Support overriding user for CNB tasks

Author: tcdowney

app/models/runtime/app_model.rb

@@ -8,6 +8,7 @@ class AppModel < Sequel::Model(:apps)
     include Serializer
     APP_NAME_REGEX = /\A[[:alnum:][:punct:][:print:]]+\Z/
     DEFAULT_CONTAINER_USER = 'vcap'.freeze
+    DEFAULT_DOCKER_CONTAINER_USER = 'root'.freeze
 
     many_to_many :routes, join_table: :route_mappings, left_key: :app_guid, left_primary_key: :guid, right_primary_key: :guid, right_key: :route_guid
     one_to_many :route_mappings, class: 'VCAP::CloudController::RouteMappingModel', key: :app_guid, primary_key: :guid

app/models/runtime/droplet_model.rb

@@ -138,7 +138,7 @@ def docker_user
         end
       end
 
-      container_user.presence || 'root'
+      container_user.presence || AppModel::DEFAULT_DOCKER_CONTAINER_USER
     end
 
     def staging?

app/models/runtime/process_model.rb

@@ -576,7 +576,9 @@ def permitted_users
     end
 
     def docker_run_action_user
-      desired_droplet.docker_user.presence || AppModel::DEFAULT_CONTAINER_USER
+      return AppModel::DEFAULT_CONTAINER_USER unless docker?
+
+      desired_droplet&.docker_user.presence || AppModel::DEFAULT_DOCKER_CONTAINER_USER
     end
 
     def non_unique_process_types

app/models/runtime/task_model.rb

@@ -47,10 +47,17 @@ def after_destroy
     def run_action_user
       return user if user.present?
 
-      docker? ? docker_run_action_user : AppModel::DEFAULT_CONTAINER_USER
+      if docker?
+        docker_run_action_user
+      elsif cnb?
+        'root' # TODO: Why do CNB tasks default to this user instead of vcap?
+      else
+        AppModel::DEFAULT_CONTAINER_USER
+      end
     end
 
     delegate :docker?, to: :droplet
+    delegate :cnb?, to: :droplet
 
     private
 

lib/cloud_controller/diego/cnb/lifecycle_protocol.rb

@@ -15,7 +15,7 @@ def staging_action_builder(config, staging_details)
           end
 
           def task_action_builder(config, task)
-            VCAP::CloudController::Diego::Buildpack::TaskActionBuilder.new(config, task, task_lifecycle_data(task), 'root', ['--', task.command], 'cnb')
+            VCAP::CloudController::Diego::Buildpack::TaskActionBuilder.new(config, task, task_lifecycle_data(task), task.run_action_user, ['--', task.command], 'cnb')
           end
 
           def desired_lrp_builder(config, process)

spec/unit/lib/cloud_controller/diego/cnb/lifecycle_protocol_spec.rb

@@ -175,6 +175,31 @@ module CNB
                                                                                'cnb')
             end
 
+            context 'when the task has a user specified' do
+              let(:task) { TaskModel.make(:cnb, user: 'TestUser') }
+
+              it 'sets the appropriate user' do
+                task.app.update(cnb_lifecycle_data: CNBLifecycleDataModel.make(stack: 'potato-stack'))
+
+                task_action_builder = instance_double(Buildpack::TaskActionBuilder)
+                allow(Buildpack::TaskActionBuilder).to receive(:new).and_return task_action_builder
+
+                expect(lifecycle_protocol.task_action_builder(config, task)).to be task_action_builder
+
+                expect(Buildpack::TaskActionBuilder).to have_received(:new).with(
+                  config,
+                  task,
+                  {
+                    droplet_uri: 'droplet-download-url',
+                    stack: 'potato-stack'
+                  },
+                  'TestUser',
+                  ['--', task.command],
+                  'cnb'
+                )
+              end
+            end
+
             context 'when the blobstore_url_generator returns nil' do
               let(:droplet_download_url) { nil }
 

spec/unit/models/runtime/process_model_spec.rb

@@ -679,7 +679,7 @@ def act_as_cf_admin
 
       context 'when the process belongs to a Docker lifecycle app' do
         subject(:process) { ProcessModelFactory.make({ docker_image: 'example.com/image' }) }
-        let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"],"user":"cnb"}' }
+        let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"],"user":"some-user"}' }
 
         before do
           process.desired_droplet.update(execution_metadata: droplet_execution_metadata)
@@ -699,7 +699,7 @@ def act_as_cf_admin
 
         context 'when the droplet execution metadata specifies a user' do
           it 'returns the specified user' do
-            expect(process.run_action_user).to eq('cnb')
+            expect(process.run_action_user).to eq('some-user')
           end
         end
 
@@ -734,6 +734,17 @@ def act_as_cf_admin
             expect(process.run_action_user).to eq('root')
           end
         end
+
+        context 'when the app does not have a droplet assigned' do
+          before do
+            process.app.update(droplet: nil)
+            process.reload
+          end
+
+          it 'defaults the user to root' do
+            expect(process.run_action_user).to eq('root')
+          end
+        end
       end
 
       context 'when the process DOES NOT belong to a Docker lifecycle app' do

spec/unit/models/runtime/task_model_spec.rb

@@ -168,6 +168,32 @@ module VCAP::CloudController
       let(:task) { TaskModel.make(app: parent_app, droplet: droplet, state: TaskModel::SUCCEEDED_STATE) }
       let(:droplet) { DropletModel.make }
 
+      context 'when the task belongs to a CNB lifecycle app' do
+        let(:parent_app) { AppModel.make(:cnb) }
+        let(:task) { TaskModel.make(app: parent_app, droplet: droplet, state: TaskModel::SUCCEEDED_STATE) }
+        let(:droplet) { DropletModel.make(:cnb) }
+
+        context 'when the task has a user specified' do
+          before do
+            task.update(user: 'TestUser')
+          end
+
+          it 'returns the user' do
+            expect(task.run_action_user).to eq('TestUser')
+          end
+        end
+
+        context 'when the task does not have a user specified' do
+          before do
+            task.update(user: nil)
+          end
+
+          it 'defaults the user to root' do
+            expect(task.run_action_user).to eq('root')
+          end
+        end
+      end
+
       context 'when the task belongs to a Docker lifecycle app' do
         let(:parent_app) { AppModel.make(:docker) }
         let(:task) { TaskModel.make(app: parent_app, droplet: droplet, state: TaskModel::SUCCEEDED_STATE) }