[ADF-4158] improved Docker image security (#4371)

* improved Docker image security * remove layer duplication * update scripts
2025-05-12 17:04:57 +00:00 · 2019-03-04 11:18:32 +00:00 · 2019-03-04 11:18:32 +00:00 · d6f856f1c5
commit d6f856f1c5
parent bbf1f20439
4 changed files with 105 additions and 4 deletions
--- a/39
+++ b/39
@ -1,6 +1,41 @@
-FROM nginx:alpine
+# 1. Generate licenses

-COPY demo-shell/nginx.conf /etc/nginx/nginx.conf
+FROM node:11.9-alpine AS builder
+WORKDIR /usr/src/alfresco
+COPY package.json package.json
+
+RUN mkdir -p ./licenses && \
+  yarn licenses list > ./licenses/licenses.txt && \
+  yarn licenses generate-disclaimer > ./licenses/disclaimer.txt
+
+# 2. Generate image
+
+FROM nginx:stable-alpine
+LABEL version="3.0.0"
+
+ARG GROUPNAME=Alfresco
+ARG GROUPID=1000
+ARG USERNAME=adf
+ARG USERID=33011
+
+ARG BUILD_NUMBER
+
+COPY ./docker/nginx.conf /etc/nginx/nginx.conf
+COPY ./docker/entrypoint.sh /

 WORKDIR /usr/share/nginx/html
 COPY demo-shell/dist/ .
+COPY --from=builder /usr/src/alfresco/licenses ./licenses
+
+RUN addgroup -g ${GROUPID} ${GROUPNAME} && \
+  adduser -S -u ${USERID} -G ${GROUPNAME} -s "/bin/bash" ${USERNAME} && \
+  chown -R ${USERNAME}:${GROUPNAME} ./${BUILD_NUMBER}/app.config.json && \
+  chown -R ${USERNAME}:${GROUPNAME} /var/cache/nginx && \
+  touch /var/run/nginx.pid && \
+  chown -R ${USERNAME}:${GROUPNAME} /var/run/nginx.pid && \
+  chmod +x /entrypoint.sh && \
+  chown -R ${USERNAME}:${GROUPNAME} /entrypoint.sh
+
+EXPOSE 8080
+USER ${USERNAME}
+ENTRYPOINT [ "/entrypoint.sh" ]
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -0,0 +1,60 @@
+#!/bin/sh
+
+if [ -n "${APP_CONFIG_AUTH_TYPE}" ];then
+  sed -e "s/\"authType\": \".*\"/\"authType\": \"${APP_CONFIG_AUTH_TYPE}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_HOST}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_HOST//\//$replace}
+  sed -e "s/\"host\": \".*\"/\"host\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_CLIENTID}" ];then
+  sed -e "s/\"clientId\": \".*\"/\"clientId\": \"${APP_CONFIG_OAUTH2_CLIENTID}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}" ];then
+ sed "/implicitFlow/s/true/${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}/" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_SILENT_LOGIN}" ];then
+ sed "/silentLogin/s/true/${APP_CONFIG_OAUTH2_SILENT_LOGIN}/" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI//\//$replace}
+  sed -e "s/\"redirectSilentIframeUri\": \".*\"/\"redirectSilentIframeUri\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_LOGIN}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_REDIRECT_LOGIN//\//$replace}
+  sed -e "s/\"redirectUri\": \".*\"/\"redirectUri\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_LOGOUT}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_REDIRECT_LOGOUT//\//$replace}
+  sed -e "s/\"redirectUriLogout\": \".*\"/\"redirectUriLogout\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [[ $ACSURL ]]; then
+  sed -i s%{protocol}//{hostname}{:port}%"$ACSURL"%g /usr/share/nginx/html/app.config.json
+fi
+
+if [ -n "${APP_BASE_SHARE_URL}" ];then
+  sed -e "s/\"baseShareUrl\": \".*\"/\"baseShareUrl\": \"${APP_BASE_SHARE_URL}\"/g" \
+    -i ./app.config.json
+fi
+
+nginx -g "daemon off;"
--- a/demo-shell/nginx.conf
+++ b/demo-shell/nginx.conf
@ -6,7 +6,7 @@ events {

 http {
    server {
-        listen 80;
+        listen 8080;
        server_name  localhost;

        root   /usr/share/nginx/html;
@ -22,6 +22,12 @@ http {
            try_files $uri $uri/ /index.html;
        }

+        location ~ \.html$ {
+            add_header Cache-Control "private, no-cache, no-store, must-revalidate";
+            add_header Expires "Sat, 01 Jan 2000 00:00:00 GMT";
+            add_header Pragma no-cache;
+        }
+
        location ~ ^/[a-zA-Z0-9_-]+/ {
            try_files $uri $uri/ /index.html;
        }
--- a/scripts/pr-publish.sh
+++ b/scripts/pr-publish.sh
@ -40,7 +40,7 @@ cd $DIR/..

 echo "====== PUBLISH DOCKER IMAGE TAG pr $NAME_PR ====="

-docker build -t $DOCKER_REPO/adf/demo-shell:$NAME_PR .
+docker build -t $DOCKER_REPO/adf/demo-shell:$NAME_PR --build-arg BUILD_NUMBER=$NAME_PR .

 echo "====== LOGIN  ====="
 docker login http://$DOCKER_REPO -p $PASSWORD_DOCKER -u $USERNAME_DOCKER