From 93acf6b87ce9c5338ec20581b4e1d0645ce2fa13 Mon Sep 17 00:00:00 2001
From: mchyzer
Date: Sat, 25 Nov 2023 16:53:30 -0500
Subject: [PATCH] 5.6.0
---
Dockerfile | 4 +-
container_files/usr-local-bin/containerPing | 11 +++++
container_files/usr-local-bin/gsh | 4 +-
container_files/usr-local-bin/libraryPrep.sh | 13 ++++--
.../usr-local-bin/libraryRunCommand.sh | 4 +-
.../usr-local-bin/librarySetupFiles.sh | 46 ++++++++++++++++++-
.../usr-local-bin/librarySetupFilesTomcat.sh | 2 +-
7 files changed, 71 insertions(+), 13 deletions(-)
create mode 100755 container_files/usr-local-bin/containerPing
diff --git a/Dockerfile b/Dockerfile
index 161cbef8..53cfc5cb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,8 +8,8 @@ LABEL author="tier-packaging@internet2.edu " \
 ARG GROUPER_CONTAINER_VERSION
-ENV GROUPER_VERSION=5.5.0 \
- GROUPER_CONTAINER_VERSION=5.5.0 \
+ENV GROUPER_VERSION=5.6.0 \
+ GROUPER_CONTAINER_VERSION=5.6.0 \
 JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto \
 PATH=$PATH:$JAVA_HOME/bin \
 GROUPER_HOME=/opt/grouper/grouperWebapp/WEB-INF
diff --git a/container_files/usr-local-bin/containerPing b/container_files/usr-local-bin/containerPing
new file mode 100755
index 00000000..18b70804
--- /dev/null
+++ b/container_files/usr-local-bin/containerPing
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+prep_daemon
+prep_finish
+setupFiles
+runCommand_unsetAll
+
+export GSH_JVMARGS="$GSH_JVMARGS -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
+
+# sample command every 10 minutes, just a ping to keep container running, for testing
+/usr/bin/ping -i 600 google.com
diff --git a/container_files/usr-local-bin/gsh b/container_files/usr-local-bin/gsh
index a9826835..27b56968 100755
--- a/container_files/usr-local-bin/gsh
+++ b/container_files/usr-local-bin/gsh
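Review bot: The keep-alive at the end of containerPing, `/usr/bin/ping -i 600 google.com`, ties the container's lifetime to ICMP egress to an external host: in a runtime that drops CAP_NET_RAW or allows no outbound traffic, ping exits non-zero right away and the container stops, and a sample entrypoint that contacts an external host by default is also the first thing an egress-policy review will flag. A loop such as `while :; do sleep 600; done` (or `sleep infinity`) keeps the container up with no network or capability requirement. The `export GSH_JVMARGS=...` line looks copied from gsh and is not consumed by anything in this script, so it could be dropped or explained. prep_daemon, prep_finish and setupFiles are presumably exported shell functions (setupFiles_exportAll in this commit uses `export -f`), but nothing here sources them, so a one-line header comment stating that the script expects to run inside the prepared entrypoint environment would save the next reader a search.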
@@ -11,9 +11,9 @@ export GSH_JVMARGS="$GSH_JVMARGS -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
 set -o pipefail
 # openshift cannot do whoami
-if [ "$GROUPER_GSH_CHECK_USER" = "true" ] && [ "$GROUPER_GSH_USER" != "$(whoami)" ]
+if [ "$GROUPER_GSH_USER" != "$(whoami)" ] && [ $EUID -eq 0 ]
 then
- echo "grouperContainer; INFO: (gsh file) sudo --preserve-env -u tomcat bin/gsh.sh \"$@\" | tee /tmp/loggrouper"
+ echo "grouperContainer; INFO: (gsh file) sudo --preserve-env -u $GROUPER_GSH_USER bin/gsh.sh \"$@\" | tee /tmp/loggrouper"
 sudo --preserve-env -u tomcat bin/gsh.sh "$@" | tee /tmp/loggrouper
 else
 echo "grouperContainer; INFO: (gsh file) bin/gsh.sh \"$@\" | tee /tmp/loggrouper"
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
index 71890f51..86eedf33 100644
--- a/container_files/usr-local-bin/libraryPrep.sh
+++ b/container_files/usr-local-bin/libraryPrep.sh
@@ -275,8 +275,13 @@ prep_finishBegin() {
 fi
 if [ -z "$GROUPER_RUN_PROCESSES_AS_USERS" ]; then
- echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_RUN_PROCESSES_AS_USERS=true"
- export GROUPER_RUN_PROCESSES_AS_USERS=true
+ if [[ $EUID -eq 0 ]]; then
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) running as root: export GROUPER_RUN_PROCESSES_AS_USERS=true"
+ export GROUPER_RUN_PROCESSES_AS_USERS=true
+ else
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) not running as root: export GROUPER_RUN_PROCESSES_AS_USERS=false"
+ export GROUPER_RUN_PROCESSES_AS_USERS=false
+ fi
 fi
 # do these before the "only" component
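Review bot: The new log line in gsh reports `sudo --preserve-env -u $GROUPER_GSH_USER bin/gsh.sh`, but the command on the very next context line still runs `sudo --preserve-env -u tomcat bin/gsh.sh "$@"`, so whenever GROUPER_GSH_USER is set to anything other than tomcat the log misstates which account gsh actually ran as, which matters when that output is what an operator audits. Either the command should become `sudo --preserve-env -u "$GROUPER_GSH_USER" bin/gsh.sh "$@" | tee /tmp/loggrouper`, or the message should keep saying tomcat; quoting also stops an empty GROUPER_GSH_USER from collapsing into a missing sudo argument. `$EUID` is safe unquoted as a bash arithmetic variable, but this file otherwise tests with `[ ]` and quoted values, so `[ "$EUID" -eq 0 ]` would read consistently. The enclosing if/else continues past the end of the hunk.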
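Review bot: The inner root test added to prep_finishBegin is written as `[[ $EUID -eq 0 ]]` while the enclosing test two lines above uses `[ -z "$GROUPER_RUN_PROCESSES_AS_USERS" ]` and gsh in this same commit spells the equivalent check `[ $EUID -eq 0 ]`; settling on one form for the root check across the three scripts keeps it greppable. The branch also quietly fixes the privilege model for the rest of the run — with GROUPER_RUN_PROCESSES_AS_USERS=false, runCommand later starts catalina.sh as whatever uid the container was launched with — and the INFO line could say so directly, e.g. `... not running as root, tomcat will run as uid $EUID: export GROUPER_RUN_PROCESSES_AS_USERS=false`. prep_finishBegin continues outside the hunk.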
@@ -330,10 +335,10 @@ prep_finishBegin() {
 #Replace web.xml session timeout with env variable
 if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
 if [[ "$GROUPER_UI" != 'true' ]] && [[ "$GROUPER_WS" = 'true' ]]; then
- echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
 export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1
 else
- echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600 (10 hours)"
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600"
 export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600
 fi
diff --git a/container_files/usr-local-bin/libraryRunCommand.sh b/container_files/usr-local-bin/libraryRunCommand.sh
index cb014661..eef80f45 100644
--- a/container_files/usr-local-bin/libraryRunCommand.sh
+++ b/container_files/usr-local-bin/libraryRunCommand.sh
@@ -3,8 +3,8 @@ runCommand() {
 if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ]; then
- echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo -u tomcat /opt/tomcat/bin/catalina.sh run"
- sudo -u tomcat /opt/tomcat/bin/catalina.sh run
+ echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo --preserve-env -u tomcat /opt/tomcat/bin/catalina.sh run"
+ sudo --preserve-env -u tomcat /opt/tomcat/bin/catalina.sh run
 else
 echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: /opt/tomcat/bin/catalina.sh run"
 /opt/tomcat/bin/catalina.sh run
diff --git a/container_files/usr-local-bin/librarySetupFiles.sh b/container_files/usr-local-bin/librarySetupFiles.sh
index 07af1fe1..610ac2c7 100644
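Review bot: Switching the tomcat launch in runCommand to `sudo --preserve-env -u tomcat /opt/tomcat/bin/catalina.sh run` hands the entrypoint's entire root environment to the unprivileged JVM, which includes any credential or token that reached the container as an environment variable (gsh in this commit already reads `USERTOKEN` from it), so the tomcat process — and anything it can be made to dump its environment through — now sees values it did not before. If catalina.sh only needs a known set of variables, `sudo --preserve-env=GROUPER_HOME,JAVA_HOME,... -u tomcat ...` (sudo 1.8.21+) limits the exposure; alternatively export them from /opt/tomcat/bin/setenv.sh so no sudo environment passthrough is needed at all. An unlisted `--preserve-env` also typically needs the SETENV tag in sudoers unless the rule's command is ALL, which is worth confirming for this image. Minor: the INFO echo repeats the command string by hand, and gsh shows how the two then drift apart; keeping the command in an array and logging it with `printf '%q '` avoids that.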
--- a/container_files/usr-local-bin/librarySetupFiles.sh
+++ b/container_files/usr-local-bin/librarySetupFiles.sh
@@ -24,6 +24,44 @@ setupFiles_rsyncSlashRoot() {
 fi
 }
+setupFiles_uid() {
+
+ makeChange=false
+ if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+ makeChange=true
+ elif [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+ makeChange=true
+ elif [ "$GROUPER_TOMCAT_UNIX_GROUP" != "root" ]; then
+ makeChange=true
+ fi
+
+ if [ "$makeChange" = "true" ]; then
+ if [[ $EUID -ne 0 ]]; then
+ echo "grouperContainer; ERROR: (librarySetupFiles.sh-setupFiles_uid) Cannot set tomcat UID/GID/unixGroup if not running the container as root"
+ exit 1
+ fi
+ fi
+
+ if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+
+ /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID, result: $returnCode"
+
+ fi
+
+ if [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+
+ /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID, result: $returnCode"
+
+ fi
+
+ # this is called later: setupFiles_chownDirs to set ownership and privs on filesystem
+
+}
+
 setupFiles_localLogging() {
 additionalLoggersFile=/opt/grouper/grouperWebapp/WEB-INF/classes/log4j2.additionalLoggers.xml.txt
 if [ -f $additionalLoggersFile ]; then
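Review bot: setupFiles_uid passes `$GROUPER_TOMCAT_UID` and `$GROUPER_TOMCAT_GID` unquoted and unvalidated into changeUid.sh/changeGid.sh, and it logs `returnCode` but never acts on it, unlike setupFiles_chownDirs in the same file which exits on a non-zero result — a failed id change therefore continues into the chown step with the account and the filesystem disagreeing about who tomcat is. An unset or empty GROUPER_TOMCAT_UID also compares unequal to "996", so unless both variables are guaranteed a default earlier in the entrypoint (not visible in this diff), a non-root container hits the new `exit 1` and a root container calls `changeUid.sh tomcat` with an empty argument; worth confirming. `makeChange` and `returnCode` should be `local`, and the defaults 996/994 are repeated four times, so naming them once at the top of the function removes the duplication. The rewritten uid branch below defaults the variables harmlessly when they were already set, quotes the value, requires it to be numeric and fails closed; the gid branch would mirror it.
```shell
setupFiles_uid() {

  local makeChange=false returnCode
  local -r defaultUid=996 defaultGid=994
  # unset/empty values would otherwise compare as "changed" and abort a non-root container;
  # these are no-ops when the variables were already defaulted earlier in the entrypoint
  : "${GROUPER_TOMCAT_UID:=$defaultUid}"
  : "${GROUPER_TOMCAT_GID:=$defaultGid}"
  : "${GROUPER_TOMCAT_UNIX_GROUP:=root}"
  # … unchanged: makeChange / EUID check, with "$defaultUid" and "$defaultGid" in place of the literals …

  if [ "$GROUPER_TOMCAT_UID" != "$defaultUid" ]; then
    if ! [[ "$GROUPER_TOMCAT_UID" =~ ^[0-9]+$ ]]; then
      echo "grouperContainer; ERROR: (librarySetupFiles.sh-setupFiles_uid) GROUPER_TOMCAT_UID must be numeric, got: '$GROUPER_TOMCAT_UID'"
      exit 1
    fi
    /usr/local/bin/changeUid.sh tomcat "$GROUPER_TOMCAT_UID"
    returnCode=$?
    echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID, result: $returnCode"
    if [ "$returnCode" != 0 ]; then exit "$returnCode"; fi
  fi

  # … same numeric check, quoting and exit-on-failure for GROUPER_TOMCAT_GID / changeGid.sh …
  # … unchanged: trailing comment about setupFiles_chownDirs …
}
```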
@@ -108,9 +146,9 @@ setupFiles_chownDirs() {
 # do this last
 if [ "$GROUPER_CHOWN_DIRS" = "true" ]
 then
- /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root
+ /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP
 returnCode=$?
- echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root, result: $returnCode"
+ echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP, result: $returnCode"
 if [ $returnCode != 0 ]; then exit $returnCode; fi
 fi
 }
@@ -282,6 +320,8 @@ setupFiles() {
 setupFiles_rsyncSlashRoot
+ setupFiles_uid
+
 setupFiles_analyzeOriginalFiles # do this first
@@ -327,6 +367,7 @@ setupFiles_unsetAll() {
 unset -f setupFiles_originalFile
 unset -f setupFiles_rsyncSlashRoot
 unset -f setupFiles_storeEnvVars
+ unset -f setupFiles_uid
 unset -f setupFiles_unsetAll
 unset -f setupFiles_unsetAllAndFromFiles
 }
@@ -341,6 +382,7 @@ setupFiles_exportAll() {
 export -f setupFiles_originalFile
 export -f setupFiles_rsyncSlashRoot
 export -f setupFiles_storeEnvVars
+ export -f setupFiles_uid
 export -f setupFiles_unsetAll
 export -f setupFiles_unsetAllAndFromFiles
 }
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index 62d88149..0b40ea64 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
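Review bot: `containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP` in setupFiles_chownDirs passes the group unquoted, so an empty or unset variable makes the script receive a single argument and whatever it does with a missing group parameter silently decides the ownership of the webapp tree. Quoting it and failing early keeps that decision explicit: `/opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat "${GROUPER_TOMCAT_UNIX_GROUP:?must be set}"`, or give it a default wherever GROUPER_TOMCAT_UID/GID get theirs. setupFiles_uid, added earlier in this file, already requires root when the value is not root, so a group name that does not exist in the container is the remaining failure mode, and the existing non-zero return check here is what catches it.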
@@ -239,7 +239,7 @@ setupFilesTomcat_sslCertsAnchors() {
 fi
 else
- echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
+ echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so you might need to run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
 fi
 chmod u+w $JAVA_HOME/lib/security/cacerts