Optionally disallow the use of 'root' user for Processes and Tasks of docker lifecycle Apps (#4452)

* Add 'allow_docker_root_user' config property

* Remove duplicate docker? check in helper

* Disallow Process and Task 'root' user at runtime

* Ignore user in droplet docker execution metadata via dockerfile for staging
  because user may be subsequently overridden on Process or Task model
* Enforce that 'root' or '0' user is not used at runtime by task_action and
  desired_lrp builders
* Re-raise the error in desire app handler. If not re-raised, error
  is supressed with no clear user feedback.

Author: acosta11

app/models/runtime/process_model.rb

@@ -576,8 +576,6 @@ def permitted_users
     end
 
     def docker_run_action_user
-      return AppModel::DEFAULT_CONTAINER_USER unless docker?
-
       desired_droplet&.docker_user.presence || AppModel::DEFAULT_DOCKER_CONTAINER_USER
     end
 

config/cloud_controller.yml

@@ -68,6 +68,7 @@ max_retained_deployments_per_app: 100
 max_retained_builds_per_app: 100
 max_retained_revisions_per_app: 100
 additional_allowed_process_users: ['ContainerUser', 'TestUser']
+allow_docker_root_user: true
 
 broker_client_default_async_poll_interval_seconds: 60
 broker_client_max_async_poll_duration_minutes: 10080

lib/cloud_controller/config_schemas/api_schema.rb

@@ -45,6 +45,7 @@ class ApiSchema < VCAP::Config
           default_health_check_timeout: Integer,
           maximum_health_check_timeout: Integer,
           additional_allowed_process_users: Array,
+          allow_docker_root_user: bool,
 
           instance_file_descriptor_limit: Integer,
 

lib/cloud_controller/config_schemas/clock_schema.rb

@@ -188,6 +188,7 @@ class ClockSchema < VCAP::Config
           max_retained_builds_per_app: Integer,
           max_retained_revisions_per_app: Integer,
           additional_allowed_process_users: Array,
+          allow_docker_root_user: bool,
 
           diego_sync: { frequency_in_seconds: Integer },
 

lib/cloud_controller/config_schemas/deployment_updater_schema.rb

@@ -58,6 +58,7 @@ class DeploymentUpdaterSchema < VCAP::Config
           maximum_app_disk_in_mb: Integer,
           instance_file_descriptor_limit: Integer,
           additional_allowed_process_users: Array,
+          allow_docker_root_user: bool,
 
           deployment_updater: {
             update_frequency_in_seconds: Integer,

lib/cloud_controller/config_schemas/worker_schema.rb

@@ -198,6 +198,7 @@ class WorkerSchema < VCAP::Config
           default_app_log_rate_limit_in_bytes_per_second: Integer,
           default_app_ssh_access: bool,
           additional_allowed_process_users: Array,
+          allow_docker_root_user: bool,
 
           jobs: {
             global: {

lib/cloud_controller/diego/desire_app_handler.rb

@@ -12,6 +12,8 @@ def create_or_update_app(process, client)
               if e.name == 'RunnerError' && e.message['the requested resource already exists']
                 existing_lrp = client.get_app(process)
                 client.update_app(process, existing_lrp)
+              elsif e.name == 'UnprocessableEntity'
+                raise
               end
             end
           end

lib/cloud_controller/diego/docker/lifecycle_protocol.rb

@@ -8,6 +8,8 @@ module CloudController
     module Diego
       module Docker
         class LifecycleProtocol
+          ROOT_USERS = %w[root 0].freeze
+
           def lifecycle_data(staging_details)
             lifecycle_data              = Diego::Docker::LifecycleData.new
             lifecycle_data.docker_image = staging_details.package.image
@@ -22,10 +24,18 @@ def staging_action_builder(config, staging_details)
           end
 
           def task_action_builder(config, task)
+            if task.docker? && !docker_run_action_user_permitted?(task.run_action_user)
+              raise ::CloudController::Errors::ApiError.new_from_details('UnprocessableEntity', 'Attempting to run task as root user, which is not permitted.')
+            end
+
             TaskActionBuilder.new(config, task, { droplet_path: task.droplet.docker_receipt_image })
           end
 
           def desired_lrp_builder(config, process)
+            if process.docker? && !docker_run_action_user_permitted?(process.run_action_user)
+              raise ::CloudController::Errors::ApiError.new_from_details('UnprocessableEntity', 'Attempting to run process as root user, which is not permitted.')
+            end
+
             DesiredLrpBuilder.new(config, builder_opts(process))
           end
 
@@ -46,6 +56,10 @@ def container_env_vars_for_process(process)
             additional_env = []
             additional_env + WindowsEnvironmentSage.ponder(process.app)
           end
+
+          def docker_run_action_user_permitted?(run_action_user)
+            Config.config.get(:allow_docker_root_user) || ROOT_USERS.exclude?(run_action_user)
+          end
         end
       end
     end

spec/unit/lib/cloud_controller/diego/desire_app_handler_spec.rb

@@ -51,6 +51,18 @@ module Diego
             expect(client).to have_received(:get_app).exactly(2).times
           end
         end
+
+        context 'when root user is not permitted' do
+          it 'raises a CloudController::Errors::ApiError' do
+            allow(client).to receive(:desire_app).and_raise(CloudController::Errors::ApiError.new_from_details('UnprocessableEntity',
+                                                                                                               'Attempting to run process as root user, which is not permitted.'))
+            expect { DesireAppHandler.create_or_update_app(process, client) }.to(raise_error do |error|
+              expect(error).to be_a(CloudController::Errors::ApiError)
+              expect(error.name).to eq('UnprocessableEntity')
+              expect(error.message).to include('Attempting to run process as root user, which is not permitted')
+            end)
+          end
+        end
       end
     end
   end