Merge pull request #684 from buildpacks/fix/683-daemon-untrusted-builder

Use lifecycle image instead of provided builder when exporting to daemon

internal/build/phases.go

@@ -199,6 +199,8 @@ func (l *Lifecycle) newAnalyze(repoName, cacheName, networkMode string, publish,
 		"analyzer",
 		l,
 		WithLogPrefix("analyzer"),
+		WithImage(l.lifecycleImage),
+		WithEnv(fmt.Sprintf("%s=%d", builder.EnvUID, l.builder.UID()), fmt.Sprintf("%s=%d", builder.EnvGID, l.builder.GID())),
 		WithDaemonAccess(),
 		WithArgs(
 			l.withLogLevel(
@@ -247,15 +249,13 @@ func (l *Lifecycle) Build(ctx context.Context, networkMode string, volumes []str
 
 func (l *Lifecycle) Export(ctx context.Context, repoName string, runImage string, publish bool, launchCacheName, cacheName, networkMode string, phaseFactory PhaseFactory) error {
 	var stackMount mount.Mount
-	if publish {
-		stackPath, err := l.writeStackToml()
-		if err != nil {
-			return errors.Wrap(err, "writing stack toml")
-		}
-		defer os.Remove(stackPath)
-
-		stackMount = mount.Mount{Type: "bind", Source: stackPath, Target: builder.StackPath, ReadOnly: true}
+	stackPath, err := l.writeStackToml()
+	if err != nil {
+		return errors.Wrap(err, "writing stack toml")
 	}
+	defer os.Remove(stackPath)
+
+	stackMount = mount.Mount{Type: "bind", Source: stackPath, Target: builder.StackPath, ReadOnly: true}
 
 	export, err := l.newExport(repoName, runImage, publish, launchCacheName, cacheName, networkMode, []mount.Mount{stackMount}, phaseFactory)
 	if err != nil {
@@ -317,12 +317,15 @@ func (l *Lifecycle) newExport(repoName, runImage string, publish bool, launchCac
 		"exporter",
 		l,
 		WithLogPrefix("exporter"),
+		WithImage(l.lifecycleImage),
+		WithEnv(fmt.Sprintf("%s=%d", builder.EnvUID, l.builder.UID()), fmt.Sprintf("%s=%d", builder.EnvGID, l.builder.GID())),
 		WithDaemonAccess(),
 		WithArgs(
 			l.withLogLevel(args...)...,
 		),
 		WithNetwork(networkMode),
 		WithBinds(binds...),
+		WithMounts(mounts...),
 	)
 
 	return phaseFactory.New(configProvider), nil

internal/build/phases_test.go

@@ -518,6 +518,33 @@ func testPhases(t *testing.T, when spec.G, it spec.S) {
 		})
 
 		when("publish is false", func() {
+			it("runs the phase with the lifecycle image", func() {
+				lifecycle := newTestLifecycle(t, true, func(options *build.LifecycleOptions) {
+					options.LifecycleImage = "some-lifecycle-image"
+				})
+				fakePhaseFactory := fakes.NewFakePhaseFactory()
+
+				err := lifecycle.Analyze(context.Background(), "test", "test", "test", false, false, fakePhaseFactory)
+				h.AssertNil(t, err)
+
+				configProvider := fakePhaseFactory.NewCalledWithProvider
+				h.AssertEq(t, configProvider.ContainerConfig().Image, "some-lifecycle-image")
+			})
+
+			it("sets the CNB_USER_ID and CNB_GROUP_ID in the environment", func() {
+				fakeBuilder, err := fakes.NewFakeBuilder(fakes.WithUID(2222), fakes.WithGID(3333))
+				h.AssertNil(t, err)
+				lifecycle := newTestLifecycle(t, false, fakes.WithBuilder(fakeBuilder))
+				fakePhaseFactory := fakes.NewFakePhaseFactory()
+
+				err = lifecycle.Analyze(context.Background(), "test", "test", "test", false, false, fakePhaseFactory)
+				h.AssertNil(t, err)
+
+				configProvider := fakePhaseFactory.NewCalledWithProvider
+				h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_USER_ID=2222")
+				h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_GROUP_ID=3333")
+			})
+
 			it("configures the phase with daemon access", func() {
 				lifecycle := newTestLifecycle(t, false)
 				fakePhaseFactory := fakes.NewFakePhaseFactory()
@@ -880,6 +907,33 @@ func testPhases(t *testing.T, when spec.G, it spec.S) {
 		})
 
 		when("publish is false", func() {
+			it("runs the phase with the lifecycle image", func() {
+				lifecycle := newTestLifecycle(t, true, func(options *build.LifecycleOptions) {
+					options.LifecycleImage = "some-lifecycle-image"
+				})
+				fakePhaseFactory := fakes.NewFakePhaseFactory()
+
+				err := lifecycle.Export(context.Background(), "test", "test", false, "test", "test", "test", fakePhaseFactory)
+				h.AssertNil(t, err)
+
+				configProvider := fakePhaseFactory.NewCalledWithProvider
+				h.AssertEq(t, configProvider.ContainerConfig().Image, "some-lifecycle-image")
+			})
+
+			it("sets the CNB_USER_ID and CNB_GROUP_ID in the environment", func() {
+				fakeBuilder, err := fakes.NewFakeBuilder(fakes.WithUID(2222), fakes.WithGID(3333))
+				h.AssertNil(t, err)
+				lifecycle := newTestLifecycle(t, false, fakes.WithBuilder(fakeBuilder))
+				fakePhaseFactory := fakes.NewFakePhaseFactory()
+
+				err = lifecycle.Export(context.Background(), "test", "test", false, "test", "test", "test", fakePhaseFactory)
+				h.AssertNil(t, err)
+
+				configProvider := fakePhaseFactory.NewCalledWithProvider
+				h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_USER_ID=2222")
+				h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_GROUP_ID=3333")
+			})
+
 			it("configures the phase with daemon access", func() {
 				lifecycle := newTestLifecycle(t, false)
 				fakePhaseFactory := fakes.NewFakePhaseFactory()
@@ -931,6 +985,21 @@ func testPhases(t *testing.T, when spec.G, it spec.S) {
 				configProvider := fakePhaseFactory.NewCalledWithProvider
 				h.AssertSliceContains(t, configProvider.HostConfig().Binds, expectedBinds...)
 			})
+
+			it("configures the phase with bind mounts", func() {
+				lifecycle := newTestLifecycle(t, false)
+				fakePhaseFactory := fakes.NewFakePhaseFactory()
+
+				err := lifecycle.Export(context.Background(), "test", "test", false, "test", "some-cache", "test", fakePhaseFactory)
+				h.AssertNil(t, err)
+
+				configProvider := fakePhaseFactory.NewCalledWithProvider
+				h.AssertTrue(t, len(configProvider.HostConfig().Mounts) > 0)
+				firstMount := configProvider.HostConfig().Mounts[0]
+				h.AssertEq(t, firstMount.Type, mount.Type("bind"))
+				h.AssertEq(t, firstMount.Target, "/cnb/stack.toml")
+				h.AssertTrue(t, firstMount.ReadOnly)
+			})
 		})
 
 		when("platform api 0.2", func() {