GRP-2782: grouper running with nonroot and non supervisor

docker · May 11, 2020 · 47e7171 · 47e7171
1 parent 7c0eefd
commit 47e7171
Show file tree

Hide file tree

Showing 12 changed files with 330 additions and 67 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -77,13 +77,13 @@ RUN groupadd -r tomcat \
     && chown -R tomcat:tomcat /opt/tomee  \
     && ln -s $JAVA_HOME/bin/java /etc/alternatives/java \
     && mkdir -p /opt/tomee/conf/Catalina/localhost/ \
-    && chown -R tomcat:tomcat /opt/grouper/grouperWebapp \
+    && chown -R tomcat:tomcat /opt/grouper \
     && mkdir /opt/hsqldb \
     && chown tomcat:tomcat /opt/hsqldb
 
-
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin/ /usr/local/bin/
+RUN chmod +x /usr/local/bin/*.sh
 COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/shibboleth/* /etc/shibboleth/
 RUN cp /dev/null /etc/httpd/conf.d/ssl.conf 

diff --git a/container_files/tier-support/test/grouperContainerUnitTest.sh b/container_files/tier-support/test/grouperContainerUnitTest.sh
@@ -5,7 +5,7 @@ if [ "$#" -ne 3 ]; then
   exit 1
 fi
 
-expectedSuccesses=412
+expectedSuccesses=521
 
 export containerName=$1
 export imageName=$2
@@ -27,6 +27,8 @@ export failureCount=0
 . ./grouperContainerUnitTestScim.sh
 . ./grouperContainerUnitTestWs.sh
 . ./grouperContainerUnitTestQuickstart.sh
+. ./grouperContainerUnitTestUiSubimage.sh
+. ./grouperContainerUnitTestUiSubimageNonroot.sh
 
 
 testContainerUi
@@ -38,8 +40,12 @@ testContainerScim
 testContainerWs
 testContainerQuickstart
 testContainerDaemon
+testContainerUiSubimage
+testContainerUiSubimageNonroot
 
 dockerRemoveContainer
+dockerRemoveSubimage
+
 echo ""
 echo "$successCount successes, $failureCount failures"
 if [ "$successCount" = "$expectedSuccesses" ] && [ "$failureCount" = "0" ]  ; then
@@ -57,6 +63,8 @@ unset -f globalSleepSecondsAfterRun
 unset -f testContainerQuickstart
 unset -f testContainerDaemon
 unset -f testContainerUi
+unset -f testContainerUiSubimage
+unset -f testContainerUiSubimageNonroot
 unset -f testContainerUiNoSsl
 unset -f testContainerUiDifferentPorts
 unset -f testContainerSlashRoot

diff --git a/container_files/tier-support/test/grouperContainerUnitTestLibrary.sh b/container_files/tier-support/test/grouperContainerUnitTestLibrary.sh
@@ -11,6 +11,19 @@ dockerRemoveContainer() {
   fi
 }
 
+dockerRemoveSubimage() {
+  if [ "$#" -ne 0 ]; then
+    echo "You must enter exactly 0 arguments"
+    exit 1
+  fi
+  subimageId="my_$containerName"
+  subimageName="$subimageId:latest"
+  if [ "$(docker images | grep $subimageId)" ]
+    then
+      docker rmi -f $subimageName
+  fi
+}
+
 # pass in string description, expected value, actual value
 assertEquals() {
   if [ "$#" -ne 3 ]; then
@@ -230,6 +243,7 @@ grouperContainerUnitTestLibrary_unsetAll() {
   unset -f assertNumberOfShibProcesses
   unset -f assertNumberOfTomcatProcesses
   unset -f dockerRemoveContainer
+  unset -f dockerRemoveSubimage
   unset -f grouperContainerUnitTestLibrary_unsetAll
   unset -f runCommand
 }
@@ -250,6 +264,7 @@ grouperContainerUnitTestLibrary_exportAll() {
   export -f assertNumberOfShibProcesses
   export -f assertNumberOfTomcatProcesses
   export -f dockerRemoveContainer
+  export -f dockerRemoveSubimage
   export -f grouperContainerUnitTestLibrary_unsetAll
   export -f runCommand
 }

diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh b/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+testContainerUiSubimage() {
+
+  if [ "$#" -ne 0 ]; then
+    echo "You must enter exactly 0 command line arguments"
+    exit 1
+  fi
+
+  dockerRemoveContainer
+  dockerRemoveSubimage
+
+  subimageId="my_$containerName"
+  subimageName="$subimageId:latest"
+
+  echo "" > Dockerfile
+  echo "FROM $imageName" >> Dockerfile
+  echo "ENV GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES 1.1.1.1/32" >> Dockerfile
+  echo "" >> Dockerfile
+
+  echo
+  echo '################'
+  echo Running container with subimage as ui
+  echo cat DockerFile
+  cat Dockerfile
+  echo "docker build -t $subimageId ."
+  echo "docker run --detach --name $containerName --publish 443:443 $subimageId ui"
+  echo '################'
+  echo
+
+  docker build -t "$subimageId" .
+
+  docker run --detach --name $containerName --publish 443:443 $subimageId ui
+  sleep $globalSleepSecondsAfterRun
+
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libWs/axis2-kernel-1.6.4.jar
+  assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/axis2-kernel-1.6.4.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libScim/stax-api-1.0-2.jar
+  assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/stax-api-1.0-2.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/lib/grouper-messaging-activemq-2.5.27.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/grouper-messaging-activemq-2.5.27.jar
+
+  assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
+  assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
+  assertFileContains /etc/httpd/conf/httpd.conf "Listen 80"
+  assertFileContains /opt/tier-support/supervisord.conf "program:shibbolethsp"
+  assertFileContains /opt/tier-support/supervisord.conf "program:tomee"
+  assertFileContains /opt/tier-support/supervisord.conf "program:httpd"
+  assertFileContains /opt/tier-support/supervisord.conf "user=shibd"
+  assertFileNotContains /opt/tier-support/supervisord.conf "program:hsqldb"
+  assertFileNotContains /opt/tier-support/supervisord.conf "__"
+  assertFileContains /etc/httpd/conf.d/ssl-enabled.conf cachain.pem
+  assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
+
+  assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "/tmp/logpipe"
+  assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "grouper-ui;"
+
+  assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties grouperPasswordConfigOverride_UI_GrouperSystem_pass.elConfig
+  assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties thisPassIsCopyrightedDontUse
+
+  assertFileContains /etc/httpd/conf.d/grouper-www.conf "3600"
+  assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "__"
+
+  assertEnvVar GROUPERSCIM_PROXY_PASS "#"
+  assertEnvVar GROUPERSCIM_URL_CONTEXT "grouper-ws-scim"
+  assertEnvVar GROUPERWS_PROXY_PASS "#"
+  assertEnvVar GROUPERWS_URL_CONTEXT "grouper-ws"
+  assertEnvVar GROUPER_APACHE_AJP_TIMEOUT_SECONDS "3600"
+  assertEnvVar GROUPER_APACHE_NONSSL_PORT "80"
+  assertEnvVar GROUPER_APACHE_SSL_PORT "443"
+  assertEnvVar GROUPER_CHOWN_DIRS "true"
+  assertEnvVar GROUPER_CONTAINER_VERSION "$containerVersion"
+  assertEnvVar GROUPER_DAEMON "false"
+  assertEnvVar GROUPER_GSH_CHECK_USER "true"
+  assertEnvVar GROUPER_GSH_USER "tomcat"
+  assertEnvVar GROUPER_HOME "/opt/grouper/grouperWebapp/WEB-INF"
+  assertEnvVar GROUPER_LOG_PREFIX "grouper-ui"
+  assertEnvVar GROUPER_MAX_MEMORY "1500m"
+  assertEnvVar GROUPER_PROXY_PASS ""
+  assertEnvVar GROUPER_RUN_APACHE "true"
+  assertEnvVar GROUPER_RUN_PROCESSES_AS_USERS "true"
+  assertEnvVar GROUPER_RUN_SHIB_SP "true"
+  assertEnvVar GROUPER_RUN_TOMEE "true"
+  assertEnvVar GROUPER_SCIM "false"
+  assertEnvVar GROUPER_SCIM_GROUPER_AUTH "false"
+  assertEnvVar GROUPER_TOMCAT_CONTEXT "grouper"
+  assertEnvVar GROUPER_UI "true"
+  assertEnvVar GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES "1.1.1.1/32"
+  assertEnvVar GROUPER_UI_GROUPER_AUTH "false"
+  assertEnvVar GROUPER_UI_ONLY "true"
+  assertEnvVar GROUPER_URL_CONTEXT "grouper"
+  assertEnvVar GROUPER_USE_SSL "true"
+  assertEnvVar GROUPER_WS "false"
+  assertEnvVar GROUPER_WS_GROUPER_AUTH "false"
+
+  assertNumberOfTomcatProcesses 1
+  # bad cert apache wont start
+  assertNumberOfApacheProcesses 0
+  assertNumberOfShibProcesses 1
+
+  assertNotListeningOnPort 443
+  assertNotListeningOnPort 80
+  assertListeningOnPort 8009
+  assertNotListeningOnPort 9001
+
+
+}
+export -f testContainerUiSubimage
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiSubimageNonroot.sh b/container_files/tier-support/test/grouperContainerUnitTestUiSubimageNonroot.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+testContainerUiSubimageNonroot() {
+
+  if [ "$#" -ne 0 ]; then
+    echo "You must enter exactly 0 command line arguments"
+    exit 1
+  fi
+
+  dockerRemoveContainer
+  dockerRemoveSubimage
+
+  subimageId="my_$containerName"
+  subimageName="$subimageId:latest"
+  myId="$(id -u)"
+
+  echo "" > Dockerfile
+  echo "FROM $imageName" >> Dockerfile
+  echo "RUN /usr/local/bin/changeUid.sh tomcat $myId" >> Dockerfile
+  echo "" >> Dockerfile
+
+  echo
+  echo '################'
+  echo Running container with subimage as ui without root
+  echo cat DockerFile
+  cat Dockerfile
+  echo "docker build -t $subimageId ."
+  echo "docker run --detach --name $containerName -u $myId -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true --publish 8080:8080 $subimageId ui"
+  echo '################'
+  echo
+
+  docker build -t "$subimageId" .
+
+  docker run --detach --name $containerName -u $myId -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true --publish 8080:8080 $subimageId ui
+  sleep $globalSleepSecondsAfterRun
+
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libWs/axis2-kernel-1.6.4.jar
+  assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/axis2-kernel-1.6.4.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libScim/stax-api-1.0-2.jar
+  assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/stax-api-1.0-2.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/lib/grouper-messaging-activemq-2.5.27.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/grouper-messaging-activemq-2.5.27.jar
+
+  assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "/tmp/logpipe"
+  assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "grouper-ui;"
+
+  assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties grouperPasswordConfigOverride_UI_GrouperSystem_pass.elConfig
+  assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties thisPassIsCopyrightedDontUse
+
+  assertEnvVar GROUPERSCIM_PROXY_PASS "#"
+  assertEnvVar GROUPERSCIM_URL_CONTEXT "grouper-ws-scim"
+  assertEnvVar GROUPERWS_PROXY_PASS "#"
+  assertEnvVar GROUPERWS_URL_CONTEXT "grouper-ws"
+  assertEnvVar GROUPER_APACHE_AJP_TIMEOUT_SECONDS "3600"
+  assertEnvVar GROUPER_APACHE_NONSSL_PORT "80"
+  assertEnvVar GROUPER_APACHE_SSL_PORT "443"
+  assertEnvVar GROUPER_CHOWN_DIRS "true"
+  assertEnvVar GROUPER_CONTAINER_VERSION "$containerVersion"
+  assertEnvVar GROUPER_DAEMON "false"
+  assertEnvVar GROUPER_GSH_CHECK_USER "true"
+  assertEnvVar GROUPER_GSH_USER "tomcat"
+  assertEnvVar GROUPER_HOME "/opt/grouper/grouperWebapp/WEB-INF"
+  assertEnvVar GROUPER_LOG_PREFIX "grouper-ui"
+  assertEnvVar GROUPER_MAX_MEMORY "1500m"
+  assertEnvVar GROUPER_PROXY_PASS ""
+  assertEnvVarNot GROUPER_RUN_APACHE "true"
+  assertEnvVar GROUPER_RUN_PROCESSES_AS_USERS "true"
+  assertEnvVarNot GROUPER_RUN_SHIB_SP "true"
+  assertEnvVar GROUPER_RUN_TOMEE "true"
+  assertEnvVar GROUPER_SCIM "false"
+  assertEnvVar GROUPER_SCIM_GROUPER_AUTH "false"
+  assertEnvVar GROUPER_TOMCAT_CONTEXT "grouper"
+  assertEnvVar GROUPER_UI "true"
+  assertEnvVar GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES "127.0.0.1/32"
+  assertEnvVar GROUPER_UI_GROUPER_AUTH "false"
+  assertEnvVar GROUPER_UI_ONLY "true"
+  assertEnvVar GROUPER_URL_CONTEXT "grouper"
+  assertEnvVar GROUPER_USE_SSL "true"
+  assertEnvVar GROUPER_WS "false"
+  assertEnvVar GROUPER_WS_GROUPER_AUTH "false"
+
+  assertNumberOfTomcatProcesses 13
+  # bad cert apache wont start
+  assertNumberOfApacheProcesses 0
+  assertNumberOfShibProcesses 0
+
+  assertNotListeningOnPort 443
+  assertNotListeningOnPort 80
+  assertListeningOnPort 8009
+  assertNotListeningOnPort 9001
+
+}
+export -f testContainerUiSubimageNonroot
diff --git a/container_files/usr-local-bin/changeGid.sh b/container_files/usr-local-bin/changeGid.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root" 
+   exit 1
+fi
+if [ "$#" -ne 2 ]; then
+  echo "You must enter exactly 2 command line arguments: groupname, and gid to change to"
+  exit 1
+fi
+groupname=$1
+newGid=$2
+getentOutput="$(getent group "$groupname")"
+oldGid="$( echo "$getentOutput" |cut -d\: -f3 )"
+groupmod -g "$newGid" "$groupname"
+find / -xdev -type d -group "$oldGid" -exec chgrp -h "$groupname" {} \;
diff --git a/container_files/usr-local-bin/changeUid.sh b/container_files/usr-local-bin/changeUid.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root" 
+   exit 1
+fi
+if [ "$#" -ne 2 ]; then
+  echo "You must enter exactly 2 command line arguments: username, and uid to change to"
+  exit 1
+fi
+username=$1
+newUid=$2
+oldUid="$(id -u "$username")"
+usermod -u "$newUid" "$username"
+find / -xdev -type d -user "$oldUid" -exec chown -h "$username" {} \;
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
@@ -2,20 +2,22 @@
 
 prep_quickstart() {
 
-    if [ -z "$GROUPER_RUN_HSQLDB" ]; then export GROUPER_RUN_HSQLDB=true; fi
+
+
+    if [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" != "true" ]; then
+      if [ -z "$GROUPER_RUN_HSQLDB" ]; then export GROUPER_RUN_HSQLDB=true; fi
+      if [ -z "$GROUPER_SELF_SIGNED_CERT" ]; then export GROUPER_SELF_SIGNED_CERT=true; fi
+      if [ -z "$GROUPER_START_DELAY_SECONDS" ]; then export GROUPER_START_DELAY_SECONDS='10'; fi
+      if [ -z "$GROUPER_DATABASE_URL_FILE" ] && [ -z "$GROUPER_DATABASE_URL" ]; then export GROUPER_DATABASE_URL=jdbc:hsqldb:hsql://localhost:9001/grouper; fi
+      if [ -z "$GROUPER_DATABASE_USERNAME_FILE" ] && [ -z "$GROUPER_DATABASE_USERNAME" ]; then export GROUPER_DATABASE_USERNAME=sa; fi
+    fi
     if [ -z "$GROUPER_RUN_SHIB_SP" ]; then export GROUPER_RUN_SHIB_SP=false; fi
-    if [ -z "$GROUPER_SELF_SIGNED_CERT" ]; then export GROUPER_SELF_SIGNED_CERT=true; fi
     if [ -z "$GROUPER_AUTO_DDL_UPTOVERSION" ]; then export GROUPER_AUTO_DDL_UPTOVERSION='v2.5.*'; fi
     if [ -z "$GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES" ]; then export GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES='0.0.0.0/0'; fi
     # wait for database to start
-    if [ -z "$GROUPER_START_DELAY_SECONDS" ]; then export GROUPER_START_DELAY_SECONDS='10'; fi
     if [ -z "$GROUPER_UI_GROUPER_AUTH" ]; then export GROUPER_UI_GROUPER_AUTH='true'; fi
     if [ -z "$GROUPER_WS_GROUPER_AUTH" ]; then export GROUPER_WS_GROUPER_AUTH='true'; fi
     if [ -z "$GROUPER_SCIM_GROUPER_AUTH" ] ; then export GROUPER_SCIM_GROUPER_AUTH=true; fi
-
-    if [ -z "$GROUPER_DATABASE_URL_FILE" ] && [ -z "$GROUPER_DATABASE_URL" ] ; then export GROUPER_DATABASE_URL=jdbc:hsqldb:hsql://localhost:9001/grouper; fi
-    if [ -z "$GROUPER_DATABASE_USERNAME_FILE" ] && [ -z "$GROUPER_DATABASE_USERNAME" ] ; then export GROUPER_DATABASE_USERNAME=sa; fi
-
     if [ -z "$GROUPER_QUICKSTART" ]; then export GROUPER_QUICKSTART=true; fi
 
 }
@@ -28,14 +30,14 @@ prep_daemon() {
 
 prep_scim() {
     if [ -z "$GROUPER_SCIM" ]; then export GROUPER_SCIM=true; fi
-    if [ -z "$GROUPER_RUN_APACHE" ]; then export GROUPER_RUN_APACHE=true; fi
+    if [ -z "$GROUPER_RUN_APACHE" ] && [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" != "true" ]; then export GROUPER_RUN_APACHE=true; fi
     if [ -z "$GROUPER_RUN_TOMEE" ]; then export GROUPER_RUN_TOMEE=true; fi
 }
 
 prep_ui() {
     if [ -z "$GROUPER_UI" ]; then export GROUPER_UI=true; fi
-    if [ -z "$GROUPER_RUN_APACHE" ]; then export GROUPER_RUN_APACHE=true; fi
-    if [ -z "$GROUPER_RUN_SHIB_SP" ]; then export GROUPER_RUN_SHIB_SP=true; fi
+    if [ -z "$GROUPER_RUN_APACHE" ] && [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" != "true" ]; then export GROUPER_RUN_APACHE=true; fi
+    if [ -z "$GROUPER_RUN_SHIB_SP" ] && [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" != "true" ]; then export GROUPER_RUN_SHIB_SP=true; fi
     if [ -z "$GROUPER_RUN_TOMEE" ]; then export GROUPER_RUN_TOMEE=true; fi
 }
 
@@ -80,7 +82,7 @@ prep_runScim() {
 prep_ws() {
 
     if [ -z "$GROUPER_WS" ]; then export GROUPER_WS=true; fi
-    if [ -z "$GROUPER_RUN_APACHE" ]; then export GROUPER_RUN_APACHE=true; fi
+    if [ -z "$GROUPER_RUN_APACHE" ] && [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" != "true" ]; then export GROUPER_RUN_APACHE=true; fi
     if [ -z "$GROUPER_RUN_TOMEE" ]; then export GROUPER_RUN_TOMEE=true; fi
 }
 
@@ -154,6 +156,8 @@ prep_finishBegin() {
     if [ -z "$GROUPER_GSH_CHECK_USER" ] ; then export GROUPER_GSH_CHECK_USER=true; fi
     if [ -z "$GROUPER_GSH_USER" ] ; then export GROUPER_GSH_USER=tomcat; fi
 
+     if [ -z "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" ]; then export GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=false; fi
+
 }
 
 prep_finishEnd() {