From fb45d7d7acbc587fe1e392cd602e4ce1524517f3 Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Tue, 14 Nov 2023 13:00:24 +0800 Subject: [PATCH 01/13] Added support for jwt based calls --- docs-web-common/pom.xml | 21 +++ .../com/sismics/feign/KeycloakClient.java | 10 ++ .../sismics/feign/model/KeycloakCertKey.java | 27 ++++ .../sismics/feign/model/KeycloakCertKeys.java | 18 +++ .../util/filter/JwtBasedSecurityFilter.java | 131 ++++++++++++++++++ docs-web/src/main/webapp/WEB-INF/web.xml | 11 ++ 6 files changed, 218 insertions(+) create mode 100644 docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java create mode 100644 docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java create mode 100644 docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java create mode 100644 docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java diff --git a/docs-web-common/pom.xml b/docs-web-common/pom.xml index c1ff6b9e5..9cbd5bb2c 100644 --- a/docs-web-common/pom.xml +++ b/docs-web-common/pom.xml @@ -68,6 +68,27 @@ org.slf4j jul-to-slf4j + + + io.github.openfeign + feign-okhttp + 13.0 + + + io.github.openfeign + feign-gson + 13.0 + + + io.github.openfeign + feign-slf4j + 13.0 + + + com.auth0 + java-jwt + 4.4.0 + diff --git a/docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java b/docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java new file mode 100644 index 000000000..ba5b5efe5 --- /dev/null +++ b/docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java @@ -0,0 +1,10 @@ +package com.sismics.feign; + +import com.sismics.feign.model.KeycloakCertKeys; +import feign.RequestLine; + +public interface KeycloakClient { + + @RequestLine("GET /protocol/openid-connect/certs") + KeycloakCertKeys getCert(); +} 
diff --git a/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java b/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java new file mode 100644 index 000000000..ef25544b4 --- /dev/null +++ b/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java @@ -0,0 +1,27 @@ +package com.sismics.feign.model; + +import java.util.List; + +public class KeycloakCertKey { + public String kid; + public List x5c; + + public KeycloakCertKey() { + } + + public List getX5c() { + return x5c; + } + + public void setX5c(List x5c) { + this.x5c = x5c; + } + + public String getKid() { + return kid; + } + + public void setKid(String kid) { + this.kid = kid; + } +} diff --git a/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java b/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java new file mode 100644 index 000000000..8cf387e12 --- /dev/null +++ b/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java @@ -0,0 +1,18 @@ +package com.sismics.feign.model; + +import java.util.List; + +public class KeycloakCertKeys { + public List keys; + + public KeycloakCertKeys() { + } + + public List getKeys() { + return keys; + } + + public void setKeys(List keys) { + this.keys = keys; + } +} diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java new file mode 100644 index 000000000..f7ece132a --- /dev/null +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java 
@@ -0,0 +1,131 @@ +package com.sismics.util.filter; + +import com.auth0.jwt.algorithms.Algorithm; +import com.auth0.jwt.JWT; +import com.auth0.jwt.exceptions.JWTVerificationException; +import com.auth0.jwt.impl.JWTParser; +import com.auth0.jwt.interfaces.DecodedJWT; +import com.auth0.jwt.interfaces.JWTVerifier; +import java.util.Base64; +import com.sismics.docs.core.constant.Constants; +import com.sismics.docs.core.dao.UserDao; +import com.sismics.docs.core.model.jpa.User; +import com.sismics.feign.KeycloakClient; +import feign.Feign; +import feign.gson.GsonDecoder; +import feign.gson.GsonEncoder; +import feign.okhttp.OkHttpClient; +import feign.slf4j.Slf4jLogger; +import jakarta.servlet.http.HttpServletRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.ByteArrayInputStream; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.interfaces.RSAPublicKey; +import java.util.Objects; +import java.util.UUID; + +import static java.util.Optional.ofNullable; + +/** + * This filter is used to authenticate the user having an active session by validating a jwt token. + * The filter extracts the jwt token stored from Authorization header. + * It validates the token by calling an Identity Broker like KeyCloak. + * If validated, the user is retrieved, and the filter injects a UserPrincipal into the request attribute. + * + * @author smitra + */ +public class JwtBasedSecurityFilter extends SecurityFilter { + private static final Logger log = LoggerFactory.getLogger(JwtBasedSecurityFilter.class); + /** + * Name of the cookie used to store the authentication token. 
+ */ + public static final String HEADER_NAME = "Authorization"; + + @Override + protected User authenticate(final HttpServletRequest request) { + log.info("Jwt authentication started"); + User user = null; + String token = extractAuthToken(request).replace("Bearer ", ""); + DecodedJWT jwt = JWT.decode(token); + if (verifyJwt(jwt, token)) { + String email = jwt.getClaim("preferred_username").toString(); + UserDao userDao = new UserDao(); + user = userDao.getActiveByUsername(email); + if (user == null) { + user = new User(); + user.setRoleId(Constants.DEFAULT_USER_ROLE); + user.setUsername(email); + user.setEmail(email); + user.setStorageQuota(10L); + user.setPassword(UUID.randomUUID().toString()); + try { + userDao.create(user, email); + log.info("user created"); + } catch (Exception e) { + log.info("Error:" + e.getMessage()); + return null; + } + } + } + return user; + } + + private boolean verifyJwt(final DecodedJWT jwt, final String token) { + + try { + buildJWTVerifier(jwt).verify(token); + // if token is valid no exception will be thrown + log.info("Valid TOKEN"); + return Boolean.TRUE; + } catch (CertificateException e) { + //if CertificateException comes from buildJWTVerifier() + log.info("InValid TOKEN"); + e.printStackTrace(); + return Boolean.FALSE; + } catch (JWTVerificationException e) { + // if JWT Token in invalid + log.info("InValid TOKEN"); + e.printStackTrace(); + return Boolean.FALSE; + } catch (Exception e) { + // If any other exception comes + log.info("InValid TOKEN, Exception Occurred"); + e.printStackTrace(); + return Boolean.FALSE; + } + } + + private String extractAuthToken(final HttpServletRequest request) { + return ofNullable(request.getHeader("Authorization")).orElse(""); + } + + private RSAPublicKey getPublicKey(DecodedJWT jwt) { + KeycloakClient client = Feign.builder() + .client(new OkHttpClient()) + .encoder(new GsonEncoder()) + .decoder(new GsonDecoder()) + .logLevel(feign.Logger.Level.BASIC) + .logger(new 
Slf4jLogger(KeycloakClient.class)) + .target(KeycloakClient.class, jwt.getIssuer()); + String publicKey = client.getCert().getKeys().stream().filter(k -> Objects.equals(k.getKid(), jwt.getKeyId())) + .findFirst() + .map(k -> k.getX5c().get(0)) + .orElse(""); + try { + var decode = Base64.getDecoder().decode(publicKey); + var certificate = CertificateFactory.getInstance("X.509") + .generateCertificate(new ByteArrayInputStream(decode)); + return (RSAPublicKey)certificate.getPublicKey(); + } catch (CertificateException ex) { + return null; + } + } + + private JWTVerifier buildJWTVerifier(DecodedJWT jwt) throws CertificateException { + var algo = Algorithm.RSA256(getPublicKey(jwt), null); + return JWT.require(algo).build(); + } +} diff --git a/docs-web/src/main/webapp/WEB-INF/web.xml b/docs-web/src/main/webapp/WEB-INF/web.xml index 720b328e4..e5c06e240 100644 --- a/docs-web/src/main/webapp/WEB-INF/web.xml +++ b/docs-web/src/main/webapp/WEB-INF/web.xml @@ -44,6 +44,12 @@ true + + jwtBasedSecurityFilter + com.sismics.util.filter.JwtBasedSecurityFilter + true + + headerBasedSecurityFilter com.sismics.util.filter.HeaderBasedSecurityFilter @@ -59,6 +65,11 @@ /api/* + + jwtBasedSecurityFilter + /api/* + + headerBasedSecurityFilter /api/* From b2b7dc2cb79744ba60369a3523a2b21a1cffa579 Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Wed, 15 Nov 2023 08:56:32 +0800 Subject: [PATCH 02/13] removed printstacktrace --- .../sismics/util/filter/JwtBasedSecurityFilter.java | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java index f7ece132a..79767e6da 100644 --- a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java 
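Review bot: `getPublicKey` builds the Feign target from `jwt.getIssuer()`, i.e. from the `iss` claim of a token that has not been verified yet, so anyone can mint a token whose `iss` points at a host they control, serve a JWKS with a matching `kid`, and have `buildJWTVerifier` accept their signature — and the same unverified value drives an outbound HTTP request to an arbitrary URL on every attempt. The trusted issuer must come from deployment configuration (an init-param or system property), be the only source of the JWKS URL, and be enforced with `JWT.require(algo).withIssuer(trustedIssuer)` (plus `.withAudience(...)` unless a public client is intended). Two smaller defects in `authenticate`: `jwt.getClaim("preferred_username").toString()` returns the claim's JSON rendering (quoted) in java-jwt 4.x rather than its value — `asString()` is the accessor — so the provisioned username would carry the quotes; and `JWT.decode(token)` runs outside any try block, so a missing or non-Bearer `Authorization` header throws `JWTDecodeException` out of the filter instead of returning `null`. The rewrite below pins the issuer, guards the header and uses `asString()`.
```java
// … unchanged: imports, class javadoc, HEADER_NAME …

/** Issuer URL this deployment trusts; comes from configuration, never from the token. */
private static final String TRUSTED_ISSUER = System.getProperty("docs.jwt_issuer");

@Override
protected User authenticate(final HttpServletRequest request) {
    String header = extractAuthToken(request);
    if (TRUSTED_ISSUER == null || !header.startsWith("Bearer ")) {
        return null;
    }
    String token = header.substring("Bearer ".length());
    DecodedJWT jwt;
    try {
        jwt = JWT.decode(token);
    } catch (JWTDecodeException e) {
        log.info("Malformed bearer token: {}", e.getMessage());
        return null;
    }
    if (!verifyJwt(jwt, token)) {
        return null;
    }
    String email = jwt.getClaim("preferred_username").asString();
    if (email == null) {
        return null;
    }
    // … unchanged: user lookup / provisioning …
}

private RSAPublicKey getPublicKey(DecodedJWT jwt) {
    // JWKS location is derived from the configured issuer, not from the token
    KeycloakClient client = Feign.builder()
            // … unchanged: client/encoder/decoder/logger …
            .target(KeycloakClient.class, TRUSTED_ISSUER);
    // … unchanged: kid lookup and X.509 parsing …
}

private JWTVerifier buildJWTVerifier(DecodedJWT jwt) throws CertificateException {
    var algo = Algorithm.RSA256(getPublicKey(jwt), null);
    return JWT.require(algo).withIssuer(TRUSTED_ISSUER).build();
}
```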
@@ -40,7 +40,7 @@ public class JwtBasedSecurityFilter extends SecurityFilter { private static final Logger log = LoggerFactory.getLogger(JwtBasedSecurityFilter.class); /** - * Name of the cookie used to store the authentication token. + * Name of the header used to store the authentication token. */ public static final String HEADER_NAME = "Authorization"; @@ -82,18 +82,15 @@ private boolean verifyJwt(final DecodedJWT jwt, final String token) { return Boolean.TRUE; } catch (CertificateException e) { //if CertificateException comes from buildJWTVerifier() - log.info("InValid TOKEN"); - e.printStackTrace(); + log.info("InValid TOKEN: " + e.getMessage()); return Boolean.FALSE; } catch (JWTVerificationException e) { // if JWT Token in invalid - log.info("InValid TOKEN"); - e.printStackTrace(); + log.info("InValid TOKEN: " + e.getMessage() ); return Boolean.FALSE; } catch (Exception e) { // If any other exception comes - log.info("InValid TOKEN, Exception Occurred"); - e.printStackTrace(); + log.info("InValid TOKEN, Exception Occurred: " + e.getMessage()); return Boolean.FALSE; } } From 65e2f3d0078db07e38d03e06bf28aea909d578fd Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Sun, 19 Nov 2023 14:17:54 +0800 Subject: [PATCH 03/13] Removed feign client and using okHttp instead --- docs-web-common/pom.xml | 16 +---- .../com/sismics/feign/KeycloakClient.java | 10 --- .../{feign => }/model/KeycloakCertKey.java | 2 +- .../{feign => }/model/KeycloakCertKeys.java | 2 +- .../util/filter/JwtBasedSecurityFilter.java | 64 +++++++++++-------- 5 files changed, 44 insertions(+), 50 deletions(-) delete mode 100644 docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java rename docs-web-common/src/main/java/com/sismics/{feign => }/model/KeycloakCertKey.java (92%) rename docs-web-common/src/main/java/com/sismics/{feign => }/model/KeycloakCertKeys.java (90%) diff --git a/docs-web-common/pom.xml b/docs-web-common/pom.xml index 9cbd5bb2c..7eb37698e 100644 
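Review bot: The catch-all `catch (Exception e)` branch now logs only `e.getMessage()`, which for unexpected failures (the `getPublicKey` path can surface a `NullPointerException`, an `IllegalArgumentException` from `Base64`, or a Feign transport error) discards the stack trace that was the one useful thing `printStackTrace()` provided. Keep the message-only form for `JWTVerificationException`, which is an expected per-request outcome, but pass the throwable to the logger in the generic branch: `log.warn("Invalid token, unexpected exception", e);`. All three branches also log at `info`; a failed verification of a presented credential is at least `warn` and is more useful to a SIEM if it carries the token's `kid` and `iss` so repeated forgeries from one source can be correlated. The enclosing `verifyJwt` method begins before this hunk.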
--- a/docs-web-common/pom.xml +++ b/docs-web-common/pom.xml @@ -70,19 +70,9 @@ - io.github.openfeign - feign-okhttp - 13.0 - - - io.github.openfeign - feign-gson - 13.0 - - - io.github.openfeign - feign-slf4j - 13.0 + com.google.code.gson + gson + 2.10.1 com.auth0 diff --git a/docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java b/docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java deleted file mode 100644 index ba5b5efe5..000000000 --- a/docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java +++ /dev/null @@ -1,10 +0,0 @@ -package com.sismics.feign; - -import com.sismics.feign.model.KeycloakCertKeys; -import feign.RequestLine; - -public interface KeycloakClient { - - @RequestLine("GET /protocol/openid-connect/certs") - KeycloakCertKeys getCert(); -} diff --git a/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java b/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java similarity index 92% rename from docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java rename to docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java index ef25544b4..0e6fed49b 100644 --- a/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java +++ b/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java @@ -1,4 +1,4 @@ -package com.sismics.feign.model; +package com.sismics.model; import java.util.List; diff --git a/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java b/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java similarity index 90% rename from docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java rename to docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java index 8cf387e12..f582cc4d0 100644 --- a/docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java +++ b/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java 
@@ -1,4 +1,4 @@ -package com.sismics.feign.model; +package com.sismics.model; import java.util.List; diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java index 79767e6da..191205a38 100644 --- a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java @@ -3,20 +3,21 @@ import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.JWT; import com.auth0.jwt.exceptions.JWTVerificationException; -import com.auth0.jwt.impl.JWTParser; import com.auth0.jwt.interfaces.DecodedJWT; import com.auth0.jwt.interfaces.JWTVerifier; + +import java.io.IOException; +import java.io.Reader; import java.util.Base64; + +import com.google.gson.Gson; import com.sismics.docs.core.constant.Constants; import com.sismics.docs.core.dao.UserDao; import com.sismics.docs.core.model.jpa.User; -import com.sismics.feign.KeycloakClient; -import feign.Feign; -import feign.gson.GsonDecoder; -import feign.gson.GsonEncoder; -import feign.okhttp.OkHttpClient; -import feign.slf4j.Slf4jLogger; +import com.sismics.model.KeycloakCertKeys; import jakarta.servlet.http.HttpServletRequest; +import okhttp3.Request; +import okhttp3.Response; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -39,6 +40,7 @@ */ public class JwtBasedSecurityFilter extends SecurityFilter { private static final Logger log = LoggerFactory.getLogger(JwtBasedSecurityFilter.class); + private static final okhttp3.OkHttpClient client = new okhttp3.OkHttpClient(); /** * Name of the header used to store the authentication token. */ 
@@ -100,25 +102,37 @@ private String extractAuthToken(final HttpServletRequest request) { } private RSAPublicKey getPublicKey(DecodedJWT jwt) { - KeycloakClient client = Feign.builder() - .client(new OkHttpClient()) - .encoder(new GsonEncoder()) - .decoder(new GsonDecoder()) - .logLevel(feign.Logger.Level.BASIC) - .logger(new Slf4jLogger(KeycloakClient.class)) - .target(KeycloakClient.class, jwt.getIssuer()); - String publicKey = client.getCert().getKeys().stream().filter(k -> Objects.equals(k.getKid(), jwt.getKeyId())) - .findFirst() - .map(k -> k.getX5c().get(0)) - .orElse(""); - try { - var decode = Base64.getDecoder().decode(publicKey); - var certificate = CertificateFactory.getInstance("X.509") - .generateCertificate(new ByteArrayInputStream(decode)); - return (RSAPublicKey)certificate.getPublicKey(); - } catch (CertificateException ex) { - return null; + String jwtIssuer = jwt.getIssuer() + "/protocol/openid-connect/certs"; + String publicKey = ""; + RSAPublicKey rsaPublicKey = null; + Request request = new Request.Builder() + .url(jwtIssuer) + .get() + .build(); + try (Response response = client.newCall(request).execute()) { + log.info("Successfully called the jwt issuer at: " + jwtIssuer + " - " + response.code()); + assert response.body() != null; + if (response.isSuccessful()) { + try (Reader reader = response.body().charStream()) { + Gson gson = new Gson(); + KeycloakCertKeys keys = gson.fromJson(reader, KeycloakCertKeys.class); + publicKey = keys.getKeys().stream().filter(k -> Objects.equals(k.getKid(), jwt.getKeyId())) + .findFirst() + .map(k -> k.getX5c().get(0)) + .orElse(""); + log.info("Decoded public key - " + publicKey); + var decode = Base64.getDecoder().decode(publicKey); + var certificate = CertificateFactory.getInstance("X.509") + .generateCertificate(new ByteArrayInputStream(decode)); + rsaPublicKey = (RSAPublicKey)certificate.getPublicKey(); + } + } + } catch (IOException e) { + log.error("Error calling the jwt issuer at: " + jwtIssuer, e); 
+ } catch (CertificateException e) { + log.error("Error in getting the certificate: ", e); } + return rsaPublicKey; } private JWTVerifier buildJWTVerifier(DecodedJWT jwt) throws CertificateException { From 386a30045a99361853afa615ae0262a3bd29ea8e Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Mon, 20 Nov 2023 22:15:13 +0800 Subject: [PATCH 04/13] Added default storage quota for all users --- .../sismics/util/filter/JwtBasedSecurityFilter.java | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java index 191205a38..5e996d32e 100644 --- a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java @@ -61,7 +61,8 @@ protected User authenticate(final HttpServletRequest request) { user.setRoleId(Constants.DEFAULT_USER_ROLE); user.setUsername(email); user.setEmail(email); - user.setStorageQuota(10L); + user.setStorageQuota(Long.parseLong(ofNullable(System.getenv(Constants.GLOBAL_QUOTA_ENV)) + .orElse("1073741824"))); user.setPassword(UUID.randomUUID().toString()); try { userDao.create(user, email); 
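Review bot: `assert response.body() != null;` is a no-op unless the JVM runs with `-ea`, so in production a bodiless response reaches `response.body().charStream()` and throws `NullPointerException`; replace it with an explicit check, `if (!response.isSuccessful() || response.body() == null) { return null; }`. The rewrite carries over the Feign version's central problem: `jwtIssuerCerts` is still derived from the unverified `iss` claim, so the shared `OkHttpClient` is made to fetch an attacker-chosen URL for every request bearing a forged token (SSRF into whatever the container can reach) and to trust the key it returns — the issuer has to be pinned from configuration and checked with `withIssuer`. The JWKS is also re-fetched on every call with no caching, which makes the IdP a per-request dependency and an amplification target; cache keys by `kid` with a bounded TTL and refresh only on an unknown `kid`. `getPublicKey` ends after this hunk.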
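Review bot: `Long.parseLong(...)` on the raw environment value throws `NumberFormatException` for anything that is not a well-formed long, and this call sits in `authenticate` outside the try block that wraps `userDao.create`, so a mistyped quota setting turns every first-login JWT request into an unhandled exception instead of a logged failure. Parse the value once in `init` (or a static initializer) with a logged warning and a fallback to the default, and name the default rather than inlining it: `private static final long DEFAULT_QUOTA_BYTES = 1024L * 1024 * 1024;`. The `authenticate` method starts and ends outside this hunk.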
@@ -102,15 +103,15 @@ private String extractAuthToken(final HttpServletRequest request) { } private RSAPublicKey getPublicKey(DecodedJWT jwt) { - String jwtIssuer = jwt.getIssuer() + "/protocol/openid-connect/certs"; + String jwtIssuerCerts = jwt.getIssuer() + "/protocol/openid-connect/certs"; String publicKey = ""; RSAPublicKey rsaPublicKey = null; Request request = new Request.Builder() - .url(jwtIssuer) + .url(jwtIssuerCerts) .get() .build(); try (Response response = client.newCall(request).execute()) { - log.info("Successfully called the jwt issuer at: " + jwtIssuer + " - " + response.code()); + log.info("Successfully called the jwt issuer at: " + jwtIssuerCerts + " - " + response.code()); assert response.body() != null; if (response.isSuccessful()) { try (Reader reader = response.body().charStream()) { @@ -128,7 +129,7 @@ private RSAPublicKey getPublicKey(DecodedJWT jwt) { } } } catch (IOException e) { - log.error("Error calling the jwt issuer at: " + jwtIssuer, e); + log.error("Error calling the jwt issuer at: " + jwtIssuerCerts, e); } catch (CertificateException e) { log.error("Error in getting the certificate: ", e); } From f80b23369d8a741222ab270a5f4115a2ca0fb3ae Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Sat, 2 Dec 2023 18:32:37 +0800 Subject: [PATCH 05/13] changed gson to jakarta.json --- docs-web-common/pom.xml | 5 --- .../com/sismics/model/KeycloakCertKey.java | 27 ---------------- .../com/sismics/model/KeycloakCertKeys.java | 18 ----------- .../util/filter/JwtBasedSecurityFilter.java | 32 +++++++++++-------- 4 files changed, 19 insertions(+), 63 deletions(-) delete mode 100644 docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java delete mode 100644 docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java diff --git a/docs-web-common/pom.xml b/docs-web-common/pom.xml index 7eb37698e..2de08cee6 100644 --- a/docs-web-common/pom.xml +++ b/docs-web-common/pom.xml 
@@ -69,11 +69,6 @@ jul-to-slf4j - - com.google.code.gson - gson - 2.10.1 - com.auth0 java-jwt diff --git a/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java b/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java deleted file mode 100644 index 0e6fed49b..000000000 --- a/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKey.java +++ /dev/null @@ -1,27 +0,0 @@ -package com.sismics.model; - -import java.util.List; - -public class KeycloakCertKey { - public String kid; - public List x5c; - - public KeycloakCertKey() { - } - - public List getX5c() { - return x5c; - } - - public void setX5c(List x5c) { - this.x5c = x5c; - } - - public String getKid() { - return kid; - } - - public void setKid(String kid) { - this.kid = kid; - } -} diff --git a/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java b/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java deleted file mode 100644 index f582cc4d0..000000000 --- a/docs-web-common/src/main/java/com/sismics/model/KeycloakCertKeys.java +++ /dev/null @@ -1,18 +0,0 @@ -package com.sismics.model; - -import java.util.List; - -public class KeycloakCertKeys { - public List keys; - - public KeycloakCertKeys() { - } - - public List getKeys() { - return keys; - } - - public void setKeys(List keys) { - this.keys = keys; - } -} diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java index 5e996d32e..78f13eb13 100644 --- a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java 
@@ -10,11 +10,13 @@ import java.io.Reader; import java.util.Base64; -import com.google.gson.Gson; import com.sismics.docs.core.constant.Constants; import com.sismics.docs.core.dao.UserDao; import com.sismics.docs.core.model.jpa.User; -import com.sismics.model.KeycloakCertKeys; +import jakarta.json.Json; +import jakarta.json.JsonArray; +import jakarta.json.JsonObject; +import jakarta.json.JsonReader; import jakarta.servlet.http.HttpServletRequest; import okhttp3.Request; import okhttp3.Response; @@ -115,17 +117,21 @@ private RSAPublicKey getPublicKey(DecodedJWT jwt) { assert response.body() != null; if (response.isSuccessful()) { try (Reader reader = response.body().charStream()) { - Gson gson = new Gson(); - KeycloakCertKeys keys = gson.fromJson(reader, KeycloakCertKeys.class); - publicKey = keys.getKeys().stream().filter(k -> Objects.equals(k.getKid(), jwt.getKeyId())) - .findFirst() - .map(k -> k.getX5c().get(0)) - .orElse(""); - log.info("Decoded public key - " + publicKey); - var decode = Base64.getDecoder().decode(publicKey); - var certificate = CertificateFactory.getInstance("X.509") - .generateCertificate(new ByteArrayInputStream(decode)); - rsaPublicKey = (RSAPublicKey)certificate.getPublicKey(); + try (JsonReader jsonReader = Json.createReader(reader)) { + JsonObject jwks = jsonReader.readObject(); + JsonArray keys = jwks.getJsonArray("keys"); + publicKey = keys.stream().filter(key -> Objects.equals(key.asJsonObject().getString("kid"), + jwt.getKeyId())) + .findFirst() + .map(k -> k.asJsonObject().getJsonArray("x5c").getString(0)) + .orElse(""); + log.info("X5c is " + publicKey); + var decode = Base64.getDecoder().decode(publicKey); + log.info("Decoded public key - " + publicKey); + var certificate = CertificateFactory.getInstance("X.509") + .generateCertificate(new ByteArrayInputStream(decode)); + rsaPublicKey = (RSAPublicKey) certificate.getPublicKey(); + } } } } catch (IOException e) { 
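Review bot: `key.asJsonObject().getString("kid")` and `getJsonArray("x5c").getString(0)` throw for any JWKS entry that omits those members, and RFC 7517 makes `x5c` optional; Keycloak includes it today, but a realm with an encryption-only or non-RSA key, or a different IdP, would then break verification for every token rather than just skipping that entry. Filter defensively — `keys.stream().map(JsonValue::asJsonObject).filter(k -> jwt.getKeyId() != null && jwt.getKeyId().equals(k.getString("kid", null)) && k.containsKey("x5c"))` — or, better, build the key from the mandatory `n`/`e` members with `RSAPublicKeySpec`, which also stops relying on a certificate whose chain is never validated. The `jwt.getKeyId() != null` guard matters because a token with no `kid` must not match anything. `getPublicKey` starts before this hunk and ends after it.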
From 10ff18597d8d65a7e5c3f208512a3ce9d8dfadd6 Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Sat, 2 Dec 2023 18:36:07 +0800 Subject: [PATCH 06/13] Removed log --- .../java/com/sismics/util/filter/JwtBasedSecurityFilter.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java index 78f13eb13..ed2eefa4d 100644 --- a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java @@ -125,9 +125,7 @@ private RSAPublicKey getPublicKey(DecodedJWT jwt) { .findFirst() .map(k -> k.asJsonObject().getJsonArray("x5c").getString(0)) .orElse(""); - log.info("X5c is " + publicKey); var decode = Base64.getDecoder().decode(publicKey); - log.info("Decoded public key - " + publicKey); var certificate = CertificateFactory.getInstance("X.509") .generateCertificate(new ByteArrayInputStream(decode)); rsaPublicKey = (RSAPublicKey) certificate.getPublicKey(); From 20874992027b88b78c4823ae39caf74cdd35080d Mon Sep 17 00:00:00 2001 From: Sukalpo Mitra Date: Sat, 2 Dec 2023 21:25:31 +0800 Subject: [PATCH 07/13] Switched off Jwt header authentication by default --- .../util/filter/JwtBasedSecurityFilter.java | 14 ++++++++++++++ docs-web/src/main/webapp/WEB-INF/web.xml | 4 ++++ 2 files changed, 18 insertions(+) diff --git a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java index ed2eefa4d..49d1c14b9 100644 --- a/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java +++ b/docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java 
@@ -17,6 +17,7 @@ import jakarta.json.JsonArray; import jakarta.json.JsonObject; import jakarta.json.JsonReader; +import jakarta.servlet.FilterConfig; import jakarta.servlet.http.HttpServletRequest; import okhttp3.Request; import okhttp3.Response; @@ -47,9 +48,22 @@ public class JwtBasedSecurityFilter extends SecurityFilter { * Name of the header used to store the authentication token. */ public static final String HEADER_NAME = "Authorization"; + /** + * True if this authentication method is enabled. + */ + private boolean enabled; + + @Override + public void init(FilterConfig filterConfig) { + enabled = Boolean.parseBoolean(filterConfig.getInitParameter("enabled")) + || Boolean.parseBoolean(System.getProperty("docs.jwt_authentication")); + } @Override protected User authenticate(final HttpServletRequest request) { + if (!enabled) { + return null; + } log.info("Jwt authentication started"); User user = null; String token = extractAuthToken(request).replace("Bearer ", ""); diff --git a/docs-web/src/main/webapp/WEB-INF/web.xml b/docs-web/src/main/webapp/WEB-INF/web.xml index e5c06e240..fb1190403 100644 --- a/docs-web/src/main/webapp/WEB-INF/web.xml +++ b/docs-web/src/main/webapp/WEB-INF/web.xml @@ -48,6 +48,10 @@ jwtBasedSecurityFilter com.sismics.util.filter.JwtBasedSecurityFilter true + + enabled + false + From a1c619571ab3e752584adff6b2a1743e8b5ad126 Mon Sep 17 00:00:00 2001 
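Review bot: The new `enabled` switch is all an operator has to set — there is still no configured issuer, so an enabled filter trusts whatever `iss` the presented token names (the `jwt.getIssuer()` lookup in `getPublicKey` is outside this hunk). Read the trusted issuer here next to the flag, e.g. `issuer = ofNullable(filterConfig.getInitParameter("issuer")).orElse(System.getProperty("docs.jwt_issuer"));`, refuse to enable when it is absent, and use it both for `withIssuer(...)` and to build the JWKS URL instead of the claim. Separately, once enabled, `extractAuthToken(request).replace("Bearer ", "")` still hands an empty or Basic-scheme header to the decode step that follows, which throws rather than returning `null`; guard with `if (!header.startsWith("Bearer ")) return null;`. A Javadoc line on `init` naming both the init-param and the system property would also help, since the web.xml hunk only documents the former.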
From: Sukalpo Mitra Date: Thu, 25 Jan 2024 22:19:16 +0800 Subject: [PATCH 08/13] Updated Dockerfile to create the ubuntu-jetty here only from ubuntu base image --- Dockerfile | 50 +++- entrypoint.sh | 7 + etc/bashrc.d/init.sh | 5 + etc/dircolors | 480 ++++++++++++++++++++++++++++++++ etc/vim/vimrc.local | 1 + opt/jetty/etc/jetty-logging.xml | 5 + opt/jetty/etc/jetty.conf | 12 + 7 files changed, 558 insertions(+), 2 deletions(-) create mode 100644 entrypoint.sh create mode 100644 etc/bashrc.d/init.sh create mode 100644 etc/dircolors create mode 100644 etc/vim/vimrc.local create mode 100644 opt/jetty/etc/jetty-logging.xml create mode 100644 opt/jetty/etc/jetty.conf diff --git a/Dockerfile b/Dockerfile index a6a1a2e89..45481153f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,47 @@ -FROM sismics/ubuntu-jetty:11.0.14 +FROM ubuntu:22.04 + +# Run Debian in non interactive mode +ENV DEBIAN_FRONTEND noninteractive + +# Install Sismics repository +RUN apt-get update && apt-get install -y apt-transport-https ca-certificates software-properties-common curl gnupg tzdata +RUN curl -fsSL https://www.sismics.com/pgp | apt-key add - +# RUN add-apt-repository "deb [arch=amd64] https://nexus.sismics.com/repository/apt-bionic/ bionic main" + +# Configure settings +ENV LANG C.UTF-8 +ENV LC_ALL C.UTF-8 +RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime +RUN dpkg-reconfigure -f noninteractive tzdata +COPY etc /etc +RUN echo "for f in \`ls /etc/bashrc.d/*\`; do . \$f; done;" >> ~/.bashrc +RUN apt-get -y -q install vim less procps unzip wget && \ + rm -rf /var/lib/apt/lists/* + +RUN apt-get update && \ + apt-get -y -q install openjdk-11-jdk && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + +ENV JAVA_HOME /usr/lib/jvm/java-11-openjdk-amd64/ +ENV JAVA_OPTS -Duser.timezone=Europe/Paris -Dfile.encoding=UTF-8 -Xmx1024m + +ENV JETTY_VERSION 11.0.14 +RUN wget -nv -O /tmp/jetty.tar.gz \ + "https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${JETTY_VERSION}/jetty-home-${JETTY_VERSION}.tar.gz" \ + && tar xzf /tmp/jetty.tar.gz -C /opt \ + && mv /opt/jetty* /opt/jetty \ + && useradd jetty -U -s /bin/false \ + && chown -R jetty:jetty /opt/jetty \ + && mkdir /opt/jetty/webapps +WORKDIR /opt/jetty +RUN chmod +x bin/jetty.sh + +# Init configuration +COPY opt /opt +EXPOSE 8080 +ENV JETTY_HOME /opt/jetty +ENV JAVA_OPTIONS -Xmx512m + LABEL maintainer="b.gamard@sismics.com" RUN apt-get update && \ @@ -44,5 +87,8 @@ ADD docs-web/target/docs-web-*.war /app/webapps/docs.war ENV JAVA_OPTIONS -Xmx1g WORKDIR /app -CMD ["java", "-jar", "/opt/jetty/start.jar"] +# Set the default command to run when starting the container +COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh +CMD ["/entrypoint.sh"] 
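Review bot: The Jetty distribution is fetched with `wget` and unpacked with no integrity check, so the image's servlet container is whatever Maven Central (or anything between it and the build) hands back; pin a digest next to `JETTY_VERSION` and verify before `tar`, e.g. `ENV JETTY_SHA256=<digest>` followed by `echo "${JETTY_SHA256}  /tmp/jetty.tar.gz" | sha256sum -c -`. The `jetty` user is created and given `/opt/jetty`, but no `USER jetty` follows, so the `CMD` in the second hunk runs the container as root; add `USER jetty` before `CMD` (and `chown` `/app`, which the existing part of the file populates). `curl … | apt-key add -` imports a key for a repository line that is commented out, leaving an unused globally trusted apt key via the deprecated `apt-key` path — drop both lines, or place the key under `/etc/apt/keyrings` and reference it with `signed-by`. Installing `openjdk-11-jdk`, `vim`, `wget` and `unzip` into the runtime image also widens the attack surface compared to the previous base; a JRE is enough to run `start.jar`, and the tooling belongs in a build stage.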
diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 000000000..18f16ff5a --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# Your first command +/bin/jetty.sh run & + +# Your second command +java -jar /opt/jetty/start.jar \ No newline at end of file diff --git a/etc/bashrc.d/init.sh b/etc/bashrc.d/init.sh new file mode 100644 index 000000000..073dbd012 --- /dev/null +++ b/etc/bashrc.d/init.sh @@ -0,0 +1,5 @@ +export SHELL=/bin/bash +export LS_OPTIONS='--color=auto' +eval "`dircolors /etc/dircolors`" +alias ls='ls $LS_OPTIONS' +alias ll='ls -l' diff --git a/etc/dircolors b/etc/dircolors new file mode 100644 index 000000000..9386afa4e --- /dev/null +++ b/etc/dircolors 
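Review bot: `/bin/jetty.sh run &` and `java -jar /opt/jetty/start.jar` both start Jetty; the Dockerfile in this patch installs it under `/opt/jetty` (so the script would be `/opt/jetty/bin/jetty.sh`), which makes the first line most likely fail with "no such file" and, if it ever resolved, race the second instance for port 8080. The second line also runs `java` as a child of bash, so bash is PID 1 and a `docker stop` SIGTERM never reaches Jetty, which is then killed after the grace period without a graceful shutdown. Replace the body with `set -euo pipefail` and `exec java -jar /opt/jetty/start.jar`, keeping the Dockerfile's `WORKDIR /app` as Jetty's base directory.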
@@ -0,0 +1,480 @@ +# Exact Solarized Light color theme for the color GNU ls utility. +# Designed for dircolors (GNU coreutils) 5.97 +# +# This simple theme was simultaneously designed for these terminal color schemes: +# - Solarized dark +# - Solarized light (best) +# - default dark +# - default light +# with a slight optimization for Solarized Light. +# +# How the colors were selected: +# - Terminal emulators often have an option typically enabled by default that makes +# bold a different color. It is important to leave this option enabled so that +# you can access the entire 16-color Solarized palette, and not just 8 colors. +# - We favor universality over a greater number of colors. So we limit the number +# of colors so that this theme will work out of the box in all terminals, +# Solarized or not, dark or light. +# - We choose to have the following category of files: +# NORMAL & FILE, DIR, LINK, EXEC and +# editable text including source, unimportant text, binary docs & multimedia source +# files, viewable multimedia, archived/compressed, and unimportant non-text +# - For uniqueness, we stay away from the Solarized foreground colors are -- either +# base00 (brightyellow) or base0 (brightblue). However, they can be used if +# you know what the bg/fg colors of your terminal are, in order to optimize the display. +# - 3 different options are provided: universal, solarized dark, and solarized light. +# The only difference between the universal scheme and one that's optimized for +# dark/light is the color of "unimportant" files, which should blend more with the +# background +# - We note that blue is the hardest color to see on dark bg and yellow is the hardest +# color to see on light bg (with blue being particularly bad). So we choose yellow +# for multimedia files which are usually accessed in a GUI folder browser anyway. +# And blue is kept for custom use of this scheme's user. +# - See table below to see the assignments. 
+ + +# Installation instructions: +# This file goes in the /etc directory, and must be world readable. +# You can copy this file to .dir_colors in your $HOME directory to override +# the system defaults. + +# COLOR needs one of these arguments: 'tty' colorizes output to ttys, but not +# pipes. 'all' adds color characters to all output. 'none' shuts colorization +# off. +COLOR tty + +# Below, there should be one TERM entry for each termtype that is colorizable +TERM ansi +TERM color_xterm +TERM color-xterm +TERM con132x25 +TERM con132x30 +TERM con132x43 +TERM con132x60 +TERM con80x25 +TERM con80x28 +TERM con80x30 +TERM con80x43 +TERM con80x50 +TERM con80x60 +TERM cons25 +TERM console +TERM cygwin +TERM dtterm +TERM dvtm +TERM dvtm-256color +TERM Eterm +TERM eterm-color +TERM fbterm +TERM gnome +TERM gnome-256color +TERM jfbterm +TERM konsole +TERM konsole-256color +TERM kterm +TERM linux +TERM linux-c +TERM mach-color +TERM mlterm +TERM nxterm +TERM putty +TERM putty-256color +TERM rxvt +TERM rxvt-256color +TERM rxvt-cygwin +TERM rxvt-cygwin-native +TERM rxvt-unicode +TERM rxvt-unicode256 +TERM rxvt-unicode-256color +TERM screen +TERM screen-16color +TERM screen-16color-bce +TERM screen-16color-s +TERM screen-16color-bce-s +TERM screen-256color +TERM screen-256color-bce +TERM screen-256color-s +TERM screen-256color-bce-s +TERM screen-256color-italic +TERM screen-bce +TERM screen-w +TERM screen.linux +TERM screen.xterm-256color +TERM screen.xterm-new +TERM st +TERM st-meta +TERM st-256color +TERM st-meta-256color +TERM tmux +TERM tmux-256color +TERM vt100 +TERM xterm +TERM xterm-new +TERM xterm-16color +TERM xterm-256color +TERM xterm-256color-italic +TERM xterm-88color +TERM xterm-color +TERM xterm-debian +TERM xterm-termite + +# EIGHTBIT, followed by '1' for on, '0' for off. (8-bit output) +EIGHTBIT 1 + +############################################################################# +# Below are the color init strings for the basic file types. 
A color init +# string consists of one or more of the following numeric codes: +# +# Attribute codes: +# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed +# Text color codes: +# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white +# Background color codes: +# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white +# +# NOTES: +# - See http://www.oreilly.com/catalog/wdnut/excerpt/color_names.html +# - Color combinations +# ANSI Color code Solarized Notes Universal SolDark SolLight +# ~~~~~~~~~~~~~~~ ~~~~~~~~~ ~~~~~ ~~~~~~~~~ ~~~~~~~ ~~~~~~~~ +# 00 none NORMAL, FILE +# 30 black base02 +# 01;30 bright black base03 bg of SolDark +# 31 red red docs & mm src +# 01;31 bright red orange EXEC +# 32 green green editable text +# 01;32 bright green base01 unimportant text +# 33 yellow yellow unclear in light bg multimedia +# 01;33 bright yellow base00 fg of SolLight unimportant non-text +# 34 blue blue unclear in dark bg user customized +# 01;34 bright blue base0 fg in SolDark unimportant text +# 35 magenta magenta LINK +# 01;35 bright magenta violet archive/compressed +# 36 cyan cyan DIR +# 01;36 bright cyan base1 unimportant non-text +# 37 white base2 +# 01;37 bright white base3 bg in SolLight +# 05;37;41 unclear in Putty dark + + +### By file type + +# global default +NORMAL 00 +# normal file +FILE 00 +# directory +DIR 36 +# XX2, XX3, XX6, and XX7 directories +OTHER_WRITABLE 34;47 +# symbolic link +LINK 35 + +# pipe, socket, block device, character device (blue bg) +FIFO 30;44 +SOCK 35;44 +DOOR 35;44 # Solaris 2.5 and later +BLK 33;44 +CHR 37;44 + + +############################################################################# +### By file attributes + +# Orphaned symlinks (blinking white on red) +# Blink may or may not work (works on iTerm dark or light, and Putty dark) +ORPHAN 05;37;41 +# ... 
and the files that orphaned symlinks point to (blinking white on red) +MISSING 05;37;41 + +# files with execute permission +EXEC 01;31 # Unix +.cmd 01;31 # Win +.exe 01;31 # Win +.com 01;31 # Win +.bat 01;31 # Win +.reg 01;31 # Win +.app 01;31 # OSX + +############################################################################# +### By extension + +# List any file extensions like '.gz' or '.tar' that you would like ls +# to colorize below. Put the extension, a space, and the color init string. +# (and any comments you want to add after a '#') + +### Text formats + +# Text that we can edit with a regular editor +.txt 32 +.org 32 +.md 32 +.mkd 32 + +# Source text +.h 32 +.hpp 32 +.c 32 +.C 32 +.cc 32 +.cpp 32 +.cxx 32 +.objc 32 +.cl 32 +.sh 32 +.bash 32 +.csh 32 +.zsh 32 +.el 32 +.vim 32 +.java 32 +.pl 32 +.pm 32 +.py 32 +.rb 32 +.hs 32 +.php 32 +.htm 32 +.html 32 +.shtml 32 +.erb 32 +.haml 32 +.xml 32 +.rdf 32 +.css 32 +.sass 32 +.scss 32 +.less 32 +.js 32 +.coffee 32 +.man 32 +.0 32 +.1 32 +.2 32 +.3 32 +.4 32 +.5 32 +.6 32 +.7 32 +.8 32 +.9 32 +.l 32 +.n 32 +.p 32 +.pod 32 +.tex 32 +.go 32 +.sql 32 +.csv 32 +.sv 32 +.svh 32 +.v 32 +.vh 32 +.vhd 32 + +### Multimedia formats + +# Image +.bmp 33 +.cgm 33 +.dl 33 +.dvi 33 +.emf 33 +.eps 33 +.gif 33 +.jpeg 33 +.jpg 33 +.JPG 33 +.mng 33 +.pbm 33 +.pcx 33 +.pdf 33 +.pgm 33 +.png 33 +.PNG 33 +.ppm 33 +.pps 33 +.ppsx 33 +.ps 33 +.svg 33 +.svgz 33 +.tga 33 +.tif 33 +.tiff 33 +.xbm 33 +.xcf 33 +.xpm 33 +.xwd 33 +.xwd 33 +.yuv 33 + +# Audio +.aac 33 +.au 33 +.flac 33 +.m4a 33 +.mid 33 +.midi 33 +.mka 33 +.mp3 33 +.mpa 33 +.mpeg 33 +.mpg 33 +.ogg 33 +.opus 33 +.ra 33 +.wav 33 + +# Video +.anx 33 +.asf 33 +.avi 33 +.axv 33 +.flc 33 +.fli 33 +.flv 33 +.gl 33 +.m2v 33 +.m4v 33 +.mkv 33 +.mov 33 +.MOV 33 +.mp4 33 +.mp4v 33 +.mpeg 33 +.mpg 33 +.nuv 33 +.ogm 33 +.ogv 33 +.ogx 33 +.qt 33 +.rm 33 +.rmvb 33 +.swf 33 +.vob 33 +.webm 33 +.wmv 33 + +### Misc + +# Binary document formats and multimedia source +.doc 31 +.docx 31 +.rtf 31 
+.odt 31 +.dot 31 +.dotx 31 +.ott 31 +.xls 31 +.xlsx 31 +.ods 31 +.ots 31 +.ppt 31 +.pptx 31 +.odp 31 +.otp 31 +.fla 31 +.psd 31 + +# Archives, compressed +.7z 1;35 +.apk 1;35 +.arj 1;35 +.bin 1;35 +.bz 1;35 +.bz2 1;35 +.cab 1;35 # Win +.deb 1;35 +.dmg 1;35 # OSX +.gem 1;35 +.gz 1;35 +.iso 1;35 +.jar 1;35 +.msi 1;35 # Win +.rar 1;35 +.rpm 1;35 +.tar 1;35 +.tbz 1;35 +.tbz2 1;35 +.tgz 1;35 +.tx 1;35 +.war 1;35 +.xpi 1;35 +.xz 1;35 +.z 1;35 +.Z 1;35 +.zip 1;35 + +# For testing +.ANSI-30-black 30 +.ANSI-01;30-brblack 01;30 +.ANSI-31-red 31 +.ANSI-01;31-brred 01;31 +.ANSI-32-green 32 +.ANSI-01;32-brgreen 01;32 +.ANSI-33-yellow 33 +.ANSI-01;33-bryellow 01;33 +.ANSI-34-blue 34 +.ANSI-01;34-brblue 01;34 +.ANSI-35-magenta 35 +.ANSI-01;35-brmagenta 01;35 +.ANSI-36-cyan 36 +.ANSI-01;36-brcyan 01;36 +.ANSI-37-white 37 +.ANSI-01;37-brwhite 01;37 + +############################################################################# +# Your customizations + +# Unimportant text files +# For universal scheme, use brightgreen 01;32 +# For optimal on light bg (but too prominent on dark bg), use white 01;34 +#.log 01;32 +#*~ 01;32 +#*# 01;32 +.log 01;34 +*~ 01;34 +*# 01;34 + +# Unimportant non-text files +# For universal scheme, use brightcyan 01;36 +# For optimal on dark bg (but too prominent on light bg), change to 01;33 +.bak 01;36 +.BAK 01;36 +.old 01;36 +.OLD 01;36 +.org_archive 01;36 +.off 01;36 +.OFF 01;36 +.dist 01;36 +.DIST 01;36 +.orig 01;36 +.ORIG 01;36 +.swp 01;36 +.swo 01;36 +*,v 01;36 +#.bak 01;33 +#.BAK 01;33 +#.old 01;33 +#.OLD 01;33 +#.org_archive 01;33 +#.off 01;33 +#.OFF 01;33 +#.dist 01;33 +#.DIST 01;33 +#.orig 01;33 +#.ORIG 01;33 +#.swp 01;33 +#.swo 01;33 +#*,v 01;33 + +# The brightmagenta (Solarized: purple) color is free for you to use for your +# custom file type +.gpg 34 +.gpg 34 +.pgp 34 +.asc 34 +.3des 34 +.aes 34 +.enc 34 +.sqlite 34 diff --git a/etc/vim/vimrc.local b/etc/vim/vimrc.local new file mode 100644 index 000000000..b19008d13 --- /dev/null 
+++ b/etc/vim/vimrc.local
@@ -0,0 +1 @@
+:color desert
\ No newline at end of file
diff --git a/opt/jetty/etc/jetty-logging.xml b/opt/jetty/etc/jetty-logging.xml
new file mode 100644
index 000000000..f76e4e267
--- /dev/null
+++ b/opt/jetty/etc/jetty-logging.xml
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/opt/jetty/etc/jetty.conf b/opt/jetty/etc/jetty.conf
new file mode 100644
index 000000000..2030b52bb
--- /dev/null
+++ b/opt/jetty/etc/jetty.conf
@@ -0,0 +1,12 @@
+# ========================================================
+# jetty.conf Configuration for jetty.sh script
+# --------------------------------------------------------
+# This file is used by the jetty.sh script to provide
+# extra configuration arguments for the start.jar command
+# created by that script.
+#
+# Each line in this file becomes an arguement to start.jar
+# in addition to those found in the start.ini file
+# =======================================================
+jetty-logging.xml
+jetty-started.xml
From 9da8e9654c54702e557c992674c240f6321e1fc3 Mon Sep 17 00:00:00 2001
From: Sukalpo Mitra
Date: Sat, 27 Jan 2024 11:20:38 +0800
Subject: [PATCH 09/13] Removed commneted lines and organised code into docker folder
---
 Dockerfile | 11 +++--------
 entrypoint.sh => docker/entrypoint.sh | 0
 {etc => docker/etc}/bashrc.d/init.sh | 0
 {etc => docker/etc}/dircolors | 0
 {etc => docker/etc}/vim/vimrc.local | 0
 {opt => docker/opt}/jetty/etc/jetty-logging.xml | 0
 {opt => docker/opt}/jetty/etc/jetty.conf | 0
 7 files changed, 3 insertions(+), 8 deletions(-)
 rename entrypoint.sh => docker/entrypoint.sh (100%)
 rename {etc => docker/etc}/bashrc.d/init.sh (100%)
 rename {etc => docker/etc}/dircolors (100%)
 rename {etc => docker/etc}/vim/vimrc.local (100%)
 rename {opt => docker/opt}/jetty/etc/jetty-logging.xml (100%)
 rename {opt => docker/opt}/jetty/etc/jetty.conf (100%)
diff --git a/Dockerfile b/Dockerfile
index 45481153f..0098bef07 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,17 +3,12 @@ FROM ubuntu:22.04
 # Run Debian in non interactive mode
 ENV DEBIAN_FRONTEND noninteractive
-# Install Sismics repository
-RUN apt-get update && apt-get install -y apt-transport-https ca-certificates software-properties-common curl gnupg tzdata
-RUN curl -fsSL https://www.sismics.com/pgp | apt-key add -
-# RUN add-apt-repository "deb [arch=amd64] https://nexus.sismics.com/repository/apt-bionic/ bionic main"
-
 # Configure settings
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
 RUN dpkg-reconfigure -f noninteractive tzdata
-COPY etc /etc
+COPY docker/etc /etc
 RUN echo "for f in \`ls /etc/bashrc.d/*\`; do . \$f; done;" >> ~/.bashrc
 RUN apt-get -y -q install vim less procps unzip wget && \
  rm -rf /var/lib/apt/lists/*
@@ -37,7 +32,7 @@ WORKDIR /opt/jetty
 RUN chmod +x bin/jetty.sh
 # Init configuration
-COPY opt /opt
+COPY docker/opt /opt
 EXPOSE 8080
 ENV JETTY_HOME /opt/jetty
 ENV JAVA_OPTIONS -Xmx512m
@@ -88,7 +83,7 @@ ENV JAVA_OPTIONS -Xmx1g
 WORKDIR /app
 # Set the default command to run when starting the container
-COPY entrypoint.sh /entrypoint.sh
+COPY docker/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 CMD ["/entrypoint.sh"]
diff --git a/entrypoint.sh b/docker/entrypoint.sh
similarity index 100%
rename from entrypoint.sh
rename to docker/entrypoint.sh
diff --git a/etc/bashrc.d/init.sh b/docker/etc/bashrc.d/init.sh
similarity index 100%
rename from etc/bashrc.d/init.sh
rename to docker/etc/bashrc.d/init.sh
diff --git a/etc/dircolors b/docker/etc/dircolors
similarity index 100%
rename from etc/dircolors
rename to docker/etc/dircolors
diff --git a/etc/vim/vimrc.local b/docker/etc/vim/vimrc.local
similarity index 100%
rename from etc/vim/vimrc.local
rename to docker/etc/vim/vimrc.local
diff --git a/opt/jetty/etc/jetty-logging.xml b/docker/opt/jetty/etc/jetty-logging.xml
similarity index 100%
rename from opt/jetty/etc/jetty-logging.xml
rename to docker/opt/jetty/etc/jetty-logging.xml
diff --git a/opt/jetty/etc/jetty.conf b/docker/opt/jetty/etc/jetty.conf
similarity index 100%
rename from opt/jetty/etc/jetty.conf
rename to docker/opt/jetty/etc/jetty.conf
From 88ae84339fec430a6107f198dff89ca9d7e3eee8 Mon Sep 17 00:00:00 2001
From: Sukalpo Mitra
Date: Sat, 27 Jan 2024 11:50:09 +0800
Subject: [PATCH 10/13] Added tzdata reinstall so that dpkg-reconfigure works
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 0098bef07..597c4747d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
+RUN apt-get update && apt-get -y -q install --reinstall tzdata
 RUN dpkg-reconfigure -f noninteractive tzdata
 COPY docker/etc /etc
 RUN echo "for f in \`ls /etc/bashrc.d/*\`; do . \$f; done;" >> ~/.bashrc
From 48897a04e586f7f36fe60d16497cedd4a70600b0 Mon Sep 17 00:00:00 2001
From: Sukalpo Mitra
Date: Sat, 27 Jan 2024 12:42:06 +0800
Subject: [PATCH 11/13] Removed entrypoint as the /bin/jetty/run.sh command is not required
---
 Dockerfile | 5 +----
 docker/entrypoint.sh | 7 -------
 2 files changed, 1 insertion(+), 11 deletions(-)
 delete mode 100644 docker/entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
index 597c4747d..c5f0e2582 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -84,7 +84,4 @@ ENV JAVA_OPTIONS -Xmx1g
 WORKDIR /app
 # Set the default command to run when starting the container
-COPY docker/entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-CMD ["/entrypoint.sh"]
+CMD ["java", "-jar", "/opt/jetty/start.jar"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
deleted file mode 100644
index 18f16ff5a..000000000
--- a/docker/entrypoint.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# Your first command
-/bin/jetty.sh run &
-
-# Your second command
-java -jar /opt/jetty/start.jar
\ No newline at end of file
From 25b553cbd7655e591b8c1f376a11c50ddf13720b Mon Sep 17 00:00:00 2001
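Review bot: The new `RUN apt-get update && apt-get -y -q install --reinstall tzdata` layer never removes /var/lib/apt/lists, and the later `RUN apt-get -y -q install vim less procps unzip wget ...` line (whose own `apt-get update` was dropped in the previous commit's hunk) now works only because of the lists this layer leaves behind, so adding the usual cleanup here would break that install. Merge them into one layer that cleans up after itself, e.g. `RUN apt-get update && apt-get -y -q install tzdata vim less procps unzip wget && rm -rf /var/lib/apt/lists/*` placed before the `dpkg-reconfigure` line, with the later vim line removed. `--reinstall` is presumably there because the ubuntu:22.04 base lacks tzdata; a plain `install tzdata` says the same thing without implying a broken package.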
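Review bot: With `CMD ["java", "-jar", "/opt/jetty/start.jar"]` the JVM is started directly, and the `JAVA_OPTIONS` variable (-Xmx1g on the `ENV JAVA_OPTIONS` line quoted in this hunk's header) is interpreted only by Jetty's bin/jetty.sh, as is the `jetty.conf` module list this series adds under docker/opt/jetty/etc, whose own header says it is read by jetty.sh. As far as this diff shows, the heap limit and the jetty-logging.xml/jetty-started.xml entries are therefore never applied; that should be confirmed against the jetty.base under /app, which is outside the diff. Either launch through the script that consumes them (`CMD ["/opt/jetty/bin/jetty.sh", "run"]`, presumably with JETTY_BASE pointed at /app) or pass the options explicitly, e.g. `CMD ["java", "-Xmx1g", "-jar", "/opt/jetty/start.jar"]`, and add `USER jetty` before the CMD so the server does not run as root.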
From: Sukalpo Mitra
Date: Mon, 29 Jan 2024 14:09:13 +0800
Subject: [PATCH 12/13] upgraded libgnutls30 version
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index c5f0e2582..9d29c33d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
-RUN apt-get update && apt-get -y -q install --reinstall tzdata
+RUN apt-get update && apt-get -y -q install --reinstall tzdata && apt-get upgrade libgnutls30 -y -q
 RUN dpkg-reconfigure -f noninteractive tzdata
 COPY docker/etc /etc
 RUN echo "for f in \`ls /etc/bashrc.d/*\`; do . \$f; done;" >> ~/.bashrc
From 75b122bef088306a56851720540177e5513c1fd0 Mon Sep 17 00:00:00 2001
From: Sukalpo Mitra
Date: Mon, 29 Jan 2024 14:10:19 +0800
Subject: [PATCH 13/13] removed the libgnutls30 upgrade and will be added in the vulnerabilities upgrade
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9d29c33d9..c5f0e2582 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
-RUN apt-get update && apt-get -y -q install --reinstall tzdata && apt-get upgrade libgnutls30 -y -q
+RUN apt-get update && apt-get -y -q install --reinstall tzdata
 RUN dpkg-reconfigure -f noninteractive tzdata
 COPY docker/etc /etc
 RUN echo "for f in \`ls /etc/bashrc.d/*\`; do . \$f; done;" >> ~/.bashrc
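Review bot: `apt-get upgrade libgnutls30 -y -q` bumps one library by name with no version pinned, so the result depends on the mirror state at build time while every other package from the ubuntu:22.04 snapshot stays at its base version; the following commit reverts it, leaving the series with no upgrade step at all. If the aim is an image without known-vulnerable packages, run a full `apt-get upgrade -y -q` in the same RUN as the `apt-get update`, finish that RUN with `rm -rf /var/lib/apt/lists/*`, and pin `FROM ubuntu:22.04` to a digest so the patch level changes only when the base is deliberately rebuilt rather than through ad-hoc single-package bumps.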