Merge branch 'pr/apanzerj/444'

bnfinet · bnfinet · commit a901c3f927d0 · 2021-12-06T16:11:31.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@
 
 Coming soon! Please document any work in progress here as part of your PR. It will be moved to the next tag when released.
 
+## v0.36.0
+
+- [run Docker containers as non-root user](https://github.com/vouch/vouch-proxy/pull/444)
+
+Permissions may need to be adjusted for `/config/secret` and `/config/config.yml` in Docker environemnts. See the [README](https://github.com/vouch/vouch-proxy#running-from-docker)
+
 ## v0.35.1
 
 - [include DocumentRoot if configured in error pages](https://github.com/vouch/vouch-proxy/pull/439)
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,19 @@
-# voucher/vouch-proxy
+# quay.io/vouch/vouch-proxy
 # https://github.com/vouch/vouch-proxy
 FROM golang:1.16 AS builder
 
+ARG UID=999
+ARG GID=999
 LABEL maintainer="vouch@bnf.net"
 
 RUN mkdir -p ${GOPATH}/src/github.com/vouch/vouch-proxy
 WORKDIR ${GOPATH}/src/github.com/vouch/vouch-proxy
 
+RUN groupadd -g $GID vouch \
+    && useradd --system vouch --uid=$UID --gid=$GID
+
 COPY . .
 
-# RUN go-wrapper download  # "go get -d -v ./..."
-# RUN ./do.sh build    # see `do.sh` for vouch build details
-# RUN go-wrapper install # "go install -v ./..."
 
 RUN ./do.sh goget
 RUN ./do.sh gobuildstatic # see `do.sh` for vouch-proxy build details
@@ -20,7 +22,12 @@ RUN ./do.sh install
 FROM scratch
 LABEL maintainer="vouch@bnf.net"
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
 COPY --from=builder /go/bin/vouch-proxy /vouch-proxy
+
+USER vouch
+
 EXPOSE 9090
 ENTRYPOINT ["/vouch-proxy"]
 HEALTHCHECK --interval=1m --timeout=5s CMD [ "/vouch-proxy", "-healthcheck" ]
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -1,7 +1,9 @@
-# voucher/vouch-proxy
+# quay.io/vouch/vouch-proxy
 # https://github.com/vouch/vouch-proxy
 FROM golang:1.16 AS builder
 
+ARG UID=999
+ARG GID=999
 LABEL maintainer="vouch@bnf.net"
 
 RUN mkdir -p ${GOPATH}/src/github.com/vouch/vouch-proxy
@@ -13,6 +15,9 @@ RUN ./do.sh goget
 RUN ./do.sh gobuildstatic # see `do.sh` for vouch-proxy build details
 RUN ./do.sh install
 
+RUN groupadd -g $GID vouch \
+    && useradd --system vouch --uid=$UID --gid=$GID
+
 FROM alpine:latest
 LABEL maintainer="vouch@bnf.net"
 ENV VOUCH_ROOT=/
@@ -22,7 +27,12 @@ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certifi
 RUN apk add --no-cache bash
 COPY do.sh /do.sh
 
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
 COPY --from=builder /go/bin/vouch-proxy /vouch-proxy
+
+USER vouch
+
 EXPOSE 9090
 ENTRYPOINT ["/vouch-proxy"]
 HEALTHCHECK --interval=1m --timeout=5s CMD [ "/vouch-proxy", "-healthcheck" ]
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ Vouch Proxy supports many OAuth and OIDC login providers and can enforce authent
 - [OAuth2 Server Library for PHP](https://github.com/vouch/vouch-proxy/issues/99)
 - [HomeAssistant](https://developers.home-assistant.io/docs/en/auth_api.html)
 - [OpenStax](https://github.com/vouch/vouch-proxy/pull/141)
+- [Ory Hydra](https://github.com/vouch/vouch-proxy/issues/288)
 - [Nextcloud](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html)
 - most other OpenID Connect (OIDC) providers
 
@@ -317,6 +318,8 @@ docker run -d \
     quay.io/vouch/vouch-proxy
 ```
 
+As of `v0.36.0` the docker process in the container runs as user `vouch` with UID 999 and GID 999. You may need to set the permissions of `/config/config.yml` and `/config/secret` to correspond to be readable by this user, or otherwise use `docker run --user $UID:$GID ...` or perhaps build the docker container from source and use the available ARGs for UID and GID.
+
 Automated container builds for each Vouch Proxy release are available from [quay.io](https://quay.io/repository/vouch/vouch-proxy). Each release produces..
 
 a minimal go binary container built from `Dockerfile`
diff --git a/do.sh b/do.sh
@@ -11,8 +11,8 @@ if [ -z "$VOUCH_ROOT" ]; then
   export VOUCH_ROOT=${GOPATH}/src/github.com/vouch/vouch-proxy/
 fi
 
-IMAGE=voucher/vouch-proxy:latest
-ALPINE=voucher/vouch-proxy:alpine
+IMAGE=quay.io/vouch/vouch-proxy:latest
+ALPINE=quay.io/vouch/vouch-proxy:alpine-latest
 GOIMAGE=golang:1.16
 NAME=vouch-proxy
 HTTPPORT=9090
@@ -394,7 +394,7 @@ usage() {
      $0 bug_report domain.com [badstr2..]  - print config file and log removing secrets and each provided string
      $0 gogo [gocmd]                       - run, build, any go cmd
      $0 stats                              - simple metrics (lines of code in project, number of go files)
-     $0 watch [cmd]                        - watch the $CWD for any change and re-reun the [cmd]
+     $0 watch [cmd]                        - watch the \$CWD for any change and re-reun the [cmd] (defaults to 'go run main.go')
      $0 license [file]                     - apply the license to the file
 
   do is like make
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
@@ -20,6 +20,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"os/user"
 	"path"
 	"path/filepath"
 	"reflect"
@@ -193,6 +194,7 @@ func Configure() {
 
 	if !didConfigFromEnv && configFileErr != nil {
 		// then it's probably config file not found
+		logSysInfo()
 		log.Fatal(configFileErr)
 	}
 
@@ -207,7 +209,6 @@ func Configure() {
 	if *CmdLine.port != -1 {
 		Cfg.Port = *CmdLine.port
 	}
-
 	logConfigIfDebug()
 }
 
@@ -285,6 +286,7 @@ func parseConfigFile() error {
 	}
 	err := viper.ReadInConfig() // Find and read the config file
 	if err != nil {             // Handle errors reading the config file
+
 		return fmt.Errorf("%w: %s", errConfigNotFound, err)
 	}
 
@@ -677,3 +679,44 @@ func SigningKey() (interface{}, error) {
 
 	return key, nil
 }
+
+// Check that we have read permission for this file
+// https://stackoverflow.com/questions/60128401/how-to-check-if-a-file-is-executable-in-go
+func canRead(file string) bool {
+	stat, err := os.Stat(file)
+	if err != nil {
+		log.Debug(err)
+		return false
+	}
+
+	m := stat.Mode()
+	return m&0400 != 0
+}
+
+// detect if we're in a docker environment
+func isDocker() bool {
+	return canRead("/.dockerenv")
+}
+
+func logSysInfo() {
+	if isDocker() {
+		log.Warn("detected Docker environment, beware of Docker userid and permissions changes in v0.36.0")
+	}
+	u, err := user.Current()
+	if err != nil {
+		log.Error(err)
+	}
+	g, err := user.LookupGroupId(u.Gid)
+	if err != nil {
+		log.Error(err)
+	}
+	p, err := os.FindProcess(os.Getpid())
+	if err != nil {
+		log.Error(err)
+	}
+	exe, err := os.Executable()
+	if err != nil {
+		log.Error(err)
+	}
+	log.Debugf("%s was executed as '%s' (pid: %d) running as user %s (uid: %s) with group %s (gid: %s)", Branding.FullName, exe, p.Pid, u.Username, u.Uid, g.Name, u.Gid)
+}
diff --git a/pkg/cfg/jwt.go b/pkg/cfg/jwt.go
@@ -35,7 +35,8 @@ func getOrGenerateJWTSecret() string {
 		b = []byte(rstr)
 		err = ioutil.WriteFile(secretFile, b, 0600)
 		if err != nil {
-			log.Debug(err)
+			log.Error(err)
+			logSysInfo()
 		}
 	}
 	return string(b)

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,8 @@ func getOrGenerateJWTSecret() string {`
`35`	`35`	`b = []byte(rstr)`
`36`	`36`	`err = ioutil.WriteFile(secretFile, b, 0600)`
`37`	`37`	`if err != nil {`
`38`		`- log.Debug(err)`
	`38`	`+ log.Error(err)`
	`39`	`+ logSysInfo()`
`39`	`40`	`}`
`40`	`41`	`}`
`41`	`42`	`return string(b)`