Merge branch 'release/v3.9.3'

.gitlab-ci.yml

@@ -20,3 +20,4 @@ include:
   - local: '/.gitlab-ci/Jobs/publish.yaml'
   - local: '/.gitlab-ci/Jobs/docker-compose-file-upload.yml'
   - local: '/.gitlab-ci/Jobs/entrypoint_test.yml'
+  - local: '/.gitlab-ci/Jobs/test_compose_files.yml'

.gitlab-ci/Jobs/publish.yaml

@@ -18,7 +18,7 @@
     --dockerfile /dev/stdin \
     --destination "$IMAGE_NAME:latest-$PASSBOLT_IMAGE_FLAVOUR" \
     --destination "$IMAGE_NAME:$PASSBOLT_VERSION" \
-    --destination "$IMAGE_NAME:$PASSBOLT_VERSION-$PASSBOLT_IMAGE_FLAVOUR" 
+    --destination "$IMAGE_NAME:$PASSBOLT_VERSION-$PASSBOLT_IMAGE_FLAVOUR"
 
 .publish-command-latest: &publish-command-latest |
   echo "FROM  $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR:-local}-${DOCKER_TAG}-latest" | /kaniko/executor --context $CI_PROJECT_DIR \
@@ -40,6 +40,8 @@
 
 publish-ce:
   extends: .publish
+  variables:
+    PASSBOLT_FLAVOUR: "ce"
   script:
     - *docker-authentication
     - *publish-command
@@ -48,6 +50,7 @@ publish-ce:
 publish-ce-non-root:
   extends: .publish
   variables:
+    PASSBOLT_FLAVOUR: "ce"
     DOCKER_TAG: "rootless"
     PASSBOLT_IMAGE_FLAVOUR: "ce-non-root"
   script:
@@ -57,6 +60,7 @@ publish-ce-non-root:
 publish-pro:
   extends: .publish
   variables:
+    PASSBOLT_FLAVOUR: "pro"
     PASSBOLT_IMAGE_FLAVOUR: "pro"
   script:
     - *docker-authentication
@@ -69,11 +73,11 @@ publish-pro-non-root:
   extends: .publish
   variables:
     DOCKER_TAG: "rootless"
+    PASSBOLT_FLAVOUR: "pro"
     PASSBOLT_IMAGE_FLAVOUR: "pro-non-root"
   script:
     - *docker-authentication
     - *publish-command
   rules:
     - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "pro"'
       when: on_success
-

.gitlab-ci/Jobs/rules.yml

@@ -1,4 +1,4 @@
 .rules:
   rules:
-  - if:  '$CI_COMMIT_BRANCH && $PASSBOLT_PUBLISH != "OPPOSITE_FLAVOUR"'
-    when: on_success
+    - if: "$CI_COMMIT_BRANCH && $PASSBOLT_PUBLISH != $OPPOSITE_FLAVOUR"
+      when: on_success

.gitlab-ci/Jobs/test_compose_files.yml

@@ -0,0 +1,4 @@
+docker_compose_files:
+  extends: .test-images
+  variables:
+    TEST_NAME: docker_compose_files

CHANGELOG.md

@@ -2,7 +2,17 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.9.2...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.9.3...HEAD)
+
+## [3.9.3](https://github.com/passbolt/passbolt_docker/compare/v3.9.2...v3.9.3) - 2023-03-17
+
+### Added
+- Allow SHA1 overwrite from build_args [#191](https://github.com/passbolt/passbolt_docker/pull/191)
+- Bumped supercronic to latest version on rootless images 0.2.2
+- Updated dev container to work with ldap
+
+### Fixed
+- Docker compose ports [#180](https://github.com/passbolt/passbolt_docker/pull/180)
 
 ## [3.9.2](https://github.com/passbolt/passbolt_docker/compare/v3.9.1...v3.9.2) - 2023-02-09
 

debian/Dockerfile.rootless

@@ -3,6 +3,8 @@ FROM debian:bullseye-slim
 LABEL maintainer="Passbolt SA <[email protected]>"
 
 ARG SUPERCRONIC_ARCH=amd64
+ARG SUPERCRONIC_SHA1SUM=2319da694833c7a147976b8e5f337cd83397d6be
+
 ARG PASSBOLT_DISTRO="buster"
 ARG PASSBOLT_COMPONENT="stable"
 ARG PASSBOLT_SERVER_KEY="hkps://keys.mailvelope.com "
@@ -13,24 +15,23 @@ ARG PASSBOLT_REPO_URL="https://download.passbolt.com/$PASSBOLT_FLAVOUR/debian"
 ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
 ENV PHP_VERSION=7.4
 ENV GNUPGHOME=/var/lib/passbolt/.gnupg
-ENV SUPERCRONIC_VERSION=0.1.12
+ENV SUPERCRONIC_VERSION=0.2.2
 ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v${SUPERCRONIC_VERSION}/supercronic-linux-${SUPERCRONIC_ARCH} \
-    SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH} \
-    SUPERCRONIC_SHA1SUM=048b95b48b708983effb2e5c935a1ef8483d9e3e
+    SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH}
 ENV PASSBOLT_FLAVOUR="${PASSBOLT_FLAVOUR}"
 
 RUN apt-get update \
     && DEBIAN_FRONTEND=non-interactive apt-get -y install \
-      ca-certificates \
-      gnupg \
+    ca-certificates \
+    gnupg \
     && apt-key adv --keyserver $PASSBOLT_SERVER_KEY --recv-keys $PASSBOLT_PKG_KEY \
     && echo "deb $PASSBOLT_REPO_URL $PASSBOLT_DISTRO $PASSBOLT_COMPONENT" > /etc/apt/sources.list.d/passbolt.list \
     && apt-get update \
     && DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
-      nginx \
-      $PASSBOLT_PKG \
-      supervisor \
-      curl \
+    nginx \
+    $PASSBOLT_PKG \
+    supervisor \
+    curl \
     && rm -f /etc/passbolt/jwt/* \
     && curl -fsSLO "$SUPERCRONIC_URL" \
     && echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
@@ -57,7 +58,7 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
     && sed -i "s,unix:/run/php/php$PHP_VERSION-fpm.sock,127.0.0.1:9000," /etc/nginx/sites-enabled/nginx-passbolt.conf \
     && sed -i "s,pid = /run/php/php$PHP_VERSION-fpm.pid,pid = /tmp/php$PHP_VERSION-fpm.pid," /etc/php/$PHP_VERSION/fpm/php-fpm.conf \
     && sed -i 's,/var/run/supervisor.sock,/tmp/supervisor.sock,' /etc/supervisor/supervisord.conf \
-# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+    # nginx user must own the cache and etc directory to write cache and tweak the nginx config
     #&& chown -R www-data:0 /var/cache/nginx \
     #&& chmod -R g+w /var/cache/nginx \
     && chown -R www-data:0 /etc/nginx \
@@ -78,7 +79,7 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
     && sed -i "s,__PASSBOLT_PACKAGE__,$PASSBOLT_PKG," /etc/supervisor/conf.d/cron.conf \
     && touch /etc/environment \
     && chown www-data:www-data /etc/environment \
-    && chmod 600 /etc/environment 
+    && chmod 600 /etc/environment
 
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
 COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf

dev/Dockerfile

@@ -20,7 +20,6 @@ ARG PHP_EXTENSIONS="gd \
 
 ARG PECL_PASSBOLT_EXTENSIONS="gnupg \
       redis \
-      mcrypt\
       xdebug"
 
 ARG PASSBOLT_DEV_PACKAGES="libgpgme11-dev \
@@ -31,6 +30,7 @@ ARG PASSBOLT_DEV_PACKAGES="libgpgme11-dev \
       libmcrypt-dev \
       libldap2-dev \
       libzip-dev \
+      libldap2-dev \
       unzip \
       zip"
 

dev/README.md

@@ -68,6 +68,28 @@ docker-compose -f dev/docker-compose-ce.yaml exec passbolt /bin/bash -c \
 
 8. Copy-paste the output in the browser and you are ready!
 
+# Setup LDAP
+
+1. Add an entry for `ldap.local` inside your /etc/hosts file:
+```
+127.0.0.1   ldap.local
+```
+2. Run docker compose with the `--profile ldap` parameter
+3. Visit http://localhost:8080/ using your web browser, and login with the following credentials:
+  - Login DN:  `cn=admin,dc=example,dc=org`
+  - Password:  `admin`
+4. Click the Import button and upload the [LDAP init file](./ldap/init.ldiff)
+5. Navigate to https://passbolt.local, login and put the following configuration under Administration > User Directory:
+  - Directory Type:  `Open Ldap`
+  - Server url:      `ldap://openldap:389`
+  - Username:        `cn=admin,dc=example,dc=org`
+  - Password:        `admin`
+  - Domain:          `ldap.local`
+  - Base DN:         `dc=example,dc=org`
+6. Click the button to test the configuration, ensure the dummy data has been processed and click the button to save the settings
+
+**Note:** If you get an "Internal Server Error" while testing the configurations and you are using the php debug mode, set the debug flag to false (e.g. in passbolt.php) and try again.
+
 # Setup xDebug
 
 In order to setup xDebug with an IDE or code editor, please use dev/Dockerfile or docker-compose/docker-compose-dev.yaml to spin up a development stack, which already contains xDebug configured to run within the Passbolt server.

dev/docker-compose-dev.yaml

@@ -16,8 +16,6 @@ services:
     build:
       context: ..
       dockerfile: dev/Dockerfile
-      args:
-        PECL_PASSBOLT_EXTENSIONS: "redis gnupg xdebug"
     container_name: passbolt
     depends_on:
       - db
@@ -59,6 +57,55 @@ services:
       - "1025:1025" # SMTP server
       - "9502:8025" # Web UI
 
+  openldap:
+    image: osixia/openldap:latest
+    container_name: openldap
+    command: --copy-service # needed to copy init file
+    profiles:
+      - ldap
+    environment:
+      LDAP_LOG_LEVEL: "256"
+      LDAP_ORGANISATION: "Example Inc."
+      LDAP_DOMAIN: "example.org"
+      LDAP_BASE_DN: ""
+      LDAP_ADMIN_PASSWORD: "admin"
+      LDAP_CONFIG_PASSWORD: "config"
+      LDAP_READONLY_USER: "false"
+      LDAP_RFC2307BIS_SCHEMA: "false"
+      LDAP_BACKEND: "mdb"
+      LDAP_TLS: "true"
+      LDAP_TLS_CRT_FILENAME: "ldap.crt"
+      LDAP_TLS_KEY_FILENAME: "ldap.key"
+      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
+      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
+      LDAP_TLS_ENFORCE: "false"
+      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
+      LDAP_TLS_VERIFY_CLIENT: "demand"
+      LDAP_REPLICATION: "false"
+      KEEP_EXISTING_CONFIG: "false"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+      LDAP_SSL_HELPER_PREFIX: "ldap"
+    tty: true
+    stdin_open: true
+    ports:
+      - "389:389"
+      - "636:636"
+    domainname: "ldap.local"
+    hostname: "ldap-server"
+
+  phpldapadmin:
+    image: osixia/phpldapadmin:latest
+    container_name: phpldapadmin
+    profiles:
+      - ldap
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
+      PHPLDAPADMIN_HTTPS: "false"
+    ports:
+      - "8080:80"
+    depends_on:
+      - openldap
+
 volumes:
   database_volume:
   gpg_volume:

dev/ldap/init.ldif

@@ -0,0 +1,117 @@
+# LDIF Export for dc=example,dc=org
+# Server: openldap (openldap)
+# Search Scope: sub
+# Search Filter: (objectClass=*)
+# Total Entries: 11
+#
+# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on November 17, 2022 8:15 am
+# Version: 1.2.5
+
+version: 1
+
+# Entry 1: dc=example,dc=org
+dn: dc=example,dc=org
+dc: example
+o: Example Inc.
+objectclass: top
+objectclass: dcObject
+objectclass: organization
+
+# Entry 2: ou=Groups,dc=example,dc=org
+dn: ou=Groups,dc=example,dc=org
+objectclass: organizationalUnit
+objectclass: top
+ou: Groups
+
+# Entry 3: cn=accounting,ou=Groups,dc=example,dc=org
+dn: cn=accounting,ou=Groups,dc=example,dc=org
+cn: accounting
+member: uid=asmith1,ou=Users,dc=example,dc=org
+member: uid=jsmith1,ou=Users,dc=example,dc=org
+member: uid=mjones1,ou=Users,dc=example,dc=org
+objectclass: groupOfNames
+objectclass: top
+
+# Entry 4: cn=admins,ou=Groups,dc=example,dc=org
+dn: cn=admins,ou=Groups,dc=example,dc=org
+cn: admins
+member: uid=asmith1,ou=Users,dc=example,dc=org
+member: uid=mjones1,ou=Users,dc=example,dc=org
+member: uid=tjones1,ou=Users,dc=example,dc=org
+objectclass: groupOfNames
+objectclass: top
+
+# Entry 5: cn=testers,ou=Groups,dc=example,dc=org
+dn: cn=testers,ou=Groups,dc=example,dc=org
+cn: testers
+member: uid=asmith1,ou=Users,dc=example,dc=org
+member: uid=jsmith1,ou=Users,dc=example,dc=org
+member: uid=mjones1,ou=Users,dc=example,dc=org
+member: uid=tjones1,ou=Users,dc=example,dc=org
+objectclass: groupOfNames
+objectclass: top
+
+# Entry 6: ou=Users,dc=example,dc=org
+dn: ou=Users,dc=example,dc=org
+objectclass: organizationalUnit
+objectclass: top
+ou: Users
+
+# Entry 7: uid=asmith1,ou=Users,dc=example,dc=org
+dn: uid=asmith1,ou=Users,dc=example,dc=org
+cn: alex Smith
+description: John Smith from Accounting.  John is the projectmanager of theb
+ uilding project, so contact him with any questions.
+givenname: Alex
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: top
+sn: Smith
+uid: asmith1
+
+# Entry 8: uid=jsmith1,ou=Users,dc=example,dc=org
+dn: uid=jsmith1,ou=Users,dc=example,dc=org
+cn: John Smith
+description: John Smith from Accounting.  John is the projectmanager of theb
+ uilding project, so contact him with any questions.
+givenname: John
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: top
+ou: testers
+sn: Smith
+uid: jsmith1
+
+# Entry 9: uid=mjones1,ou=Users,dc=example,dc=org
+dn: uid=mjones1,ou=Users,dc=example,dc=org
+cn: Tom Jones
+description: Mark Jones from marketing.
+givenname: Mark
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: top
+sn: Jones
+uid: mjones1
+
+# Entry 10: uid=ssmith1,ou=Users,dc=example,dc=org
+dn: uid=ssmith1,ou=Users,dc=example,dc=org
+cn: Steve Smith
+description: Steve Smith from Accounting.  John is the projectmanager of the
+ building project, so contact him with any questions.
+givenname: Steve
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: top
+sn: Smith
+uid: ssmith1
+
+# Entry 11: uid=tjones1,ou=Users,dc=example,dc=org
+dn: uid=tjones1,ou=Users,dc=example,dc=org
+cn: Tom Jones
+description: Tom Jones from marketing.
+givenname: Tom
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: top
+sn: Jones
+uid: tjones1

docker-compose/docker-compose-ce-postgresql.yaml

@@ -45,8 +45,8 @@ services:
       - 80:80
       - 443:443
     #Alternatively for non-root images:
-    # - 8080:80
-    # - 4433:433
+    # - 80:8080
+    # - 443:4433
 
 volumes:
   database_volume:

docker-compose/docker-compose-ce.yaml

@@ -32,8 +32,8 @@ services:
       - 80:80
       - 443:443
     #Alternatively for non-root images:
-    # - 8080:80
-    # - 4433:433
+    # - 80:8080
+    # - 443:4433
 
 volumes:
   database_volume: