diff --git a/.gitignore b/.gitignore index 21f1ca3..4285565 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,5 @@ conf/*.key src .ruby-version + +.bundle diff --git a/Gemfile.lock b/Gemfile.lock index 73aff83..4d786f6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,45 +1,45 @@ GEM remote: https://rubygems.org/ specs: - coderay (1.1.2) - diff-lcs (1.3) - docker-api (1.34.2) + coderay (1.1.3) + diff-lcs (1.4.4) + docker-api (2.0.0) excon (>= 0.47.0) multi_json - excon (0.73.0) + excon (0.79.0) method_source (1.0.0) - multi_json (1.14.1) - net-scp (2.0.0) - net-ssh (>= 2.6.5, < 6.0.0) - net-ssh (5.2.0) + multi_json (1.15.0) + net-scp (3.0.0) + net-ssh (>= 2.6.5, < 7.0.0) + net-ssh (6.1.0) net-telnet (0.1.1) - pry (0.13.1) + pry (0.14.0) coderay (~> 1.1) method_source (~> 1.0) - rake (13.0.1) - rspec (3.9.0) - rspec-core (~> 3.9.0) - rspec-expectations (~> 3.9.0) - rspec-mocks (~> 3.9.0) - rspec-core (3.9.1) - rspec-support (~> 3.9.1) - rspec-expectations (3.9.1) + rake (13.0.3) + rspec (3.10.0) + rspec-core (~> 3.10.0) + rspec-expectations (~> 3.10.0) + rspec-mocks (~> 3.10.0) + rspec-core (3.10.1) + rspec-support (~> 3.10.0) + rspec-expectations (3.10.1) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.9.0) + rspec-support (~> 3.10.0) rspec-its (1.3.0) rspec-core (>= 3.0.0) rspec-expectations (>= 3.0.0) - rspec-mocks (3.9.1) + rspec-mocks (3.10.2) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.9.0) - rspec-support (3.9.2) + rspec-support (~> 3.10.0) + rspec-support (3.10.2) serverspec (2.41.5) multi_json rspec (~> 3.0) rspec-its specinfra (~> 2.72) sfl (2.3) - specinfra (2.82.15) + specinfra (2.82.23) net-scp net-ssh (>= 2.7) net-telnet (= 0.1.1) @@ -47,6 +47,7 @@ GEM PLATFORMS ruby + x86_64-linux DEPENDENCIES docker-api @@ -55,4 +56,4 @@ DEPENDENCIES serverspec BUNDLED WITH - 1.17.2 + 2.2.6 diff --git a/debian/Dockerfile b/debian/Dockerfile index 26c3fba..d398861 100644 --- a/debian/Dockerfile +++ b/debian/Dockerfile 
@@ -11,11 +11,6 @@ ARG PASSBOLT_DISTRO="buster" ARG PASSBOLT_COMPONENT="stable" ARG PASSBOLT_PKG=passbolt-ce-server -ARG PASSBOLT_REPO_URL="https://download.passbolt.com/ce/debian" -ARG PASSBOLT_DISTRO="buster" -ARG PASSBOLT_COMPONENT="stable" -ARG PASSBOLT_PKG=passbolt-ce-server - RUN apt-get update \ && DEBIAN_FRONTEND=non-interactive apt-get -y install \ ca-certificates \ @@ -27,6 +22,7 @@ RUN apt-get update \ nginx \ $PASSBOLT_PKG \ supervisor \ + curl \ && rm /etc/nginx/sites-enabled/default \ && mkdir /run/php \ && cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \ @@ -36,6 +32,7 @@ RUN apt-get update \ && sed -i 's,__CERT_PATH__,/etc/ssl/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \ && sed -i 's,__KEY_PATH__,/etc/ssl/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \ && sed -i 's,www-data.*$,www-data exec /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron",' /etc/cron.d/$PASSBOLT_PKG \ + && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \ && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \ && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \ && ln -sf /dev/stderr /var/log/passbolt/error.log \ diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb index 92fa81c..8bb736b 100644 --- a/spec/docker_image/image_spec.rb +++ b/spec/docker_image/image_spec.rb 
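Review bot: `curl \` is added to the permanent apt-get install list of the runtime image, and the only consumer visible in this diff is the spec suite's `command(curl)` probes, so the shipped image gains a general-purpose HTTP client that a compromised www-data process can use for outbound transfers or fetching tooling. If it exists only for tests, install it from the spec or behind a build ARG that defaults to off; if it backs a container healthcheck, say so in a comment on that line so nobody removes it later. Unrelated to this commit but visible as context in the same hunk: `DEBIAN_FRONTEND=non-interactive` is not the value apt/debconf recognise (`noninteractive`), so that assignment is currently a no-op. The RUN instruction continues past the end of the hunk.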
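Review bot: The added `sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf` assumes the distro file still carries the commented `# server_tokens off;` line; if a later package ships it absent, already enabled, or spelled differently, `sed -i` exits 0 having changed nothing and the image keeps advertising its nginx version until the runtime spec happens to catch it. Make the build fail instead by following the substitution with `&& grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off;' /etc/nginx/nginx.conf`. The pattern is also unanchored, so it would uncomment any line containing `# server_tokens`; `s/^\(\s*\)# *server_tokens off;/\1server_tokens off;/` limits the edit to the intended directive. Hiding the version only trims the `Server` header and error pages and is no substitute for keeping nginx patched. The RUN instruction continues beyond this hunk.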
@@ -8,30 +8,29 @@ describe 'Dockerfile' do 'DATASOURCES_DEFAULT_PASSWORD' => 'P4ssb0lt', 'DATASOURCES_DEFAULT_USERNAME' => 'passbolt', 'DATASOURCES_DEFAULT_DATABASE' => 'passbolt', - 'PASSBOLT_GPG_KEYRING' => '/var/lib/nginx/.gnupg' + 'PASSBOLT_GPG_KEYRING' => '/var/lib/passbolt/.gnupg' } - @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES) + @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => 'debian/Dockerfile' }) set :docker_image, @image.id set :docker_container_create_options, { 'Cmd' => '/bin/sh' } end let(:nginx_conf) { '/etc/nginx/nginx.conf' } - let(:php_conf) { '/usr/local/etc/php-fpm.d/expose.conf' } - let(:site_conf) { '/etc/nginx/conf.d/default.conf' } + let(:php_conf) { '/etc/php/7.3/fpm/php.ini' } + let(:site_conf) { '/etc/nginx/sites-enabled/nginx-passbolt.conf' } let(:supervisor_conf) do [ '/etc/supervisor/conf.d/nginx.conf', '/etc/supervisor/conf.d/php.conf', '/etc/supervisor/conf.d/cron.conf' ] end - let(:passbolt_home) { '/var/www/passbolt' } - let(:passbolt_tmp) { '/var/www/passbolt/tmp' } - let(:passbolt_image) { '/var/www/passbolt/webroot/img/public' } + let(:passbolt_home) { '/usr/share/php/passbolt' } + let(:passbolt_tmp) { '/var/lib/passbolt/tmp' } + let(:passbolt_image) { "#{passbolt_home}/webroot/img/public" } let(:passbolt_owner) { 'www-data' } let(:exposed_ports) { [ '80', '443' ] } - let(:composer) { '/usr/local/bin/composer'} let(:php_extensions) { [ - 'curl', 'gd', 'intl', 'json', 'mcrypt', 'mysqlnd', 'xsl', 'phar', + 'gd', 'intl', 'json', 'mysqlnd', 'xsl', 'phar', 'posix', 'xml', 'zlib', 'ctype', 'pdo', 'gnupg', 'pdo_mysql' ] } let(:wait_for) { '/usr/bin/wait-for.sh' } @@ -44,12 +43,6 @@ describe 'Dockerfile' do end end - describe 'php composer' do - it 'is not installed' do - expect(file(composer)).to_not exist - end - end - describe 'supervisor' do it 'is installed' do expect(package('supervisor')).to be_installed 
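Review bot: The environment now points `PASSBOLT_GPG_KEYRING` at `/var/lib/passbolt/.gnupg`, but nothing in this spec asserts who owns that directory or what mode it has, even though the server's private key is what ends up inside it. If the package creates the directory at build time (confirm against the image), add to the ownership examples `expect(file('/var/lib/passbolt/.gnupg')).to be_owned_by(passbolt_owner)` and `expect(file('/var/lib/passbolt/.gnupg')).to be_mode('700')`, which is also what GnuPG itself insists on. The `describe 'Dockerfile'` block enclosing this hunk starts before it.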
@@ -62,12 +55,6 @@ describe 'Dockerfile' do end end - describe 'mariadb-client' do - it 'is installed' do - expect(package('mariadb-client')).to be_installed - end - end - describe 'wait-for' do it 'is installed' do expect(file(wait_for)).to exist and be_executable @@ -82,17 +69,17 @@ describe 'Dockerfile' do end it 'must be owned by correct user' do - expect(file(passbolt_home)).to be_owned_by(passbolt_owner) + expect(file(passbolt_home)).to be_owned_by('root') expect(file(passbolt_tmp)).to be_owned_by(passbolt_owner) expect(file(passbolt_image)).to be_owned_by(passbolt_owner) end it 'must have the correct permissions on tmp' do - expect(file(passbolt_tmp)).to be_mode('775') + expect(file(passbolt_tmp)).to be_mode('755') end it 'must have the correct permissions on img' do - expect(file(passbolt_image)).to be_mode('775') + expect(file(passbolt_image)).to be_mode('755') end end @@ -102,7 +89,7 @@ describe 'Dockerfile' do end it 'does not expose php version' do - expect(file(php_conf).content).to match(/^php_flag\[expose_php\]\s+=\s+off$/) + expect(file(php_conf).content).to match(/^expose_php\s+=\s+Off$/) end end @@ -126,7 +113,7 @@ describe 'Dockerfile' do end it 'points to the correct root folder' do - expect(file(site_conf).content).to match 'root /var/www/passbolt/webroot' + expect(file(site_conf).content).to match "root #{passbolt_home}/webroot" end it 'has server tokens off' do diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index 6578e38..972fadb 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -24,7 +24,7 @@ describe 'passbolt_api service' do sleep 1 end - @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES) + @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => 'debian/Dockerfile' }) @container = Docker::Container.create( 'Env' => [ "DATASOURCES_DEFAULT_HOST=#{@mysql.json['NetworkSettings']['IPAddress']}", 
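Review bot: `passbolt_home` is now asserted to be root-owned, which is the right hardening direction, but no mode is asserted for it, so a root-owned tree that is group- or world-writable would still pass the suite; `expect(file(passbolt_home)).to be_mode('755')` (or whatever mode the package actually installs — confirm) closes that gap. `be_owned_by` checks only the user, so for `passbolt_tmp` and `passbolt_image`, which dropped from `775` to `755`, an accompanying `be_grouped_into(passbolt_owner)` would pin down that the write access really is limited to the intended account. The describe block enclosing these examples starts before the hunk.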
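Review bot: The new regex `/^expose_php\s+=\s+Off$/` is stricter than php's ini parser: the value is case-insensitive and whitespace around `=` is optional, so a perfectly valid `expose_php=off` written by a config-management tool would fail this example even though the header is hidden, and a trailing space would too. Use `to match(/^\s*expose_php\s*=\s*off\s*$/i)`. Also, `php_conf` (set earlier in the file to the FPM `php.ini`) is only one of the files FPM loads; any `conf.d/*.ini` setting `expose_php = On` overrides it, so a runtime check that the `X-Powered-By` header is absent would be the authoritative test and this one should be read as a lint. The describe block starts before the hunk.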
@@ -54,10 +54,6 @@ describe 'passbolt_api service' do it 'is running supervised' do expect(service('php-fpm')).to be_running.under('supervisor') end - - it 'has its port open' do - expect(@container.json['Config']['ExposedPorts']).to have_key('9000/tcp') - end end describe 'email cron' do @@ -86,28 +82,8 @@ describe 'passbolt_api service' do end end - describe 'passbolt serverkey unaccessible' do - let(:uri) { '/config/gpg/serverkey.asc' } - it "returns 404" do - expect(command(curl).stdout).to eq '404' - end - end - - describe 'passbolt serverkey private unaccessible' do - let(:uri) { '/config/gpg/serverkey_private.asc' } - it 'returns 404' do - expect(command(curl).stdout).to eq '404' - end - end - - describe 'passbolt conf unaccessible' do - let(:uri) { '/config/app.php' } - it 'returns 404' do - expect(command(curl).stdout).to eq '404' - end - end - describe 'passbolt tmp folder is unaccessible' do - let(:uri) { '/tmp/cache/database/empty' } + describe 'can not access outside webroot' do + let(:uri) { '/vendor/autoload.php' } it 'returns 404' do expect(command(curl).stdout).to eq '404' end @@ -120,7 +96,7 @@ describe 'passbolt_api service' do end it 'hides nginx version' do - expect(command("#{curl} | grep 'Server:'").stdout.strip).to match(/^Server:\s+nginx$/) + expect(command("#{curl} | grep 'server:'").stdout.strip).to match(/^server:\s+nginx$/) end end diff --git a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb index 3672732..1709459 100644 --- a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb +++ b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb 
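Review bot: Deleting the `/config/gpg/serverkey.asc`, `/config/gpg/serverkey_private.asc` and `/config/app.php` probes removes the only tests that the server's private GPG key and configuration are not served, and the single replacement `/vendor/autoload.php` probe does not cover them. With the package layout the config presumably lives under `/etc/passbolt` (the no-envs spec bind-mounts `/etc/passbolt/passbolt.php`) and the keyring under `/var/lib/passbolt/.gnupg`, so these files may be outside the document root by construction, but a future `root`/`alias` change or a symlinked `config/` directory would reintroduce the exposure unnoticed. Keep at least `describe 'passbolt serverkey private unaccessible' do` with `let(:uri) { '/config/gpg/serverkey_private.asc' }` and the same 404 expectation, and add a `/config/passbolt.php` probe next to the vendor one. The `curl` helper and the enclosing describe are defined outside this hunk.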
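Review bot: `grep 'server:'` is case-sensitive, and curl prints header names in lowercase only for HTTP/2 responses; over HTTP/1.1 nginx sends `Server: nginx`, the grep emits nothing, and the example fails for a reason unrelated to version disclosure. Make the check protocol-independent with `grep -i 'server:'` and `to match(/^server:\s+nginx$/i)`. The `curl` helper that determines which protocol is negotiated is defined outside the hunk.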
@@ -24,13 +24,13 @@ describe 'passbolt_api service' do sleep 1 end - @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES) + @image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => 'debian/Dockerfile' }) @container = Docker::Container.create( 'Env' => [ "DATASOURCES_DEFAULT_HOST=#{@mysql.json['NetworkSettings']['IPAddress']}", ], - 'Binds' => [ "#{FIXTURES_PATH + '/passbolt.php'}:/var/www/passbolt/config/passbolt.php" ], + 'Binds' => [ "#{FIXTURES_PATH + '/passbolt.php'}:/etc/passbolt/passbolt.php" ], 'Image' => @image.id) @container.start @@ -53,10 +53,6 @@ describe 'passbolt_api service' do it 'is running supervised' do expect(service('php-fpm')).to be_running.under('supervisor') end - - it 'has its port open' do - expect(@container.json['Config']['ExposedPorts']).to have_key('9000/tcp') - end end describe 'email cron' do @@ -85,28 +81,8 @@ describe 'passbolt_api service' do end end - describe 'passbolt serverkey unaccessible' do - let(:uri) { '/config/gpg/serverkey.asc' } - it "returns 404" do - expect(command(curl).stdout).to eq '404' - end - end - - describe 'passbolt serverkey private unaccessible' do - let(:uri) { '/config/gpg/serverkey_private.asc' } - it 'returns 404' do - expect(command(curl).stdout).to eq '404' - end - end - - describe 'passbolt conf unaccessible' do - let(:uri) { '/config/app.php' } - it 'returns 404' do - expect(command(curl).stdout).to eq '404' - end - end - describe 'passbolt tmp folder is unaccessible' do - let(:uri) { '/tmp/cache/database/empty' } + describe 'can not access outside webroot' do + let(:uri) { '/vendor/autoload.php' } it 'returns 404' do expect(command(curl).stdout).to eq '404' end @@ -119,7 +95,7 @@ describe 'passbolt_api service' do end it 'hides nginx version' do - expect(command("#{curl} | grep 'Server:'").stdout.strip).to match(/^Server:\s+nginx$/) + expect(command("#{curl} | grep 'server:'").stdout.strip).to match(/^server:\s+nginx$/) end end
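Review bot: As in the main runtime spec, the three `/config/...` 404 probes are dropped here and only `/vendor/autoload.php` remains, so this no-envs variant also loses its only check that the private server key and configuration are not reachable over HTTP. Since this spec itself bind-mounts the config at `/etc/passbolt/passbolt.php`, the files may well be outside the document root now, but that is an accident of layout rather than something the nginx config is tested to enforce. Keep `let(:uri) { '/config/gpg/serverkey_private.asc' }` with its 404 expectation and add a `/config/passbolt.php` probe beside the vendor one. The `curl` helper and the enclosing describe are defined outside this hunk.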
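Review bot: The switch to `grep 'server:'` is case-sensitive and only matches the lowercase header names curl prints for HTTP/2; an HTTP/1.1 response carries `Server: nginx`, the grep output is empty, and the example fails without saying anything about version disclosure. Use `grep -i 'server:'` together with `to match(/^server:\s+nginx$/i)` so the assertion holds regardless of the negotiated protocol. The `curl` helper is defined outside the hunk.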