
Make zap's and browserker's uid configurable at build time

Philip Cunningham requested to merge fix-docker-uid-volume-mapping-issue into master

What are the relevant issue numbers?

What does this MR do?

allows the zap and browserker users' uids to be configured at image build time.

Why?

when you mount a volume with docker, the uid of the files and directories remains the same as on the host. as a result, you may not be able to write to those files or directories when you mount them. this issue is manifest on my local development environment, which uses docker-machine and virtualbox, and i've also been able to reproduce it on a fresh debian installation on a vm.

How to test

$ ZAP_UID=1000 BROWSERKER_UID=1001 invoke dast.build --set-zap-and-browserker-uid

Demo

running on fresh debian vm.

Before

pcunningham@pcunningham-ubuntu-docker-test-env:~/dast$ id -u
1048
pcunningham@pcunningham-ubuntu-docker-test-env:~/dast$ docker run -it --rm -v "${PWD}":/zap/wrk dast /bin/bash
zap@5e050ed1425c:/output$ id -u
1001
zap@5e050ed1425c:/output$ ls -la /zap/wrk/
total 144
drwxr-xr-x 12 1048 1049  4096 Nov 26 03:51 .
drwxrwxrwx  1 zap  zap   4096 Nov 26 03:52 ..
-rw-r--r--  1 1048 1049   206 Nov 26 03:48 .editorconfig
-rw-r--r--  1 1048 1049    97 Nov 26 03:48 .flake8
drwxr-xr-x  8 1048 1049  4096 Nov 26 03:51 .git
-rw-r--r--  1 1048 1049  1378 Nov 26 03:48 .gitignore
drwxr-xr-x  2 1048 1049  4096 Nov 26 03:48 .gitlab
-rw-r--r--  1 1048 1049  7245 Nov 26 03:48 .gitlab-ci.yml
-rw-r--r--  1 1048 1049  2310 Nov 26 03:48 .markdownlint.json
-rw-r--r--  1 1048 1049     6 Nov 26 03:48 .python-version
-rw-r--r--  1 1048 1049 14382 Nov 26 03:51 CHANGELOG.md
-rw-r--r--  1 1048 1049  1514 Nov 26 03:48 CONTRIBUTING.md
-rw-r--r--  1 1048 1049  9271 Nov 26 03:51 Dockerfile
-rw-r--r--  1 1048 1049  2210 Nov 26 03:48 LICENSE
-rw-r--r--  1 1048 1049  4488 Nov 26 03:48 README.md
-rwxr-xr-x  1 1048 1049   547 Nov 26 03:48 analyze
-rwxr-xr-x  1 1048 1049   182 Nov 26 03:48 analyze.py
drwxr-xr-x  2 1048 1049  4096 Nov 26 03:48 artifacts
drwxr-xr-x  3 1048 1049  4096 Nov 26 03:51 doc
-rw-r--r--  1 1048 1049     0 Nov 26 03:50 hello-world
drwxr-xr-x  7 1048 1049  4096 Nov 26 03:48 lib
-rw-r--r--  1 1048 1049   159 Nov 26 03:48 mypy.ini
drwxr-xr-x  2 1048 1049  4096 Nov 26 03:48 profiling
-rw-r--r--  1 1048 1049   300 Nov 26 03:48 requirements-test.txt
-rw-r--r--  1 1048 1049   200 Nov 26 03:48 requirements.txt
drwxr-xr-x  4 1048 1049  4096 Nov 26 03:48 resources
drwxr-xr-x  2 1048 1049  4096 Nov 26 03:48 scripts
drwxr-xr-x  7 1048 1049  4096 Nov 26 03:48 src
-rwxr-xr-x  1 1048 1049   305 Nov 26 03:48 tasks.py
drwxr-xr-x  6 1048 1049  4096 Nov 26 03:48 test
zap@5e050ed1425c:/output$ ls -ln /zap/wrk/
total 100
-rw-r--r-- 1 1048 1049 14382 Nov 26 03:51 CHANGELOG.md
-rw-r--r-- 1 1048 1049  1514 Nov 26 03:48 CONTRIBUTING.md
-rw-r--r-- 1 1048 1049  9271 Nov 26 03:51 Dockerfile
-rw-r--r-- 1 1048 1049  2210 Nov 26 03:48 LICENSE
-rw-r--r-- 1 1048 1049  4488 Nov 26 03:48 README.md
-rwxr-xr-x 1 1048 1049   547 Nov 26 03:48 analyze
-rwxr-xr-x 1 1048 1049   182 Nov 26 03:48 analyze.py
drwxr-xr-x 2 1048 1049  4096 Nov 26 03:48 artifacts
drwxr-xr-x 3 1048 1049  4096 Nov 26 03:51 doc
-rw-r--r-- 1 1048 1049     0 Nov 26 03:50 hello-world
drwxr-xr-x 7 1048 1049  4096 Nov 26 03:48 lib
-rw-r--r-- 1 1048 1049   159 Nov 26 03:48 mypy.ini
drwxr-xr-x 2 1048 1049  4096 Nov 26 03:48 profiling
-rw-r--r-- 1 1048 1049   300 Nov 26 03:48 requirements-test.txt
-rw-r--r-- 1 1048 1049   200 Nov 26 03:48 requirements.txt
drwxr-xr-x 4 1048 1049  4096 Nov 26 03:48 resources
drwxr-xr-x 2 1048 1049  4096 Nov 26 03:48 scripts
drwxr-xr-x 7 1048 1049  4096 Nov 26 03:48 src
-rwxr-xr-x 1 1048 1049   305 Nov 26 03:48 tasks.py
drwxr-xr-x 6 1048 1049  4096 Nov 26 03:48 test
zap@5e050ed1425c:/output$ touch /zap/wrk/hello-world
touch: cannot touch '/zap/wrk/hello-world': Permission denied

After

zap@ab0f41e007ca:/output$ id -u
1048
zap@ab0f41e007ca:/output$ ls -la /zap/wrk/
total 164
drwxr-xr-x 12 zap 1049  4096 Nov 30 06:06 .
drwxrwxrwx  1 zap zap   4096 Nov 30 06:13 ..
-rw-r--r--  1 zap 1049   206 Nov 26 03:48 .editorconfig
-rw-r--r--  1 zap 1049    97 Nov 26 03:48 .flake8
drwxr-xr-x  8 zap 1049  4096 Nov 30 06:06 .git
-rw-r--r--  1 zap 1049  1378 Nov 26 03:48 .gitignore
drwxr-xr-x  2 zap 1049  4096 Nov 26 03:48 .gitlab
-rw-r--r--  1 zap 1049  7245 Nov 26 03:48 .gitlab-ci.yml
-rw-r--r--  1 zap 1049  2310 Nov 26 03:48 .markdownlint.json
-rw-r--r--  1 zap 1049     6 Nov 26 03:48 .python-version
-rw-r--r--  1 zap 1049 14442 Nov 30 06:06 CHANGELOG.md
-rw-r--r--  1 zap 1049  1514 Nov 26 03:48 CONTRIBUTING.md
-rw-r--r--  1 zap 1049  9441 Nov 30 06:06 Dockerfile
-rw-r--r--  1 zap 1049  2210 Nov 26 03:48 LICENSE
-rw-r--r--  1 zap 1049  4488 Nov 26 03:48 README.md
-rw-r--r--  1 zap 1049  4137 Nov 26 05:01 addons.json
-rwxr-xr-x  1 zap 1049   547 Nov 26 03:48 analyze
-rwxr-xr-x  1 zap 1049   182 Nov 26 03:48 analyze.py
drwxr-xr-x  2 zap 1049  4096 Nov 26 03:48 artifacts
-rwxr-xr-x  1 zap 1049  8382 Nov 27 04:43 bash_unit
drwxr-xr-x  3 zap 1049  4096 Nov 30 06:06 doc
-rw-r--r--  1 zap 1049     0 Nov 26 04:46 hello
-rw-r--r--  1 zap 1049     0 Nov 26 03:50 hello-world
drwxr-xr-x  7 zap 1049  4096 Nov 26 03:48 lib
-rw-r--r--  1 zap 1049   159 Nov 26 03:48 mypy.ini
drwxr-xr-x  2 zap 1049  4096 Nov 30 03:49 profiling
-rw-r--r--  1 zap 1049   300 Nov 26 03:48 requirements-test.txt
-rw-r--r--  1 zap 1049   200 Nov 26 03:48 requirements.txt
drwxr-xr-x  4 zap 1049  4096 Nov 26 03:48 resources
drwxr-xr-x  2 zap 1049  4096 Nov 30 05:54 scripts
drwxr-xr-x  7 zap 1049  4096 Nov 26 03:48 src
-rwxr-xr-x  1 zap 1049   305 Nov 26 03:48 tasks.py
drwxr-xr-x  6 zap 1049  4096 Nov 26 03:48 test
zap@ab0f41e007ca:/output$ ls -ln /zap/wrk/
total 120
-rw-r--r-- 1 1048 1049 14442 Nov 30 06:06 CHANGELOG.md
-rw-r--r-- 1 1048 1049  1514 Nov 26 03:48 CONTRIBUTING.md
-rw-r--r-- 1 1048 1049  9441 Nov 30 06:06 Dockerfile
-rw-r--r-- 1 1048 1049  2210 Nov 26 03:48 LICENSE
-rw-r--r-- 1 1048 1049  4488 Nov 26 03:48 README.md
-rw-r--r-- 1 1048 1049  4137 Nov 26 05:01 addons.json
-rwxr-xr-x 1 1048 1049   547 Nov 26 03:48 analyze
-rwxr-xr-x 1 1048 1049   182 Nov 26 03:48 analyze.py
drwxr-xr-x 2 1048 1049  4096 Nov 26 03:48 artifacts
-rwxr-xr-x 1 1048 1049  8382 Nov 27 04:43 bash_unit
drwxr-xr-x 3 1048 1049  4096 Nov 30 06:06 doc
-rw-r--r-- 1 1048 1049     0 Nov 26 04:46 hello
-rw-r--r-- 1 1048 1049     0 Nov 26 03:50 hello-world
drwxr-xr-x 7 1048 1049  4096 Nov 26 03:48 lib
-rw-r--r-- 1 1048 1049   159 Nov 26 03:48 mypy.ini
drwxr-xr-x 2 1048 1049  4096 Nov 30 03:49 profiling
-rw-r--r-- 1 1048 1049   300 Nov 26 03:48 requirements-test.txt
-rw-r--r-- 1 1048 1049   200 Nov 26 03:48 requirements.txt
drwxr-xr-x 4 1048 1049  4096 Nov 26 03:48 resources
drwxr-xr-x 2 1048 1049  4096 Nov 30 05:54 scripts
drwxr-xr-x 7 1048 1049  4096 Nov 26 03:48 src
-rwxr-xr-x 1 1048 1049   305 Nov 26 03:48 tasks.py
drwxr-xr-x 6 1048 1049  4096 Nov 26 03:48 test
zap@ab0f41e007ca:/output$ touch /zap/wrk/hello-world
zap@ab0f41e007ca:/output$ ls -la /zap/wrk/hello-world 
-rw-r--r-- 1 zap 1049 0 Nov 30 06:14 /zap/wrk/hello-world

Does this MR meet the acceptance criteria?

Edited by Philip Cunningham
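The permission decision behind the Before/After demo above, as an added example that is not part of the merge request: the function `writable_per_ls` (a name chosen here) takes a process uid, its group ids and one `ls -ln` line, and applies the POSIX owner/group/other class selection. The container user's gid is not shown on the page, so the sample calls assume it equals the uid.

```shell
#!/bin/sh
# writable_per_ls UID "GID [GID...]" 'one line of ls -ln output'
# Exit status 0 if the mode bits grant write access to that uid, 1 otherwise.
# Exactly one permission class applies: owner, else group, else other.
writable_per_ls() {
    wp_uid=$1
    wp_gids=$2
    # ls -ln fields: mode, link count, owner uid, owner gid, rest
    read -r wp_mode wp_links wp_owner wp_group wp_rest <<EOF
$3
EOF
    # Assumption: uid 0 keeps CAP_DAC_OVERRIDE and is not bound by mode bits.
    if [ "$wp_uid" -eq 0 ]; then
        return 0
    fi
    if [ "$wp_uid" -eq "$wp_owner" ]; then
        wp_col=3                      # owner 'w' is character 3 of the mode
    else
        wp_col=9                      # other 'w' is character 9
        for wp_g in $wp_gids; do
            if [ "$wp_g" -eq "$wp_group" ]; then
                wp_col=6              # group 'w' is character 6
            fi
        done
    fi
    [ "$(printf '%s' "$wp_mode" | cut -c"$wp_col")" = "w" ]
}

# The hello-world entry as listed in the demo (ls -ln output).
SAMPLE='-rw-r--r-- 1 1048 1049     0 Nov 26 03:50 hello-world'

# Before: container uid 1001. After: container uid 1048 (matches the host).
# The gid passed here is assumed equal to the uid; the page does not show it.
for uid in 1001 1048; do
    if writable_per_ls "$uid" "$uid" "$SAMPLE"; then
        echo "uid $uid: write allowed"
    else
        echo "uid $uid: Permission denied"
    fi
done
```

The check covers writing to an existing entry, as in the demo's `touch`; creating a new file additionally requires write and search permission on the containing directory.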
