From 66fa785f2717689f60fe7294594625c997db0911 Mon Sep 17 00:00:00 2001
From: Daniel Del Rio
Date: Tue, 23 Feb 2021 11:57:52 +0000
Subject: [PATCH] Fix cron
---
 conf/supervisor/cron.conf | 2 +-
 debian/Dockerfile.rootless | 26 +++--
 debian/bin/docker-entrypoint.sh | 2 -
 debian/bin/docker-entrypoint.sh.rootless | 141 +++++++++++++++++++++++
 4 files changed, 160 insertions(+), 11 deletions(-)
 create mode 100755 debian/bin/docker-entrypoint.sh.rootless
diff --git a/conf/supervisor/cron.conf b/conf/supervisor/cron.conf
index 07bce67..d2b105d 100644
--- a/conf/supervisor/cron.conf
+++ b/conf/supervisor/cron.conf
@@ -1,5 +1,5 @@
 [program:cron]
-command=/bin/bash -c "declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' > /etc/environment; cron -f -l"
+command=/usr/local/bin/supercronic /etc/cron.d/passbolt-ce-server
 autostart=true
 priority=20
 stdout_logfile=/dev/stdout
diff --git a/debian/Dockerfile.rootless b/debian/Dockerfile.rootless
index 9a1fd7a..254337d 100644
--- a/debian/Dockerfile.rootless
+++ b/debian/Dockerfile.rootless
@@ -2,15 +2,20 @@
 FROM debian:buster-slim
 LABEL maintainer="Passbolt SA "
 
-ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
-ENV PHP_VERSION=7.3
-ENV GNUPGHOME=/var/lib/passbolt/.gnupg
-
+ARG SUPERCRONIC_ARCH=amd64
 ARG PASSBOLT_REPO_URL="https://download.passbolt.com/ce/debian"
 ARG PASSBOLT_DISTRO="buster"
 ARG PASSBOLT_COMPONENT="stable"
 ARG PASSBOLT_PKG=passbolt-ce-server
+ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
+ENV PHP_VERSION=7.3
+ENV GNUPGHOME=/var/lib/passbolt/.gnupg
+ENV SUPERCRONIC_VERSION=0.1.12
+ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v${SUPERCRONIC_VERSION}/supercronic-linux-${SUPERCRONIC_ARCH} \
+ SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH} \
+ SUPERCRONIC_SHA1SUM=048b95b48b708983effb2e5c935a1ef8483d9e3e
+
 
 RUN apt-get update \
 && DEBIAN_FRONTEND=non-interactive apt-get -y install \
 ca-certificates \
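Review bot: The crontab path in the new `command=` line is hard-coded to `/etc/cron.d/passbolt-ce-server`, while the Dockerfile hunks in this same patch derive that file from the `PASSBOLT_PKG` build argument (`sed -i ... /etc/cron.d/$PASSBOLT_PKG`); a build that overrides `PASSBOLT_PKG` leaves supercronic pointing at a file that does not exist, and supervisor would restart it until its retry limit is reached. Supervisor config cannot see build ARGs, so the practical fix is to give the transformed crontab a package-independent name in the Dockerfile (for example `/etc/cron.d/passbolt`, a constructed name) and reference that fixed path here, `command=/usr/local/bin/supercronic /etc/cron.d/passbolt`. Supercronic, as far as I know, writes its own scheduler log to stderr; this hunk only shows `stdout_logfile`, so it is worth confirming the rest of the `[program:cron]` block (outside the hunk) also routes `stderr_logfile`, otherwise job output is captured but scheduler errors end up only in supervisor's child log directory.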
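Review bot: `SUPERCRONIC_SHA1SUM` is a fixed ENV value while the artifact it verifies is chosen by the `SUPERCRONIC_ARCH` build argument, so `--build-arg SUPERCRONIC_ARCH=arm64` downloads a different binary and the `sha1sum -c` in the next hunk fails the build; that fails closed, which is the right outcome, but it makes the ARG unusable on its own. Declaring the digest as an ARG beside the arch, `ARG SUPERCRONIC_SHA1SUM=048b95b48b708983effb2e5c935a1ef8483d9e3e`, lets a build override both together while keeping the amd64 pin as the default. `SUPERCRONIC_URL`, `SUPERCRONIC` and `SUPERCRONIC_SHA1SUM` are also only consumed by the download step in the following hunk, yet as ENV they persist into every container's runtime environment; ARG would scope them to the build, and the same applies to `SUPERCRONIC_VERSION` unless something at runtime reads it.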
@@ -21,7 +26,13 @@ RUN apt-get update \
 && DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
 nginx \
 $PASSBOLT_PKG \
- supervisor
+ supervisor \
+ curl \
+ && curl -fsSLO "$SUPERCRONIC_URL" \
+ && echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
+ && chmod +x "$SUPERCRONIC" \
+ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
 
 RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
 && rm /etc/nginx/sites-enabled/default \
@@ -55,11 +66,10 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
 && chown -R www-data:0 /var/log/supervisor \
 && touch /var/www/.profile \
 && chown www-data:www-data /var/www/.profile \
- && sed -i 's,www-data.*$,www-data exec /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron",' /etc/cron.d/$PASSBOLT_PKG \
- && crontab /etc/cron.d/$PASSBOLT_PKG
+ && sed -i 's,www-data\s,,' /etc/cron.d/$PASSBOLT_PKG
 
 COPY conf/supervisor/*.conf /etc/supervisor/conf.d/
-COPY debian/bin/docker-entrypoint.sh /docker-entrypoint.sh
+COPY debian/bin/docker-entrypoint.sh.rootless /docker-entrypoint.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
 EXPOSE 8080 4443
diff --git a/debian/bin/docker-entrypoint.sh b/debian/bin/docker-entrypoint.sh
index 0eddac9..5c1f803 100755
--- a/debian/bin/docker-entrypoint.sh
+++ b/debian/bin/docker-entrypoint.sh
@@ -138,6 +138,4 @@ install
 
 echo -e "$deprecation_message"
-echo -e "$deprecation_message"
-
 
 exec /usr/bin/supervisord -n
diff --git a/debian/bin/docker-entrypoint.sh.rootless b/debian/bin/docker-entrypoint.sh.rootless
new file mode 100755
index 0000000..7a6ced1
--- /dev/null
+++ b/debian/bin/docker-entrypoint.sh.rootless
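Review bot: `curl -fsSLO "$SUPERCRONIC_URL"` writes the download into the build's current directory and the following `chmod`/`mv` lines use the same bare relative name, so the step silently depends on no `WORKDIR` having been set earlier in the Dockerfile (none is visible in these hunks); the `RUN` this belongs to starts outside the hunk. Downloading straight to the absolute destination and verifying the digest against that path removes the dependency and the extra `mv`. The `curl` package added to the install list stays in the final image after this single-use download; if nothing at runtime needs it, purging it at the end of the same `RUN` (or doing the fetch in a separate build stage) keeps the runtime image smaller, though whether anything else in the image relies on curl is not visible here.
```dockerfile
# … unchanged: apt-get install list ending with supervisor and curl …
    && curl -fsSL -o "/usr/local/bin/${SUPERCRONIC}" "$SUPERCRONIC_URL" \
    && echo "${SUPERCRONIC_SHA1SUM}  /usr/local/bin/${SUPERCRONIC}" | sha1sum -c - \
    && chmod +x "/usr/local/bin/${SUPERCRONIC}" \
    && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
```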
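Review bot: `sed -i 's,www-data\s,,'` in the second hunk of this file is unanchored, so it deletes every `www-data` followed by whitespace anywhere in `/etc/cron.d/$PASSBOLT_PKG`, not only the user column of the schedule entry; if the command part of an entry, or a comment line, ever contains that token it is altered too. Anchoring the substitution to the user column, assuming the entry uses the five standard time fields, confines it to what is intended: `sed -i -E 's,^(([^[:blank:]]+[[:blank:]]+){5})www-data[[:blank:]]+,\1,' /etc/cron.d/$PASSBOLT_PKG`. The edit also rewrites a package-owned file in place under `/etc/cron.d`; if the cron package is still installed from before this change (the old supervisor entry ran `cron -f`, so it presumably is), any system cron that is started would now see an entry without a user field, and a package upgrade that restores the file would put the user column back and break supercronic's parsing, so writing the transformed crontab to a path outside `/etc/cron.d` and pointing supercronic at that file would avoid both.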
@@ -0,0 +1,141 @@ +#!/usr/bin/env bash + +set -exo pipefail + +passbolt_config="/etc/passbolt" +gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}" +gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}" + +ssl_key='/etc/passbolt/certs/certificate.key' +ssl_cert='/etc/passbolt/certs/certificate.crt' + +deprecation_message="" + +entropy_check() { + local entropy_avail + + entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail) + + if [ "$entropy_avail" -lt 2000 ]; then + + cat < $gpg_private_key + gpg --homedir $GNUPGHOME --armor --export $key_email > $gpg_public_key +} + +gpg_import_key() { + gpg --homedir $GNUPGHOME --batch --import $gpg_public_key + gpg --homedir $GNUPGHOME --batch --import $gpg_private_key +} + +gen_ssl_cert() { + openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ + -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \ + -keyout $ssl_key -out $ssl_cert +} + +install() { + if [ ! -f "$passbolt_config/app.php" ]; then + cp $passbolt_config/app.default.php $passbolt_config/app.php + fi + + if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then + gpg_auto_fingerprint="$(gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:)" + export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint + fi + + /usr/share/php/passbolt/bin/cake passbolt install --no-admin || /usr/share/php/passbolt/bin/cake passbolt migrate && echo "Enjoy! 
☮" +} + +create_deprecation_message() { + deprecation_message+="\033[33;5;7mWARNING: $1 is deprecated, point your docker volume to $2\033[0m\n" +} + +check_deprecated_paths() { + declare -A deprecated_paths + local deprecated_avatar_path="/var/www/passbolt/webroot/img/public/Avatar" + local avatar_path="/usr/share/php/passbolt/webroot/img/public/Avatar" + local deprecated_subscription_path="/var/www/passbolt/webroot/img/public/Avatar" + local subscription_path="/etc/passbolt/license" + deprecated_paths=( + ['/var/www/passbolt/config/gpg/serverkey.asc']='/etc/passbolt/gpg/serverkey.asc' + ['/var/www/passbolt/config/gpg/serverkey_private.asc']='/etc/passbolt/gpg/serverkey_private.asc' + ) + + if [ -z "$PASSBOLT_GPG_SERVER_KEY_PUBLIC" ] || [ -z "$PASSBOLT_GPG_SERVER_KEY_PRIVATE" ]; then + for path in "${!deprecated_paths[@]}" + do + if [ -f "$path" ] && [ ! -f "${deprecated_paths[$path]}" ]; then + ln -s "$path" "${deprecated_paths[$path]}" + create_deprecation_message "$path" "${deprecated_paths[$path]}" + fi + done + fi + + if [ -d "$deprecated_avatar_path" ] && [ ! -d "$avatar_path" ]; then + ln -s "$deprecated_avatar_path" "$avatar_path" + create_deprecation_message "$deprecated_avatar_path" "$avatar_path" + fi + + if [ -f "$deprecated_subscription_path" ] && [ ! -f "$subscription_path" ]; then + ln -s "$deprecated_subscription_path" "$subscription_path" + create_deprecation_message "$deprecated_subscription_path" "$subscription_path" + fi +} + +check_deprecated_paths + +if [ ! -f "$gpg_private_key" ] || \ + [ ! -f "$gpg_public_key" ]; then + gpg_gen_key + gpg_import_key +else + gpg_import_key +fi + +if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \ + [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then + gen_ssl_cert +fi + +install + +echo -e "$deprecation_message" + +exec /usr/bin/supervisord -n
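Review bot: In check_deprecated_paths, `deprecated_subscription_path` is assigned the Avatar directory path, the same value as `deprecated_avatar_path`, so the `-f` test on it can never be true and the subscription/license symlink branch below it is dead code; it presumably should name the legacy license file, e.g. `local deprecated_subscription_path="<legacy-license-path>"` (placeholder, the old location is not on this page). The expansions `$GNUPGHOME`, `$gpg_public_key`, `$gpg_private_key`, `$ssl_key` and `$ssl_cert` in gpg_import_key and gen_ssl_cert are unquoted even though the key paths are caller-supplied through `PASSBOLT_GPG_SERVER_KEY_PRIVATE`/`PASSBOLT_GPG_SERVER_KEY_PUBLIC`; `gpg --homedir "$GNUPGHOME" --batch --import "$gpg_private_key"` and the like keep a path containing whitespace working. `set -exo pipefail` also enables command tracing for the whole entrypoint, so every expanded command line lands in the container log; nothing in the legible part of this hunk places secret material on a command line, but the stretch from entropy_check through gpg_gen_key is garbled in this copy (the heredoc and key-generation command are missing) and could not be checked, and `-u` is absent so a typo in a variable name is silently expanded to an empty string rather than reported.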