Process run_action_user delegates docker_user to actual_droplet if exists

acosta11 · acosta11 · commit 44e4a5823b72 · 2025-07-22T12:43:37.000-07:00
* Only test fallback logic to default docker users
diff --git a/app/models/runtime/process_model.rb b/app/models/runtime/process_model.rb
@@ -576,7 +576,7 @@ def permitted_users
     end
 
     def docker_run_action_user
-      desired_droplet&.docker_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
+      actual_droplet&.docker_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
     end
 
     def non_unique_process_types
diff --git a/spec/unit/models/runtime/process_model_spec.rb b/spec/unit/models/runtime/process_model_spec.rb
@@ -678,7 +678,7 @@ def act_as_cf_admin
       subject(:process) { ProcessModelFactory.make }
 
       context 'when the process belongs to a Docker lifecycle app' do
-        subject(:process) { ProcessModelFactory.make({ docker_image: 'example.com/image' }) }
+        subject(:process) { ProcessModelFactory.make(:docker, { docker_image: 'example.com/image' }) }
         let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"],"user":"some-user"}' }
 
         before do
@@ -687,56 +687,25 @@ def act_as_cf_admin
           process.desired_droplet.reload
         end
 
-        context 'when root user is allowed' do
+        context 'when the process has a user specified' do
           before do
-            TestConfig.override(allow_process_root_user: true)
-          end
-
-          context 'when the process has a user specified' do
-            before do
-              process.update(user: 'ContainerUser')
-            end
-
-            it 'returns the user' do
-              expect(process.run_action_user).to eq('ContainerUser')
-            end
-          end
-
-          context 'when the droplet execution metadata specifies a user' do
-            it 'returns the specified user' do
-              expect(process.run_action_user).to eq('some-user')
-            end
-          end
-
-          context 'when the droplet execution metadata DOES NOT specify a user' do
-            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
-
-            it 'returns the default "root" user' do
-              expect(process.run_action_user).to eq('root')
-            end
+            process.update(user: 'ContainerUser')
           end
 
-          context 'when the droplet execution metadata is an empty string' do
-            let(:droplet_execution_metadata) { '' }
-
-            it 'returns the default "root" user' do
-              expect(process.run_action_user).to eq('root')
-            end
+          it 'returns the user' do
+            expect(process.run_action_user).to eq('ContainerUser')
           end
+        end
 
-          context 'when the droplet execution metadata is nil' do
-            let(:droplet_execution_metadata) { nil }
-
-            it 'returns the default "root" user' do
-              expect(process.run_action_user).to eq('root')
+        context 'when the process DOES NOT have a user specified' do
+          context 'when the process has a droplet' do
+            before do
+              # TODO: do we need to handle the distinction between desired and actual droplet?
+              allow(process.actual_droplet).to(receive(:docker_user)).and_return('ActualDropletDockerUser')
             end
-          end
-
-          context 'when the droplet execution metadata has invalid json' do
-            let(:droplet_execution_metadata) { '{' }
 
-            it 'returns the default "root" user' do
-              expect(process.run_action_user).to eq('root')
+            it 'returns the docker_user from the desired_droplet' do
+              expect(process.run_action_user).to eq('ActualDropletDockerUser')
             end
           end
 
@@ -746,73 +715,24 @@ def act_as_cf_admin
               process.reload
             end
 
-            it 'returns the default "root" user' do
-              expect(process.run_action_user).to eq('root')
-            end
-          end
-        end
-
-        context 'when root user is not allowed' do
-          before do
-            TestConfig.override(allow_process_root_user: false)
-          end
-
-          context 'when the process has a user specified' do
-            before do
-              process.update(user: 'ContainerUser')
-            end
-
-            it 'returns the user' do
-              expect(process.run_action_user).to eq('ContainerUser')
-            end
-          end
-
-          context 'when the droplet execution metadata specifies a user' do
-            it 'returns the specified user' do
-              expect(process.run_action_user).to eq('some-user')
-            end
-          end
-
-          context 'when the droplet execution metadata DOES NOT specify a user' do
-            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
-
-            it 'returns the default "vcap" user' do
-              expect(process.run_action_user).to eq('vcap')
-            end
-          end
-
-          context 'when the droplet execution metadata is an empty string' do
-            let(:droplet_execution_metadata) { '' }
-
-            it 'returns the default "vcap" user' do
-              expect(process.run_action_user).to eq('vcap')
-            end
-          end
-
-          context 'when the droplet execution metadata is nil' do
-            let(:droplet_execution_metadata) { nil }
-
-            it 'returns the default "vcap" user' do
-              expect(process.run_action_user).to eq('vcap')
-            end
-          end
-
-          context 'when the droplet execution metadata has invalid json' do
-            let(:droplet_execution_metadata) { '{' }
+            context 'when root user is allowed' do
+              before do
+                TestConfig.override(allow_process_root_user: true)
+              end
 
-            it 'returns the default "vcap" user' do
-              expect(process.run_action_user).to eq('vcap')
+              it 'returns the default "root" user' do
+                expect(process.run_action_user).to eq('root')
+              end
             end
-          end
 
-          context 'when the app does not have a droplet assigned' do
-            before do
-              process.app.update(droplet: nil)
-              process.reload
-            end
+            context 'when root user IS NOT allowed' do
+              before do
+                TestConfig.override(allow_process_root_user: false)
+              end
 
-            it 'returns the default "vcap" user' do
-              expect(process.run_action_user).to eq('vcap')
+              it 'returns the default "vcap" user' do
+                expect(process.run_action_user).to eq('vcap')
+              end
             end
           end
         end
