Merge pull request apache#16842 from [BEAM-13932][Playground] Contain…

…er's user privileges * [BEAM-13932][Playground] Change Dockerfiles * [BEAM-13932][Playground] Update proxy and permissions for the container's user * [BEAM-13932][Playground] Update permissions for the container's user for scio
nancyxu123 · Mar 9, 2022 · 346d2e2 · 346d2e2
1 parent 37f571a
commit 346d2e2
Show file tree

Hide file tree

Showing 17 changed files with 68 additions and 137 deletions.
diff --git a/playground/backend/containers/go/Dockerfile b/playground/backend/containers/go/Dockerfile
@@ -70,16 +70,16 @@ ENV HTTP_PROXY="http://127.0.0.1:8081"
 ENV HTTPS_PROXY="http://127.0.0.1:8081"
 
 COPY entrypoint.sh /
-COPY proxy.sh /
-# Run proxy
-RUN sh /proxy.sh
 
 # Create a user group `appgroup` and a user `appuser`
 RUN groupadd --gid 20000 appgroup \
   && useradd --uid 20000 --gid appgroup --shell /bin/bash --create-home appuser
-# Chown all the files to the app user.
-RUN chown -R appuser:appgroup /opt/playground/backend/ && chown -R appuser:appgroup /opt/playground/prepared_folder/ \
-  && chmod +x /entrypoint.sh
+
+RUN mkdir -p /opt/playground/backend/executable_files/
+
+# Chown all required files to the `appuser`.
+RUN chown -R appuser:appgroup /opt/playground/backend/executable_files/ \
+  && chmod -R 777 /usr/local/share/ca-certificates/extra/ && chmod -R 777 /etc/ssl/certs && chmod +x /entrypoint.sh
 
 # Switch to appuser
 USER appuser

diff --git a/playground/backend/containers/go/build.gradle b/playground/backend/containers/go/build.gradle
@@ -43,10 +43,6 @@ task copyDockerfileDependencies(type: Copy) {
       from 'entrypoint.sh'
       into 'build/'
    }
-   copy {
-      from 'proxy.sh'
-      into 'build/'
-   }
    copy {
       from '../../../infrastructure/proxy/allow_list.py'
       into 'build/'

diff --git a/playground/backend/containers/go/entrypoint.sh b/playground/backend/containers/go/entrypoint.sh
@@ -14,4 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+nohup /opt/mitmproxy/mitmdump -s /opt/mitmproxy/allow_list_proxy.py -p 8081 &
+while [ ! -f /home/appuser/.mitmproxy/mitmproxy-ca.pem ] ;
+do
+      sleep 2
+done
+openssl x509 -in /home/appuser/.mitmproxy/mitmproxy-ca.pem -inform PEM -out /home/appuser/.mitmproxy/mitmproxy-ca.crt
+cp /home/appuser/.mitmproxy/mitmproxy-ca.crt /usr/local/share/ca-certificates/extra/
+update-ca-certificates
+
 /opt/playground/backend/server_go_backend
diff --git a/playground/backend/containers/go/proxy.sh b/playground/backend/containers/go/proxy.sh
diff --git a/playground/backend/containers/java/Dockerfile b/playground/backend/containers/java/Dockerfile
@@ -88,16 +88,17 @@ ENV HTTP_PROXY="http://127.0.0.1:8081"
 ENV HTTPS_PROXY="http://127.0.0.1:8081"
 
 COPY entrypoint.sh /
-COPY proxy.sh /
-# Run proxy
-RUN sh /proxy.sh
 
 # Create a user group `appgroup` and a user `appuser`
 RUN groupadd --gid 20000 appgroup \
   && useradd --uid 20000 --gid appgroup --shell /bin/bash --create-home appuser
-# Chown all the files to the app user.
-RUN chown -R appuser:appgroup /opt/playground/backend/ && chown -R appuser:appgroup /opt/apache/beam/jars/ \
-  && chmod +x /entrypoint.sh
+
+RUN mkdir -p /opt/playground/backend/executable_files/
+
+# Chown all required files to the `appuser`.
+RUN chown -R appuser:appgroup /opt/playground/backend/executable_files/ && chmod -R 775 /opt/apache/beam/jars/ \
+  && chmod -R 777 /usr/local/share/ca-certificates/extra/ && chmod -R 777 /usr/local/openjdk-8/jre/lib/security/ \
+  && chmod -R 777 /etc/ssl/certs && chmod +x /entrypoint.sh
 
 # Switch to appuser
 USER appuser

diff --git a/playground/backend/containers/java/build.gradle b/playground/backend/containers/java/build.gradle
@@ -43,10 +43,6 @@ task copyDockerfileDependencies(type: Copy) {
       from 'entrypoint.sh'
       into 'build/'
    }
-   copy {
-      from 'proxy.sh'
-      into 'build/'
-   }
    copy {
       from '../../../infrastructure/proxy/allow_list.py'
       into 'build/'

diff --git a/playground/backend/containers/java/entrypoint.sh b/playground/backend/containers/java/entrypoint.sh
@@ -14,4 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+nohup /opt/mitmproxy/mitmdump -s /opt/mitmproxy/allow_list_proxy.py -p 8081 &
+while [ ! -f /home/appuser/.mitmproxy/mitmproxy-ca.pem ] ;
+do
+      sleep 2
+done
+openssl x509 -in /home/appuser/.mitmproxy/mitmproxy-ca.pem -inform PEM -out /home/appuser/.mitmproxy/mitmproxy-ca.crt
+cp /home/appuser/.mitmproxy/mitmproxy-ca.crt /usr/local/share/ca-certificates/extra/
+update-ca-certificates
+
 /opt/playground/backend/server_java_backend
diff --git a/playground/backend/containers/java/proxy.sh b/playground/backend/containers/java/proxy.sh
diff --git a/playground/backend/containers/python/Dockerfile b/playground/backend/containers/python/Dockerfile
@@ -64,15 +64,17 @@ ENV HTTP_PROXY="http://127.0.0.1:8081"
 ENV HTTPS_PROXY="http://127.0.0.1:8081"
 
 COPY entrypoint.sh /
-COPY proxy.sh /
-# Run proxy
-RUN sh /proxy.sh
 
 # Create a user group `appgroup` and a user `appuser`
 RUN groupadd --gid 20000 appgroup \
   && useradd --uid 20000 --gid appgroup --shell /bin/bash --create-home appuser
-# Chown all the files to the app user.
-RUN chown -R appuser:appgroup /opt/playground/backend/ && chmod +x /entrypoint.sh
+
+RUN mkdir -p /opt/playground/backend/executable_files/
+
+# Chown all required files to the `appuser`.
+RUN chown -R appuser:appgroup /opt/playground/backend/executable_files/ \
+  && chmod 777 /usr/local/lib/python3.7/site-packages/certifi/cacert.pem \
+  && chmod -R 777 /usr/local/share/ca-certificates/extra/ && chmod -R 777 /etc/ssl/certs && chmod +x /entrypoint.sh
 
 # Switch to appuser
 USER appuser

diff --git a/playground/backend/containers/python/build.gradle b/playground/backend/containers/python/build.gradle
@@ -43,10 +43,6 @@ task copyDockerfileDependencies(type: Copy) {
       from 'entrypoint.sh'
       into 'build/'
    }
-   copy {
-      from 'proxy.sh'
-      into 'build/'
-   }
    copy {
       from '../../../infrastructure/proxy/allow_list.py'
       into 'build/'

diff --git a/playground/backend/containers/python/entrypoint.sh b/playground/backend/containers/python/entrypoint.sh
@@ -14,4 +14,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+nohup /opt/mitmproxy/mitmdump -s /opt/mitmproxy/allow_list_proxy.py -p 8081 &
+while [ ! -f /home/appuser/.mitmproxy/mitmproxy-ca.pem ] ;
+do
+      sleep 2
+done
+openssl x509 -in /home/appuser/.mitmproxy/mitmproxy-ca.pem -inform PEM -out /home/appuser/.mitmproxy/mitmproxy-ca.crt
+cp /home/appuser/.mitmproxy/mitmproxy-ca.crt /usr/local/share/ca-certificates/extra/
+update-ca-certificates
+cat /home/appuser/.mitmproxy/mitmproxy-ca.pem >> /usr/local/lib/python3.7/site-packages/certifi/cacert.pem
+
 /opt/playground/backend/server_python_backend
diff --git a/playground/backend/containers/python/proxy.sh b/playground/backend/containers/python/proxy.sh
diff --git a/playground/backend/containers/scio/Dockerfile b/playground/backend/containers/scio/Dockerfile
@@ -68,15 +68,17 @@ ENV HTTP_PROXY="http://127.0.0.1:8081"
 ENV HTTPS_PROXY="http://127.0.0.1:8081"
 
 COPY entrypoint.sh /
-COPY proxy.sh /
-# Run proxy
-RUN sh /proxy.sh
 
 # Create a user group `appgroup` and a user `appuser`
 RUN groupadd --gid 20000 appgroup \
   && useradd --uid 20000 --gid appgroup --shell /bin/bash --create-home appuser
-# Chown all the files to the app user.
-RUN chown -R appuser:appgroup /opt/playground/backend/ && chmod +x /entrypoint.sh
+
+RUN mkdir -p /opt/playground/backend/executable_files/
+
+# Chown all required files to the `appuser`.
+RUN chown -R appuser:appgroup /opt/playground/backend/executable_files/ \
+  && chmod -R 777 /usr/local/share/ca-certificates/extra/ && chmod -R 777 /usr/local/openjdk-8/jre/lib/security/ \
+  && chmod -R 777 /etc/ssl/certs && chmod +x /entrypoint.sh
 
 # Switch to appuser
 USER appuser

diff --git a/playground/backend/containers/scio/build.gradle b/playground/backend/containers/scio/build.gradle
@@ -43,10 +43,6 @@ task copyDockerfileDependencies(type: Copy) {
       from 'entrypoint.sh'
       into 'build/'
    }
-   copy {
-      from 'proxy.sh'
-      into 'build/'
-   }
    copy {
       from '../../../infrastructure/proxy/allow_list.py'
       into 'build/'

diff --git a/playground/backend/containers/scio/entrypoint.sh b/playground/backend/containers/scio/entrypoint.sh
@@ -14,4 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+nohup /opt/mitmproxy/mitmdump -s /opt/mitmproxy/allow_list_proxy.py -p 8081 &
+while [ ! -f /home/appuser/.mitmproxy/mitmproxy-ca.pem ] ;
+do
+      sleep 2
+done
+openssl x509 -in /home/appuser/.mitmproxy/mitmproxy-ca.pem -inform PEM -out /home/appuser/.mitmproxy/mitmproxy-ca.crt
+cp /home/appuser/.mitmproxy/mitmproxy-ca.crt /usr/local/share/ca-certificates/extra/
+update-ca-certificates
+
 /opt/playground/backend/server_scio_backend
diff --git a/playground/backend/containers/scio/proxy.sh b/playground/backend/containers/scio/proxy.sh
diff --git a/playground/infrastructure/proxy/allow_list_proxy.py b/playground/infrastructure/proxy/allow_list_proxy.py
@@ -21,10 +21,12 @@
 
 def request(flow: http.HTTPFlow) -> None:
   allowed_bucket = flow.request.pretty_host == GCS_HOST and \
-                   flow.request.path.split("/")[1] in ALLOWED_BUCKET_LIST
+  (flow.request.path.split("/")[1] in ALLOWED_BUCKET_LIST or \
+  flow.request.path.split("/")[4] in ALLOWED_BUCKET_LIST)
   allowed_host = flow.request.pretty_host in ALLOWED_LIST
   if not (allowed_bucket or allowed_host):
     flow.response = http.Response.make(
         status_code=403,
         content="Making requests to the hosts that are not listed "
-        "in the allowed list is forbidden.")
+        "in the allowed list is forbidden. "
+        "host:" + flow.request.pretty_host + ", path: " + flow.request.path)