From c1c6b161f032471e5391451afd9665fabf028fbd Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Mon, 15 Jul 2024 14:56:56 +0200
Subject: [PATCH] refactor(ct): change security related variable names for clarity

Variable names related to user, password, and domain in Dockerfile and scripts have been modified for better clarity and consistency. This includes changing the names of admin user and password, domain master password, and Linux password and user.
---
 .../container-base/src/main/docker/Dockerfile | 35 ++++++++++---------
 .../docker/scripts/init_1_change_passwords.sh | 28 +++++++--------
 .../main/docker/scripts/startInForeground.sh | 16 ++++-----
 3 files changed, 41 insertions(+), 38 deletions(-)

diff --git a/modules/container-base/src/main/docker/Dockerfile b/modules/container-base/src/main/docker/Dockerfile
index f9360c13bb6..29078e6896c 100644
--- a/modules/container-base/src/main/docker/Dockerfile
+++ b/modules/container-base/src/main/docker/Dockerfile
@@ -41,16 +41,18 @@ ENV PAYARA_DIR="${HOME_DIR}/appserver" \
 STORAGE_DIR="/dv" \
 SECRETS_DIR="/secrets" \
 DUMPS_DIR="/dumps" \
- ADMIN_USER="admin" \
+ PAYARA_ADMIN_USER="admin" \
 # This is a public default, easy to change via this env var at runtime
- ADMIN_PASSWORD="admin" \
+ PAYARA_ADMIN_PASSWORD="admin" \
 DOMAIN_NAME="domain1" \
 # This is the public default as per https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Security%20Guide/Administering%20System%20Security.html#to-change-the-master-password
 # Can be changed at runtime via this env var
- DOMAIN_MASTER_PASSWORD="changeit" \
+ DOMAIN_PASSWORD="changeit" \
 PAYARA_ARGS="" \
+ LINUX_USER="payara" \
+ LINUX_GROUP="payara" \
 # This is a public default and can be changed at runtime using this env var
- LINUX_USER_PASSWORD="payara"
+ LINUX_PASSWORD="payara"
 ENV PATH="${PATH}:${PAYARA_DIR}/bin:${SCRIPT_DIR}" \
 DOMAIN_DIR="${PAYARA_DIR}/glassfish/domains/${DOMAIN_NAME}" \
 DEPLOY_PROPS="" \
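Review bot: A deployment that still sets `ADMIN_PASSWORD`, `DOMAIN_MASTER_PASSWORD` or `LINUX_USER_PASSWORD` will, after this ENV rename, run with the public defaults (`admin`, `changeit`, `payara`), and the only signal is the existing "IMPORTANT" line in the container log. Since the old names are simply no longer read, consider failing fast in init_1_change_passwords.sh when one of them is present, e.g. `if [ -n "${ADMIN_PASSWORD:-}" ]; then echo "ADMIN_PASSWORD was renamed to PAYARA_ADMIN_PASSWORD" >&2; exit 1; fi`, and likewise for the other two. `LINUX_USER` and `LINUX_GROUP` also become ENV values here, yet `USER ${LINUX_USER}` in the -243 hunk is resolved at build time, so a comment such as `# build-time only: changing LINUX_USER at runtime does not change the account` would help. The ENV instruction begins above this hunk.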
@@ -77,6 +79,7 @@ ARG GID=1000 # Auto-populated by BuildKit / buildx #ARG TARGETARCH="amd64" ARG TARGETARCH + USER root WORKDIR / SHELL ["/bin/bash", "-euo", "pipefail", "-c"] @@ -90,13 +93,13 @@ RUN <> /tmp/password-change-file.txt - asadmin --user=${ADMIN_USER} --passwordfile=/tmp/password-change-file.txt change-admin-password --domain_name=${DOMAIN_NAME} + echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> /tmp/password-change-file.txt + asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=/tmp/password-change-file.txt change-admin-password --domain_name=${DOMAIN_NAME} # Prepare shorthand PASSWORD_FILE=$(mktemp) - echo "AS_ADMIN_PASSWORD=${ADMIN_PASSWORD}" >> ${PASSWORD_FILE} - ASADMIN="${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE}" + echo "AS_ADMIN_PASSWORD=${PAYARA_ADMIN_PASSWORD}" >> ${PASSWORD_FILE} + ASADMIN="${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PASSWORD_FILE}" # Start domain for configuration ${ASADMIN} start-domain ${DOMAIN_NAME} @@ -243,7 +246,7 @@ USER root RUN true && \ chgrp -R 0 "${DOMAIN_DIR}" && \ chmod -R g=u "${DOMAIN_DIR}" -USER payara +USER ${LINUX_USER} # Set the entrypoint to tini (as a process supervisor) ENTRYPOINT ["/usr/bin/dumb-init", "--"] diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh index 07dd90a1b98..0bf9d0b80fb 100644 --- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh +++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh 
@@ -7,23 +7,23 @@ set -euo pipefail
 # Someone set the env var for passwords - get the new password in. Otherwise print warning.
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
-if [ "$LINUX_USER_PASSWORD" != "payara" ]; then
- echo -e "payara\n$LINUX_USER_PASSWORD\n$LINUX_USER_PASSWORD" | passwd
+if [ "$LINUX_PASSWORD" != "payara" ]; then
+ echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
 else
- echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER payara! ('payara')"
- echo " To change the password, set the LINUX_USER_PASSWORD env var."
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+ echo " To change the password, set the LINUX_PASSWORD env var."
 fi
 # Change the domain admin password if necessary
-if [ "$ADMIN_PASSWORD" != "admin" ]; then
+if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
 PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
- echo "AS_ADMIN_NEWPASSWORD=${ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
- asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
+ echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
 rm "$PASSWORD_FILE"
 else
- echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ASADMIN! ('admin')"
- echo " To change the password, set the ADMIN_PASSWORD env var."
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+ echo " To change the password, set the PAYARA_ADMIN_PASSWORD env var."
 fi
 # Change the domain master password if necessary
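Review bot: The first value piped into `passwd` looks like the account's current password rather than its name, so replacing the literal `payara` with `$LINUX_USER` only works while the user name and the default password happen to be the same string. The old line sent `payara`, which is the default the surrounding `if` compares against; with any other `LINUX_USER` the change would presumably be rejected and, under `set -euo pipefail`, abort the init script. Keep the current password explicit and drop `echo -e`, which also interprets backslash sequences inside the new password: `printf '%s\n' 'payara' "$LINUX_PASSWORD" "$LINUX_PASSWORD" | passwd`. A one-line comment above it, `# passwd reads: current password, new password, new password again`, would document the order.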
@@ -31,13 +31,13 @@ fi
 # > Instead, Payara Server strictly uses the master password to ONLY encrypt the keystore and truststore used to store keys and certificates for the DAS and instances usage.
 # It will be requested when booting the application server!
 # https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Security%20Guide/Administering%20System%20Security.html#to-change-the-master-password
-if [ "$DOMAIN_MASTER_PASSWORD" != "changeit" ]; then
+if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
 PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
- echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_MASTER_PASSWORD}" >> "$PASSWORD_FILE"
- asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
+ echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
 rm "$PASSWORD_FILE"
 else
- echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN MASTER PASSWORD FOR THE DOMAIN! ('changeit')"
- echo " To change the password, set the DOMAIN_MASTER_PASSWORD env var."
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
+ echo " To change the password, set the DOMAIN_PASSWORD env var."
 fi
diff --git a/modules/container-base/src/main/docker/scripts/startInForeground.sh b/modules/container-base/src/main/docker/scripts/startInForeground.sh
index 262cadd9aca..fa7d533b0d1 100644
--- a/modules/container-base/src/main/docker/scripts/startInForeground.sh
+++ b/modules/container-base/src/main/docker/scripts/startInForeground.sh
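Review bot: When `asadmin ... change-master-password` fails, `rm "$PASSWORD_FILE"` is never reached, because the script runs under `set -euo pipefail` (shown with the previous hunk), and the temp file holding the old and new master password stays on disk. The `change-admin-password` block in the previous hunk has the same gap. Registering the cleanup right after `mktemp` closes it: `trap 'rm -f -- "$PASSWORD_FILE"' EXIT`. If this script turns out to be sourced by the entrypoint rather than executed, an explicit `asadmin ... || { rm -f -- "$PASSWORD_FILE"; exit 1; }` would be the safer form.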
@@ -32,9 +32,9 @@ ##########################################################################################################
 # Check required variables are set
-if [ -z "$ADMIN_USER" ]; then echo "Variable ADMIN_USER is not set."; exit 1; fi
-if [ -z "$ADMIN_PASSWORD" ]; then echo "Variable ADMIN_PASSWORD is not set."; exit 1; fi
-if [ -z "$DOMAIN_MASTER_PASSWORD" ]; then echo "Variable DOMAIN_MASTER_PASSWORD is not set."; exit 1; fi
+if [ -z "$PAYARA_ADMIN_USER" ]; then echo "Variable ADMIN_USER is not set."; exit 1; fi
+if [ -z "$PAYARA_ADMIN_PASSWORD" ]; then echo "Variable ADMIN_PASSWORD is not set."; exit 1; fi
+if [ -z "$DOMAIN_PASSWORD" ]; then echo "Variable DOMAIN_PASSWORD is not set."; exit 1; fi
 if [ -z "$PREBOOT_COMMANDS_FILE" ]; then echo "Variable PREBOOT_COMMANDS_FILE is not set."; exit 1; fi
 if [ -z "$POSTBOOT_COMMANDS_FILE" ]; then echo "Variable POSTBOOT_COMMANDS_FILE is not set."; exit 1; fi
 if [ -z "$DOMAIN_NAME" ]; then echo "Variable DOMAIN_NAME is not set."; exit 1; fi
@@ -46,10 +46,10 @@ fi
 # For safety reasons, do no longer expose the passwords - malicious code could extract it!
 # (We need to save the master password for booting the server though)
-MASTER_PASSWORD="${DOMAIN_MASTER_PASSWORD}"
-export LINUX_USER_PASSWORD="have-some-scrambled-eggs"
-export ADMIN_PASSWORD="have-some-scrambled-eggs"
-export DOMAIN_MASTER_PASSWORD="have-some-scrambled-eggs"
+MASTER_PASSWORD="${DOMAIN_PASSWORD}"
+export LINUX_PASSWORD="have-some-scrambled-eggs"
+export PAYARA_ADMIN_PASSWORD="have-some-scrambled-eggs"
+export DOMAIN_PASSWORD="have-some-scrambled-eggs"
 # The following command gets the command line to be executed by start-domain
 # - print the command line to the server with --dry-run, each argument on a separate line
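Review bot: In the -32 hunk the first two checks test `PAYARA_ADMIN_USER` and `PAYARA_ADMIN_PASSWORD` but still print the old names, so an operator who follows the message would set a variable the script no longer reads. Only the `DOMAIN_PASSWORD` message was updated. Change them to `echo "Variable PAYARA_ADMIN_USER is not set." >&2` and `echo "Variable PAYARA_ADMIN_PASSWORD is not set." >&2`; sending these diagnostics to stderr would suit the other checks in the block as well.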
@@ -66,7 +66,7 @@ PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_MASTERPASSWORD=$MASTER_PASSWORD" > "$PASSWORD_FILE"
 # shellcheck disable=SC2068 # -- Using $@ is necessary here as asadmin cannot deal with options enclosed in ""!
-OUTPUT=$("${PAYARA_DIR}"/bin/asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" start-domain --dry-run --prebootcommandfile="${PREBOOT_COMMANDS_FILE}" --postbootcommandfile="${POSTBOOT_COMMANDS_FILE}" $@ "$DOMAIN_NAME")
+OUTPUT=$("${PAYARA_DIR}"/bin/asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" start-domain --dry-run --prebootcommandfile="${PREBOOT_COMMANDS_FILE}" --postbootcommandfile="${POSTBOOT_COMMANDS_FILE}" $@ "$DOMAIN_NAME")
 STATUS=$?
 rm "$PASSWORD_FILE"
 if [ "$STATUS" -ne 0 ]