Merge branch 'feature/non-root-tests' into 'develop'

Feature/non root tests See merge request passbolt/passbolt_docker!129
2021-03-12 11:11:41 +00:00 · 2021-03-12 11:11:41 +00:00 · 4d9078cfcc
parent 7c921f4da1 d3fd5b2d37
commit 4d9078cfcc
9 changed files with 47 additions and 31 deletions
--- a/conf/supervisor/cron.conf.rootless
+++ b/conf/supervisor/cron.conf.rootless
@ -1,5 +1,5 @@
 [program:cron]
-command=/usr/local/bin/supercronic /etc/cron.d/passbolt-ce-server
+command=/usr/local/bin/supercronic /etc/cron.d/__PASSBOLT_PACKAGE__
 autostart=true
 priority=20
 stdout_logfile=/dev/stdout
--- a/debian/Dockerfile.rootless
+++ b/debian/Dockerfile.rootless
@ -34,6 +34,8 @@ RUN apt-get update \
    && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
    && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic

+COPY conf/supervisor/cron.conf.rootless /etc/supervisor/conf.d/cron.conf
+
 RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
    && rm /etc/nginx/sites-enabled/default \
    && cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
@ -66,9 +68,9 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
    && chown -R www-data:0 /var/log/supervisor \
    && touch /var/www/.profile \
    && chown www-data:www-data /var/www/.profile \
-    && sed -i 's,www-data\s,,' /etc/cron.d/$PASSBOLT_PKG
+    && sed -i 's,www-data\s,,' /etc/cron.d/$PASSBOLT_PKG \
+    && sed -i "s,__PASSBOLT_PACKAGE__,$PASSBOLT_PKG," /etc/supervisor/conf.d/cron.conf

-COPY conf/supervisor/cron.conf.rootless /etc/supervisor/conf.d/cron.conf
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
 COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
 COPY debian/bin/docker-entrypoint.sh.rootless /docker-entrypoint.sh
--- a/docker-compose-pro.yml
+++ b/docker-compose-pro.yml
@ -10,9 +10,9 @@ services:
      - "127.0.0.1:3306:3306"

  passbolt:
-    image: passbolt/passbolt:3.0.1-pro
+    image: passbolt/passbolt:latest-pro
    #Alternatively you can use rootless:
-    #image: passbolt/passbolt:3.0.0-pro-non-root
+    #image: passbolt/passbolt:latest-pro-non-root
    tty: true
    depends_on:
      - db
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -10,9 +10,9 @@ services:
      - "127.0.0.1:3306:3306"

  passbolt:
-    image: passbolt/passbolt:3.0.1-ce
+    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
-    #image: passbolt/passbolt:3.0.0-ce-non-root
+    #image: passbolt/passbolt:latest-ce-non-root
    tty: true
    depends_on:
      - db
--- a/env/passbolt.env
+++ b/env/passbolt.env
@ -1,7 +1,5 @@
 # URL
 APP_FULL_BASE_URL=https://passbolt.local
-# For rootless images
-#APP_FULL_BASE_URL=https://passbolt.local:4433

 # Database settings
 DATASOURCES_DEFAULT_HOST=db
--- a/spec/docker_image/image_spec.rb
+++ b/spec/docker_image/image_spec.rb
@ -11,7 +11,7 @@ describe 'Dockerfile' do
      'PASSBOLT_GPG_KEYRING'         => '/var/lib/passbolt/.gnupg'
    }

-    @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => 'debian/Dockerfile' })
+    @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => $dockerfile })
    set :docker_image, @image.id
    set :docker_container_create_options, { 'Cmd' => '/bin/sh' }
  end
@ -28,7 +28,7 @@ describe 'Dockerfile' do
  let(:passbolt_tmp)    { '/var/lib/passbolt/tmp' }
  let(:passbolt_image)  { "#{passbolt_home}/webroot/img/public" }
  let(:passbolt_owner)  { 'www-data' }
-  let(:exposed_ports)   { [ '80', '443' ] }
+  let(:exposed_ports)   { [ $http_port, $https_port ] }
  let(:php_extensions)  { [
    'gd', 'intl', 'json', 'mysqlnd', 'xsl', 'phar',
    'posix', 'xml', 'zlib', 'ctype', 'pdo', 'gnupg', 'pdo_mysql'
@ -55,6 +55,10 @@ describe 'Dockerfile' do
    end
  end

+  describe file($cron_service) do
+    it { should exist and be_executable }
+  end
+
  describe 'wait-for' do
    it 'is installed' do
      expect(file(wait_for)).to exist and be_executable
@ -99,7 +103,7 @@ describe 'Dockerfile' do
    end

    it 'has the correct permissions' do
-      expect(file(nginx_conf)).to be_owned_by 'root'
+      expect(file(nginx_conf)).to be_owned_by $root_user
    end
  end

@ -109,16 +113,12 @@ describe 'Dockerfile' do
    end

    it 'has the correct permissions' do
-      expect(file(site_conf)).to be_owned_by 'root'
+      expect(file(site_conf)).to be_owned_by $root_user
    end

    it 'points to the correct root folder' do
      expect(file(site_conf).content).to match "root #{passbolt_home}/webroot"
    end
-
-    it 'has server tokens off' do
-      expect(file(nginx_conf).content).to match(/^\s+server_tokens off;/)
-    end
  end

  describe 'ports exposed' do
--- a/spec/docker_runtime/runtime_spec.rb
+++ b/spec/docker_runtime/runtime_spec.rb
@ -24,7 +24,7 @@ describe 'passbolt_api service' do
      sleep 1
    end

-    @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => 'debian/Dockerfile' })
+    @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => $dockerfile })
    @container = Docker::Container.create(
      'Env' => [
        "DATASOURCES_DEFAULT_HOST=#{@mysql.json['NetworkSettings']['IPAddress']}",
@ -48,7 +48,7 @@ describe 'passbolt_api service' do

  let(:passbolt_host)     { @container.json['NetworkSettings']['IPAddress'] }
  let(:uri)               { "/healthcheck/status.json" }
-  let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/#{uri}" }
+  let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }

  describe 'php service' do
    it 'is running supervised' do
@ -67,12 +67,12 @@ describe 'passbolt_api service' do
      expect(service('nginx')).to be_running.under('supervisor')
    end

-    it 'is listening on port 80' do
-      expect(@container.json['Config']['ExposedPorts']).to have_key('80/tcp')
+    it "is listening on port #{$http_port}" do
+      expect(@container.json['Config']['ExposedPorts']).to have_key("#{$http_port}/tcp")
    end

-    it 'is listening on port 443' do
-      expect(@container.json['Config']['ExposedPorts']).to have_key('443/tcp')
+    it "is listening on port #{$https_port}" do
+      expect(@container.json['Config']['ExposedPorts']).to have_key("#{$https_port}/tcp")
    end
  end

@ -90,13 +90,13 @@ describe 'passbolt_api service' do
  end

  describe 'hide information' do
-    let(:curl) { "curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}/" }
+    let(:curl) { "curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/" }
    it 'hides php version' do
      expect(command("#{curl} | grep 'X-Powered-By: PHP'").stdout).to be_empty
    end

    it 'hides nginx version' do
-      expect(command("#{curl} | grep 'server:'").stdout.strip).to match(/^server:\s+nginx$/)
+      expect(command("#{curl} | grep 'server:'").stdout.strip).to match(/^server:\s+nginx.*$/)
    end
  end

--- a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb
+++ b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb
@ -24,7 +24,7 @@ describe 'passbolt_api service' do
      sleep 1
    end

-    @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => 'debian/Dockerfile' })
+    @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => $dockerfile })

    @container = Docker::Container.create(
      'Env' => [
@ -47,7 +47,7 @@ describe 'passbolt_api service' do

  let(:passbolt_host)     { @container.json['NetworkSettings']['IPAddress'] }
  let(:uri)               { "/healthcheck/status.json" }
-  let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/#{uri}" }
+  let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }

  describe 'php service' do
    it 'is running supervised' do
@ -67,11 +67,11 @@ describe 'passbolt_api service' do
    end

    it 'is listening on port 80' do
-      expect(@container.json['Config']['ExposedPorts']).to have_key('80/tcp')
+      expect(@container.json['Config']['ExposedPorts']).to have_key("#{$http_port}/tcp")
    end

    it 'is listening on port 443' do
-      expect(@container.json['Config']['ExposedPorts']).to have_key('443/tcp')
+      expect(@container.json['Config']['ExposedPorts']).to have_key("#{$https_port}/tcp")
    end
  end

@ -89,13 +89,13 @@ describe 'passbolt_api service' do
  end

  describe 'hide information' do
-    let(:curl) { "curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}/" }
+    let(:curl) { "curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/" }
    it 'hides php version' do
      expect(command("#{curl} | grep 'X-Powered-By: PHP'").stdout).to be_empty
    end

    it 'hides nginx version' do
-      expect(command("#{curl} | grep 'server:'").stdout.strip).to match(/^server:\s+nginx$/)
+      expect(command("#{curl} | grep 'server:'").stdout.strip).to match(/^server:\s+nginx.*$/)
    end
  end

--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -4,7 +4,23 @@ require 'docker'
 ROOT_DOCKERFILES = File.expand_path('../../', __FILE__)
 FIXTURES_PATH    = File::expand_path("fixtures", File::dirname(__FILE__))

+$cron_binary = '/usr/sbin/cron'
+$dockerfile = 'debian/Dockerfile'
+$http_port = '80'
+$https_port = '443'
+$root_user = 'root'
+
 set :backend, :docker
 Docker.options[:read_timeout]  = 3600
 Docker.options[:write_timeout] = 3600

+if ENV['ROOTLESS'] == "true"
+  $cron_binary = '/usr/local/bin/supercronic'
+  $dockerfile = 'debian/Dockerfile.rootless'
+  $http_port = '8080'
+  $https_port = '4433'
+  # Where www-data has to be the owner instead of root
+  $root_user = 'www-data'
+end
+
+puts($root_user)