From 4fbfec94bfb9b3a00cc233d26b9d55bdf2eb78ed Mon Sep 17 00:00:00 2001 From: mchyzer Date: Sun, 19 Jul 2020 11:14:44 -0400 Subject: [PATCH] GRP-2862: turn off directory indexes in apache in container --- container_files/httpd/httpd.conf.noindexes.patch | 11 +++++++++++ .../tier-support/test/grouperContainerUnitTestUi.sh | 2 ++ .../test/grouperContainerUnitTestUiNoSsl.sh | 4 +++- container_files/usr-local-bin/libraryPrep.sh | 1 + .../usr-local-bin/librarySetupFilesApache.sh | 12 ++++++++++++ 5 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 container_files/httpd/httpd.conf.noindexes.patch diff --git a/container_files/httpd/httpd.conf.noindexes.patch b/container_files/httpd/httpd.conf.noindexes.patch new file mode 100644 index 00000000..d76a47fb --- /dev/null +++ b/container_files/httpd/httpd.conf.noindexes.patch @@ -0,0 +1,11 @@ +--- httpd.conf.20200720 2020-07-19 14:50:57.470136000 +0000 ++++ httpd.conf 2020-07-19 14:51:35.994475000 +0000 +@@ -141,7 +141,7 @@ + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # +- Options Indexes FollowSymLinks ++ Options FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. diff --git a/container_files/tier-support/test/grouperContainerUnitTestUi.sh b/container_files/tier-support/test/grouperContainerUnitTestUi.sh index 7fc79b23..f09d55b3 100644 --- a/container_files/tier-support/test/grouperContainerUnitTestUi.sh +++ b/container_files/tier-support/test/grouperContainerUnitTestUi.sh @@ -40,6 +40,8 @@ testContainerUi() { assertFileContains /opt/tomee/conf/Catalina/localhost/grouper.xml 'cookies="true"' + assertFileNotContains /etc/httpd/conf/httpd.conf "Options Indexes" + assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "/tmp/logpipe" assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "grouper-ui;" 
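Review bot: The added `assertFileNotContains /etc/httpd/conf/httpd.conf "Options Indexes"` in testContainerUi only proves that one literal substring is absent from one file. It would still pass if listings were enabled through `Options +Indexes`, a different option order or spacing, or a file under conf.d, none of which this commit touches. Pairing it with a positive check such as `assertFileContains /etc/httpd/conf/httpd.conf "Options FollowSymLinks"` would at least confirm the patch applied rather than the line merely being missing. If the harness can issue HTTP requests (not visible here), asserting that a directory without an index file is not listed would test the effective configuration. testContainerUi starts and ends outside the hunk.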
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh b/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh index 0dd091df..c016d436 100644 --- a/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh +++ b/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh @@ -12,7 +12,7 @@ testContainerUiNoSsl() { echo echo '################' echo Running container as ui without SSL - echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true $imageName ui" + echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true $imageName ui" echo '################' echo @@ -24,6 +24,8 @@ testContainerUiNoSsl() { assertFileNotExists /etc/httpd/conf.d/ssl-enabled.conf assertFileNotExists /etc/httpd/conf.d/ssl.conf + assertFileContains /etc/httpd/conf/httpd.conf "Options Indexes" + assertFileContains /etc/httpd/conf/httpd.conf "Listen 80" assertFileContains /opt/tier-support/supervisord.conf "program:shibbolethsp" assertFileContains /opt/tier-support/supervisord.conf "program:tomee" diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh index 7aa60213..867d0604 100644 --- a/container_files/usr-local-bin/libraryPrep.sh +++ b/container_files/usr-local-bin/libraryPrep.sh @@ -152,6 +152,7 @@ prep_finishBegin() { if [ -z "$GROUPER_APACHE_SSL_PORT" ] ; then export GROUPER_APACHE_SSL_PORT=443; fi if [ -z "$GROUPER_APACHE_NONSSL_PORT" ] ; then export GROUPER_APACHE_NONSSL_PORT=80; fi + if [ -z "$GROUPER_APACHE_DIRECTORY_INDEXES" ] ; then export GROUPER_APACHE_DIRECTORY_INDEXES=false; fi if [ -z "$GROUPER_GSH_CHECK_USER" ] ; then export GROUPER_GSH_CHECK_USER=true; fi if [ -z "$GROUPER_GSH_USER" ] ; then export GROUPER_GSH_USER=tomcat; fi 
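Review bot: Only the echoed copy of the `docker run` command gains `-e GROUPER_APACHE_DIRECTORY_INDEXES=true` in the first hunk of grouperContainerUnitTestUiNoSsl.sh; the command that actually starts the container lies outside both hunks and is not changed by this commit. If that invocation was not updated as well, the container runs with the new default of `false` and the `assertFileContains /etc/httpd/conf/httpd.conf "Options Indexes"` added in the second hunk would fail, or the echoed line no longer describes what ran. Building the argument list once and using it for both the echo and the run would keep the two from drifting. testContainerUiNoSsl starts and ends outside the hunks.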
diff --git a/container_files/usr-local-bin/librarySetupFilesApache.sh b/container_files/usr-local-bin/librarySetupFilesApache.sh index cb1054cf..676ea0b5 100644 --- a/container_files/usr-local-bin/librarySetupFilesApache.sh +++ b/container_files/usr-local-bin/librarySetupFilesApache.sh @@ -1,5 +1,14 @@ #!/bin/bash +setupFilesApache_indexes() { + if [ "$GROUPER_APACHE_DIRECTORY_INDEXES" = "false" ] + then + # take out the directory indexes from the docroot + cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.pre_noindexes + patch /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/httpd.conf.noindexes.patch + fi +} + setupFilesApache_selfSignedCert() { if [ "$GROUPER_RUN_APACHE" = "true" ] && [ "$GROUPER_SELF_SIGNED_CERT" = "true" ] && [ "$GROUPER_USE_SSL" = "true" ] then @@ -74,10 +83,12 @@ setupFilesApache() { setupFilesApache_ports setupFilesApache_ssl setupFilesApache_serverName + setupFilesApache_indexes } setupFilesApache_unsetAll() { unset -f setupFilesApache + unset -f setupFilesApache_indexes unset -f setupFilesApache_logging unset -f setupFilesApache_ports unset -f setupFilesApache_selfSignedCert @@ -89,6 +100,7 @@ setupFilesApache_unsetAll() { setupFilesApache_exportAll() { export -f setupFilesApache + export -f setupFilesApache_indexes export -f setupFilesApache_logging export -f setupFilesApache_ports export -f setupFilesApache_selfSignedCert
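Review bot: `setupFilesApache_indexes` fails open: listings are removed only when the variable is exactly `false`, so a value such as `False`, `no` or `0` leaves `Options Indexes` in place, and the exit status of `patch` is never checked, so an httpd.conf that no longer matches the hunk at line 141 also leaves listings on without any error. Inverting the test to `if [ "$GROUPER_APACHE_DIRECTORY_INDEXES" != "true" ]` and guarding the call with `patch /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/httpd.conf.noindexes.patch || return 1` would make the hardened state the default outcome. The `cp` also overwrites `httpd.conf.pre_noindexes`, and `patch` is re-applied if setup runs a second time in the same container; whether that can happen is not visible in this diff. How a non-zero return is surfaced depends on the callers of setupFilesApache, which are outside the hunks.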