[sso-admin] Change container not to run as root

dd-sso/.gitignore

@@ -6,9 +6,6 @@ docker-compose.yml
 **/custom.yaml
 **/system.yaml
 
-admin/src/node_modules
-admin/src/admin/node_modules/
-
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]

dd-sso/admin/docker/Dockerfile

@@ -20,6 +20,9 @@
 FROM alpine:3.12.0 as production
 MAINTAINER isard <info@isardvdi.com>
 
+# Ensure python dependencies
+COPY admin/docker/requirements.pip3 /requirements.pip3
+
 RUN apk add python3 py3-pip py3-pyldap~=3.2.0
 RUN pip3 install --upgrade pip
 RUN apk add --no-cache --virtual .build_deps \
@@ -27,37 +30,19 @@ RUN apk add --no-cache --virtual .build_deps \
     python3-dev \
     libffi-dev \
     gcc python3-dev linux-headers musl-dev postgresql-dev
-COPY admin/docker/requirements.pip3 /requirements.pip3
 RUN pip3 install --no-cache-dir -r requirements.pip3
 RUN apk del .build_deps
 
 RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow
 
+# Add catalan words list (issue with newer diceweare)
 RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt
 
-# SSH configuration
+# Add code and entrypoint
-# ARG SSH_ROOT_PWD
-# RUN apk add openssh
-# RUN echo "root:$SSH_ROOT_PWD" |chpasswd
-# RUN sed -i \
-#     -e 's|[#]*PermitRootLogin prohibit-password|PermitRootLogin yes|g' \
-#     -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication yes|g' \
-#     -e 's|[#]*ChallengeResponseAuthentication yes|ChallengeResponseAuthentication yes|g' \
-#     -e 's|[#]*UsePAM yes|UsePAM yes|g' \
-#     -e 's|[#]#Port 22|Port 22|g' \
-#     /etc/ssh/sshd_config
-
-# Let's test 0.26.1 python-keycloak version
-# RUN apk add --no-cache git && \
-#     git clone -b delete_realm_roles https://github.com/isard-vdi/python-keycloak.git && \
-#     cd python-keycloak && \
-#     python3 setup.py install && \
-#     apk del git
-
 COPY admin/src /admin
-RUN cd /admin/admin && yarn install
-
 COPY admin/docker/run.sh /run.sh
 
-#EXPOSE 7039
+# Ensure node dependencies
-CMD [ "/run.sh" ]
+RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"
+
+CMD [ "/run.sh" ]

dd-sso/admin/docker/run.sh

@@ -18,13 +18,14 @@
 #   along with DD. If not, see <https://www.gnu.org/licenses/>.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-# ssh-keygen -A
+
-## Only in development
+# We possibly need to fix bad old permissions
-cd /admin/admin
+chown -R nobody:nogroup \
-yarn install
+        /admin/custom \
-## End Only in development
+        /admin/moodledata/saml2 /admin/saml_certs \
+	"${DATA_FOLDER}" \
+        "${LEGAL_PATH}"
+
 cd /admin
 export PYTHONWARNINGS="ignore:Unverified HTTPS request"
-python3 start.py 
+exec su -s /bin/sh -m nobody -c 'python3 start.py'
-#&
-# /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config

dd-sso/admin/src/admin/flaskapp.py

@@ -73,6 +73,7 @@ class AdminFlaskApp(Flask):
     custom_dir: str
     data_dir: str
     domain : str
+    node_modules_dir : str
     ready: bool = False
 
     def __init__(self, *args: Any, **kwargs: Any):
@@ -141,6 +142,7 @@ class AdminFlaskApp(Flask):
         try:
             self.data_dir = os.environ.get("DATA_FOLDER", ".")
             self.custom_dir = os.environ.get("CUSTOM_FOLDER", ".")
+            self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", "node_modules")
             # Handle secrets like Flask's session key
             secret_key_file = os.path.join(self.secrets_dir, "secret_key")
             if not os.path.exists(self.secrets_dir):
@@ -202,19 +204,19 @@ class AdminFlaskApp(Flask):
         @self.route("/build/<path:path>")
         def send_build(path: str) -> Response:
             return send_from_directory(
-                os.path.join(self.root_path, "node_modules/gentelella/build"), path
+                os.path.join(self.node_modules_dir, "gentelella/build"), path
             )
 
         @self.route("/vendors/<path:path>")
         def send_vendors(path: str) -> Response:
             return send_from_directory(
-                os.path.join(self.root_path, "node_modules/gentelella/vendors"), path
+                os.path.join(self.node_modules_dir, "gentelella/vendors"), path
             )
 
         @self.route("/node_modules/<path:path>")
         def send_nodes(path: str) -> Response:
             return send_from_directory(
-                os.path.join(self.root_path, "node_modules"), path
+                self.node_modules_dir, path
             )
 
         @self.route("/templates/<path:path>")

dd-sso/docker-compose-parts/admin.yml

@@ -25,20 +25,14 @@ services:
       context: ${BUILD_SSO_ROOT_PATH}
       dockerfile: admin/docker/Dockerfile
       target: production
-      # args: ## DEVELOPMENT
-      #   SSH_ROOT_PWD: ${IPA_ADMIN_PWD}
-      #   SSH_PORT: 2022
     networks:
       - dd_net
-    # ports:
-    #   - "2022:22"
-    #   - "9000:9000"
     restart: unless-stopped
     volumes:
     - /etc/localtime:/etc/localtime:ro
-    - ${BUILD_SSO_ROOT_PATH}/admin/src:/admin  # Revome in production
+    - ${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro
     - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
-    - ${CUSTOM_PATH}/custom:/admin/custom
+    - ${CUSTOM_PATH}/custom:/admin/custom:rw
     - ${DATA_FOLDER}/avatars:/admin/avatars:ro
     - ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
     - ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
@@ -52,3 +46,4 @@ services:
       - MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
       - DATA_FOLDER=/data
       - CUSTOM_FOLDER=/admin/custom
+      - LEGAL_PATH=/admin/admin/static/templates/pages/legal