wso2 · tharindu1st · May 30, 2024 · May 30, 2024
@@ -14,117 +14,138 @@
 # limitations under the License.
 # -----------------------------------------------------------------------
 
-FROM ubuntu:22.04
-
-ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
-
-# Upgrade Ubuntu Dependencies
-RUN apt-get update \
-    && apt-get upgrade -y
-
-# install JDK Dependencies
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
-    && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
-    && locale-gen en_US.UTF-8 \
-    && rm -rf /var/lib/apt/lists/*
-
-ENV JAVA_VERSION jdk-17.0.8.1+1
-
-RUN set -eux; \
-    ARCH="$(dpkg --print-architecture)"; \
-    case "${ARCH}" in \
-        amd64|i386:x86-64) \
-             ESUM='ab68857594792474a3049ede09ea1178e42df29803a6a41be771794f571b2d4e'; \
-             BINARY_URL='https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.8.1%2B1/OpenJDK17U-jre_x64_linux_hotspot_17.0.8.1_1.tar.gz'; \
-            ;; \
-        aarch64|arm64) \
-             ESUM='0a1c5c9ee9d20832c87bd1e99a4c4a96947b59bb35c72683fe895d705f202737'; \
-             BINARY_URL='https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.8.1%2B1/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.8.1_1.tar.gz'; \
-            ;; \
-        *) \
-            echo "Unsupported arch: ${ARCH}"; \
-            exit 1; \
-            ;; \
-    esac; \
-    curl -LfsSo /tmp/openjdk.tar.gz ${BINARY_URL}; \
-    echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
-    mkdir -p /opt/java/openjdk; \
-    cd /opt/java/openjdk; \
-    tar -xf /tmp/openjdk.tar.gz --strip-components=1; \
-    rm -rf /tmp/openjdk.tar.gz;
-
-ENV JAVA_HOME=/opt/java/openjdk \
-    PATH="/opt/java/openjdk/bin:$PATH"
-
-LABEL maintainer="WSO2 Docker Maintainers <wso2.com>"
-
-ENV LANG=C.UTF-8
-
-ARG APK_USER=wso2
-ARG APK_USER_ID=10001
-ARG APK_USER_GROUP=wso2
-ARG APK_USER_GROUP_ID=10001
-ARG APK_USER_HOME=/home/${APK_USER}
-ARG GRPC_HEALTH_PROBE_PATH=/bin/grpc_health_probe
-ARG TARGETARCH
-ARG APK_VERSION=1.1.0-SNAPSHOT
-
-ENV VERSION=${APK_VERSION}
-ENV JAVA_OPTS=""
-ENV ENFORCER_HOME=${APK_USER_HOME}
-ARG CHECKSUM_AMD64="7e564681110ee4563637457b91e42f62f96b79618a835bb05ae2305acdcc3db0"
-ARG CHECKSUM_ARM64="3759148e22a494149a4abae269adee0d20c428b966683426e2319f9047da521d"
-ENV ENFORCER_PRIVATE_KEY_PATH=/home/wso2/security/keystore/mg.key
-ENV ENFORCER_PUBLIC_CERT_PATH=/home/wso2/security/keystore/mg.pem
-ENV TRUSTED_CA_CERTS_PATH=/home/wso2/security/truststore
-ENV ADAPTER_HOST_NAME=adapter
-ENV ADAPTER_HOST=adapter
-ENV ADAPTER_XDS_PORT=18000
-ENV COMMON_CONTROLLER_HOST_NAME=common-controller
-ENV COMMON_CONTROLLER_HOST=common-controller
-ENV COMMON_CONTROLLER_XDS_PORT=18002
-ENV ENFORCER_LABEL="default"
-ENV XDS_MAX_MSG_SIZE=4194304
-ENV XDS_MAX_RETRIES=3
-#todo update the connection string
-ENV APPLICATIONINSIGHTS_CONNECTION_STRING=InstrumentationKey=;IngestionEndpoint=https://westus2-2.in.applicationinsights.azure.com/
-
-ARG MOTD="\n\
- Welcome to WSO2 Docker Resources \n\
- --------------------------------- \n\
- This Docker container comprises of a WSO2 product, which is under the Apache License, Version 2.0. \n\
- Read more about Apache License, Version 2.0 here @ http://www.apache.org/licenses/LICENSE-2.0.\n"
-
-RUN \
-    apt-get update && apt-get dist-upgrade -y && apt-get autoclean -y && apt-get autoremove -y
-RUN \
-    groupadd --system -g ${APK_USER_GROUP_ID} ${APK_USER_GROUP} \
-    && useradd --system --create-home --home-dir ${APK_USER_HOME} --no-log-init -g ${APK_USER_GROUP} -u ${APK_USER_ID} ${APK_USER} \
-    && mkdir ${APK_USER_HOME}/logs && mkdir -p ${APK_USER_HOME}/lib/dropins \
-    && chown -R ${APK_USER}:${APK_USER_GROUP} ${APK_USER_HOME} \
-    && echo '[ ! -z "${TERM}" -a -r /etc/motd ] && cat /etc/motd' >> /etc/bash.bashrc; echo "${MOTD}" > /etc/motd
-
-RUN \
-    wget -q https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/v0.4.24/grpc_health_probe-linux-${TARGETARCH} \
-    && mv grpc_health_probe-linux-${TARGETARCH} ${GRPC_HEALTH_PROBE_PATH}\
-    && if [ "${TARGETARCH}" = "amd64" ]; then echo "${CHECKSUM_AMD64}  ${GRPC_HEALTH_PROBE_PATH}" | sha256sum -c -; fi
-
-RUN \
-    chmod +x ${GRPC_HEALTH_PROBE_PATH} \
-    && chown ${APK_USER}:${APK_USER_GROUP} ${GRPC_HEALTH_PROBE_PATH} \
-    && chgrp -R 0 ${APK_USER_HOME} \
-    && chmod -R g=u ${APK_USER_HOME}
-
-WORKDIR ${APK_USER_HOME}
-USER ${APK_USER_ID}
-
-COPY resources/lib lib/
-COPY resources/conf/log4j2.properties conf/log4j2.properties
-COPY resources/security security
-COPY resources/check_health.sh .
-
-#todo add applicationinsights.json file and point it to the appInsightsAgent jar
-#Add the agent using JVM arg -javaagent:/home/wso2/conf/applicationinsights-agent-3.1.1.jar
-#Add the config file using System property -Dapplicationinsights.configuration.file=/home/wso2/conf/applicationinsights.json
-CMD java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath="${ENFORCER_HOME}/logs/heap-dump.hprof" $JAVA_OPTS -Dlog4j.configurationFile="${ENFORCER_HOME}/conf/log4j2.properties" -DtracingEnabled="true" -jar lib/enforcer-${VERSION}.jar
+    FROM ghcr.io/graalvm/native-image-community:17-ol8 as build
+
+    LABEL maintainer="WSO2 Docker Maintainers <wso2.com>"
+
+    ENV LANG=C.UTF-8
+
+    ARG APK_USER=wso2
+    ARG APK_USER_ID=10001
+    ARG APK_USER_GROUP=wso2
+    ARG APK_USER_GROUP_ID=10001
+    ARG APK_USER_HOME=/home/${APK_USER}
+    ARG GRPC_HEALTH_PROBE_PATH=/bin/grpc_health_probe
+    ARG TARGETARCH
+    ARG APK_VERSION=1.1.0-SNAPSHOT
+
+    ENV VERSION=${APK_VERSION}
+
+    WORKDIR /app/build
+
+    COPY resources/lib/enforcer-${VERSION}.jar .
+
+    RUN native-image -jar enforcer-${VERSION}.jar -H:Name=enforcer --no-fallback
+
+    FROM ubuntu:22.04
+
+    ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+    # Upgrade Ubuntu Dependencies
+    RUN apt-get update \
+        && apt-get upgrade -y
+
+    # install JDK Dependencies
+    RUN apt-get update \
+        && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+        && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
+        && locale-gen en_US.UTF-8 \
+        && rm -rf /var/lib/apt/lists/*
+
+    # ENV JAVA_VERSION jdk-17.0.8.1+1
+
+    # RUN set -eux; \
+    #     ARCH="$(dpkg --print-architecture)"; \
+    #     case "${ARCH}" in \
+    #         amd64|i386:x86-64) \
+    #              ESUM='ab68857594792474a3049ede09ea1178e42df29803a6a41be771794f571b2d4e'; \
+    #              BINARY_URL='https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.8.1%2B1/OpenJDK17U-jre_x64_linux_hotspot_17.0.8.1_1.tar.gz'; \
+    #             ;; \
+    #         aarch64|arm64) \
+    #              ESUM='0a1c5c9ee9d20832c87bd1e99a4c4a96947b59bb35c72683fe895d705f202737'; \
+    #              BINARY_URL='https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.8.1%2B1/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.8.1_1.tar.gz'; \
+    #             ;; \
+    #         *) \
+    #             echo "Unsupported arch: ${ARCH}"; \
+    #             exit 1; \
+    #             ;; \
+    #     esac; \
+    #     curl -LfsSo /tmp/openjdk.tar.gz ${BINARY_URL}; \
+    #     echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
+    #     mkdir -p /opt/java/openjdk; \
+    #     cd /opt/java/openjdk; \
+    #     tar -xf /tmp/openjdk.tar.gz --strip-components=1; \
+    #     rm -rf /tmp/openjdk.tar.gz;
+
+    # ENV JAVA_HOME=/opt/java/openjdk \
+    #     PATH="/opt/java/openjdk/bin:$PATH"
+
+
+    ARG APK_USER=wso2
+    ARG APK_USER_ID=10001
+    ARG APK_USER_GROUP=wso2
+    ARG APK_USER_GROUP_ID=10001
+    ARG APK_USER_HOME=/home/${APK_USER}
+    ARG GRPC_HEALTH_PROBE_PATH=/bin/grpc_health_probe
+    ARG TARGETARCH
+    ARG APK_VERSION=1.1.0-SNAPSHOT
+
+    ENV VERSION=${APK_VERSION}
+    ENV JAVA_OPTS=""
+    ENV ENFORCER_HOME=${APK_USER_HOME}
+    ARG CHECKSUM_AMD64="7e564681110ee4563637457b91e42f62f96b79618a835bb05ae2305acdcc3db0"
+    ARG CHECKSUM_ARM64="3759148e22a494149a4abae269adee0d20c428b966683426e2319f9047da521d"
+    ENV ENFORCER_PRIVATE_KEY_PATH=/home/wso2/security/keystore/mg.key
+    ENV ENFORCER_PUBLIC_CERT_PATH=/home/wso2/security/keystore/mg.pem
+    ENV TRUSTED_CA_CERTS_PATH=/home/wso2/security/truststore
+    ENV ADAPTER_HOST_NAME=adapter
+    ENV ADAPTER_HOST=adapter
+    ENV ADAPTER_XDS_PORT=18000
+    ENV COMMON_CONTROLLER_HOST_NAME=common-controller
+    ENV COMMON_CONTROLLER_HOST=common-controller
+    ENV COMMON_CONTROLLER_XDS_PORT=18002
+    ENV ENFORCER_LABEL="default"
+    ENV XDS_MAX_MSG_SIZE=4194304
+    ENV XDS_MAX_RETRIES=3
+    #todo update the connection string
+    ENV APPLICATIONINSIGHTS_CONNECTION_STRING=InstrumentationKey=;IngestionEndpoint=https://westus2-2.in.applicationinsights.azure.com/
+
+    ARG MOTD="\n\
+     Welcome to WSO2 Docker Resources \n\
+     --------------------------------- \n\
+     This Docker container comprises of a WSO2 product, which is under the Apache License, Version 2.0. \n\
+     Read more about Apache License, Version 2.0 here @ http://www.apache.org/licenses/LICENSE-2.0.\n"
+
+    RUN \
+        apt-get update && apt-get dist-upgrade -y && apt-get autoclean -y && apt-get autoremove -y
+    RUN \
+        groupadd --system -g ${APK_USER_GROUP_ID} ${APK_USER_GROUP} \
+        && useradd --system --create-home --home-dir ${APK_USER_HOME} --no-log-init -g ${APK_USER_GROUP} -u ${APK_USER_ID} ${APK_USER} \
+        && mkdir ${APK_USER_HOME}/logs && mkdir -p ${APK_USER_HOME}/lib/dropins \
+        && chown -R ${APK_USER}:${APK_USER_GROUP} ${APK_USER_HOME} \
+        && echo '[ ! -z "${TERM}" -a -r /etc/motd ] && cat /etc/motd' >> /etc/bash.bashrc; echo "${MOTD}" > /etc/motd
+
+    RUN \
+        wget -q https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/v0.4.24/grpc_health_probe-linux-${TARGETARCH} \
+        && mv grpc_health_probe-linux-${TARGETARCH} ${GRPC_HEALTH_PROBE_PATH}\
+        && if [ "${TARGETARCH}" = "amd64" ]; then echo "${CHECKSUM_AMD64}  ${GRPC_HEALTH_PROBE_PATH}" | sha256sum -c -; fi
+
+    RUN \
+        chmod +x ${GRPC_HEALTH_PROBE_PATH} \
+        && chown ${APK_USER}:${APK_USER_GROUP} ${GRPC_HEALTH_PROBE_PATH} \
+        && chgrp -R 0 ${APK_USER_HOME} \
+        && chmod -R g=u ${APK_USER_HOME}
+
+    WORKDIR ${APK_USER_HOME}
+    USER ${APK_USER_ID}
+
+    COPY --from=build /app/build/enforcer lib/
+    COPY resources/conf/log4j2.properties conf/log4j2.properties
+    COPY resources/security security
+    COPY resources/check_health.sh .
+
+    #todo add applicationinsights.json file and point it to the appInsightsAgent jar
+    #Add the agent using JVM arg -javaagent:/home/wso2/conf/applicationinsights-agent-3.1.1.jar
+    #Add the config file using System property -Dapplicationinsights.configuration.file=/home/wso2/conf/applicationinsights.json
+    CMD ./lib/enforcer $JAVA_OPTS -Dlog4j.configurationFile="${ENFORCER_HOME}/conf/log4j2.properties" -DtracingEnabled="true"
+
@@ -30,6 +30,11 @@ dependencies {
     implementation libs.json.simple
     implementation libs.commons.lang3
     implementation libs.gson
+    implementation group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: "1.78"
+    implementation group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: "1.78"
+    implementation group: 'org.bouncycastle', name: 'bcutil-jdk18on', version: "1.78"
+    implementation group: 'org.bouncycastle', name: 'bctls-jdk18on', version: "1.78"
+    compileOnly group: 'org.graalvm.nativeimage', name: 'svm', version: "22.2.0"
     implementation project(':org.wso2.apk.enforcer.analytics.publishers')
     annotationProcessor('org.apache.logging.log4j:log4j-core:2.19.0')
 }
@@ -0,0 +1,22 @@
+package org.wso2.apk.enforcer.commons.svm;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
+import org.graalvm.nativeimage.hosted.Feature;
+import org.graalvm.nativeimage.hosted.RuntimeClassInitialization;
+
+import java.security.Security;
+
+/**
+ * This is a class used in GraalVM to register BC as the security provider at runtime.
+ */
+public class BouncyCastleFeature implements Feature {
+
+    @Override
+    public void afterRegistration(AfterRegistrationAccess access) {
+        RuntimeClassInitialization.initializeAtBuildTime("org.bouncycastle");
+        Security.addProvider(new BouncyCastleProvider());
+        Security.addProvider(new BouncyCastleJsseProvider());
+    }
+
+}
@@ -93,7 +93,7 @@ dependencies {
     implementation libs.commons.lang3
     implementation libs.openfeign.feign.gson
     implementation libs.openfeign.feign.slf4j
-
+    implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
     test {
         implementation libs.junit
         implementation libs.mockito.inline

@@ -0,0 +1,100 @@
+[
+{
+  "name":"[B"
+},
+{
+  "name":"[Lcom.sun.management.internal.DiagnosticCommandArgumentInfo;"
+},
+{
+  "name":"[Lcom.sun.management.internal.DiagnosticCommandInfo;"
+},
+{
+  "name":"[Ljava.lang.String;"
+},
+{
+  "name":"com.sun.management.internal.DiagnosticCommandArgumentInfo",
+  "methods":[{"name":"<init>","parameterTypes":["java.lang.String","java.lang.String","java.lang.String","java.lang.String","boolean","boolean","boolean","int"] }]
+},
+{
+  "name":"com.sun.management.internal.DiagnosticCommandInfo",
+  "methods":[{"name":"<init>","parameterTypes":["java.lang.String","java.lang.String","java.lang.String","java.lang.String","java.lang.String","java.lang.String","boolean","java.util.List"] }]
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.Buffer"
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.CertificateCallbackTask",
+  "methods":[{"name":"<init>","parameterTypes":["long","byte[]","byte[][]","io.grpc.netty.shaded.io.netty.internal.tcnative.CertificateCallback"] }]
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.CertificateVerifierTask",
+  "methods":[{"name":"<init>","parameterTypes":["long","byte[][]","java.lang.String","io.grpc.netty.shaded.io.netty.internal.tcnative.CertificateVerifier"] }]
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.Library"
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods"
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSL"
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSLContext"
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSLPrivateKeyMethodDecryptTask",
+  "methods":[{"name":"<init>","parameterTypes":["long","byte[]","io.grpc.netty.shaded.io.netty.internal.tcnative.AsyncSSLPrivateKeyMethod"] }]
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSLPrivateKeyMethodSignTask",
+  "methods":[{"name":"<init>","parameterTypes":["long","int","byte[]","io.grpc.netty.shaded.io.netty.internal.tcnative.AsyncSSLPrivateKeyMethod"] }]
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSLPrivateKeyMethodTask",
+  "fields":[{"name":"resultBytes"}]
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSLSession"
+},
+{
+  "name":"io.grpc.netty.shaded.io.netty.internal.tcnative.SSLTask",
+  "fields":[{"name":"complete"}, {"name":"returnValue"}]
+},
+{
+  "name":"java.lang.Boolean",
+  "methods":[{"name":"getBoolean","parameterTypes":["java.lang.String"] }]
+},
+{
+  "name":"java.lang.Exception"
+},
+{
+  "name":"java.lang.IllegalArgumentException"
+},
+{
+  "name":"java.lang.NullPointerException"
+},
+{
+  "name":"java.lang.OutOfMemoryError"
+},
+{
+  "name":"java.lang.SecurityManager",
+  "fields":[{"name":"initialized"}]
+},
+{
+  "name":"java.lang.String",
+  "methods":[{"name":"<init>","parameterTypes":["byte[]"] }, {"name":"getBytes","parameterTypes":[] }]
+},
+{
+  "name":"java.util.Arrays",
+  "methods":[{"name":"asList","parameterTypes":["java.lang.Object[]"] }]
+},
+{
+  "name":"org.wso2.apk.enforcer.server.AuthServer",
+  "methods":[{"name":"main","parameterTypes":["java.lang.String[]"] }]
+},
+{
+  "name":"sun.management.VMManagementImpl",
+  "fields":[{"name":"compTimeMonitoringSupport"}, {"name":"currentThreadCpuTimeSupport"}, {"name":"objectMonitorUsageSupport"}, {"name":"otherThreadCpuTimeSupport"}, {"name":"remoteDiagnosticCommandsSupport"}, {"name":"synchronizerUsageSupport"}, {"name":"threadAllocatedMemorySupport"}, {"name":"threadContentionMonitoringSupport"}]
+}
+]