move user determination behaviour back to assetStaging

Author: cgatt

packages/aws-cdk-lib/core/lib/asset-staging.ts

@@ -1,4 +1,5 @@
 import * as crypto from 'crypto';
+import * as os from 'os';
 import * as path from 'path';
 import { Construct } from 'constructs';
 import * as fs from 'fs-extra';
@@ -451,7 +452,11 @@ export class AssetStaging extends Construct {
           sourcePath: this.sourcePath,
           bundleDir,
           ...options,
+          securityOpt: options.securityOpt ?? '',
+          user: options.user ?? this.determineUser(),
           volumes: [...(options.volumes ?? [])],
+          workingDirectory:
+            options.workingDirectory ?? AssetStaging.BUNDLING_INPUT_DIR,
         };
 
         // Add the asset input and output volumes based on BundlingFileAccess setting
@@ -483,12 +488,7 @@ export class AssetStaging extends Construct {
             break;
         }
 
-        assetStagingOptions.image.run({
-          workingDirectory:
-            assetStagingOptions.workingDirectory ?? AssetStaging.BUNDLING_INPUT_DIR,
-          securityOpt: assetStagingOptions.securityOpt ?? '',
-          ...assetStagingOptions,
-        });
+        assetStagingOptions.image.run(assetStagingOptions);
       }
     } catch (err) {
       // When bundling fails, keep the bundle output for diagnosability, but
@@ -552,6 +552,17 @@ export class AssetStaging extends Construct {
     }
     return targetPath;
   }
+
+  /**
+   * Determines a useful default user if not given otherwise
+   */
+  private determineUser(): string {
+    // Default to current user
+    const userInfo = os.userInfo();
+    return userInfo.uid !== -1 // uid is -1 on Windows
+      ? `${userInfo.uid}:${userInfo.gid}`
+      : '1000:1000';
+  }
 }
 
 function renderAssetFilename(assetHash: string, extension = '') {

packages/aws-cdk-lib/core/lib/bundling.ts

@@ -279,8 +279,8 @@ export class BundlingDockerImage {
         ...options.platform
           ? ['--platform', options.platform]
           : [],
-        ...volumeHelper.user
-          ? ['-u', volumeHelper.user]
+        ...options.user
+          ? ['-u', options.user]
           : [],
         ...volumeHelper.volumeCommands,
         ...flatten(Object.entries(environment).map(([k, v]) => ['--env', `${k}=${v}`])),

packages/aws-cdk-lib/core/lib/private/bundling.ts

@@ -1,6 +1,5 @@
 import { spawnSync, SpawnSyncOptions } from 'child_process';
 import * as crypto from 'crypto';
-import * as os from 'os';
 import {
   DockerRunOptions,
   DockerVolume,
@@ -37,7 +36,6 @@ export interface DockerVolumes {
  */
 export class DockerVolumeHelper {
   readonly volumeCommands: string[];
-  readonly user?: string;
   readonly containerName?: string;
   readonly volumes: DockerVolumes;
 
@@ -57,16 +55,17 @@ export class DockerVolumeHelper {
       }
     }
     if (this.volumes.volumeCopyVolumes.length > 0) {
-      // TODO handle user properly
-      this.user = this.determineUser();
       this.containerName = `copyContainer${crypto.randomBytes(12).toString('hex')}`;
       const copyVolumeCommands = this.volumes.volumeCopyVolumes.flatMap(volume => [
         '-v',
         // leading ':' is required for anonymous volume with opts
         volume.opts ? `:${volume.containerPath}:${volume.opts.join(',')}` : `${volume.containerPath}`,
       ]);
-      const chownCommands = this.volumes.volumeCopyVolumes
-        .map(volume => `mkdir -p ${volume.containerPath} && chown -R ${this.user} ${volume.containerPath}`);
+      const directoryCommands: string[] = [];
+      for (let volume of this.volumes.volumeCopyVolumes) {
+        directoryCommands.push(`mkdir -p ${volume.containerPath}`);
+        if (options.user) directoryCommands.push(`chown -R ${options.user} ${volume.containerPath}`);
+      }
       dockerExec([
         'run',
         '--name',
@@ -75,7 +74,7 @@ export class DockerVolumeHelper {
         'public.ecr.aws/docker/library/alpine',
         'sh',
         '-c',
-        chownCommands.join(' && '),
+        directoryCommands.join(' && '),
       ]);
       try {
         this.copyInputVolumes();
@@ -84,8 +83,6 @@ export class DockerVolumeHelper {
         dockerExec(['rm', '-v', this.containerName]);
         throw e;
       }
-    } else {
-      this.user = this.options.user;
     }
     this.volumeCommands = this.buildVolumeCommands();
   };
@@ -124,24 +121,6 @@ export class DockerVolumeHelper {
     return volumeCommands;
   }
 
-  /**
-   * Determines a useful default user if not given otherwise
-   */
-  private determineUser(): string {
-    let user;
-    if (this.options.user) {
-      user = this.options.user;
-    } else {
-      // Default to current user
-      const userInfo = os.userInfo();
-      user =
-        userInfo.uid !== -1 // uid is -1 on Windows
-          ? `${userInfo.uid}:${userInfo.gid}`
-          : '1000:1000';
-    }
-    return user;
-  }
-
   /**
    * copy files from the host where this is executed into the input volume
    * @param sourcePath - path to folder where files should be copied from - without trailing slash

packages/aws-cdk-lib/core/test/bundling.test.ts

@@ -807,6 +807,59 @@ describe('bundling', () => {
     ]), { encoding: 'utf-8', stdio: ['ignore', process.stderr, 'inherit'] })).toEqual(true);
   });
 
+  test('can handle copy volume without user', () => {
+    // GIVEN
+    sinon.stub(process, 'platform').value('darwin');
+    const spawnSyncStub = sinon.stub(child_process, 'spawnSync').returns({
+      status: 0,
+      stderr: Buffer.from('stderr'),
+      stdout: Buffer.from('stdout'),
+      pid: 123,
+      output: ['stdout', 'stderr'],
+      signal: null,
+    });
+
+    // WHEN
+    const image = DockerImage.fromRegistry('alpine');
+    image.run({
+      command: ['cool', 'command'],
+      volumes: [{
+        dockerVolumeType: DockerVolumeType.VOLUME_COPY,
+        containerPath: '/container/path/1',
+        hostInputPath: '/host/input/1',
+      }, {
+        dockerVolumeType: DockerVolumeType.VOLUME_COPY,
+        containerPath: '/container/path/2',
+        hostInputPath: '/host/input/2',
+        opts: ['opt1', 'opt2'],
+      }],
+      workingDirectory: '/working-directory',
+    });
+
+    // copy container volume opts are correct
+    expect(spawnSyncStub.calledWith(dockerCmd, sinon.match([
+      'run',
+      '--name', sinon.match(/copyContainer.*/g),
+      '-v', '/container/path/1',
+      '-v', ':/container/path/2:opt1,opt2',
+      'public.ecr.aws/docker/library/alpine',
+      'sh',
+      '-c',
+      [
+        'mkdir -p /container/path/1',
+        'mkdir -p /container/path/2',
+      ].join(' && '),
+    ]), { encoding: 'utf-8', stdio: ['ignore', process.stderr, 'inherit'] })).toEqual(true);
+
+    // main image run volume commands are correct
+    expect(spawnSyncStub.calledWith(dockerCmd, sinon.match([
+      'run', '--rm',
+      '--volumes-from', sinon.match(/copyContainer.*/g),
+      '-w', '/working-directory',
+      'alpine', 'cool', 'command',
+    ]), { encoding: 'utf-8', stdio: ['ignore', process.stderr, 'inherit'] })).toEqual(true);
+  });
+
   test('cleans up volume helper', () => {
     // GIVEN
     sinon.stub(process, 'platform').value('darwin');

packages/aws-cdk-lib/core/test/staging.test.ts

@@ -5,18 +5,7 @@ import * as fs from 'fs-extra';
 import * as sinon from 'sinon';
 import { FileAssetPackaging } from '../../cloud-assembly-schema';
 import * as cxapi from '../../cx-api';
-import {
-  App,
-  AssetHashType,
-  AssetStaging,
-  BundlingFileAccess,
-  BundlingOptions,
-  BundlingOutput,
-  DockerImage,
-  FileSystem,
-  Stack,
-  Stage,
-} from '../lib';
+import { App, AssetHashType, AssetStaging, DockerImage, BundlingOptions, BundlingOutput, FileSystem, Stack, Stage, BundlingFileAccess } from '../lib';
 
 const STUB_INPUT_FILE = '/tmp/docker-stub.input';
 const STUB_INPUT_CONCAT_FILE = '/tmp/docker-stub.input.concat';
@@ -322,7 +311,7 @@ describe('staging', () => {
     const assembly = app.synth();
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
     expect(fs.readdirSync(assembly.directory)).toEqual([
       'asset.b1e32e86b3523f2fa512eb99180ee2975a50a4439e63e8badd153f2a68d61aa4',
@@ -401,7 +390,7 @@ describe('staging', () => {
     // We're testing that docker was run exactly once even though there are two bundling assets.
     expect(
       readDockerStubInputConcat()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
 
     expect(fs.readdirSync(assembly.directory)).toEqual([
@@ -446,7 +435,7 @@ describe('staging', () => {
     // and that the hash is based on the output
     expect(
       readDockerStubInputConcat()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
 
     expect(fs.readdirSync(assembly.directory)).toEqual([
@@ -494,8 +483,8 @@ describe('staging', () => {
     // operating on the same source asset.
     expect(
       readDockerStubInputConcat()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS\n' +
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated --env UNIQUE_ENV_VAR=SOMEVALUE -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS\n` +
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated --env UNIQUE_ENV_VAR=SOMEVALUE -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
 
     expect(fs.readdirSync(assembly.directory)).toEqual([
@@ -543,7 +532,7 @@ describe('staging', () => {
     // We're testing that docker was run once, only for the first Asset, since the only difference is the token.
     expect(
       readDockerStubInputConcat()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated --env PIP_INDEX_URL=https://aws:MY_SECRET_TOKEN@your-code-repo.d.codeartifact.us-west-2.amazonaws.com/pypi/python/simple/ -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated --env PIP_INDEX_URL=https://aws:MY_SECRET_TOKEN@your-code-repo.d.codeartifact.us-west-2.amazonaws.com/pypi/python/simple/ -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
 
     expect(fs.readdirSync(assembly.directory)).toEqual([
@@ -674,7 +663,7 @@ describe('staging', () => {
 
     expect(
       readDockerStubInputConcat()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
 
     expect(appAssembly.directory).toEqual(app2Assembly.directory);
@@ -736,7 +725,7 @@ describe('staging', () => {
 
     expect(
       readDockerStubInputConcat()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated --env PIP_EXTRA_INDEX_URL=https://aws:MY_SECRET_TOKEN@your-code-repo.d.codeartifact.us-west-2.amazonaws.com/pypi/python/simple/ -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated --env PIP_EXTRA_INDEX_URL=https://aws:MY_SECRET_TOKEN@your-code-repo.d.codeartifact.us-west-2.amazonaws.com/pypi/python/simple/ -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
 
     expect(appAssembly.directory).toEqual(app2Assembly.directory);
@@ -766,7 +755,7 @@ describe('staging', () => {
 
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS_NO_OUTPUT',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS_NO_OUTPUT`,
     );
   });
 
@@ -789,7 +778,7 @@ describe('staging', () => {
     // THEN
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
     expect(asset.assetHash).toEqual('33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f');
   });
@@ -814,7 +803,7 @@ describe('staging', () => {
     // THEN
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm --security-opt no-new-privileges -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm --security-opt no-new-privileges ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
     expect(asset.assetHash).toEqual('33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f');
   });
@@ -839,7 +828,7 @@ describe('staging', () => {
     // THEN
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input --entrypoint DOCKER_STUB_SUCCESS alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input --entrypoint DOCKER_STUB_SUCCESS alpine DOCKER_STUB_SUCCESS`,
     );
     expect(asset.assetHash).toEqual('33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f');
   });
@@ -957,7 +946,7 @@ describe('staging', () => {
     })).toThrow(/Failed to bundle asset stack\/Asset/);
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input this-is-an-invalid-docker-image DOCKER_STUB_FAIL',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input this-is-an-invalid-docker-image DOCKER_STUB_FAIL`,
     );
   });
 
@@ -1248,7 +1237,7 @@ describe('staging', () => {
 
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
     expect(asset.assetHash).toEqual('33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f'); // hash of MyStack/Asset
   });
@@ -1272,7 +1261,7 @@ describe('staging', () => {
 
     expect(
       readDockerStubInput()).toEqual(
-      'run --rm -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS',
+      `run --rm ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
     );
     expect(asset.assetHash).toEqual('33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f'); // hash of MyStack/Asset
   });
@@ -1656,11 +1645,12 @@ describe('staging with docker cp', () => {
 
 // Reads a docker stub and cleans the volume paths out of the stub.
 function readAndCleanDockerStubInput(file: string) {
-  return fs
-    .readFileSync(file, 'utf-8')
+  const commands = fs
+    .readFileSync(file, 'utf-8');
+  return commands
     .trim()
-    .replace(/-v ([^:]+):\/asset-input/g, '-v /input:/asset-input')
-    .replace(/-v ([^:]+):\/asset-output/g, '-v /output:/asset-output');
+    .replace(/-v ([^:\n]+):\/asset-input/g, '-v /input:/asset-input')
+    .replace(/-v ([^:\n]+):\/asset-output/g, '-v /output:/asset-output');
 }
 
 // Last docker input since last teardown