Run as non-root user (#30)

.github/workflows/lint-test-build.yml

@@ -77,3 +77,22 @@ jobs:
       contents: read
       id-token: write
     secrets: inherit
+
+  integration-tests:
+    needs: [build-push]
+    name: Integration tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Extract branch name as docker tag
+        shell: bash
+        run: |-
+          BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | sed 's/[^a-zA-Z0-9._-]//g' | awk '{print substr($0, length($0)-120)}')
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+        id: extract_branch
+      - name: Run tests
+        id: images
+        run: ./ci/run.sh
+        env:
+          DOCKER_REPOSITORY_BASE: us-docker.pkg.dev/${{ secrets.GCLOUD_PROJECT }}/public/scyllaridae
+          DOCKER_TAG: ${{steps.extract_branch.outputs.branch}}

Dockerfile

@@ -1,16 +1,39 @@
 FROM golang:1.22-alpine
 
+SHELL ["/bin/ash", "-o", "pipefail", "-c"]
+
+ENV GOSU_VERSION 1.17
+RUN apk add --no-cache --virtual .gosu-deps \
+		ca-certificates==20240705-r0 \
+		dpkg==1.22.6-r1 \
+		gnupg==2.4.5-r0 && \
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" && \
+	wget -q -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" && \
+	wget -q -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" && \
+	GNUPGHOME="$(mktemp -d)" && \
+	export GNUPGHOME && \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu && \
+	gpgconf --kill all && \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc && \
+	apk del --no-network .gosu-deps && \
+	chmod +x /usr/local/bin/gosu
+
 WORKDIR /app
 
-SHELL ["/bin/ash", "-o", "pipefail", "-c"]
+RUN adduser -S -G nobody scyllaridae
 
 RUN apk update && \
     apk add --no-cache \
       curl==8.9.0-r0 \
       bash==5.2.26-r0 \
       ca-certificates==20240705-r0 \
       openssl==3.3.1-r3
+
 COPY . ./
+
+RUN chown -R scyllaridae:nobody /app
+
 RUN go mod download && \
   go build -o /app/scyllaridae && \
   go clean -cache -modcache && \

ci/docker-compose.yml

@@ -0,0 +1,21 @@
+networks:
+    default:
+services:
+    fits:
+        image: islandora/fits:main
+    crayfits:
+        image: ${DOCKER_REPOSITORY_BASE}-fits:${DOCKER_TAG}
+    ffmpeg:
+        image: ${DOCKER_REPOSITORY_BASE}-ffmpeg:${DOCKER_TAG}
+    imagemagick:
+        image: ${DOCKER_REPOSITORY_BASE}-imagemagick:${DOCKER_TAG}
+    tesseract:
+        image: ${DOCKER_REPOSITORY_BASE}-tesseract:${DOCKER_TAG}
+    test:
+        image: alpine
+        command: sleep 300
+        environment:
+            DOCKER_REPOSITORY_BASE: ${DOCKER_REPOSITORY_BASE}
+            DOCKER_TAG: ${DOCKER_TAG}
+        volumes:
+            - ./test.sh:/test.sh

ci/run.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+SCRIPT_DIR=$(dirname "$(realpath "$0")")
+cd "$SCRIPT_DIR"
+docker compose up -d --quiet-pull 2>&1 > /dev/null
+
+docker exec ci-test-1 apk update 2>&1 > /dev/null
+docker exec ci-test-1 apk add bash curl file 2>&1 > /dev/null
+docker exec ci-test-1 /test.sh
+echo $?
+
+docker compose down 2>&1 > /dev/null
+docker compose rm 2>&1 > /dev/null

ci/test.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+hash() {
+  if command -v md5sum >/dev/null 2>&1; then
+    md5sum "$@"
+  else
+    md5 "$@"
+  fi
+}
+
+SERVICES=(
+  "tesseract"
+  "imagemagick"
+  "crayfits"
+  "ffmpeg"
+)
+for SERVICE in "${SERVICES[@]}"; do
+  URL="http://$SERVICE:8080/"
+  echo "Testing $SERVICE at $URL"
+
+  if [ "$SERVICE" == "crayfits" ]; then
+    curl -s -o fits.xml \
+        --header "Accept: application/xml" \
+        --header "Apix-Ldp-Resource: https://preserve.lehigh.edu/_flysystem/fedora/2024-01/384659.pdf" \
+        "$URL"
+    # check the md5 of that file exists in the FITS XML
+    grep c4b7c84671428767e3b0d9193c9c444b fits.xml | grep -q md5checksum && echo "FITS ran successfully"
+    rm fits.xml
+  elif [ "$SERVICE" == "ffmpeg" ]; then
+    curl -s -o image.jpg \
+        --header "X-Islandora-Args: -ss 00:00:45.000 -frames 1 -vf scale=720:-2" \
+        --header "Accept: image/jpeg" \
+        --header "Apix-Ldp-Resource: http://commondatastorage.googleapis.com/gtv-videos-bucket/sample/BigBuckBunny.mp4" \
+        "$URL"
+    hash image.jpg | grep fe7dd57460dbaf50faa38affde54b694
+    rm image.jpg
+  elif [ "$SERVICE" == "imagemagick" ]; then
+    curl -s -o image.png \
+        --header "Accept: image/png" \
+        --header "Apix-Ldp-Resource: https://preserve.lehigh.edu/_flysystem/fedora/2024-01/384659.pdf" \
+        "$URL"
+    file image.png | grep -q PNG && echo "PNG thumbnail created from PDF"
+    rm image.png
+  elif [ "$SERVICE" == "tesseract" ]; then
+    curl -s -o ocr.txt \
+        --header "Accept: text/plain" \
+        --header "Apix-Ldp-Resource: https://preserve.lehigh.edu/sites/default/files/2023-12/285660.jpg" \
+        "$URL"
+    grep -q Pyrases ocr.txt || exit 1
+    echo "Image OCR as expected"
+
+    curl -s -o ocr.txt \
+        --header "Accept: text/plain" \
+        --header "Apix-Ldp-Resource: https://preserve.lehigh.edu/_flysystem/fedora/2024-01/384659.pdf" \
+        "$URL"
+    grep "One time I was ridin' along on the mule" ocr.txt || exit 1
+    echo "PDF OCR as expected"
+    rm ocr.txt
+  else
+    echo "Unknown service"
+    exit 1
+  fi
+done

docker-entrypoint.sh

@@ -8,4 +8,4 @@ if [ -f /app/ca.pem ]; then
     update-ca-certificates
 fi
 
-exec /app/scyllaridae
+exec gosu scyllaridae /app/scyllaridae

examples/imagemagick/Dockerfile

@@ -3,6 +3,8 @@ ARG DOCKER_REPOSITORY=local
 FROM ${DOCKER_REPOSITORY}/scyllaridae:${TAG}
 
 RUN apk update && \
-    apk add --no-cache imagemagick==7.1.1.32-r2
+    apk add --no-cache \
+      imagemagick==7.1.1.32-r2 \
+      ghostscript==10.03.1-r0
 
 COPY scyllaridae.yml /app/scyllaridae.yml

examples/imagemagick/scyllaridae.yml

@@ -7,7 +7,7 @@ cmdByMimeType:
     args:
       - "pdf:-[0]"
       - "%args"
-      - "pdf:-"
+      - "%destination-mime-ext:-"
   default:
     cmd: convert
     args: