test without system call

2026-06-11 17:12:51 +00:00 · 2020-09-16 12:15:35 -07:00
parent 11049fa0bb
commit 52016b22dd
4 changed files with 85 additions and 47 deletions
--- a/kyaml/fn/runtime/container/container.go
+++ b/kyaml/fn/runtime/container/container.go
@@ -5,7 +5,6 @@ package container

 import (
 	"fmt"
-	"os/user"

 	runtimeexec "sigs.k8s.io/kustomize/kyaml/fn/runtime/exec"
 	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
@@ -185,28 +184,9 @@ func (c *Filter) getCommand() (string, []string) {
 	return "docker", a
 }

-// getUIDGID will return "nobody" if asCurrentUser is false. Otherwise
-// return "uid:gid" according to current user who runs the command.
-func getUIDGID(asCurrentUser bool) (string, error) {
-	if !asCurrentUser {
-		return "nobody", nil
-	}
-
-	u, err := user.Current()
-	if err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%s:%s", u.Uid, u.Gid), nil
-}
-
 // NewContainer returns a new container filter
-func NewContainer(spec runtimeutil.ContainerSpec, asCurrentUser bool) (Filter, error) {
-	f := Filter{ContainerSpec: spec}
-	u, err := getUIDGID(asCurrentUser)
-	if err != nil {
-		return f, err
-	}
-	f.UIDGID = u
+func NewContainer(spec runtimeutil.ContainerSpec, uidgid string) (Filter, error) {
+	f := Filter{ContainerSpec: spec, UIDGID: uidgid}

 	return f, nil
 }
--- a/kyaml/fn/runtime/container/container_test.go
+++ b/kyaml/fn/runtime/container/container_test.go
@@ -6,7 +6,6 @@ package container
 import (
 	"bytes"
 	"fmt"
-	"os/user"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -16,16 +15,12 @@ import (
 )

 func TestFilter_setupExec(t *testing.T) {
-	u, err := user.Current()
-	if err != nil {
-		t.Fatal(err)
-	}
 	var tests = []struct {
 		name           string
 		functionConfig string
 		expectedArgs   []string
 		containerSpec  runtimeutil.ContainerSpec
-		asCurrentUser  bool
+		UIDGID         string
 	}{
 		{
 			name: "command",
@@ -45,6 +40,7 @@ metadata:
 			containerSpec: runtimeutil.ContainerSpec{
 				Image: "example.com:version",
 			},
+			UIDGID: "nobody",
 		},

 		{
@@ -62,12 +58,11 @@ metadata:
 				"--user", "nobody",
 				"--security-opt=no-new-privileges",
 			},
-			instance: NewContainer(
-				runtimeutil.ContainerSpec{
-					Image:   "example.com:version",
-					Network: true,
-				},
+			containerSpec: runtimeutil.ContainerSpec{
+				Image:   "example.com:version",
+				Network: true,
 			},
+			UIDGID: "nobody",
 		},

 		{
@@ -98,6 +93,7 @@ metadata:
 					{MountType: "tmpfs", Src: "", DstPath: "/local/"},
 				},
 			},
+			UIDGID: "nobody",
 		},
 		{
 			name: "as current user",
@@ -111,13 +107,13 @@ metadata:
 				"--rm",
 				"-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR",
 				"--network", "none",
-				"--user", fmt.Sprintf("%s:%s", u.Uid, u.Gid),
+				"--user", "1:2",
 				"--security-opt=no-new-privileges",
 			},
 			containerSpec: runtimeutil.ContainerSpec{
 				Image: "example.com:version",
 			},
-			asCurrentUser: true,
+			UIDGID: "1:2",
 		},
 	}

@@ -129,7 +125,7 @@ metadata:
 				t.FailNow()
 			}

-			instance, err := NewContainer(tt.containerSpec, tt.asCurrentUser)
+			instance, err := NewContainer(tt.containerSpec, tt.UIDGID)
 			if err != nil {
 				t.Fatal(err)
 			}