            expect(droplet_model.docker_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(droplet_model.docker_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is an empty string' do
-          let(:droplet_execution_metadata) { '' }
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
 
-          it 'defaults the user to root' do
-            expect(droplet_model.docker_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(droplet_model.docker_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is nil' do
-          let(:droplet_execution_metadata) { nil }
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
 
-          it 'defaults the user to root' do
-            expect(droplet_model.docker_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(droplet_model.docker_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata has invalid json' do
-          let(:droplet_execution_metadata) { '{' }
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
+
+            it 'defaults the user to root' do
+              expect(droplet_model.docker_user).to eq('root')
+            end
+          end
+
+          context 'when root user is not allowed' do
+            before do
+              TestConfig.override(allow_process_root_user: false)
+            end
+
+            context 'when the droplet execution metadata specifies a user' do
+              it 'returns the specified user' do
+                expect(droplet_model.docker_user).to eq('cnb')
+              end
+            end
+
+            context 'when the droplet execution metadata DOES NOT specify a user' do
+              let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+
+              it 'defaults the user to vcap' do
+                expect(droplet_model.docker_user).to eq('vcap')
+              end
+            end
+
+            context 'when the droplet execution metadata is an empty string' do
+              let(:droplet_execution_metadata) { '' }
+
+              it 'defaults the user to root' do
+                expect(droplet_model.docker_user).to eq('vcap')
+              end
+            end
+
+            context 'when the droplet execution metadata is nil' do
+              let(:droplet_execution_metadata) { nil }
+
+              it 'defaults the user to root' do
+                expect(droplet_model.docker_user).to eq('vcap')
+              end
+            end
+
+            context 'when the droplet execution metadata has invalid json' do
+              let(:droplet_execution_metadata) { '{' }
 
-          it 'defaults the user to root' do
-            expect(droplet_model.docker_user).to eq('root')
+              it 'defaults the user to root' do
+                expect(droplet_model.docker_user).to eq('vcap')
+              end
+            end
           end
         end
       end

spec/unit/models/runtime/task_model_spec.rb

@@ -204,111 +204,36 @@ module VCAP::CloudController
           task.droplet.update(execution_metadata: droplet_execution_metadata)
         end
 
-        context 'when root user is allowed' do
+        context 'when the task has a user specified' do
           before do
-            TestConfig.override(allow_docker_root_user: true)
-          end
-
-          context 'when the task has a user specified' do
-            before do
-              task.update(user: 'ContainerUser')
-            end
-
-            it 'returns the user' do
-              expect(task.run_action_user).to eq('ContainerUser')
-            end
-          end
-
-          context 'when the droplet execution metadata specifies a user' do
-            it 'returns the specified user' do
-              expect(task.run_action_user).to eq('some-user')
-            end
-          end
-
-          context 'when the droplet execution metadata DOES NOT specify a user' do
-            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
-
-            it 'defaults the user to root' do
-              expect(task.run_action_user).to eq('root')
-            end
-          end
-
-          context 'when the droplet execution metadata is an empty string' do
-            let(:droplet_execution_metadata) { '' }
-
-            it 'defaults the user to root' do
-              expect(task.run_action_user).to eq('root')
-            end
-          end
-
-          context 'when the droplet execution metadata is nil' do
-            let(:droplet_execution_metadata) { nil }
-
-            it 'defaults the user to root' do
-              expect(task.run_action_user).to eq('root')
-            end
+            task.update(user: 'ContainerUser')
           end
 
-          context 'when the droplet execution metadata has invalid json' do
-            let(:droplet_execution_metadata) { '{' }
-
-            it 'defaults the user to root' do
-              expect(task.run_action_user).to eq('root')
-            end
+          it 'returns the user' do
+            expect(task.run_action_user).to eq('ContainerUser')
           end
         end
 
-        context 'when root user is not allowed' do
-          before do
-            TestConfig.override(allow_docker_root_user: false)
-          end
-
-          context 'when the task has a user specified' do
+        context 'when the task DOES NOT have a user specified' do
+          context 'when there is a droplet and it has the docker lifecycle' do
             before do
-              task.update(user: 'ContainerUser')
-            end
-
-            it 'returns the user' do
-              expect(task.run_action_user).to eq('ContainerUser')
-            end
-          end
-
-          context 'when the droplet execution metadata specifies a user' do
-            it 'returns the specified user' do
-              expect(task.run_action_user).to eq('some-user')
+              allow(task.droplet).to(receive(:docker_user).and_return('DropletDockerUser'))
             end
-          end
-
-          context 'when the droplet execution metadata DOES NOT specify a user' do
-            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
 
-            it 'defaults the user to vcap' do
-              expect(task.run_action_user).to eq('vcap')
+            it 'returns the docker_user from the droplet' do
+              expect(task.run_action_user).to eq('DropletDockerUser')
             end
           end
+        end
 
-          context 'when the droplet execution metadata is an empty string' do
-            let(:droplet_execution_metadata) { '' }
-
-            it 'defaults the user to vcap' do
-              expect(task.run_action_user).to eq('vcap')
-            end
-          end
-
-          context 'when the droplet execution metadata is nil' do
-            let(:droplet_execution_metadata) { nil }
-
-            it 'defaults the user to vcap' do
-              expect(task.run_action_user).to eq('vcap')
-            end
+        context 'when there is no droplet for the task' do
+          before do
+            task.droplet.delete
+            task.reload
           end
 
-          context 'when the droplet execution metadata has invalid json' do
-            let(:droplet_execution_metadata) { '{' }
-
-            it 'defaults the user to vcap' do
-              expect(task.run_action_user).to eq('vcap')
-            end
+          it 'returns the default "vcap" user' do
+            expect(task.run_action_user).to eq('vcap')
           end
         end
       end