Set --user on exec

ndeloof · Yann Diorcet · commit 8aa288b01dca · 2019-05-15T13:49:01.000+02:00
diff --git a/src/main/java/org/jenkinsci/plugins/docker/workflow/WithContainerStep.java b/src/main/java/org/jenkinsci/plugins/docker/workflow/WithContainerStep.java
@@ -24,6 +24,7 @@
 package org.jenkinsci.plugins.docker.workflow;
 
 import com.google.common.base.Optional;
+import hudson.util.ArgumentListBuilder;
 import org.jenkinsci.plugins.docker.workflow.client.DockerClient;
 import com.google.inject.Inject;
 import hudson.AbortException;
@@ -183,7 +184,8 @@ public static class Execution extends AbstractStepExecutionImpl {
                 volumes.put(tmp, tmp);
             }
 
-            container = dockerClient.run(env, step.image, step.args, ws, volumes, volumesFromContainers, envReduced, dockerClient.whoAmI(), /* expected to hang until killed */ "cat");
+            final String userId = dockerClient.whoAmI();
+            container = dockerClient.run(env, step.image, step.args, ws, volumes, volumesFromContainers, envReduced, userId, /* expected to hang until killed */ "cat");
             final List<String> ps = dockerClient.listProcess(env, container);
             if (!ps.contains("cat")) {
                 listener.error(
@@ -196,7 +198,7 @@ public static class Execution extends AbstractStepExecutionImpl {
             DockerFingerprints.addRunFacet(dockerClient.getContainerRecord(env, container), run);
             ImageAction.add(step.image, run);
             getContext().newBodyInvoker().
-                    withContext(BodyInvoker.mergeLauncherDecorators(getContext().get(LauncherDecorator.class), new Decorator(container, envHost, ws, toolName, dockerVersion))).
+                    withContext(BodyInvoker.mergeLauncherDecorators(getContext().get(LauncherDecorator.class), new Decorator(container, envHost, ws, userId, toolName, dockerVersion))).
                     withCallback(new Callback(container, toolName)).
                     start();
             return false;
@@ -222,17 +224,19 @@ private static class Decorator extends LauncherDecorator implements Serializable
         private final String container;
         private final String[] envHost;
         private final String ws;
+        private final String user;
         private final @CheckForNull String toolName;
         private final boolean hasEnv;
         private final boolean hasWorkdir;
 
-        Decorator(String container, EnvVars envHost, String ws, String toolName, VersionNumber dockerVersion) {
+        Decorator(String container, EnvVars envHost, String ws, String user, String toolName, VersionNumber dockerVersion) {
             this.container = container;
             this.envHost = Util.mapToEnv(envHost);
             this.ws = ws;
             this.toolName = toolName;
             this.hasEnv = dockerVersion != null && dockerVersion.compareTo(new VersionNumber("1.13.0")) >= 0;
             this.hasWorkdir = dockerVersion != null && dockerVersion.compareTo(new VersionNumber("17.12")) >= 0;
+            this.user = user;
         }
 
         @Override public Launcher decorate(final Launcher launcher, final Node node) {
@@ -244,8 +248,15 @@ private static class Decorator extends LauncherDecorator implements Serializable
                     } catch (InterruptedException x) {
                         throw new IOException(x);
                     }
+                    
                     List<String> prefix = new ArrayList<>(Arrays.asList(executable, "exec"));
                     List<Boolean> masksPrefixList = new ArrayList<>(Arrays.asList(false, false));
+                    if (user != null) {
+                        prefix.add("-u");
+                        masksPrefixList.add(false);
+                        prefix.add(user);
+                        masksPrefixList.add(false);
+                    }
                     if (ws != null) {
                         FilePath cwd = starter.pwd();
                         if (cwd != null) {
diff --git a/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java b/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java
@@ -32,6 +32,9 @@
 import hudson.util.ArgumentListBuilder;
 import hudson.util.VersionNumber;
 import org.jenkinsci.plugins.docker.commons.fingerprint.ContainerRecord;
+import org.jenkinsci.plugins.docker.commons.tools.DockerTool;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
@@ -44,21 +47,18 @@
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
-import java.util.Map;
 import java.util.List;
-import java.util.Arrays;
+import java.util.Map;
 import java.util.StringTokenizer;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import org.jenkinsci.plugins.docker.commons.tools.DockerTool;
-import org.kohsuke.accmod.Restricted;
-import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * Simple docker client for Pipeline.
@@ -103,7 +103,7 @@ public DockerClient(@Nonnull Launcher launcher, @CheckForNull Node node, @CheckF
      * @param command The command to execute in the image container being run.
      * @return The container ID.
      */
-    public String run(@Nonnull EnvVars launchEnv, @Nonnull String image, @CheckForNull String args, @CheckForNull String workdir, @Nonnull Map<String, String> volumes, @Nonnull Collection<String> volumesFromContainers, @Nonnull EnvVars containerEnv, @Nonnull String user, @Nonnull String... command) throws IOException, InterruptedException {
+    public String run(@Nonnull EnvVars launchEnv, @Nonnull String image, @CheckForNull String args, @CheckForNull String workdir, @Nonnull Map<String, String> volumes, @Nonnull Collection<String> volumesFromContainers, @Nonnull EnvVars containerEnv, @CheckForNull String user, @Nonnull String... command) throws IOException, InterruptedException {
         ArgumentListBuilder argb = new ArgumentListBuilder();
 
         argb.add("run", "-t", "-d", "-u", user);
diff --git a/src/test/java/org/jenkinsci/plugins/docker/workflow/WithContainerStepTest.java b/src/test/java/org/jenkinsci/plugins/docker/workflow/WithContainerStepTest.java
@@ -243,6 +243,42 @@ public class WithContainerStepTest {
         });
     }
 
+    @Test public void withInitAndExecAsUser() throws Exception {
+        story.addStep(new Statement() {
+            @Override
+            public void evaluate() throws Throwable {
+                DockerTestUtil.assumeDocker();
+                WorkflowJob p = story.j.jenkins.createProject(WorkflowJob.class, "prj");
+                p.setDefinition(new CpsFlowDefinition(
+                    "node {" +
+                        "  withDockerContainer(args: '-e BUILDER_UID=1000 -e BUILDER_GID=1000 -e BUILDER_USER=jenkins -e BUILDER_GROUP=jenkins -e HOME=/home/jenkins', image: 'dockcross/manylinux-x64') {" +
+                        "    sh 'stat -c \"%U %G\" /opt/python/cp36-cp36m/share/man'\n" +
+                        "  }" +
+                        "}", true));
+                WorkflowRun b = story.j.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0));
+            }
+        });
+    }
+
+    @Test public void withInitAsRootAndExecAsUser() throws Exception {
+        story.addStep(new Statement() {
+            @Override
+            public void evaluate() throws Throwable {
+                DockerTestUtil.assumeDocker();
+                WorkflowJob p = story.j.jenkins.createProject(WorkflowJob.class, "prj");
+                p.setDefinition(new CpsFlowDefinition(
+                    "node {\n" +
+                        "  withDockerContainer(args: '--user root:root -e BUILDER_UID=1000 -e BUILDER_GID=1000 -e BUILDER_USER=jenkins -e BUILDER_GROUP=jenkins -e HOME=/home/jenkins', image: 'dockcross/manylinux-x64') {\n" +
+                        "    sh 'stat -c \"%U %G\" /opt/python/cp36-cp36m/share/man'\n" +
+                        "  }\n" +
+                        "}\n", true));
+                WorkflowRun b = story.j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());
+                story.j.assertLogContains("jenkins jenkins", b);
+            }
+        });
+    }
+
+
     @Issue("JENKINS-27152")
     @Test public void configFile() throws Exception {
         story.addStep(new Statement() {
