From 5ff8221f2167ef1e24d02168eb2166bfe7bcd1e4 Mon Sep 17 00:00:00 2001 
From: Daniel Del Rio
Date: Thu, 12 Jan 2023 15:35:19 +0000
Subject: [PATCH 1/3] Feature/pb 21815 add docker secrets support
---
 .gitlab-ci.yml | 3 +-
 .gitlab-ci/Jobs/build_image.yml | 33 +--
 .gitlab-ci/Jobs/container_security_scan.yml | 61 ------
 .gitlab-ci/Jobs/entrypoint_test.yml | 11 +
 .gitlab-ci/Jobs/publish.yaml | 4 +-
 .gitlab-ci/Jobs/rules.yml | 4 +
 .gitlab-ci/Jobs/test_images.yaml | 15 +-
 .gitlab-ci/Jobs/test_vulnerabilities.yaml | 27 ++-
 Gemfile.lock | 45 ++---
 README.md | 25 ++-
 debian/Dockerfile | 8 +-
 debian/Dockerfile.rootless | 8 +-
 debian/bin/docker-entrypoint.sh | 190 ------------------
 debian/bin/docker-entrypoint.sh.rootless | 190 ------------------
 debian/entrypoint/.shellspec | 12 ++
 .../entrypoint/docker-entrypoint.rootless.sh | 42 ++++
 debian/entrypoint/docker-entrypoint.sh | 42 ++++
 .../entrypoint/passbolt/deprecated_paths.sh | 35 ++++
 debian/entrypoint/passbolt/entropy.sh | 23 +++
 .../passbolt/entrypoint-rootless.sh | 95 +++++++++
 debian/entrypoint/passbolt/entrypoint.sh | 97 +++++++++
 debian/entrypoint/passbolt/env.sh | 44 ++++
 debian/entrypoint/spec/entrypoint_spec.sh | 98 +++++++++
 debian/entrypoint/spec/rootless_spec.sh | 99 +++++++++
 debian/entrypoint/spec/spec_helper.sh | 7 +
 spec/docker_image/image_spec.rb | 10 +
 spec/docker_runtime/runtime_spec.rb | 7 +-
 .../runtime_no_envs_spec.rb | 6 +-
 spec/spec_helper.rb | 28 ++-
 29 files changed, 756 insertions(+), 513 deletions(-)
 delete mode 100644 .gitlab-ci/Jobs/container_security_scan.yml
 create mode 100644 .gitlab-ci/Jobs/entrypoint_test.yml
 create mode 100644 .gitlab-ci/Jobs/rules.yml
 delete mode 100755 debian/bin/docker-entrypoint.sh
 delete mode 100755 debian/bin/docker-entrypoint.sh.rootless
 create mode 100644 debian/entrypoint/.shellspec
 create mode 100755 debian/entrypoint/docker-entrypoint.rootless.sh
 create mode 100755 debian/entrypoint/docker-entrypoint.sh
 create mode 100644 debian/entrypoint/passbolt/deprecated_paths.sh
 create mode 100644 debian/entrypoint/passbolt/entropy.sh
create mode 100644 debian/entrypoint/passbolt/entrypoint-rootless.sh
create mode 100644 debian/entrypoint/passbolt/entrypoint.sh
create mode 100644 debian/entrypoint/passbolt/env.sh
create mode 100644 debian/entrypoint/spec/entrypoint_spec.sh
create mode 100644 debian/entrypoint/spec/rootless_spec.sh
create mode 100644 debian/entrypoint/spec/spec_helper.sh
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1120a0a..b8b8fb4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,7 +6,6 @@ variables:
 DOCKER_TLS_CERTDIR: ""
 stages:
- - scanning
 - build
 - test-vulnerabilities
 - test
@@ -15,7 +14,7 @@ stages:
 include:
 - local: '/.gitlab-ci/Jobs/build_image.yml'
- - local: '/.gitlab-ci/Jobs/container_security_scan.yml'
+ - local: '/.gitlab-ci/Jobs/rules.yml'
 - local: '/.gitlab-ci/Jobs/test_vulnerabilities.yaml'
 - local: '/.gitlab-ci/Jobs/test_images.yaml'
 - local: '/.gitlab-ci/Jobs/publish.yaml'
diff --git a/.gitlab-ci/Jobs/build_image.yml b/.gitlab-ci/Jobs/build_image.yml
index 5bbcd49..484d643 100644
--- a/.gitlab-ci/Jobs/build_image.yml
+++ b/.gitlab-ci/Jobs/build_image.yml
@@ -1,4 +1,5 @@
 .build:
+ extends: .rules
 stage: build
 image:
 name: gcr.io/kaniko-project/executor:debug
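Review bot: The new `.gitlab-ci/Jobs/entrypoint_test.yml` is never pulled into the pipeline: the include hunk replaces `container_security_scan.yml` with `rules.yml` but adds no entry for the entrypoint tests, so the `entrypoint-tests` job this patch introduces will not run unless it is included further down outside this hunk. Add `- local: '/.gitlab-ci/Jobs/entrypoint_test.yml'` next to the other includes. Dropping the `scanning` stage in the first hunk is consistent with deleting the Clair job, since Trivy already runs in `test-vulnerabilities`, but the diffstat shows no other file referencing a `scanning` stage, so nothing else needs to follow.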
@@ -22,40 +23,40 @@ --destination $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR:-local}-${DOCKER_TAG}-$(date +%s) \ --destination $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR:-local}-${DOCKER_TAG}-latest -.testing-build: +.stable-build: extends: .build - rules: - - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ ) && $PASSBOLT_FLAVOUR =~ /ce|pro/' - when: on_success + variables: + COMPONENT: "stable" + PASSBOLT_FLAVOUR: "ce" + OPPOSITE_FLAVOUR: "pro" -.stable-build: +.stable-build-pro: extends: .build variables: COMPONENT: "stable" - rules: - - if: '$CI_COMMIT_BRANCH == "master" && $PASSBOLT_FLAVOUR =~ /ce|pro/' - when: on_success + PASSBOLT_FLAVOUR: "pro" + OPPOSITE_FLAVOUR: "ce" -build-testing-docker: - extends: .testing-build +build-stable-docker: + extends: .stable-build variables: DOCKERFILE_PATH: "debian/Dockerfile" DOCKER_TAG: "root" -build-testing-rootless: - extends: .testing-build +build-stable-rootless: + extends: .stable-build variables: DOCKERFILE_PATH: "debian/Dockerfile.rootless" DOCKER_TAG: "rootless" -build-stable-docker: - extends: .stable-build +build-pro-stable-docker: + extends: .stable-build-pro variables: DOCKERFILE_PATH: "debian/Dockerfile" DOCKER_TAG: "root" -build-stable-rootless: - extends: .stable-build +build-pro-stable-rootless: + extends: .stable-build-pro variables: DOCKERFILE_PATH: "debian/Dockerfile.rootless" DOCKER_TAG: "rootless" diff --git a/.gitlab-ci/Jobs/container_security_scan.yml b/.gitlab-ci/Jobs/container_security_scan.yml deleted file mode 100644 index 0b740aa..0000000 --- a/.gitlab-ci/Jobs/container_security_scan.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html - -container_scanning: - stage: scanning - image: registry.gitlab.com/passbolt/passbolt-ci-docker-images/docker:latest - variables: - DOCKER_DRIVER: overlay2 - # Defining two new variables based on GitLab's CI/CD predefined variables - # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables - CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE - # Prior to this, you need to have the Container Registry running for your project and setup a build job - # with at least the following steps: - # - # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG . - # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA - # - # Container Scanning deals with Docker images only so no need to import the project's Git repository: - GIT_STRATEGY: none - # Services and containers running in the same Kubernetes pod are all sharing the same localhost address - # https://docs.gitlab.com/runner/executors/kubernetes.html - DOCKER_SERVICE: localhost - DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/ - DOCKER_TAG: rootless - # https://hub.docker.com/r/arminc/clair-local-scan/tags - CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1 - PASSBOLT_FLAVOUR: pro - allow_failure: true - services: - - docker:18-dind - script: - - export CI_APPLICATION_TAG=${PASSBOLT_FLAVOUR:-local}-${DOCKER_TAG}-latest - - echo "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" - - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi - - | - if [[ -n "$CI_REGISTRY_USER" ]]; then - echo "Logging to GitLab Container Registry with CI credentials..." 
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- echo ""
- fi
- - docker run -d --name db arminc/clair-db:latest
- - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
- - apk add -U wget ca-certificates
- - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- - mv clair-scanner_linux_amd64 clair-scanner
- - chmod +x clair-scanner
- - touch clair-whitelist.yml
- - retries=0
- - echo "Waiting for clair daemon to start"
- - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml -t Medium ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
- artifacts:
- reports:
- container_scanning: gl-container-scanning-report.json
- dependencies: []
- only:
- refs:
- - branches
- except:
- variables:
- - $CONTAINER_SCANNING_DISABLED
diff --git a/.gitlab-ci/Jobs/entrypoint_test.yml b/.gitlab-ci/Jobs/entrypoint_test.yml
new file mode 100644
index 0000000..eae8c9b
--- /dev/null
+++ b/.gitlab-ci/Jobs/entrypoint_test.yml
@@ -0,0 +1,11 @@
+entrypoint-tests:
+ stage: test
+ image: registry.gitlab.com/passbolt/passbolt-ci-docker-images/debian-bullseye-11-slim:latest
+ before_script:
+ - apt update && apt install curl git -y
+ - curl -fsSL https://git.io/shellspec | sh -s -- --yes
+ script:
+ - /root/.local/bin/shellspec -c debian/entrypoint -s /bin/bash -f d
+ rules:
+ - if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master"
+ when: on_success
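Review bot: The `rules` entry of `entrypoint-tests` opens a single-quoted scalar that is never closed — the line ends at `$CI_COMMIT_BRANCH == "master"` with no trailing `'` — so the YAML will not parse and the whole pipeline definition is rejected once the file is included; the rules removed from `test_images.yaml` in this same patch show the intended ending `"master"'`. Unless the quote was lost in transport, the line should be `- if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master"'`. Separately, `curl -fsSL https://git.io/shellspec | sh -s -- --yes` executes whatever the redirecting short URL serves at run time; fetching a tagged shellspec release and checking its digest before running it keeps the test job reproducible and removes a silent dependency on a third-party redirect. Since this job gates nothing downstream, `allow_failure` is not needed, but a short comment explaining why it keeps its own rule list instead of extending the new `.rules` template would help the next reader.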
diff --git a/.gitlab-ci/Jobs/publish.yaml b/.gitlab-ci/Jobs/publish.yaml
index b6e074e..b8c1f65 100644
--- a/.gitlab-ci/Jobs/publish.yaml
+++ b/.gitlab-ci/Jobs/publish.yaml
@@ -35,7 +35,7 @@
 IMAGE_NAME: "passbolt/passbolt"
 PASSBOLT_IMAGE_FLAVOUR: "ce"
 rules:
- - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_FLAVOUR == "ce"'
+ - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "ce"'
 when: on_success
 publish-ce:
@@ -62,7 +62,7 @@ publish-pro:
 - *docker-authentication
 - *publish-command
 rules:
- - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_FLAVOUR == "pro"'
+ - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "pro"'
 when: on_success
 publish-pro-non-root:
diff --git a/.gitlab-ci/Jobs/rules.yml b/.gitlab-ci/Jobs/rules.yml
new file mode 100644
index 0000000..7a043a6
--- /dev/null
+++ b/.gitlab-ci/Jobs/rules.yml
@@ -0,0 +1,4 @@
+.rules:
+ rules:
+ - if: '$CI_COMMIT_BRANCH && $PASSBOLT_PUBLISH != "OPPOSITE_FLAVOUR"'
+ when: on_success
diff --git a/.gitlab-ci/Jobs/test_images.yaml b/.gitlab-ci/Jobs/test_images.yaml
index d053c5d..bfa1800 100644
--- a/.gitlab-ci/Jobs/test_images.yaml
+++ b/.gitlab-ci/Jobs/test_images.yaml
@@ -1,7 +1,10 @@
 services:
- - docker:19.03.0-dind
+ - name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/dind:latest
+ alias: docker
+ command: ["--tls=false"]
 .test-images:
+ extends: .rules
 stage: test
 image:
 name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/ruby:latest
@@ -10,9 +13,8 @@ services:
 - rake spec:$TEST_NAME
 variables:
 PASSBOLT_COMPONENT: stable
- rules:
- - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master" ) && $PASSBOLT_FLAVOUR == "ce"'
- when: on_success
+ PASSBOLT_FLAVOUR: ce
+ OPPOSITE_FLAVOUR: pro
 .test-pro-images:
 extends: .test-images
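Review bot: The `.rules` condition compares `$PASSBOLT_PUBLISH` against the string literal `"OPPOSITE_FLAVOUR"`, not against the `OPPOSITE_FLAVOUR` variable, so it is true for every branch pipeline and the `OPPOSITE_FLAVOUR: pro` / `OPPOSITE_FLAVOUR: ce` values set on the build, test-images and test-vulnerabilities jobs exclude nothing — both flavours will run on every push. The intended form appears to be `- if: '$CI_COMMIT_BRANCH && $PASSBOLT_PUBLISH != $OPPOSITE_FLAVOUR'`; this relies on job-level `variables:` being visible inside `rules:if`, which should be confirmed against the GitLab version in use, since older releases did not evaluate job variables there. With `PASSBOLT_PUBLISH` unset the corrected rule still runs both flavours, which may be the intended default but differs from the removed per-job rules that also required `$PASSBOLT_FLAVOUR =~ /ce|pro/`; a one-line comment in `rules.yml` stating that contract would avoid surprises.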
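Review bot: The replacement dind service is pinned only to `:latest` and started with `command: ["--tls=false"]`, while the top-level `DOCKER_TLS_CERTDIR: ""` in `.gitlab-ci.yml` already disables TLS on the client side, so the Docker API between the job container and the sidecar is plaintext on the service network and the daemon build changes whenever the internal image is rebuilt. The previous entry was at least version-pinned (`docker:19.03.0-dind`); pinning the internal image to a tag or digest keeps the test jobs reproducible, and a comment such as `# dind runs without TLS: job and daemon share the runner's private service network` records that the plaintext link is a deliberate choice rather than an oversight.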
@@ -20,9 +22,8 @@ services: - cat $SUBSCRIPTION_KEY > subscription_key.txt variables: PASSBOLT_COMPONENT: stable - rules: - - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master" ) && $PASSBOLT_FLAVOUR == "pro"' - when: on_success + PASSBOLT_FLAVOUR: pro + OPPOSITE_FLAVOUR: ce ce-docker-image: extends: .test-images diff --git a/.gitlab-ci/Jobs/test_vulnerabilities.yaml b/.gitlab-ci/Jobs/test_vulnerabilities.yaml index 53a7521..59dd760 100644 --- a/.gitlab-ci/Jobs/test_vulnerabilities.yaml +++ b/.gitlab-ci/Jobs/test_vulnerabilities.yaml @@ -1,4 +1,5 @@ .test-vulnerabilities: + extends: .rules stage: test-vulnerabilities image: name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/aquasec:latest @@ -8,13 +9,29 @@ DOCKER_TAG: root script: - trivy image --ignore-unfixed $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR}-${DOCKER_TAG}-latest - rules: - - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ ) && $PASSBOLT_FLAVOUR =~ /ce|pro/' - when: on_success -docker: +docker-ce: extends: .test-vulnerabilities -docker-non-root: + variables: + PASSBOLT_FLAVOUR: "ce" + OPPOSITE_FLAVOUR: "pro" + +docker-ce-rootless: + extends: .test-vulnerabilities + variables: + PASSBOLT_FLAVOUR: "ce" + DOCKER_TAG: "rootless" + OPPOSITE_FLAVOUR: "pro" + +docker-pro: + extends: .test-vulnerabilities + variables: + PASSBOLT_FLAVOUR: "pro" + OPPOSITE_FLAVOUR: "ce" + +docker-pro-rootless: extends: .test-vulnerabilities variables: + PASSBOLT_FLAVOUR: "pro" DOCKER_TAG: "rootless" + OPPOSITE_FLAVOUR: "ce" diff --git a/Gemfile.lock b/Gemfile.lock index 4d786f6..55c033b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -2,51 +2,50 @@ GEM remote: https://rubygems.org/ specs: coderay (1.1.3) - diff-lcs (1.4.4) - docker-api (2.0.0) + diff-lcs (1.5.0) + docker-api (2.2.0) excon (>= 0.47.0) multi_json - excon (0.79.0) + excon (0.97.0) method_source (1.0.0) multi_json (1.15.0) - net-scp (3.0.0) - net-ssh (>= 2.6.5, < 7.0.0) - net-ssh (6.1.0) + net-scp (4.0.0) + net-ssh (>= 2.6.5, < 8.0.0) + net-ssh (7.0.1) net-telnet (0.1.1) - pry (0.14.0) + pry (0.14.2) coderay (~> 1.1) method_source (~> 1.0) - rake (13.0.3) - rspec (3.10.0) - rspec-core (~> 3.10.0) - rspec-expectations (~> 3.10.0) - rspec-mocks (~> 3.10.0) - rspec-core (3.10.1) - rspec-support (~> 3.10.0) - rspec-expectations (3.10.1) + rake (13.0.6) + rspec (3.12.0) + rspec-core (~> 3.12.0) + rspec-expectations (~> 3.12.0) + rspec-mocks (~> 3.12.0) + rspec-core (3.12.0) + rspec-support (~> 3.12.0) + rspec-expectations (3.12.2) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.10.0) + rspec-support (~> 3.12.0) rspec-its (1.3.0) rspec-core (>= 3.0.0) rspec-expectations (>= 3.0.0) - rspec-mocks (3.10.2) + rspec-mocks (3.12.2) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.10.0) - rspec-support (3.10.2) - serverspec (2.41.5) + rspec-support (~> 3.12.0) + rspec-support (3.12.0) + serverspec (2.42.1) multi_json rspec (~> 3.0) rspec-its specinfra (~> 2.72) sfl (2.3) - specinfra (2.82.23) + specinfra (2.84.0) net-scp net-ssh (>= 2.7) net-telnet (= 0.1.1) sfl PLATFORMS - ruby x86_64-linux DEPENDENCIES @@ -56,4 +55,4 @@ DEPENDENCIES serverspec BUNDLED WITH - 2.2.6 + 2.4.1 diff --git a/README.md b/README.md index 1796c85..cc5b934 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ /_/ \__,_/____/____/_,___/\____/_/\__/ `,.__. ^___.-/ `-./ .'...--` The open source password manager for teams `' - (c) 2022 Passbolt SA + (c) 2023 Passbolt SA https://www.passbolt.com ``` [![Docker Pulls](https://img.shields.io/docker/pulls/passbolt/passbolt.svg?style=flat-square)](https://hub.docker.com/r/passbolt/passbolt/tags/) 
@@ -187,3 +187,26 @@ In order to pull custom images from the Gitlab registry, you need to set this va REGISTRY_USERNAME= REGISTRY_PASSWORD= REGISTRY_EMAIL= + +## Docker secrets support + +As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/ files. For example: + +``` +$ docker run --name passsbolt -e DATASOURCES_DEFAULT_PASSWORD_FILE=/run/secrets/db-password -d passbolt/passbolt +``` + +Currently, this is only supported for DATASOURCES_DEFAULT_PASSWORD, DATASOURCES_DEFAULT_HOST, DATASOURCES_DEFAULT_USERNAME, DATASOURCES_DEFAULT_DATABASE + +Following the behaviour we use to mount docker secrets as environment variables, it is also posible to mount docker secrets as a file inside the passbolt container. So, for some secret files the user can store them using docker secrets and then inject them into the container with a env variable and the entrypoint script will create a symlink to the proper path. + +``` +$ docker run --name passsbolt -e PASSBOLT_SSL_SERVER_CERT_FILE=/run/secrets/ssl-cert -d passbolt/passbolt +``` + +This feature is only supported for: + +- PASSBOLT_SSL_SERVER_CERT_FILE that points to /etc/ssl/certs/certificate.crt +- PASSBOLT_SSL_SERVER_KEY_FILE that points to /etc/ssl/certs/certificate.key +- PASSBOLT_GPG_SERVER_KEY_PRIVATE_FILE that points to /etc/passbolt/gpg/serverkey_private.asc +- PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE that points to /etc/passbolt/gpg/serverkey.asc diff --git a/debian/Dockerfile b/debian/Dockerfile index 9988673..f961772 100644 --- a/debian/Dockerfile +++ b/debian/Dockerfile 
@@ -45,11 +45,15 @@ RUN apt-get update \
 COPY conf/supervisor/cron.conf /etc/supervisor/conf.d/cron.conf
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
 COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
-COPY debian/bin/docker-entrypoint.sh /docker-entrypoint.sh
+COPY debian/entrypoint/docker-entrypoint.sh /docker-entrypoint.sh
+COPY debian/entrypoint/passbolt/entrypoint.sh /passbolt/entrypoint.sh
+COPY debian/entrypoint/passbolt/env.sh /passbolt/env.sh
+COPY debian/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
+COPY debian/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 EXPOSE 80 443
 WORKDIR /usr/share/php/passbolt
-CMD ["/docker-entrypoint.sh"]
+CMD ["//docker-entrypoint.sh"]
diff --git a/debian/Dockerfile.rootless b/debian/Dockerfile.rootless
index b7fc2d7..01a9b85 100644
--- a/debian/Dockerfile.rootless
+++ b/debian/Dockerfile.rootless
@@ -1,4 +1,4 @@
-FROM registry.gitlab.com/passbolt/passbolt-ci-docker-images/debian-bullseye-11-slim:latest
+FROM debian:bullseye-slim
 LABEL maintainer="Passbolt SA "
@@ -79,7 +79,11 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
 COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
-COPY debian/bin/docker-entrypoint.sh.rootless /docker-entrypoint.sh
+COPY debian/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh
+COPY debian/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh
+COPY debian/entrypoint/passbolt/env.sh /passbolt/env.sh
+COPY debian/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
+COPY debian/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 EXPOSE 8080 4433
diff --git a/debian/bin/docker-entrypoint.sh b/debian/bin/docker-entrypoint.sh
deleted file mode 100755
index 996fdc7..0000000
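Review bot: `CMD ["//docker-entrypoint.sh"]` carries a doubled leading slash where the removed line had `/docker-entrypoint.sh`, and the rootless Dockerfile keeps the single-slash form; Linux resolves `//` to `/`, so the container still starts, but the path now differs between the two images and in anything that compares it (process listings, the spec files, the entrypoint's own `$(dirname $0)`), so it reads as accidental rather than intentional. Keep `CMD ["/docker-entrypoint.sh"]` unless there is a reason for the double slash, in which case a comment above it should say so. The five `COPY` lines install the helpers under `/passbolt/` while the entrypoint reaches them through `$(dirname $0)/../passbolt`; that only resolves because `/..` is `/`, so copying the helpers next to the entrypoint (or sourcing `/passbolt/...` by absolute path) would make the layout self-describing.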
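Review bot: The rootless image switches its base from the project-controlled `registry.gitlab.com/passbolt/passbolt-ci-docker-images/debian-bullseye-11-slim:latest` to the upstream `debian:bullseye-slim` mutable tag, which means the build now pulls whatever Docker Hub serves at build time and the root `debian/Dockerfile`, whose `FROM` this patch does not touch, presumably no longer shares a base with it, so the Trivy jobs scan two different package sets. If the switch is intended, pin it by digest (`FROM debian:bullseye-slim@sha256:<digest-placeholder>`) and apply the same base to both Dockerfiles; if it is a leftover from local testing, restore the internal image. Either way the reason belongs in a comment above the `FROM` line.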
--- a/debian/bin/docker-entrypoint.sh +++ /dev/null 
@@ -1,190 +0,0 @@ -#!/usr/bin/env bash - -set -eo pipefail - -passbolt_config="/etc/passbolt" -gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}" -gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}" - -ssl_key='/etc/ssl/certs/certificate.key' -ssl_cert='/etc/ssl/certs/certificate.crt' - -deprecation_message="" - -subscription_key_file_paths=("/etc/passbolt/subscription_key.txt" "/etc/passbolt/license") - -entropy_check() { - local entropy_avail - - entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail) - - if [ "$entropy_avail" -lt 2000 ]; then - - cat < $gpg_private_key" -ls /bin/bash www-data - su -c "gpg --homedir $GNUPGHOME --armor --export $key_email > $gpg_public_key" -ls /bin/bash www-data -} - -gpg_import_key() { - su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_public_key" -ls /bin/bash www-data - su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_private_key" -ls /bin/bash www-data -} - -gen_ssl_cert() { - openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ - -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \ - -addext "subjectAltName = DNS:www.passbolt.local" \ - -keyout $ssl_key -out $ssl_cert -} - -get_subscription_file() { - if [ "${PASSBOLT_FLAVOUR}" == 'ce' ]; then - return 1 - fi - - # Look for subscription key on possible paths - for path in "${subscription_key_file_paths[@]}"; - do - if [ -f "${path}" ]; then - SUBSCRIPTION_FILE="${path}" - return 0 - fi - done - - return 1 -} - -import_subscription() { - if get_subscription_file; then - echo "Subscription file found: $SUBSCRIPTION_FILE" - su -c "/usr/share/php/passbolt/bin/cake passbolt subscription_import --file $SUBSCRIPTION_FILE" -s /bin/bash www-data - fi -} - -install_command() { - echo "Installing passbolt" - su -c '/usr/share/php/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data -} - -migrate_command() { - echo "Running migrations" - su -c 
'/usr/share/php/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data -} - -jwt_keys_creation() { - if [[ $PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED == "true" && ( ! -f $passbolt_config/jwt/jwt.key || ! -f $passbolt_config/jwt/jwt.pem ) ]] - then - su -c '/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys' -s /bin/bash www-data - chmod 640 "$passbolt_config/jwt/jwt.key" && chown root:www-data "$passbolt_config/jwt/jwt.key" - chmod 640 "$passbolt_config/jwt/jwt.pem" && chown root:www-data "$passbolt_config/jwt/jwt.pem" - fi -} - -install() { - if [ ! -f "$passbolt_config/app.php" ]; then - su -c "cp $passbolt_config/app.default.php $passbolt_config/app.php" -s /bin/bash www-data - fi - - if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then - gpg_auto_fingerprint="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)" - export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint - fi - - import_subscription || true - - jwt_keys_creation - install_command || migrate_command && echo "Enjoy! 
☮" -} - -create_deprecation_message() { - deprecation_message+="\033[33;5;7mWARNING: $1 is deprecated, point your docker volume to $2\033[0m\n" -} - -check_deprecated_paths() { - declare -A deprecated_paths - local deprecated_avatar_path="/var/www/passbolt/webroot/img/public/Avatar" - local avatar_path="/usr/share/php/passbolt/webroot/img/public/Avatar" - local deprecated_subscription_path="/var/www/passbolt/config/license" - local subscription_path="/etc/passbolt/license" - deprecated_paths=( - ['/var/www/passbolt/config/gpg/serverkey.asc']='/etc/passbolt/gpg/serverkey.asc' - ['/var/www/passbolt/config/gpg/serverkey_private.asc']='/etc/passbolt/gpg/serverkey_private.asc' - ) - - if [ -z "$PASSBOLT_GPG_SERVER_KEY_PUBLIC" ] || [ -z "$PASSBOLT_GPG_SERVER_KEY_PRIVATE" ]; then - for path in "${!deprecated_paths[@]}" - do - if [ -f "$path" ] && [ ! -f "${deprecated_paths[$path]}" ]; then - ln -s "$path" "${deprecated_paths[$path]}" - create_deprecation_message "$path" "${deprecated_paths[$path]}" - fi - done - fi - - if [ -d "$deprecated_avatar_path" ] && [ ! -d "$avatar_path" ]; then - ln -s "$deprecated_avatar_path" "$avatar_path" - create_deprecation_message "$deprecated_avatar_path" "$avatar_path" - fi - - if [ -f "$deprecated_subscription_path" ] && [ ! -f "$subscription_path" ]; then - ln -s "$deprecated_subscription_path" "$subscription_path" - create_deprecation_message "$deprecated_subscription_path" "$subscription_path" - fi -} - -check_deprecated_paths - -if [ ! -f "$gpg_private_key" ] || \ - [ ! -f "$gpg_public_key" ]; then - gpg_gen_key - gpg_import_key -else - gpg_import_key -fi - -if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \ - [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then - gen_ssl_cert -fi - -install - -echo -e "$deprecation_message" - -exec /usr/bin/supervisord -n diff --git a/debian/bin/docker-entrypoint.sh.rootless b/debian/bin/docker-entrypoint.sh.rootless deleted file mode 100755 index c4cb1d5..0000000 
--- a/debian/bin/docker-entrypoint.sh.rootless +++ /dev/null 
@@ -1,190 +0,0 @@ -#!/usr/bin/env bash - -set -eo pipefail - -passbolt_config="/etc/passbolt" -gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}" -gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}" - -ssl_key='/etc/passbolt/certs/certificate.key' -ssl_cert='/etc/passbolt/certs/certificate.crt' - -deprecation_message="" - -subscription_key_file_paths=("/etc/passbolt/subscription_key.txt" "/etc/passbolt/license") - -entropy_check() { - local entropy_avail - - entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail) - - if [ "$entropy_avail" -lt 2000 ]; then - - cat < $gpg_private_key - gpg --homedir $GNUPGHOME --armor --export $key_email > $gpg_public_key -} - -gpg_import_key() { - gpg --homedir $GNUPGHOME --batch --import $gpg_public_key - gpg --homedir $GNUPGHOME --batch --import $gpg_private_key -} - -gen_ssl_cert() { - openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ - -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \ - -addext "subjectAltName = DNS:www.passbolt.local" \ - -keyout $ssl_key -out $ssl_cert -} - -get_subscription_file() { - if [ "${PASSBOLT_FLAVOUR}" == 'ce' ]; then - return 1 - fi - - # Look for subscription key on possible paths - for path in "${subscription_key_file_paths[@]}"; - do - if [ -f "${path}" ]; then - SUBSCRIPTION_FILE="${path}" - return 0 - fi - done - - return 1 -} - -import_subscription() { - if get_subscription_file; then - echo "Subscription file found: $SUBSCRIPTION_FILE" - /usr/share/php/passbolt/bin/cake passbolt subscription_import --file $SUBSCRIPTION_FILE - fi -} - -install_command() { - echo "Installing passbolt" - /usr/share/php/passbolt/bin/cake passbolt install --no-admin -} - -migrate_command() { - echo "Running migrations" - /usr/share/php/passbolt/bin/cake passbolt migrate -} - -jwt_keys_creation() { - if [[ $PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED == "true" && ( ! -f $passbolt_config/jwt/jwt.key || ! 
-f $passbolt_config/jwt/jwt.pem ) ]] - then - /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys - chmod 640 "$passbolt_config/jwt/jwt.key" && chown www-data:www-data "$passbolt_config/jwt/jwt.key" - chmod 640 "$passbolt_config/jwt/jwt.pem" && chown www-data:www-data "$passbolt_config/jwt/jwt.pem" - fi -} - -install() { - if [ ! -f "$passbolt_config/app.php" ]; then - cp $passbolt_config/app.default.php $passbolt_config/app.php - fi - - if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then - gpg_auto_fingerprint="$(gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:)" - export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint - fi - - import_subscription || true - - jwt_keys_creation - install_command || migrate_command && echo "Enjoy! ☮" -} - -create_deprecation_message() { - deprecation_message+="\033[33;5;7mWARNING: $1 is deprecated, point your docker volume to $2\033[0m\n" -} - -check_deprecated_paths() { - declare -A deprecated_paths - local deprecated_avatar_path="/var/www/passbolt/webroot/img/public/Avatar" - local avatar_path="/usr/share/php/passbolt/webroot/img/public/Avatar" - local deprecated_subscription_path="/var/www/passbolt/webroot/img/public/Avatar" - local subscription_path="/etc/passbolt/license" - deprecated_paths=( - ['/var/www/passbolt/config/gpg/serverkey.asc']='/etc/passbolt/gpg/serverkey.asc' - ['/var/www/passbolt/config/gpg/serverkey_private.asc']='/etc/passbolt/gpg/serverkey_private.asc' - ) - - if [ -z "$PASSBOLT_GPG_SERVER_KEY_PUBLIC" ] || [ -z "$PASSBOLT_GPG_SERVER_KEY_PRIVATE" ]; then - for path in "${!deprecated_paths[@]}" - do - if [ -f "$path" ] && [ ! -f "${deprecated_paths[$path]}" ]; then - ln -s "$path" "${deprecated_paths[$path]}" - create_deprecation_message "$path" "${deprecated_paths[$path]}" - fi - done - fi - - if [ -d "$deprecated_avatar_path" ] && [ ! 
-d "$avatar_path" ]; then - ln -s "$deprecated_avatar_path" "$avatar_path" - create_deprecation_message "$deprecated_avatar_path" "$avatar_path" - fi - - if [ -f "$deprecated_subscription_path" ] && [ ! -f "$subscription_path" ]; then - ln -s "$deprecated_subscription_path" "$subscription_path" - create_deprecation_message "$deprecated_subscription_path" "$subscription_path" - fi -} - -check_deprecated_paths - -if [ ! -f "$gpg_private_key" ] || \ - [ ! -f "$gpg_public_key" ]; then - gpg_gen_key - gpg_import_key -else - gpg_import_key -fi - -if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \ - [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then - gen_ssl_cert -fi - -install - -echo -e "$deprecation_message" - -exec /usr/bin/supervisord -n diff --git a/debian/entrypoint/.shellspec b/debian/entrypoint/.shellspec new file mode 100644 index 0000000..d567ecf --- /dev/null +++ b/debian/entrypoint/.shellspec @@ -0,0 +1,12 @@ +--require spec_helper + +## Default kcov (coverage) options +# --kcov-options "--include-path=. --path-strip-level=1" +# --kcov-options "--include-pattern=.sh" +# --kcov-options "--exclude-pattern=/.shellspec,/spec/,/coverage/,/report/" + +## Example: Include script "myprog" with no extension +# --kcov-options "--include-pattern=.sh,myprog" + +## Example: Only specified files/directories +# --kcov-options "--include-pattern=myprog,/lib/" diff --git a/debian/entrypoint/docker-entrypoint.rootless.sh b/debian/entrypoint/docker-entrypoint.rootless.sh new file mode 100755 index 0000000..5f21e74 --- /dev/null +++ b/debian/entrypoint/docker-entrypoint.rootless.sh 
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+passbolt_config="/etc/passbolt"
+gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
+gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"
+
+ssl_key='/etc/passbolt/certs/certificate.key'
+ssl_cert='/etc/passbolt/certs/certificate.crt'
+
+deprecation_message=""
+
+subscription_key_file_paths=("/etc/passbolt/subscription_key.txt" "/etc/passbolt/license")
+
+source $(dirname $0)/../passbolt/entrypoint-rootless.sh
+source $(dirname $0)/../passbolt/entropy.sh
+source $(dirname $0)/../passbolt/env.sh
+source $(dirname $0)/../passbolt/deprecated_paths.sh
+
+manage_docker_env
+
+check_deprecated_paths
+
+if [ ! -f "$gpg_private_key" ] || \
+ [ ! -f "$gpg_public_key" ]; then
+ gpg_gen_key
+ gpg_import_key
+else
+ gpg_import_key
+fi
+
+if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \
+ [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then
+ gen_ssl_cert
+fi
+
+install
+
+echo -e "$deprecation_message"
+
+exec /usr/bin/supervisord -n
diff --git a/debian/entrypoint/docker-entrypoint.sh b/debian/entrypoint/docker-entrypoint.sh
new file mode 100755
index 0000000..96ca52f
--- /dev/null
+++ b/debian/entrypoint/docker-entrypoint.sh
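Review bot: The four `source $(dirname $0)/../passbolt/*.sh` lines only resolve because the script is installed at `/docker-entrypoint.sh`, where `/..` collapses to `/`; relative to the repository layout (`debian/entrypoint/docker-entrypoint.rootless.sh` next to `passbolt/`) the same expression points at `debian/passbolt/`, which does not exist, and `$(dirname $0)` is unquoted. Sourcing by a fixed location, e.g. `source /passbolt/entrypoint-rootless.sh`, or quoting `"$(dirname "$0")"` with a layout the image and the shellspec suite share, removes the dependency on the root special case; `debian/entrypoint/docker-entrypoint.sh` in the next hunk has the same construction. The README added by this patch documents `PASSBOLT_SSL_SERVER_KEY_FILE` as linking to `/etc/ssl/certs/certificate.key`, while this script checks `ssl_key='/etc/passbolt/certs/certificate.key'`; `env.sh` is not in this excerpt, so I cannot tell whether it handles the rootless path, but if it symlinks to the README location the check below will still generate a self-signed certificate. `set -eo pipefail` without `-u` also means a typo in any of the sourced variable names silently expands to an empty string.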
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+passbolt_config="/etc/passbolt"
+gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
+gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"
+
+ssl_key='/etc/ssl/certs/certificate.key'
+ssl_cert='/etc/ssl/certs/certificate.crt'
+
+deprecation_message=""
+
+subscription_key_file_paths=("/etc/passbolt/subscription_key.txt" "/etc/passbolt/license")
+
+source $(dirname $0)/../passbolt/entrypoint.sh
+source $(dirname $0)/../passbolt/entropy.sh
+source $(dirname $0)/../passbolt/env.sh
+source $(dirname $0)/../passbolt/deprecated_paths.sh
+
+manage_docker_env
+
+check_deprecated_paths
+
+if [ ! -f "$gpg_private_key" ] || \
+ [ ! -f "$gpg_public_key" ]; then
+ gpg_gen_key
+ gpg_import_key
+else
+ gpg_import_key
+fi
+
+if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \
+ [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then
+ gen_ssl_cert
+fi
+
+install
+
+echo -e "$deprecation_message"
+
+exec /usr/bin/supervisord -n
diff --git a/debian/entrypoint/passbolt/deprecated_paths.sh b/debian/entrypoint/passbolt/deprecated_paths.sh
new file mode 100644
index 0000000..f560581
--- /dev/null
+++ b/debian/entrypoint/passbolt/deprecated_paths.sh
@@ -0,0 +1,35 @@
+function create_deprecation_message() {
+ deprecation_message+="\033[33;5;7mWARNING: $1 is deprecated, point your docker volume to $2\033[0m\n"
+}
+
+function check_deprecated_paths() {
+ declare -A deprecated_paths
+ local deprecated_avatar_path="/var/www/passbolt/webroot/img/public/Avatar"
+ local avatar_path="/usr/share/php/passbolt/webroot/img/public/Avatar"
+ local deprecated_subscription_path="/var/www/passbolt/webroot/img/public/Avatar"
+ local subscription_path="/etc/passbolt/license"
+ deprecated_paths=(
+ ['/var/www/passbolt/config/gpg/serverkey.asc']='/etc/passbolt/gpg/serverkey.asc'
+ ['/var/www/passbolt/config/gpg/serverkey_private.asc']='/etc/passbolt/gpg/serverkey_private.asc'
+ )
+
+ if [ -z "$PASSBOLT_GPG_SERVER_KEY_PUBLIC" ] || [ -z "$PASSBOLT_GPG_SERVER_KEY_PRIVATE" ]; then
+ for path in "${!deprecated_paths[@]}"
+ do
+ if [ -f "$path" ] && [ ! -f "${deprecated_paths[$path]}" ]; then
+ ln -s "$path" "${deprecated_paths[$path]}"
+ create_deprecation_message "$path" "${deprecated_paths[$path]}"
+ fi
+ done
+ fi
+
+ if [ -d "$deprecated_avatar_path" ] && [ ! -d "$avatar_path" ]; then
+ ln -s "$deprecated_avatar_path" "$avatar_path"
+ create_deprecation_message "$deprecated_avatar_path" "$avatar_path"
+ fi
+
+ if [ -f "$deprecated_subscription_path" ] && [ ! -f "$subscription_path" ]; then
+ ln -s "$deprecated_subscription_path" "$subscription_path"
+ create_deprecation_message "$deprecated_subscription_path" "$subscription_path"
+ fi
+}
diff --git a/debian/entrypoint/passbolt/entropy.sh b/debian/entrypoint/passbolt/entropy.sh
new file mode 100644
index 0000000..6ab9332
--- /dev/null
+++ b/debian/entrypoint/passbolt/entropy.sh
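Review bot: `deprecated_subscription_path` is initialised to the Avatar directory (`/var/www/passbolt/webroot/img/public/Avatar`) instead of the old licence location, so the `[ -f "$deprecated_subscription_path" ]` test at the bottom of `check_deprecated_paths` can never succeed on a directory and the `/etc/passbolt/license` compatibility symlink is never created; it should read `local deprecated_subscription_path="/var/www/passbolt/config/license"`. The root entrypoint this patch deletes (`debian/bin/docker-entrypoint.sh`) had the correct value while the rootless copy carried the typo, and the shared file inherited the rootless version, so root images now lose the symlink as well. A shellspec case under `debian/entrypoint/spec/` that stages a file at the old licence path and asserts the link would lock the behaviour in, since that is exactly what the new test suite is for.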
@@ -0,0 +1,23 @@ +function entropy_check() { + local entropy_avail + + entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail) + + if [ "$entropy_avail" -lt 2000 ]; then + + cat < "$gpg_private_key" + gpg --homedir "$GNUPGHOME" --armor --export "$key_email" > "$gpg_public_key" +} + +function gpg_import_key() { + gpg --homedir "$GNUPGHOME" --batch --import "$gpg_public_key" + gpg --homedir "$GNUPGHOME" --batch --import "$gpg_private_key" +} + +function gen_ssl_cert() { + openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ + -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \ + -addext "subjectAltName = DNS:www.passbolt.local" \ + -keyout "$ssl_key" -out "$ssl_cert" +} + +function get_subscription_file() { + if [ "${PASSBOLT_FLAVOUR}" == 'ce' ]; then + return 1 + fi + + # Look for subscription key on possible paths + for path in "${subscription_key_file_paths[@]}"; + do + if [ -f "${path}" ]; then + SUBSCRIPTION_FILE="${path}" + return 0 + fi + done + + return 1 +} + +function import_subscription() { + if get_subscription_file; then + echo "Subscription file found: $SUBSCRIPTION_FILE" + /usr/share/php/passbolt/bin/cake passbolt subscription_import --file "$SUBSCRIPTION_FILE" + fi +} + +function install_command() { + echo "Installing passbolt" + /usr/share/php/passbolt/bin/cake passbolt install --no-admin +} + +function migrate_command() { + echo "Running migrations" + /usr/share/php/passbolt/bin/cake passbolt migrate +} + +function jwt_keys_creation() { + if [[ $PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED == "true" && ( ! -f $passbolt_config/jwt/jwt.key || ! -f $passbolt_config/jwt/jwt.pem ) ]] + then + /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys + chmod 640 "$passbolt_config/jwt/jwt.key" && chown www-data:www-data "$passbolt_config/jwt/jwt.key" + chmod 640 "$passbolt_config/jwt/jwt.pem" && chown www-data:www-data "$passbolt_config/jwt/jwt.pem" + fi +} + +function install() { + if [ ! 
-f "$passbolt_config/app.php" ]; then + cp $passbolt_config/app.default.php $passbolt_config/app.php + fi + + if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then + gpg_auto_fingerprint="$(gpg --homedir "$GNUPGHOME" --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:)" + export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint + fi + + import_subscription || true + + jwt_keys_creation + install_command || migrate_command && echo "Enjoy! ☮" +} diff --git a/debian/entrypoint/passbolt/entrypoint.sh b/debian/entrypoint/passbolt/entrypoint.sh new file mode 100644 index 0000000..e316e40 --- /dev/null +++ b/debian/entrypoint/passbolt/entrypoint.sh 
@@ -0,0 +1,97 @@ + +function gpg_gen_key() { + key_email="${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}" + key_name="${PASSBOLT_KEY_NAME:-Passbolt default user}" + key_length="${PASSBOLT_KEY_LENGTH:-3072}" + subkey_length="${PASSBOLT_SUBKEY_LENGTH:-3072}" + expiration="${PASSBOLT_KEY_EXPIRATION:-0}" + + entropy_check + + su -c "gpg --homedir $GNUPGHOME --batch --no-tty --gen-key < $gpg_private_key" -ls /bin/bash www-data + su -c "gpg --homedir $GNUPGHOME --armor --export $key_email > $gpg_public_key" -ls /bin/bash www-data +} + +function gpg_import_key() { + su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_public_key" -ls /bin/bash www-data + su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_private_key" -ls /bin/bash www-data +} + +function gen_ssl_cert() { + openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ + -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \ + -addext "subjectAltName = DNS:www.passbolt.local" \ + -keyout "$ssl_key" -out "$ssl_cert" +} + +function get_subscription_file() { + if [ "${PASSBOLT_FLAVOUR}" == 'ce' ]; then + return 1 + fi + + # Look for subscription key on possible paths + for path in "${subscription_key_file_paths[@]}"; + do + if [ -f "${path}" ]; then + SUBSCRIPTION_FILE="${path}" + return 0 + fi + done + + return 1 +} + +function import_subscription() { + if get_subscription_file; then + echo "Subscription file found: $SUBSCRIPTION_FILE" + su -c "/usr/share/php/passbolt/bin/cake passbolt subscription_import --file $SUBSCRIPTION_FILE" -s /bin/bash www-data + fi +} + +function install_command() { + echo "Installing passbolt" + su -c '/usr/share/php/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data +} + +function migrate_command() { + echo "Running migrations" + su -c '/usr/share/php/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data +} + +function jwt_keys_creation() { + if [[ $PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED == "true" && ( ! -f $passbolt_config/jwt/jwt.key || ! 
-f $passbolt_config/jwt/jwt.pem ) ]] + then + su -c '/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys' -s /bin/bash www-data + chmod 640 "$passbolt_config/jwt/jwt.key" && chown root:www-data "$passbolt_config/jwt/jwt.key" + chmod 640 "$passbolt_config/jwt/jwt.pem" && chown root:www-data "$passbolt_config/jwt/jwt.pem" + fi +} + +function install() { + if [ ! -f "$passbolt_config/app.php" ]; then + su -c "cp $passbolt_config/app.default.php $passbolt_config/app.php" -s /bin/bash www-data + fi + + if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then + gpg_auto_fingerprint="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)" + export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint + fi + + import_subscription || true + + jwt_keys_creation + install_command || migrate_command && echo "Enjoy! ☮" +} + diff --git a/debian/entrypoint/passbolt/env.sh b/debian/entrypoint/passbolt/env.sh new file mode 100644 index 0000000..c2bc8ea --- /dev/null +++ b/debian/entrypoint/passbolt/env.sh 
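Review bot: In `install`, the auto-detected fingerprint is exported unchecked: `gpg --list-keys --with-colons <email> | grep fpr | head -1 | cut -f10 -d:` yields an empty string when the keyring holds no key whose UID matches `PASSBOLT_KEY_EMAIL` (now reachable whenever the pair comes from `*_FILE` secrets that were generated elsewhere under a different address), and the install then runs with `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` empty. Fail loudly instead: `[ -n "$gpg_auto_fingerprint" ] || { echo "Error: no GPG key for ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} in $GNUPGHOME" >&2; exit 1; }`, and note that `head -1` silently picks the first match if several keys share that address. The batch parameters of `gpg_gen_key` (`--gen-key <` …) are not legible in this rendering of the hunk, so the generated key's type and expiry could not be reviewed here.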
@@ -0,0 +1,44 @@
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'DATASOURCES_DEFAULT_USERNAME' 'example'
+# (will allow for "$DATASOURCES_DEFAULT_USERNAME_FILE" to fill in the value of
+# "$DATASOURCES_DEFAULT_USERNAME" from a file, especially for Docker's secrets feature)
+function env_from_file() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local default="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo "Error: Both $var and $fileVar are set (but are exclusive)"
+ return 1
+ fi
+ local val="$default"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+function secret_file_to_path() {
+ local secret_file="${!1}"
+ local path="$2"
+ if [ -f "$secret_file" ]; then
+ mkdir -p "$(dirname "$path")"
+ ln -s "$secret_file" "$path"
+ fi
+}
+
+function manage_docker_env() {
+ # Setup env variables from docker secrets
+ env_from_file 'DATASOURCES_DEFAULT_PASSWORD'
+ env_from_file 'DATASOURCES_DEFAULT_USERNAME'
+ env_from_file 'DATASOURCES_DEFAULT_HOST'
+ env_from_file 'DATASOURCES_DEFAULT_DATABASE'
+
+ # Get docker secrets values if exist and set them on new paths
+ secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' "$gpg_public_key"
+ secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PRIVATE_FILE' "$gpg_private_key"
+ secret_file_to_path 'PASSBOLT_SSL_SERVER_CERT_FILE' "$ssl_cert"
+ secret_file_to_path 'PASSBOLT_SSL_SERVER_KEY_FILE' "$ssl_key"
+}
diff --git a/debian/entrypoint/spec/entrypoint_spec.sh b/debian/entrypoint/spec/entrypoint_spec.sh
new file mode 100644
index 0000000..cf3d487
--- /dev/null
+++ b/debian/entrypoint/spec/entrypoint_spec.sh
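Review bot: `ln -s "$secret_file" "$path"` in `secret_file_to_path` is unconditional, so the second start of the same container (its writable layer, or any volume behind `/etc/passbolt/gpg` or `/etc/ssl/certs`, still holds the link from the first start) fails with "File exists" and, because the caller runs under `set -eo pipefail`, the entrypoint exits before anything else happens; the same occurs when an operator mounts a real key at `$path` and also passes the `*_FILE` variable. Treat an identical existing link as already done, refuse to clobber anything else, and name the variable in the error — secrets under `/run/secrets` are re-mounted on every start, so an existing link to the same target stays valid. Two smaller notes on `env_from_file`: `$(< "${!fileVar}")` strips trailing newlines, which is the right behaviour for secret files, but an unreadable `_FILE` path only surfaces as bash's generic "No such file or directory" followed by the caller's `set -e` exit — an explicit `[ -r "${!fileVar}" ] || { echo "Error: $fileVar is not a readable file" >&2; return 1; }` would tell the operator which variable is wrong.
```bash
function secret_file_to_path() {
  local secret_file="${!1}"
  local path="$2"
  if [ -f "$secret_file" ]; then
    mkdir -p "$(dirname "$path")"
    if [ -L "$path" ] && [ "$(readlink "$path")" = "$secret_file" ]; then
      return 0  # already linked on a previous start of this container
    fi
    if [ -e "$path" ] || [ -L "$path" ]; then
      echo "Error: $path already exists; refusing to replace it with the secret from $1" >&2
      return 1
    fi
    ln -s "$secret_file" "$path"
  fi
}
```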
@@ -0,0 +1,98 @@
+Describe "secret_file_to_path function"
+ # Mocks
+ function mkdir() {
+ echo > /dev/null
+ }
+ function ln() {
+ echo "ln $1 $2 $3"
+ }
+
+ function environment() {
+ echo "public.key" > /tmp/public.key
+ export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="/tmp/public.key"
+ }
+ Before "environment"
+ Include "./lib/entrypoint.sh"
+ It "should create the symlink to the secret file"
+
+ When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc'
+ The status should be success
+ The output should include "ln -s /tmp/public.key /etc/passbolt/gpg/serverkey.asc"
+ End
+
+ function environment() {
+ export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="NOT_A_FILE"
+ }
+ Before "environment"
+ Include "./lib/entrypoint.sh"
+ It "should NOT create the symlink to the secret file"
+ When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc'
+ The status should be success
+ The output should be blank
+ End
+End
+
+Describe "env_from_file function"
+
+ function environment() {
+ cat << EOF >> /tmp/passbolt-username
+ passbolt-username
+EOF
+ export DATASOURCES_DEFAULT_USERNAME_FILE="/tmp/passbolt-username"
+ export DATASOURCES_DEFAULT_USERNAME="username"
+ }
+ function cleanup() {
+ unset DATASOURCES_DEFAULT_USERNAME_FILE="/tmp/passbolt-username"
+ unset DATASOURCES_DEFAULT_USERNAME="username"
+ rm -f /tmp/passbolt-*
+ }
+ Before "environment"
+ After "cleanup"
+ Include "./lib/entrypoint.sh"
+ It "should return an error because none of the variables are empty"
+ When call env_from_file 'DATASOURCES_DEFAULT_USERNAME'
+ The status should be failure
+ The output should include "Error: Both DATASOURCES_DEFAULT_USERNAME and DATASOURCES_DEFAULT_USERNAME_FILE are set (but are exclusive)"
+ End
+
+ function cleanup() {
+ unset DATASOURCES_DEFAULT_PASSWORD_FILE
+ rm -f /tmp/passbolt-*
+ }
+ function environment() {
+ echo "passbolt-password" > /tmp/passbolt-password
+ export DATASOURCES_DEFAULT_PASSWORD_FILE="/tmp/passbolt-password"
+ }
+
+ Before "environment"
+ Include "./lib/entrypoint.sh"
+ After "cleanup"
+ It "should set the right value on the DATASOURCES_DEFAULT_PASSWORD variable using the DATASOURCES_DEFAULT_PASSWORD_FILE variable"
+ function check() {
+ env_from_file 'DATASOURCES_DEFAULT_PASSWORD'
+ if [ "$DATASOURCES_DEFAULT_PASSWORD" != "passbolt-password" ]; then
+ echo "Error: DATASOURCES_DEFAULT_PASSWORD is not set to the expected value"
+ return 1
+ fi
+ }
+ When call check
+ The status should be success
+ End
+
+ function environment() {
+ export DATASOURCES_DEFAULT_PASSWORD="password"
+ }
+ Before "environment"
+ Include "./lib/entrypoint.sh"
+ It "should not change the DATASOURCES_DEFAULT_PASSWORD if it is set"
+ function check() {
+ env_from_file 'DATASOURCES_DEFAULT_PASSWORD'
+ if [ "$DATASOURCES_DEFAULT_PASSWORD" != "password" ]; then
+ echo "Error: DATASOURCES_DEFAULT_PASSWORD is not set to the expected value"
+ return 1
+ fi
+ }
+ When call check
+ The status should be success
+ End
+End
diff --git a/debian/entrypoint/spec/rootless_spec.sh b/debian/entrypoint/spec/rootless_spec.sh
new file mode 100644
index 0000000..5e5037b
--- /dev/null
+++ b/debian/entrypoint/spec/rootless_spec.sh
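Review bot: `unset DATASOURCES_DEFAULT_USERNAME_FILE="/tmp/passbolt-username"` and the line after it are not valid `unset` calls — bash `unset` takes variable names, so these print "not a valid identifier" on stderr and leave both variables exported, which leaks the first `env_from_file` example's state into the later ones (they only pass because each re-exports the name it cares about, and as far as this hunk shows nothing asserts on the hook's stderr). Write `unset DATASOURCES_DEFAULT_USERNAME_FILE DATASOURCES_DEFAULT_USERNAME`. Also `/tmp/public.key` created by the first `environment` hook is never removed, and the description "because none of the variables are empty" reads more naturally as "because both variables are set".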
@@ -0,0 +1,99 @@
+Describe "secret_file_to_path function from rootless lib"
+ # Mocks
+ function mkdir() {
+ echo > /dev/null
+ }
+ function ln() {
+ echo "ln $1 $2 $3"
+ }
+
+ function environment() {
+ echo "public.key" > /tmp/public.key
+ export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="/tmp/public.key"
+ }
+ Before "environment"
+ Include "./lib/entrypoint-rootless.sh"
+ It "should create the symlink to the secret file"
+
+ When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc'
+ The status should be success
+ The output should include "ln -s /tmp/public.key /etc/passbolt/gpg/serverkey.asc"
+ End
+
+ function environment() {
+ export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="NOT_A_FILE"
+ }
+ Before "environment"
+ Include "./lib/entrypoint-rootless.sh"
+ It "should NOT create the symlink to the secret file"
+ When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc'
+ The status should be success
+ The output should be blank
+ End
+End
+
+Describe "env_from_file function from rootless lib"
+
+ function environment() {
+ cat << EOF >> /tmp/passbolt-username
+ passbolt-username
+EOF
+ export DATASOURCES_DEFAULT_USERNAME_FILE="/tmp/passbolt-username"
+ export DATASOURCES_DEFAULT_USERNAME="username"
+ }
+ function cleanup() {
+ unset DATASOURCES_DEFAULT_USERNAME_FILE="/tmp/passbolt-username"
+ unset DATASOURCES_DEFAULT_USERNAME="username"
+ rm -f /tmp/passbolt-*
+ }
+ Before "environment"
+ After "cleanup"
+ Include "./lib/entrypoint-rootless.sh"
+ It "should return an error because none of the variables are empty"
+ When call env_from_file 'DATASOURCES_DEFAULT_USERNAME'
+ The status should be failure
+ The output should include "Error: Both DATASOURCES_DEFAULT_USERNAME and DATASOURCES_DEFAULT_USERNAME_FILE are set (but are exclusive)"
+ End
+
+ function cleanup() {
+ unset DATASOURCES_DEFAULT_PASSWORD_FILE
+ rm -f /tmp/passbolt-*
+ }
+ function environment() {
+ echo "passbolt-password" > /tmp/passbolt-password
+ export DATASOURCES_DEFAULT_PASSWORD_FILE="/tmp/passbolt-password"
+ }
+
+ Before "environment"
+ Include "./lib/entrypoint-rootless.sh"
+ After "cleanup"
+ It "should set the right value on the DATASOURCES_DEFAULT_PASSWORD variable using the DATASOURCES_DEFAULT_PASSWORD_FILE variable"
+ function check() {
+ env_from_file 'DATASOURCES_DEFAULT_PASSWORD'
+ if [ "$DATASOURCES_DEFAULT_PASSWORD" != "passbolt-password" ]; then
+ echo "Error: DATASOURCES_DEFAULT_PASSWORD is not set to the expected value"
+ return 1
+ fi
+ }
+ When call check
+ The status should be success
+ End
+
+ function environment() {
+ export DATASOURCES_DEFAULT_PASSWORD="password"
+ }
+ Before "environment"
+ Include "./lib/entrypoint-rootless.sh"
+ It "should not change the DATASOURCES_DEFAULT_PASSWORD if it is set"
+ function check() {
+ env_from_file 'DATASOURCES_DEFAULT_PASSWORD'
+ if [ "$DATASOURCES_DEFAULT_PASSWORD" != "password" ]; then
+ echo "Error: DATASOURCES_DEFAULT_PASSWORD is not set to the expected value"
+ return 1
+ fi
+ }
+ When call check
+ The status should be success
+ End
+End
+
diff --git a/debian/entrypoint/spec/spec_helper.sh b/debian/entrypoint/spec/spec_helper.sh
new file mode 100644
index 0000000..197e06f
--- /dev/null
+++ b/debian/entrypoint/spec/spec_helper.sh
@@ -0,0 +1,7 @@
+#shellcheck shell=sh
+
+# set -eu
+
+# shellspec_spec_helper_configure() {
+# shellspec_import 'support/custom_matcher'
+# }
diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb
index c05d2be..9d34df7 100644
--- a/spec/docker_image/image_spec.rb
+++ b/spec/docker_image/image_spec.rb
@@ -67,6 +67,16 @@ expect(file(wait_for)).to exist and be_executable end end + + describe 'entrypoint' do + it 'is installed' do + expect(file('/docker-entrypoint.sh')).to exist and be_executable + expect(file('/passbolt/entrypoint.sh')).to exist and be_owned_by(passbolt_owner) + expect(file('/passbolt/env.sh')).to exist and be_owned_by(passbolt_owner) + expect(file('/passbolt/entropy.sh')).to exist and be_owned_by(passbolt_owner) + expect(file('/passbolt/deprecated_paths.sh')).to exist and be_executable + end + end describe 'passbolt directory structure' do it 'must exist and be directories' do diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index be79ae5..b474535 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -3,7 +3,12 @@ describe 'passbolt_api service' do before(:all) do - @mysql_image = Docker::Image.create('fromImage' => 'registry.gitlab.com/passbolt/passbolt-ci-docker-images/mariadb-10.3:latest') + if ENV['GITLAB_CI'] + @mysql_image = Docker::Image.create('fromImage' => 'registry.gitlab.com/passbolt/passbolt-ci-docker-images/mariadb-10.3:latest') + else + @mysql_image = Docker::Image.create('fromImage' => 'mariadb:latest') + end + @mysql = Docker::Container.create( 'Env' => [ 'MYSQL_ROOT_PASSWORD=test', diff --git a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb index 7b6ca0e..c819ce8 100644 --- a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb +++ b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb 
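Review bot: `expect(file('/passbolt/entrypoint.sh')).to exist and be_owned_by(passbolt_owner)` does not check ownership: Ruby's low-precedence `and` parses this as `(expect(...).to exist) and be_owned_by(...)`, so the second matcher is built and thrown away without ever being applied — the same holds for the four sibling lines (and for the pre-existing `wait_for` line they copy). Use a compound matcher, `expect(file('/passbolt/entrypoint.sh')).to exist.and be_owned_by(passbolt_owner)`, or a second `expect` per property. Also `/passbolt/deprecated_paths.sh` is checked with `be_executable` while its siblings check ownership; presumably all five should assert the same thing, and since the Dockerfile hunks later in this series `COPY` them without `--chown`, confirm what owner the image actually gives these files before pinning it in a spec.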
@@ -3,7 +3,11 @@ describe 'passbolt_api service' do before(:all) do - @mysql_image = Docker::Image.create('fromImage' => 'registry.gitlab.com/passbolt/passbolt-ci-docker-images/mariadb-10.3:latest') + if ENV['GITLAB_CI'] + @mysql_image = Docker::Image.create('fromImage' => 'registry.gitlab.com/passbolt/passbolt-ci-docker-images/mariadb-10.3:latest') + else + @mysql_image = Docker::Image.create('fromImage' => 'mariadb:latest') + end @mysql = Docker::Container.create( 'Env' => [ 'MYSQL_ROOT_PASSWORD=test', diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index e5175a4..5aa2eb0 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,9 +1,11 @@ +# frozen_string_literal: true + require 'serverspec' require 'docker' -ROOT_DOCKERFILES = File.expand_path('../../', __FILE__) -FIXTURES_PATH = File::expand_path("fixtures", File::dirname(__FILE__)) -LOCAL_SUBSCRIPTION_KEY_PATH = File.expand_path('../../subscription_key.txt', __FILE__) +ROOT_DOCKERFILES = File.expand_path('..', __dir__) +FIXTURES_PATH = File.expand_path('fixtures', File.dirname(__FILE__)) +LOCAL_SUBSCRIPTION_KEY_PATH = File.expand_path('../subscription_key.txt', __dir__) SUBSCRIPTION_KEY_PATH = '/etc/passbolt/subscription_key.txt' $cron_binary = '/usr/sbin/cron' 
@@ -15,20 +17,26 @@ $binds = [] $buildargs = { - :PASSBOLT_FLAVOUR=>"#{ENV['PASSBOLT_FLAVOUR']}", - :PASSBOLT_COMPONENT=>"#{ENV['PASSBOLT_COMPONENT']}", + PASSBOLT_FLAVOUR: ENV['PASSBOLT_FLAVOUR'].to_s, + PASSBOLT_COMPONENT: ENV['PASSBOLT_COMPONENT'].to_s } -if ENV['PASSBOLT_FLAVOUR'] == "pro" - $binds = ["#{LOCAL_SUBSCRIPTION_KEY_PATH}:#{SUBSCRIPTION_KEY_PATH}"] -end +$binds = ["#{LOCAL_SUBSCRIPTION_KEY_PATH}:#{SUBSCRIPTION_KEY_PATH}"] if ENV['PASSBOLT_FLAVOUR'] == 'pro' set :backend, :docker Docker.options[:read_timeout] = 3600 Docker.options[:write_timeout] = 3600 -Docker.authenticate!('username' => "#{ENV['REGISTRY_USERNAME']}", 'password' => "#{ENV['REGISTRY_PASSWORD']}", 'email' => "#{ENV['REGISTRY_EMAIL']}", 'serveraddress' => 'https://registry.gitlab.com/') -if ENV['ROOTLESS'] == "true" +if ENV['GITLAB_CI'] + Docker.authenticate!( + 'username' => ENV['REGISTRY_USERNAME'].to_s, + 'password' => ENV['REGISTRY_PASSWORD'].to_s, + 'email' => ENV['REGISTRY_EMAIL'].to_s, + 'serveraddress' => 'https://registry.gitlab.com/' + ) +end + +if ENV['ROOTLESS'] == true $cron_binary = '/usr/local/bin/supercronic' $dockerfile = 'debian/Dockerfile.rootless' $http_port = '8080' From c5163c55c576f91f1109f484ad6237f82ec494dd Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Fri, 13 Jan 2023 15:25:46 +0100 Subject: [PATCH 2/3] Changelog docker 3.8.0 --- CHANGELOG.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6cd51ab..346fcaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
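Review bot: `if ENV['ROOTLESS'] == true` can never be true — `ENV` values are always Strings in Ruby, and the removed line compared against `"true"` — so the rootless suite now silently runs against `debian/Dockerfile`, `/usr/sbin/cron` and port 80, and none of the `Dockerfile.rootless` or `entrypoint-rootless.sh` changes in this series are exercised through this helper. Restore the string comparison: `if ENV['ROOTLESS'] == 'true'`. This looks like a side effect of the style pass that added `.to_s` to the other `ENV` reads in the same hunk; a quick `ROOTLESS=true` run locally would have shown the wrong Dockerfile being built.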
@@ -2,7 +2,18 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.7.5...HEAD) +## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.8.0...HEAD) + +## [3.8.0](https://github.com/passbolt/passbolt_docker/compare/v3.7.5...v3.8.0) - 2023-01-13 + +### Added + +- Support for docker secrets +- Shellspec for entrypoint testing + +### Changed + +- Entrypoint refactor in separated libraries for increased testability ## [3.7.5](https://github.com/passbolt/passbolt_docker/compare/v3.7.4...v3.7.5) - 2022-12-01 From 90f3e08460fbe298ba5479d91d74a06d4fc65416 Mon Sep 17 00:00:00 2001 
From: Daniel Del Rio Date: Fri, 13 Jan 2023 15:44:10 +0000 Subject: [PATCH 3/3] Feature/pb 22138 fix entrypoint tests --- .gitlab-ci.yml | 1 + .gitlab-ci/Jobs/entrypoint_test.yml | 6 ++---- debian/entrypoint/.shellspec => .shellspec | 1 + debian/Dockerfile | 10 +++++----- debian/Dockerfile.rootless | 10 +++++----- scripts/entrypoint/.shellspec-basedir | 0 .../entrypoint/docker-entrypoint.rootless.sh | 0 {debian => scripts}/entrypoint/docker-entrypoint.sh | 0 .../entrypoint/passbolt/deprecated_paths.sh | 0 {debian => scripts}/entrypoint/passbolt/entropy.sh | 0 .../entrypoint/passbolt/entrypoint-rootless.sh | 0 {debian => scripts}/entrypoint/passbolt/entrypoint.sh | 0 {debian => scripts}/entrypoint/passbolt/env.sh | 0 .../spec => spec/shell/entrypoint}/entrypoint_spec.sh | 11 ++++++----- .../spec => spec/shell/entrypoint}/rootless_spec.sh | 10 +++++----- {debian/entrypoint/spec => spec}/spec_helper.sh | 0 16 files changed, 25 insertions(+), 24 deletions(-) rename debian/entrypoint/.shellspec => .shellspec (92%) create mode 100644 scripts/entrypoint/.shellspec-basedir rename {debian => scripts}/entrypoint/docker-entrypoint.rootless.sh (100%) rename {debian => scripts}/entrypoint/docker-entrypoint.sh (100%) rename {debian => scripts}/entrypoint/passbolt/deprecated_paths.sh (100%) rename {debian => scripts}/entrypoint/passbolt/entropy.sh (100%) rename {debian => scripts}/entrypoint/passbolt/entrypoint-rootless.sh (100%) rename {debian => scripts}/entrypoint/passbolt/entrypoint.sh (100%) rename {debian => scripts}/entrypoint/passbolt/env.sh (100%) rename {debian/entrypoint/spec => spec/shell/entrypoint}/entrypoint_spec.sh (93%) rename {debian/entrypoint/spec => spec/shell/entrypoint}/rootless_spec.sh (93%) rename {debian/entrypoint/spec => spec}/spec_helper.sh (100%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b8b8fb4..7c232e7 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -19,3 +19,4 @@ include: - local: '/.gitlab-ci/Jobs/test_images.yaml' - local: '/.gitlab-ci/Jobs/publish.yaml' - local: '/.gitlab-ci/Jobs/docker-compose-file-upload.yml' + - local: '/.gitlab-ci/Jobs/entrypoint_test.yml' diff --git a/.gitlab-ci/Jobs/entrypoint_test.yml b/.gitlab-ci/Jobs/entrypoint_test.yml index eae8c9b..5fbdba3 100644 --- a/.gitlab-ci/Jobs/entrypoint_test.yml +++ b/.gitlab-ci/Jobs/entrypoint_test.yml @@ -1,11 +1,9 @@ entrypoint-tests: + extends: .rules stage: test image: registry.gitlab.com/passbolt/passbolt-ci-docker-images/debian-bullseye-11-slim:latest before_script: - apt update && apt install curl git -y - curl -fsSL https://git.io/shellspec | sh -s -- --yes script: - - /root/.local/bin/shellspec -c debian/entrypoint -s /bin/bash -f d - rules: - - if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master" - when: on_success + - /root/.local/bin/shellspec -s /bin/bash -f d diff --git a/debian/entrypoint/.shellspec b/.shellspec similarity index 92% rename from debian/entrypoint/.shellspec rename to .shellspec index d567ecf..ade7cd7 100644 --- a/debian/entrypoint/.shellspec +++ b/.shellspec @@ -10,3 +10,4 @@ ## Example: Only specified files/directories # --kcov-options "--include-pattern=myprog,/lib/" +--execdir @basedir/debian/scripts diff --git a/debian/Dockerfile b/debian/Dockerfile index f961772..d647555 100644 --- a/debian/Dockerfile +++ b/debian/Dockerfile 
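Review bot: The job's `script` now runs whatever `curl -fsSL https://git.io/shellspec | sh -s -- --yes` installed a moment earlier, and that install line (unchanged here, but now executed on every trigger of the `.rules` anchor) pipes an unpinned redirect through a URL shortener straight into `sh` with no version pin or checksum — whoever controls the redirect or the upstream default branch controls code that runs inside this CI image with the job's variables. Pin a shellspec release and verify its digest, or bake it into the CI image; something like `curl -fsSL -o shellspec.tar.gz https://github.com/shellspec/shellspec/archive/refs/tags/<version>.tar.gz && echo "<sha256>  shellspec.tar.gz" | sha256sum -c` before extracting. The `.rules` anchor this job now `extends` is defined outside this hunk, so which events actually trigger it could not be checked here.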
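Review bot: `--execdir @basedir/debian/scripts` does not line up with the rest of this patch: the only `.shellspec-basedir` marker is created at `scripts/entrypoint/.shellspec-basedir`, the libraries are renamed to `scripts/entrypoint/...`, and the specs `Include "./entrypoint/passbolt/env.sh"`, which resolves only if the exec directory is `scripts/` — as far as the diff shows, no `debian/scripts` directory exists. If `debian/scripts` is a symlink that is not part of this patch, a comment above the option saying so would save the next reader the search; otherwise `--execdir @project/scripts` looks like the intended value. Confirm against the CI job's output, since a wrong `Include` path fails every example rather than just one.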
@@ -45,11 +45,11 @@ RUN apt-get update \ COPY conf/supervisor/cron.conf /etc/supervisor/conf.d/cron.conf COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf -COPY debian/entrypoint/docker-entrypoint.sh /docker-entrypoint.sh -COPY debian/entrypoint/passbolt/entrypoint.sh /passbolt/entrypoint.sh -COPY debian/entrypoint/passbolt/env.sh /passbolt/env.sh -COPY debian/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh -COPY debian/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh +COPY scripts/entrypoint/docker-entrypoint.sh /docker-entrypoint.sh +COPY scripts/entrypoint/passbolt/entrypoint.sh /passbolt/entrypoint.sh +COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh +COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh +COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh COPY scripts/wait-for.sh /usr/bin/wait-for.sh EXPOSE 80 443 diff --git a/debian/Dockerfile.rootless b/debian/Dockerfile.rootless index 01a9b85..93ff30f 100644 --- a/debian/Dockerfile.rootless +++ b/debian/Dockerfile.rootless 
@@ -79,11 +79,11 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt. COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf -COPY debian/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh -COPY debian/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh -COPY debian/entrypoint/passbolt/env.sh /passbolt/env.sh -COPY debian/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh -COPY debian/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh +COPY scripts/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh +COPY scripts/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh +COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh +COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh +COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh COPY scripts/wait-for.sh /usr/bin/wait-for.sh EXPOSE 8080 4433 diff --git a/scripts/entrypoint/.shellspec-basedir b/scripts/entrypoint/.shellspec-basedir new file mode 100644 index 0000000..e69de29 diff --git a/debian/entrypoint/docker-entrypoint.rootless.sh b/scripts/entrypoint/docker-entrypoint.rootless.sh similarity index 100% rename from debian/entrypoint/docker-entrypoint.rootless.sh rename to scripts/entrypoint/docker-entrypoint.rootless.sh diff --git a/debian/entrypoint/docker-entrypoint.sh b/scripts/entrypoint/docker-entrypoint.sh similarity index 100% rename from debian/entrypoint/docker-entrypoint.sh rename to scripts/entrypoint/docker-entrypoint.sh diff --git a/debian/entrypoint/passbolt/deprecated_paths.sh b/scripts/entrypoint/passbolt/deprecated_paths.sh similarity index 100% rename from debian/entrypoint/passbolt/deprecated_paths.sh rename to scripts/entrypoint/passbolt/deprecated_paths.sh 
diff --git a/debian/entrypoint/passbolt/entropy.sh b/scripts/entrypoint/passbolt/entropy.sh similarity index 100% rename from debian/entrypoint/passbolt/entropy.sh rename to scripts/entrypoint/passbolt/entropy.sh diff --git a/debian/entrypoint/passbolt/entrypoint-rootless.sh b/scripts/entrypoint/passbolt/entrypoint-rootless.sh similarity index 100% rename from debian/entrypoint/passbolt/entrypoint-rootless.sh rename to scripts/entrypoint/passbolt/entrypoint-rootless.sh diff --git a/debian/entrypoint/passbolt/entrypoint.sh b/scripts/entrypoint/passbolt/entrypoint.sh similarity index 100% rename from debian/entrypoint/passbolt/entrypoint.sh rename to scripts/entrypoint/passbolt/entrypoint.sh diff --git a/debian/entrypoint/passbolt/env.sh b/scripts/entrypoint/passbolt/env.sh similarity index 100% rename from debian/entrypoint/passbolt/env.sh rename to scripts/entrypoint/passbolt/env.sh diff --git a/debian/entrypoint/spec/entrypoint_spec.sh b/spec/shell/entrypoint/entrypoint_spec.sh similarity index 93% rename from debian/entrypoint/spec/entrypoint_spec.sh rename to spec/shell/entrypoint/entrypoint_spec.sh index cf3d487..49ae0bb 100644 --- a/debian/entrypoint/spec/entrypoint_spec.sh +++ b/spec/shell/entrypoint/entrypoint_spec.sh @@ -12,7 +12,7 @@ Describe "secret_file_to_path function" export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="/tmp/public.key" } Before "environment" - Include "./lib/entrypoint.sh" + Include "./entrypoint/passbolt/env.sh" It "should create the symlink to the secret file" When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc' 
@@ -24,7 +24,7 @@ Describe "secret_file_to_path function" export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="NOT_A_FILE" } Before "environment" - Include "./lib/entrypoint.sh" + Include "./entrypoint/passbolt/env.sh" It "should NOT create the symlink to the secret file" When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc' The status should be success @@ -48,7 +48,7 @@ EOF } Before "environment" After "cleanup" - Include "./lib/entrypoint.sh" + Include "./entrypoint/passbolt/env.sh" It "should return an error because none of the variables are empty" When call env_from_file 'DATASOURCES_DEFAULT_USERNAME' The status should be failure @@ -65,7 +65,7 @@ EOF } Before "environment" - Include "./lib/entrypoint.sh" + Include "./entrypoint/passbolt/env.sh" After "cleanup" It "should set the right value on the DATASOURCES_DEFAULT_PASSWORD variable using the DATASOURCES_DEFAULT_PASSWORD_FILE variable" function check() { @@ -83,7 +83,7 @@ EOF export DATASOURCES_DEFAULT_PASSWORD="password" } Before "environment" - Include "./lib/entrypoint.sh" + Include "./entrypoint/passbolt/env.sh" It "should not change the DATASOURCES_DEFAULT_PASSWORD if it is set" function check() { env_from_file 'DATASOURCES_DEFAULT_PASSWORD' @@ -95,4 +95,5 @@ EOF When call check The status should be success End + End diff --git a/debian/entrypoint/spec/rootless_spec.sh b/spec/shell/entrypoint/rootless_spec.sh similarity index 93% rename from debian/entrypoint/spec/rootless_spec.sh rename to spec/shell/entrypoint/rootless_spec.sh index 5e5037b..e3b1c02 100644 --- a/debian/entrypoint/spec/rootless_spec.sh +++ b/spec/shell/entrypoint/rootless_spec.sh 
@@ -12,7 +12,7 @@ Describe "secret_file_to_path function from rootless lib" export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="/tmp/public.key" } Before "environment" - Include "./lib/entrypoint-rootless.sh" + Include "./entrypoint/passbolt/env.sh" It "should create the symlink to the secret file" When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc' @@ -24,7 +24,7 @@ Describe "secret_file_to_path function from rootless lib" export PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE="NOT_A_FILE" } Before "environment" - Include "./lib/entrypoint-rootless.sh" + Include "./entrypoint/passbolt/env.sh" It "should NOT create the symlink to the secret file" When call secret_file_to_path 'PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE' '/etc/passbolt/gpg/serverkey.asc' The status should be success @@ -48,7 +48,7 @@ EOF } Before "environment" After "cleanup" - Include "./lib/entrypoint-rootless.sh" + Include "./entrypoint/passbolt/env.sh" It "should return an error because none of the variables are empty" When call env_from_file 'DATASOURCES_DEFAULT_USERNAME' The status should be failure @@ -65,7 +65,7 @@ EOF } Before "environment" - Include "./lib/entrypoint-rootless.sh" + Include "./entrypoint/passbolt/env.sh" After "cleanup" It "should set the right value on the DATASOURCES_DEFAULT_PASSWORD variable using the DATASOURCES_DEFAULT_PASSWORD_FILE variable" function check() { @@ -83,7 +83,7 @@ EOF export DATASOURCES_DEFAULT_PASSWORD="password" } Before "environment" - Include "./lib/entrypoint-rootless.sh" + Include "./entrypoint/passbolt/env.sh" It "should not change the DATASOURCES_DEFAULT_PASSWORD if it is set" function check() { env_from_file 'DATASOURCES_DEFAULT_PASSWORD' diff --git a/debian/entrypoint/spec/spec_helper.sh b/spec/spec_helper.sh similarity index 100% rename from debian/entrypoint/spec/spec_helper.sh rename to spec/spec_helper.sh