From 2d4711b345483bd66cc94281103e36271da66a81 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Tue, 9 Mar 2021 13:53:12 +0000 Subject: [PATCH 1/5] SCMOD-12755: Allow startup scripts to run as non-root user. --- src/main/docker/Dockerfile.jdk | 5 ++++- src/main/docker/Dockerfile.jre | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk index e7d04c7..84d3ae0 100644 --- a/src/main/docker/Dockerfile.jdk +++ b/src/main/docker/Dockerfile.jdk @@ -42,7 +42,7 @@ RUN cd $JAVA_HOME/conf/security && \ # # The actual image definition # -FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT +FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT # Refresh the OS repositories and install OpenJDK 11 Development Kit RUN zypper -n refresh && \ @@ -50,6 +50,9 @@ RUN zypper -n refresh && \ zypper -n install java-11-openjdk-devel && \ zypper al java-11-openjdk && \ zypper -n clean --all +RUN chmod a+rwx /etc/pki/trust/anchors && \ + chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \ + chmod -R a+rw /etc/ssl # Install Java certificate installation script ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \ diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre index 60b80d7..41e4ff0 100644 --- a/src/main/docker/Dockerfile.jre +++ b/src/main/docker/Dockerfile.jre @@ -39,7 +39,7 @@ RUN cd /usr/lib64/jvm/java-11-openjdk-11/conf/security && \ # # The actual image definition # -FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT +FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT # Refresh the OS repositories and install OpenJDK 11 Runtime Environment RUN zypper -n refresh && \ 
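Review bot: The new base tag `opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT` is a per-ticket prerelease tag, and no later patch in this series points it back, so the Dockerfiles as merged would track what is presumably a mutable snapshot built for this ticket rather than a released base. The same FROM change is made in the Dockerfile.jre hunk of this patch. Before merge the line should return to a released `opensuse-base` tag, ideally pinned as `FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0@sha256:<placeholder-digest>` so the sudo and keytool changes that follow are built on a reproducible base.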
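Review bot: `chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts` and `chmod -R a+rw /etc/ssl` make the OS and JVM trust stores world-writable, so any process in the container, not only the startup script, can add or replace a CA that every TLS connection will then trust. The same RUN is added to Dockerfile.jre in the next hunk; patch 2 of this series removes both again in favour of a sudoers rule, so if the series is squashed this layer should not survive. If the runtime user genuinely needs to update the trust store, grant that user or group write access to the specific files (`chown`/`chmod g+w` on the cacerts file) rather than `a+rwx` on whole directories.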
@@ -47,6 +47,9 @@ RUN zypper -n refresh && \ zypper -n install java-11-openjdk && \ zypper al java-11-openjdk && \ zypper -n clean --all +RUN chmod a+rwx /etc/pki/trust/anchors && \ + chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \ + chmod -R a+rw /etc/ssl # Install Java certificate installation script ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \ From 2570949abc14d79e12fd0edc5f3d7c5bcd8adc03 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Wed, 10 Mar 2021 12:10:36 +0000 Subject: [PATCH 2/5] grant sudo permissions to keytool --- src/main/docker/Dockerfile.jdk | 9 ++++----- src/main/docker/Dockerfile.jre | 9 ++++----- src/main/docker/caf-java | 1 + 3 files changed, 9 insertions(+), 10 deletions(-) create mode 100644 src/main/docker/caf-java diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk index 84d3ae0..ba4a542 100644 --- a/src/main/docker/Dockerfile.jdk +++ b/src/main/docker/Dockerfile.jdk @@ -50,14 +50,13 @@ RUN zypper -n refresh && \ zypper -n install java-11-openjdk-devel && \ zypper al java-11-openjdk && \ zypper -n clean --all -RUN chmod a+rwx /etc/pki/trust/anchors && \ - chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \ - chmod -R a+rw /etc/ssl + +COPY caf-java /etc/sudoers.d/caf-java # Install Java certificate installation script -ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \ +ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \ /startup/startup.d/ -RUN chmod +x /startup/startup.d/install-ca-cert-java.sh +RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set Java Home ENV JAVA_HOME=/usr/lib64/jvm/java-11-openjdk-11 diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre index 41e4ff0..62ac2ab 100644 --- a/src/main/docker/Dockerfile.jre 
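Review bot: `COPY caf-java /etc/sudoers.d/caf-java` keeps whatever mode the file has in the build context, but sudo rejects a sudoers fragment that is writable by anyone other than root and expects 0440, so whether this rule is honoured depends on the umask of the checkout that produced the context. Set the mode explicitly and validate the fragment at build time: `COPY --chmod=0440 caf-java /etc/sudoers.d/caf-java` (BuildKit) or `RUN chmod 0440 /etc/sudoers.d/caf-java && visudo -cf /etc/sudoers.d/caf-java`, so a malformed or mis-permissioned fragment fails the image build rather than the container start. Whether `sudo` itself is installed in the opensuse-base image is not visible in this series and should be confirmed. The same COPY appears in the Dockerfile.jre hunk of this patch and in the corresponding Dockerfile hunks of patches 3 and 5. The `ADD` of the script from the `SCMOD-12755` branch of caf-common is an unpinned, un-checksummed remote fetch; patch 3 replaces it with a local COPY, which resolves that point.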
+++ b/src/main/docker/Dockerfile.jre @@ -47,14 +47,13 @@ RUN zypper -n refresh && \ zypper -n install java-11-openjdk && \ zypper al java-11-openjdk && \ zypper -n clean --all -RUN chmod a+rwx /etc/pki/trust/anchors && \ - chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \ - chmod -R a+rw /etc/ssl + +COPY caf-java /etc/sudoers.d/caf-java # Install Java certificate installation script -ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \ +ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \ /startup/startup.d/ -RUN chmod +x /startup/startup.d/install-ca-cert-java.sh +RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set JRE Home ENV JRE_HOME=/usr/lib64/jvm/java-11-openjdk-11 diff --git a/src/main/docker/caf-java b/src/main/docker/caf-java new file mode 100644 index 0000000..c0b2c10 --- /dev/null +++ b/src/main/docker/caf-java @@ -0,0 +1 @@ + %CAF ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool From ecbd949ac3638b954866f5805105a9976501ad70 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Wed, 10 Mar 2021 16:33:16 +0000 Subject: [PATCH 3/5] code review --- src/main/docker/Dockerfile.jdk | 5 +-- src/main/docker/Dockerfile.jre | 5 +-- src/main/docker/caf-java | 1 - src/main/docker/install-ca-cert-java.sh | 50 +++++++++++++++++++++++++ src/main/docker/permissions/caf-java | 1 + 5 files changed, 55 insertions(+), 7 deletions(-) delete mode 100644 src/main/docker/caf-java create mode 100644 src/main/docker/install-ca-cert-java.sh create mode 100644 src/main/docker/permissions/caf-java diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk index ba4a542..a46d9bb 100644 --- a/src/main/docker/Dockerfile.jdk +++ b/src/main/docker/Dockerfile.jdk 
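Review bot: `%CAF ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool` permits keytool with any arguments, and because keytool reads and writes whatever `-keystore` and `-file` paths it is given, the rule amounts to a passwordless root file-write for every member of CAF rather than permission to amend cacerts. Patch 3 widens the user field to `ALL`, extending that to every account in the container. A narrower design is to avoid sudo here altogether by giving the runtime user or group write access to the single cacerts file at build time (`chgrp`/`chmod g+w` on `/usr/lib64/jvm/jre/lib/security/cacerts`), or, if sudo is kept, to point the rule at a root-owned wrapper script that hard-codes the keystore path and accepts only an alias and a certificate file. Whether a `CAF` group exists in the base image is not visible here and should be confirmed before relying on the group form.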
@@ -51,11 +51,10 @@ RUN zypper -n refresh && \ zypper al java-11-openjdk && \ zypper -n clean --all -COPY caf-java /etc/sudoers.d/caf-java +COPY permissions/caf-java /etc/sudoers.d/caf-java # Install Java certificate installation script -ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \ - /startup/startup.d/ +COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set Java Home diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre index 62ac2ab..468c042 100644 --- a/src/main/docker/Dockerfile.jre +++ b/src/main/docker/Dockerfile.jre @@ -48,11 +48,10 @@ RUN zypper -n refresh && \ zypper al java-11-openjdk && \ zypper -n clean --all -COPY caf-java /etc/sudoers.d/caf-java +COPY permissions/caf-java /etc/sudoers.d/caf-java # Install Java certificate installation script -ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \ - /startup/startup.d/ +COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set JRE Home diff --git a/src/main/docker/caf-java b/src/main/docker/caf-java deleted file mode 100644 index c0b2c10..0000000 --- a/src/main/docker/caf-java +++ /dev/null @@ -1 +0,0 @@ - %CAF ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool diff --git a/src/main/docker/install-ca-cert-java.sh b/src/main/docker/install-ca-cert-java.sh new file mode 100644 index 0000000..154c23d --- /dev/null +++ b/src/main/docker/install-ca-cert-java.sh 
@@ -0,0 +1,50 @@ +#!/bin/bash +# +# Copyright 2015-2021 Micro Focus or one of its affiliates. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +JAVA_KEYSTORE_PASSWORD=${JAVA_KEYSTORE_PASSWORD:-changeit} +MESOS_SANDBOX=${SSL_CA_CRT_DIR:-$MESOS_SANDBOX} + +import_java_cert() { + echo "Importing CA cert into Java Keystore on $1" + sudo keytool -noprompt -keystore $2 -storepass $JAVA_KEYSTORE_PASSWORD -importcert -alias caf-ssl-ca-cert-$4 -file $3 +} + +import_java_certs() { + IFS=',' read -a caFiles <<< "$SSL_CA_CRT" + + index=0 + for caFile in "${caFiles[@]}" + do + if ! [ -e $MESOS_SANDBOX/$caFile ] + then + echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found" + echo "Aborting further Java CA certificate load attempts." + exit 1 + fi + + import_java_cert $1 $2 $MESOS_SANDBOX/$caFile $index + (( index++ )) + echo "CA Certificate '$caFile' added to cacerts" + done +} + +if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ] +then + import_java_certs "OpenSUSE" /usr/lib64/jvm/jre/lib/security/cacerts +else + echo "Not installing CA Certificate for Java" +fi diff --git a/src/main/docker/permissions/caf-java b/src/main/docker/permissions/caf-java new file mode 100644 index 0000000..12d9dd3 --- /dev/null +++ b/src/main/docker/permissions/caf-java @@ -0,0 +1 @@ + ALL ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool From 88a361cc08de33101b18811bc0d4aace8cd18ded Mon Sep 17 00:00:00 2001 
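Review bot: In `import_java_cert` the exit status of `sudo keytool` is discarded and the script has no `set -e`, so a failed import (sudo refused, wrong store password, unreadable certificate) still prints "CA Certificate '$caFile' added to cacerts" and the container starts with a trust store missing the CA it was told to install. The expansions `$2`, `$3`, `$MESOS_SANDBOX/$caFile` and the `-e` test are unquoted, so a sandbox path containing spaces or glob characters breaks both the existence check and the keytool call. `-storepass $JAVA_KEYSTORE_PASSWORD` also places the store password on the command line of a root process, where it is readable in the process list; the default `changeit` limits the impact, but a deployment that sets a real password would want keytool's `-storepass:file` form. Suggested rewrite of the import function and the two affected loop lines below; the header, the variable defaults and the final `if`/`else` stay as they are.
```shell
import_java_cert() {
    echo "Importing CA cert into Java Keystore on $1"
    # Quote every expansion and fail fast: a keystore update that did not
    # happen must not be reported as a success by the caller.
    if ! sudo keytool -noprompt -keystore "$2" -storepass "$JAVA_KEYSTORE_PASSWORD" \
            -importcert -alias "caf-ssl-ca-cert-$4" -file "$3"
    then
        echo "Failed to import CA Certificate '$3' into '$2'"
        echo "Aborting further Java CA certificate load attempts."
        exit 1
    fi
}

# … unchanged: import_java_certs up to the existence test …
        if ! [ -e "$MESOS_SANDBOX/$caFile" ]
# … unchanged: not-found messages and exit …
        import_java_cert "$1" "$2" "$MESOS_SANDBOX/$caFile" "$index"
# … unchanged: index increment, success message, loop end, final if/else …
```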
From: Dom Gibson Date: Thu, 11 Mar 2021 08:27:51 +0000 Subject: [PATCH 4/5] fix license header --- src/main/docker/install-ca-cert-java.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/docker/install-ca-cert-java.sh b/src/main/docker/install-ca-cert-java.sh index 154c23d..23e946f 100644 --- a/src/main/docker/install-ca-cert-java.sh +++ b/src/main/docker/install-ca-cert-java.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2015-2021 Micro Focus or one of its affiliates. +# Copyright 2017-2020 Micro Focus or one of its affiliates. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From b86f24225710b71d7c5e7c48a1bf1233ad67eae0 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Tue, 16 Mar 2021 09:58:01 +0000 Subject: [PATCH 5/5] review --- src/main/docker/Dockerfile.jdk | 4 ++-- src/main/docker/Dockerfile.jre | 4 ++-- src/main/docker/{ => startup.d}/install-ca-cert-java.sh | 0 .../{permissions/caf-java => sudoers.d/install-ca-cert-java} | 0 4 files changed, 4 insertions(+), 4 deletions(-) rename src/main/docker/{ => startup.d}/install-ca-cert-java.sh (100%) rename src/main/docker/{permissions/caf-java => sudoers.d/install-ca-cert-java} (100%) diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk index a46d9bb..ad25664 100644 --- a/src/main/docker/Dockerfile.jdk +++ b/src/main/docker/Dockerfile.jdk @@ -51,10 +51,10 @@ RUN zypper -n refresh && \ zypper al java-11-openjdk && \ zypper -n clean --all -COPY permissions/caf-java /etc/sudoers.d/caf-java +COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java # Install Java certificate installation script -COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh +COPY startup.d/install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set Java Home 
diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre index 468c042..3670412 100644 --- a/src/main/docker/Dockerfile.jre +++ b/src/main/docker/Dockerfile.jre @@ -48,10 +48,10 @@ RUN zypper -n refresh && \ zypper al java-11-openjdk && \ zypper -n clean --all -COPY permissions/caf-java /etc/sudoers.d/caf-java +COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java # Install Java certificate installation script -COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh +COPY startup.d/install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set JRE Home diff --git a/src/main/docker/install-ca-cert-java.sh b/src/main/docker/startup.d/install-ca-cert-java.sh similarity index 100% rename from src/main/docker/install-ca-cert-java.sh rename to src/main/docker/startup.d/install-ca-cert-java.sh diff --git a/src/main/docker/permissions/caf-java b/src/main/docker/sudoers.d/install-ca-cert-java similarity index 100% rename from src/main/docker/permissions/caf-java rename to src/main/docker/sudoers.d/install-ca-cert-java