GRP-5153: add option to run tomcat as another use

Dockerfile

@@ -19,8 +19,8 @@ RUN yum update -y \
     && yum install -y diffutils logrotate python3-pip rsync sudo patch supervisor wget tar unzip dos2unix file \
     && pip3 install --upgrade setuptools \
     && yum clean -y all \
-    && groupadd -r tomcat \
-    && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
+    && groupadd -g 994 -r tomcat \
+    && useradd -u 996 -r -m -s /sbin/nologin -g tomcat tomcat \
     && mkdir -p /opt/container_files
 
 # Install Corretto Java JDK

container_files/usr-local-bin/changeGid.sh

@@ -13,6 +13,11 @@ newGid=$2
 getentOutput="$(getent group "$groupname")"
 oldGid="$( echo "$getentOutput" |cut -d\: -f3 )"
 groupmod -g "$newGid" "$groupname"
-echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} \;
-echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi

container_files/usr-local-bin/changeUid.sh

@@ -12,6 +12,11 @@ username=$1
 newUid=$2
 oldUid="$(id -u "$username")"
 usermod -u "$newUid" "$username"
-echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -user "$oldUid" -exec chown -h "$username" {} \;
-echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi

container_files/usr-local-bin/libraryPrep.sh

@@ -223,6 +223,18 @@ prep_finishBegin() {
       echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_UI=false"
       export GROUPER_UI=false
     fi
+    if [ -z "$GROUPER_TOMCAT_UID" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UID=996"
+      export GROUPER_TOMCAT_UID=996
+    fi
+    if [ -z "$GROUPER_TOMCAT_GID" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_GID=994"
+      export GROUPER_TOMCAT_GID=994
+    fi
+    if [ -z "$GROUPER_TOMCAT_UNIX_GROUP" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UNIX_GROUP=root"
+      export GROUPER_TOMCAT_UNIX_GROUP=root
+    fi
     if [ -z "$GROUPER_WS" ] ; then 
       echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_WS=false"
       export GROUPER_WS=false
@@ -314,8 +326,13 @@ prep_finishBegin() {
     fi
 
     if [ -z "$GROUPER_RUN_PROCESSES_AS_USERS" ]; then 
-      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_RUN_PROCESSES_AS_USERS=true"
-      export GROUPER_RUN_PROCESSES_AS_USERS=true
+      if [[ $EUID -eq 0 ]]; then
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) running as root: export GROUPER_RUN_PROCESSES_AS_USERS=true"
+        export GROUPER_RUN_PROCESSES_AS_USERS=true
+      else
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) not running as root: export GROUPER_RUN_PROCESSES_AS_USERS=false"
+        export GROUPER_RUN_PROCESSES_AS_USERS=false
+      fi
     fi
 
     # do these before the "only" component
@@ -398,10 +415,10 @@ prep_finishBegin() {
     #Replace web.xml session timeout with env variable
     if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
       if [[ "$GROUPER_UI" != 'true' ]] && [[ "$GROUPER_WS" = 'true' ]]; then
-        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
         export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1
       else
-        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600 (10 hours)"
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600"
         export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600
 
       fi

container_files/usr-local-bin/libraryRunCommand.sh

@@ -11,12 +11,16 @@ runCommand() {
 
   runCommand_unsetAll
 
-  if [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" = "true" ]
-    then
-      echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat not supervisor"
-      /opt/tomcat/bin/catalina.sh run
+  if [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" = "true" ]; then
+    if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ]; then
+      echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo -u tomcat /opt/tomcat/bin/catalina.sh run"
+      sudo -u tomcat /opt/tomcat/bin/catalina.sh run
     else
-      echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting supervisor"
+      echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: /opt/tomcat/bin/catalina.sh run"
+      /opt/tomcat/bin/catalina.sh run
+    fi
+  else
+      echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting supervisor: exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf"
       exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
   fi
 

container_files/usr-local-bin/librarySetupFiles.sh

@@ -34,6 +34,44 @@ setupFiles_rsyncSlashRoot() {
     fi
 }
 
+setupFiles_uid() {
+
+  makeChange=false
+  if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+    makeChange=true
+  elif [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+    makeChange=true
+  elif [ "$GROUPER_TOMCAT_UNIX_GROUP" != "root" ]; then
+    makeChange=true
+  fi
+
+  if [ "$makeChange" = "true" ]; then
+    if [[ $EUID -ne 0 ]]; then
+      echo "grouperContainer; ERROR: (librarySetupFiles.sh-setupFiles_uid) Cannot set tomcat UID/GID/unixGroup if not running the container as root"
+      exit 1
+    fi  
+  fi
+
+  if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+
+    /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID, result: $returnCode"
+
+  fi
+
+  if [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+
+    /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID, result: $returnCode"
+
+  fi
+
+  # this is called later: setupFiles_chownDirs to set ownership and privs on filesystem
+
+}
+
 setupFiles_localLogging() {
   additionalLoggersFile=/opt/grouper/grouperWebapp/WEB-INF/classes/log4j2.additionalLoggers.xml.txt
   if [ -f $additionalLoggersFile ]; then
@@ -139,9 +177,9 @@ setupFiles_chownDirs() {
     # do this last
     if [ "$GROUPER_CHOWN_DIRS" = "true" ]
       then
-        /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root
+        /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP
         returnCode=$?
-        echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root, result: $returnCode"
+        echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP, result: $returnCode"
         if [ $returnCode != 0 ]; then exit $returnCode; fi
     fi
 }
@@ -371,6 +409,8 @@ setupFiles() {
   fi
 
   setupFiles_rsyncSlashRoot
+
+  setupFiles_uid
 
   setupFiles_analyzeOriginalFiles
 
@@ -431,6 +471,7 @@ setupFiles_unsetAll() {
   unset -f setupFiles_removePids
   unset -f setupFiles_rsyncSlashRoot
   unset -f setupFiles_storeEnvVars
+  unset -f setupFiles_uid
   unset -f setupFiles_unsetAll
   unset -f setupFiles_unsetAllAndFromFiles
 }
@@ -446,6 +487,7 @@ setupFiles_exportAll() {
   export -f setupFiles_removePids
   export -f setupFiles_rsyncSlashRoot
   export -f setupFiles_storeEnvVars
+  export -f setupFiles_uid
   export -f setupFiles_unsetAll
   export -f setupFiles_unsetAllAndFromFiles
 }

container_files/usr-local-bin/librarySetupFilesTomcat.sh

@@ -273,9 +273,8 @@ setupFilesTomcat_sslCertsAnchors() {
     # openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
 
     if [ -n "$(ls -A /opt/grouper/certs/anchors/ 2>/dev/null)" ]; then
-
-      amiroot=`whoami`
-      if [ "$amiroot" = "root" ]; then
+      # if root
+      if [[ $EUID -eq 0 ]]; then
 
         echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process"
 
@@ -296,7 +295,7 @@ setupFilesTomcat_sslCertsAnchors() {
         fi  
 
       else
-        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so you might need to run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
       fi
 
       chmod u+w $JAVA_HOME/lib/security/cacerts