Rectified the logic for user inherit functionality for HPCs

Signed-off-by: Harsh Rawat <[email protected]>

Author: rawahars

cmd/containerd-shim-runhcs-v1/pod.go

@@ -516,18 +516,12 @@ func (p *pod) updateConfigForHostProcessContainer(s *specs.Spec) error {
 		)
 	}
 
-	if isHypervisorIsolatedPrivilegedSandbox {
-		if isHypervisorIsolatedPrivilegedContainer && s.Annotations[annotations.HostProcessInheritUser] == "true" {
-			// For privileged containers within the sandbox, if the annotation to inherit user is set
-			// we will set the user to NT AUTHORITY\SYSTEM.
-			s.Process.User.Username = `NT AUTHORITY\SYSTEM`
-		}
-
-		if !isHypervisorIsolatedPrivilegedContainer && s.Annotations[annotations.HostProcessInheritUser] != "" {
-			// If the hypervisor isolated sandbox was privileged but the container is non-privileged, then
-			// we will explicitly disable the annotation which allows privileged user with the exec.
-			s.Annotations[annotations.HostProcessInheritUser] = "false"
-		}
+	if isHypervisorIsolatedPrivilegedSandbox &&
+		!isHypervisorIsolatedPrivilegedContainer &&
+		s.Annotations[annotations.HostProcessInheritUser] != "" {
+		// If the hypervisor isolated sandbox was privileged but the container is non-privileged, then
+		// we will explicitly disable the annotation which allows privileged user with the exec.
+		s.Annotations[annotations.HostProcessInheritUser] = "false"
 	}
 
 	return nil

cmd/containerd-shim-runhcs-v1/pod_test.go

@@ -407,8 +407,6 @@ func getWCOWSpecsWithAnnotations(annotation map[string]string, isIsolated bool,
 }
 
 func Test_pod_UpdateConfigForHostProcessContainer(t *testing.T) {
-	ntAuthorityUser := `NT AUTHORITY\SYSTEM`
-
 	testCases := []struct {
 		testName              string
 		podSpec               *specs.Spec
@@ -470,7 +468,7 @@ func Test_pod_UpdateConfigForHostProcessContainer(t *testing.T) {
 				annotations.HostProcessContainer:      "true",
 				annotations.HostProcessInheritUser:    "true",
 				annotations.HostProcessRootfsLocation: "C:\\test",
-			}, true, ntAuthorityUser),
+			}, true, ""),
 			expectedError: "",
 		},
 		{
@@ -500,21 +498,6 @@ func Test_pod_UpdateConfigForHostProcessContainer(t *testing.T) {
 			expectedContainerSpec: getWCOWSpecsWithAnnotations(map[string]string{}, true, ""),
 			expectedError:         "",
 		},
-		{
-			testName: "set user process for inherit annotation (isolated hpc)",
-			podSpec: getWCOWSpecsWithAnnotations(map[string]string{
-				annotations.HostProcessContainer:   "true",
-				annotations.HostProcessInheritUser: "true",
-			}, true, ""),
-			containerSpec: getWCOWSpecsWithAnnotations(map[string]string{
-				annotations.HostProcessContainer: "true",
-			}, true, ""),
-			expectedContainerSpec: getWCOWSpecsWithAnnotations(map[string]string{
-				annotations.HostProcessContainer:   "true",
-				annotations.HostProcessInheritUser: "true",
-			}, true, ntAuthorityUser),
-			expectedError: "",
-		},
 		{
 			testName: "no changes in user process for normal containers (isolated hpc)",
 			podSpec: getWCOWSpecsWithAnnotations(map[string]string{

cmd/containerd-shim-runhcs-v1/task_hcs.go

@@ -214,7 +214,7 @@ func newHcsTask(
 	// For Isolated Job containers, we need special handling wherein if the command line
 	// is not specified, then we add 'cmd /C' by default.
 	if oci.IsIsolatedJobContainer(s) {
-		handleProcessArgsForIsolatedJobContainer(s.Process)
+		handleProcessArgsForIsolatedJobContainer(s, s.Process)
 	}
 
 	// Default to an infinite timeout (zero value)
@@ -370,7 +370,7 @@ func (ht *hcsTask) CreateExec(ctx context.Context, req *task.ExecProcessRequest,
 	}
 
 	if oci.IsIsolatedJobContainer(ht.taskSpec) {
-		handleProcessArgsForIsolatedJobContainer(spec)
+		handleProcessArgsForIsolatedJobContainer(ht.taskSpec, spec)
 	}
 
 	io, err := cmd.NewUpstreamIO(ctx, req.ID, req.Stdout, req.Stderr, req.Stdin, req.Terminal, ht.ioRetryTimeout)
@@ -993,13 +993,20 @@ func (ht *hcsTask) requestAddContainerMount(ctx context.Context, resourcePath st
 	return ht.c.Modify(ctx, modification)
 }
 
-func handleProcessArgsForIsolatedJobContainer(specs *specs.Process) {
+func handleProcessArgsForIsolatedJobContainer(taskSpec *specs.Spec, specs *specs.Process) {
 	if specs.CommandLine != "" && !strings.HasPrefix(strings.TrimSpace(strings.ToLower(specs.CommandLine)), "cmd") {
 		specs.CommandLine = fmt.Sprintf("cmd /c %s", specs.CommandLine)
 	}
 	if len(specs.Args) > 0 && strings.TrimSpace(strings.ToLower(specs.Args[0])) != "cmd" {
 		specs.Args = append([]string{"cmd", "/c"}, specs.Args...)
 	}
+
+	// HostProcessInheritUser is set to explicit true or false during container create.
+	if taskSpec.Annotations[annotations.HostProcessInheritUser] == "true" {
+		// For privileged containers within the sandbox, if the annotation to inherit user is set
+		// we will set the user to NT AUTHORITY\SYSTEM.
+		specs.User.Username = `NT AUTHORITY\SYSTEM`
+	}
 }
 
 func isMountTypeSupported(hostPath, mountType string) bool {

cmd/containerd-shim-runhcs-v1/task_hcs_test.go

@@ -10,6 +10,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/Microsoft/hcsshim/pkg/annotations"
 	"github.com/containerd/errdefs"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -322,96 +323,153 @@ func Test_hcsTask_DeleteExec_2ndExecID_ExitedState_Success(t *testing.T) {
 }
 
 func Test_handleProcessArgsForIsolatedJobContainer(t *testing.T) {
+	ntAuthorityUser := `NT AUTHORITY\SYSTEM`
+	testUserName := "testUser"
+
 	tests := []struct {
-		name            string
-		specs           *specs.Process
-		expectedCmdLine string
-		expectedArgs    []string
+		name             string
+		taskAnnotations  map[string]string
+		specs            *specs.Process
+		expectedCmdLine  string
+		expectedArgs     []string
+		initialUsername  string
+		expectedUsername string
 	}{
 		{
 			name:            "CommandLine starts with 'cmd' (lowercase) – unchanged",
 			specs:           &specs.Process{CommandLine: "cmd /c dir"},
 			expectedCmdLine: "cmd /c dir",
-			expectedArgs:    nil,
 		},
 		{
 			name:            "CommandLine starts with 'CMD' (uppercase) – unchanged",
 			specs:           &specs.Process{CommandLine: "CMD /C whoami"},
 			expectedCmdLine: "CMD /C whoami",
-			expectedArgs:    nil,
 		},
 		{
 			name:            "CommandLine starts with 'cmd.exe' – unchanged",
 			specs:           &specs.Process{CommandLine: "cmd.exe /c ipconfig"},
 			expectedCmdLine: "cmd.exe /c ipconfig",
-			expectedArgs:    nil,
 		},
 		{
 			name:            "CommandLine plain – gets prefixed with 'cmd /c '",
 			specs:           &specs.Process{CommandLine: "echo hello"},
 			expectedCmdLine: "cmd /c echo hello",
-			expectedArgs:    nil,
 		},
 		{
 			name:            "CommandLine mixed case 'CmD' – unchanged",
 			specs:           &specs.Process{CommandLine: "CmD /c ping 127.0.0.1"},
 			expectedCmdLine: "CmD /c ping 127.0.0.1",
-			expectedArgs:    nil,
 		},
 		{
-			name:            "Args plain – gets ['cmd','/c',...] prefix",
-			specs:           &specs.Process{Args: []string{"echo", "hello"}},
-			expectedCmdLine: "",
-			expectedArgs:    []string{"cmd", "/c", "echo", "hello"},
+			name:            "CommandLine has leading spaces before 'cmd' – unchanged",
+			specs:           &specs.Process{CommandLine: "  cmd /c echo spaced"},
+			expectedCmdLine: "  cmd /c echo spaced",
 		},
 		{
-			name:            "Args already start with 'CMD' (uppercase) – unchanged",
-			specs:           &specs.Process{Args: []string{"CMD", "/C", "echo", "hi"}},
-			expectedCmdLine: "",
-			expectedArgs:    []string{"CMD", "/C", "echo", "hi"},
+			name:            "CommandLine has leading spaces before 'CMD' – unchanged",
+			specs:           &specs.Process{CommandLine: "   CMD /C echo spaced"},
+			expectedCmdLine: "   CMD /C echo spaced",
 		},
 		{
-			name:            "Args already start with 'cmd' (lowercase) – unchanged",
-			specs:           &specs.Process{Args: []string{"cmd", "/c", "type", "file.txt"}},
-			expectedCmdLine: "",
-			expectedArgs:    []string{"cmd", "/c", "type", "file.txt"},
+			name:            "CommandLine whitespace-only – gets prefixed preserving spaces",
+			specs:           &specs.Process{CommandLine: "    "},
+			expectedCmdLine: "cmd /c     ",
+		},
+		{
+			name:         "Args plain – gets ['cmd','/c',...] prefix",
+			specs:        &specs.Process{Args: []string{"echo", "hello"}},
+			expectedArgs: []string{"cmd", "/c", "echo", "hello"},
+		},
+		{
+			name:         "Args already start with 'CMD' (uppercase) – unchanged",
+			specs:        &specs.Process{Args: []string{"CMD", "/C", "echo", "hi"}},
+			expectedArgs: []string{"CMD", "/C", "echo", "hi"},
+		},
+		{
+			name:         "Args already start with 'cmd' (lowercase) – unchanged",
+			specs:        &specs.Process{Args: []string{"cmd", "/c", "type", "file.txt"}},
+			expectedArgs: []string{"cmd", "/c", "type", "file.txt"},
+		},
+		{
+			name:         "Args first element mixed case 'Cmd' – unchanged",
+			specs:        &specs.Process{Args: []string{"Cmd", "/c", "echo", "hi"}},
+			expectedArgs: []string{"Cmd", "/c", "echo", "hi"},
+		},
+		{
+			name:         "Args first element has leading/trailing spaces '  CMD  ' – unchanged (trimmed comparison)",
+			specs:        &specs.Process{Args: []string{"  CMD  ", "/C", "echo", "trimmed"}},
+			expectedArgs: []string{"  CMD  ", "/C", "echo", "trimmed"},
 		},
 		{
 			name:            "Empty CommandLine and empty Args – unchanged",
 			specs:           &specs.Process{},
 			expectedCmdLine: "",
-			expectedArgs:    nil,
 		},
 		{
 			name:            "Empty CommandLine and empty slice Args – unchanged (empty slice preserved)",
 			specs:           &specs.Process{Args: []string{}},
 			expectedCmdLine: "",
 			expectedArgs:    []string{},
 		},
+		// --- User inheritance behavior ---
 		{
-			name:            "CommandLine has leading spaces before 'cmd' – treated as not starting with cmd - unchanged",
-			specs:           &specs.Process{CommandLine: "  cmd /c echo spaced"},
-			expectedCmdLine: "  cmd /c echo spaced",
-			expectedArgs:    nil,
+			name:             "HostProcessInheritUser=true – sets Username to NT AUTHORITY\\SYSTEM",
+			taskAnnotations:  map[string]string{annotations.HostProcessInheritUser: "true"},
+			specs:            &specs.Process{},
+			expectedUsername: ntAuthorityUser,
 		},
 		{
-			name:            "Args first element mixed case 'Cmd' – unchanged",
-			specs:           &specs.Process{Args: []string{"Cmd", "/c", "echo", "hi"}},
-			expectedCmdLine: "",
-			expectedArgs:    []string{"Cmd", "/c", "echo", "hi"},
+			name:             "HostProcessInheritUser=false – does not set Username",
+			taskAnnotations:  map[string]string{annotations.HostProcessInheritUser: "false"},
+			specs:            &specs.Process{User: specs.User{Username: testUserName}},
+			expectedUsername: testUserName,
+		},
+		{
+			name:             "HostProcessInheritUser missing – does not set Username",
+			taskAnnotations:  map[string]string{},
+			specs:            &specs.Process{User: specs.User{Username: testUserName}},
+			expectedUsername: testUserName,
+		},
+		{
+			name:             "HostProcessInheritUser=true – overrides preexisting Username",
+			taskAnnotations:  map[string]string{annotations.HostProcessInheritUser: "true"},
+			specs:            &specs.Process{User: specs.User{Username: testUserName}},
+			expectedUsername: ntAuthorityUser,
+		},
+		{
+			name:             "HostProcessInheritUser=false – preserves preexisting Username",
+			taskAnnotations:  map[string]string{annotations.HostProcessInheritUser: "false"},
+			specs:            &specs.Process{User: specs.User{Username: testUserName}},
+			expectedUsername: testUserName,
+		},
+		{
+			name: "Nil annotation map – safely no change to Username",
+			// Note: Annotations=nil is fine; indexing a nil map returns zero value
+			taskAnnotations:  nil,
+			specs:            &specs.Process{User: specs.User{Username: testUserName}},
+			expectedUsername: testUserName,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			handleProcessArgsForIsolatedJobContainer(tt.specs)
+			taskSpec := &specs.Spec{Annotations: tt.taskAnnotations}
+			// Ensure initial Username is set if provided
+			if tt.initialUsername != "" {
+				tt.specs.User.Username = tt.initialUsername
+			}
+
+			handleProcessArgsForIsolatedJobContainer(taskSpec, tt.specs)
 
 			if tt.specs.CommandLine != tt.expectedCmdLine {
 				t.Errorf("CommandLine mismatch:  got:  %q  want: %q", tt.specs.CommandLine, tt.expectedCmdLine)
 			}
 			if !reflect.DeepEqual(tt.specs.Args, tt.expectedArgs) {
 				t.Errorf("Args mismatch:  got:  %#v  want: %#v", tt.specs.Args, tt.expectedArgs)
 			}
+			if tt.specs.User.Username != tt.expectedUsername {
+				t.Errorf("Username mismatch:  got:  %q  want: %q", tt.specs.User.Username, tt.expectedUsername)
+			}
 		})
 	}
 }