[sso-admin] Change container not to run as root

2022-08-01 11:51:09 +02:00 · 2022-08-01 11:51:09 +02:00 · 7bf216ef69
parent c19ff6cd8d
commit 7bf216ef69
5 changed files with 26 additions and 46 deletions
--- a/dd-sso/.gitignore
+++ b/dd-sso/.gitignore
@ -6,9 +6,6 @@ docker-compose.yml
 **/custom.yaml
 **/system.yaml

-admin/src/node_modules
-admin/src/admin/node_modules/
-
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
--- a/dd-sso/admin/docker/Dockerfile
+++ b/dd-sso/admin/docker/Dockerfile
@ -20,6 +20,9 @@
 FROM alpine:3.12.0 as production
 MAINTAINER isard <info@isardvdi.com>

+# Ensure python dependencies
+COPY admin/docker/requirements.pip3 /requirements.pip3
+
 RUN apk add python3 py3-pip py3-pyldap~=3.2.0
 RUN pip3 install --upgrade pip
 RUN apk add --no-cache --virtual .build_deps \
@ -27,37 +30,19 @@ RUN apk add --no-cache --virtual .build_deps \
    python3-dev \
    libffi-dev \
    gcc python3-dev linux-headers musl-dev postgresql-dev
-COPY admin/docker/requirements.pip3 /requirements.pip3
 RUN pip3 install --no-cache-dir -r requirements.pip3
 RUN apk del .build_deps

 RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow

+# Add catalan words list (issue with newer diceweare)
 RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt

-# SSH configuration
-# ARG SSH_ROOT_PWD
-# RUN apk add openssh
-# RUN echo "root:$SSH_ROOT_PWD" |chpasswd
-# RUN sed -i \
-#     -e 's|[#]*PermitRootLogin prohibit-password|PermitRootLogin yes|g' \
-#     -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication yes|g' \
-#     -e 's|[#]*ChallengeResponseAuthentication yes|ChallengeResponseAuthentication yes|g' \
-#     -e 's|[#]*UsePAM yes|UsePAM yes|g' \
-#     -e 's|[#]#Port 22|Port 22|g' \
-#     /etc/ssh/sshd_config
-
-# Let's test 0.26.1 python-keycloak version
-# RUN apk add --no-cache git && \
-#     git clone -b delete_realm_roles https://github.com/isard-vdi/python-keycloak.git && \
-#     cd python-keycloak && \
-#     python3 setup.py install && \
-#     apk del git
-
+# Add code and entrypoint
 COPY admin/src /admin
-RUN cd /admin/admin && yarn install
-
 COPY admin/docker/run.sh /run.sh

-#EXPOSE 7039
-CMD [ "/run.sh" ]
+# Ensure node dependencies
+RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"
+
+CMD [ "/run.sh" ]
--- a/dd-sso/admin/docker/run.sh
+++ b/dd-sso/admin/docker/run.sh
@ -18,13 +18,14 @@
 #   along with DD. If not, see <https://www.gnu.org/licenses/>.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-# ssh-keygen -A
-## Only in development
-cd /admin/admin
-yarn install
-## End Only in development
+
+# We possibly need to fix bad old permissions
+chown -R nobody:nogroup \
+        /admin/custom \
+        /admin/moodledata/saml2 /admin/saml_certs \
+	"${DATA_FOLDER}" \
+        "${LEGAL_PATH}"
+
 cd /admin
 export PYTHONWARNINGS="ignore:Unverified HTTPS request"
-python3 start.py 
-#&
-# /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config
+exec su -s /bin/sh -m nobody -c 'python3 start.py'
--- a/dd-sso/admin/src/admin/flaskapp.py
+++ b/dd-sso/admin/src/admin/flaskapp.py
@ -73,6 +73,7 @@ class AdminFlaskApp(Flask):
    custom_dir: str
    data_dir: str
    domain : str
+    node_modules_dir : str
    ready: bool = False

    def __init__(self, *args: Any, **kwargs: Any):
@ -141,6 +142,7 @@ class AdminFlaskApp(Flask):
        try:
            self.data_dir = os.environ.get("DATA_FOLDER", ".")
            self.custom_dir = os.environ.get("CUSTOM_FOLDER", ".")
+            self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", "node_modules")
            # Handle secrets like Flask's session key
            secret_key_file = os.path.join(self.secrets_dir, "secret_key")
            if not os.path.exists(self.secrets_dir):
@ -202,19 +204,19 @@ class AdminFlaskApp(Flask):
        @self.route("/build/<path:path>")
        def send_build(path: str) -> Response:
            return send_from_directory(
-                os.path.join(self.root_path, "node_modules/gentelella/build"), path
+                os.path.join(self.node_modules_dir, "gentelella/build"), path
            )

        @self.route("/vendors/<path:path>")
        def send_vendors(path: str) -> Response:
            return send_from_directory(
-                os.path.join(self.root_path, "node_modules/gentelella/vendors"), path
+                os.path.join(self.node_modules_dir, "gentelella/vendors"), path
            )

        @self.route("/node_modules/<path:path>")
        def send_nodes(path: str) -> Response:
            return send_from_directory(
-                os.path.join(self.root_path, "node_modules"), path
+                self.node_modules_dir, path
            )

        @self.route("/templates/<path:path>")
--- a/dd-sso/docker-compose-parts/admin.yml
+++ b/dd-sso/docker-compose-parts/admin.yml
@ -25,20 +25,14 @@ services:
      context: ${BUILD_SSO_ROOT_PATH}
      dockerfile: admin/docker/Dockerfile
      target: production
-      # args: ## DEVELOPMENT
-      #   SSH_ROOT_PWD: ${IPA_ADMIN_PWD}
-      #   SSH_PORT: 2022
    networks:
      - dd_net
-    # ports:
-    #   - "2022:22"
-    #   - "9000:9000"
    restart: unless-stopped
    volumes:
    - /etc/localtime:/etc/localtime:ro
-    - ${BUILD_SSO_ROOT_PATH}/admin/src:/admin  # Revome in production
+    - ${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro
    - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
-    - ${CUSTOM_PATH}/custom:/admin/custom
+    - ${CUSTOM_PATH}/custom:/admin/custom:rw
    - ${DATA_FOLDER}/avatars:/admin/avatars:ro
    - ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
    - ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
@ -52,3 +46,4 @@ services:
      - MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
      - DATA_FOLDER=/data
      - CUSTOM_FOLDER=/admin/custom
+      - LEGAL_PATH=/admin/admin/static/templates/pages/legal