From 779b89a25fafa82fed589d406b862748d00ee984 Mon Sep 17 00:00:00 2001
From: Dom Gibson
Date: Tue, 9 Mar 2021 13:45:47 +0000
Subject: [PATCH 1/7] SCMOD-12755: Allow startup scripts to run as non-root user.

---
 src/main/docker/Dockerfile.jdk | 9 ++++++---
 src/main/docker/Dockerfile.jre | 8 ++++++--
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk
index ec169d8..511c67d 100644
--- a/src/main/docker/Dockerfile.jdk
+++ b/src/main/docker/Dockerfile.jdk
@@ -20,7 +20,7 @@ ARG DOCKER_HUB_PUBLIC=docker.io
 #
 # Preliminary image that updates java.security to disable weaker SSL algorithms
 #
-FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT AS builder
+FROM dev/cafapi/opensuse-base:2.3.0-SNAPSHOT AS builder
 
 # Refresh the OS repositories and install OpenJDK 8 Development Kit
 RUN zypper -n refresh && \
@@ -42,7 +42,7 @@ RUN cd $JAVA_HOME/jre/lib/security && \
 #
 # The actual image definition
 #
-FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT
+FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT
 
 # Refresh the OS repositories and install OpenJDK 8 Development Kit
 RUN zypper -n refresh && \
@@ -50,11 +50,14 @@ RUN zypper -n refresh && \
 zypper -n install java-1_8_0-openjdk-devel && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
+RUN chmod a+rwx /etc/pki/trust/anchors && \
+ chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \
+ chmod -R a+rw /etc/ssl
 
 # Install Java certificate installation script
 ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \
 /startup/startup.d/
-RUN chmod +x /startup/startup.d/install-ca-cert-java.sh
+RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set Java Home
 ENV JAVA_HOME=/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0
diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre
index d104af3..19cb870 100644
--- a/src/main/docker/Dockerfile.jre
+++ b/src/main/docker/Dockerfile.jre
@@ -39,7 +39,7 @@ RUN cd /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security && \
 #
 # The actual image definition
 #
-FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT
+FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT
 
 # Refresh the OS repositories and install OpenJDK 8 Runtime Environment
 RUN zypper -n refresh && \
@@ -48,10 +48,14 @@ RUN zypper -n refresh && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
 
+RUN chmod a+rwx /etc/pki/trust/anchors && \
+ chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \
+ chmod -R a+rw /etc/ssl
+
 # Install Java certificate installation script
 ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \
 /startup/startup.d/
-RUN chmod +x /startup/startup.d/install-ca-cert-java.sh
+RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set JRE Home
 ENV JRE_HOME=/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre

From a723779f40ba9b6d53d8eb0649977955bbf77e22 Mon Sep 17 00:00:00 2001
From: Dom Gibson
Date: Tue, 9 Mar 2021 14:25:12 +0000
Subject: [PATCH 2/7] Remove ref to dev image

---
 src/main/docker/Dockerfile.jdk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk
index 511c67d..c860e64 100644
--- a/src/main/docker/Dockerfile.jdk
+++ b/src/main/docker/Dockerfile.jdk
@@ -20,7 +20,7 @@ ARG DOCKER_HUB_PUBLIC=docker.io
 #
 # Preliminary image that updates java.security to disable weaker SSL algorithms
 #
-FROM dev/cafapi/opensuse-base:2.3.0-SNAPSHOT AS builder
+FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT AS builder
 
 # Refresh the OS repositories and install OpenJDK 8 Development Kit
 RUN zypper -n refresh && \

From 6c068910fa1650a1c99fee1d3cf13ad79c982eab Mon Sep 17 00:00:00 2001
From: Dom Gibson
Date: Wed, 10 Mar 2021 11:13:38 +0000
Subject: [PATCH 3/7] simplify

---
 src/main/docker/Dockerfile.jdk | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk
index c860e64..483f5ba 100644
--- a/src/main/docker/Dockerfile.jdk
+++ b/src/main/docker/Dockerfile.jdk
@@ -50,9 +50,7 @@ RUN zypper -n refresh && \
 zypper -n install java-1_8_0-openjdk-devel && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
-RUN chmod a+rwx /etc/pki/trust/anchors && \
- chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \
- chmod -R a+rw /etc/ssl
+RUN chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts
 
 # Install Java certificate installation script
 ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \

From 9a92050059a1cece21c45514d73600216a493bba Mon Sep 17 00:00:00 2001
From: Dom Gibson
Date: Wed, 10 Mar 2021 11:56:00 +0000
Subject: [PATCH 4/7] run keytool as sudo

---
 src/main/docker/Dockerfile.jdk | 5 +++--
 src/main/docker/Dockerfile.jre | 6 ++----
 src/main/docker/caf-java | 1 +
 3 files changed, 6 insertions(+), 6 deletions(-)
 create mode 100644 src/main/docker/caf-java

diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk
index 483f5ba..5645a72 100644
--- a/src/main/docker/Dockerfile.jdk
+++ b/src/main/docker/Dockerfile.jdk
@@ -50,10 +50,11 @@ RUN zypper -n refresh && \
 zypper -n install java-1_8_0-openjdk-devel && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
-RUN chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts
+
+COPY caf-java /etc/sudoers.d/caf-java
 
 # Install Java certificate installation script
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \
+ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \
 /startup/startup.d/
 RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre
index 19cb870..081702b 100644
--- a/src/main/docker/Dockerfile.jre
+++ b/src/main/docker/Dockerfile.jre
@@ -48,12 +48,10 @@ RUN zypper -n refresh && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
 
-RUN chmod a+rwx /etc/pki/trust/anchors && \
- chmod -R a+rwx /var/lib/ca-certificates /usr/lib64/jvm/jre/lib/security/cacerts && \
- chmod -R a+rw /etc/ssl
+COPY caf-java /etc/sudoers.d/caf-java
 
 # Install Java certificate installation script
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \
+ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \
 /startup/startup.d/
 RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
diff --git a/src/main/docker/caf-java b/src/main/docker/caf-java
new file mode 100644
index 0000000..c0b2c10
--- /dev/null
+++ b/src/main/docker/caf-java
@@ -0,0 +1 @@
+ %CAF ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool

From 5b3687bc0e087c30a8900d188efbdaa2dae7f200 Mon Sep 17 00:00:00 2001
From: Dom Gibson
Date: Wed, 10 Mar 2021 16:33:02 +0000
Subject: [PATCH 5/7] code review

---
 src/main/docker/Dockerfile.jdk | 5 +--
 src/main/docker/Dockerfile.jre | 5 +--
 src/main/docker/caf-java | 1 -
 src/main/docker/install-ca-cert-java.sh | 50 +++++++++++++++++++++++++
 src/main/docker/permissions/caf-java | 1 +
 5 files changed, 55 insertions(+), 7 deletions(-)
 delete mode 100644 src/main/docker/caf-java
 create mode 100644 src/main/docker/install-ca-cert-java.sh
 create mode 100644 src/main/docker/permissions/caf-java

diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk
index 5645a72..1a62c98 100644
--- a/src/main/docker/Dockerfile.jdk
+++ b/src/main/docker/Dockerfile.jdk
@@ -51,11 +51,10 @@ RUN zypper -n refresh && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
 
-COPY caf-java /etc/sudoers.d/caf-java
+COPY permissions/caf-java /etc/sudoers.d/caf-java
 
 # Install Java certificate installation script
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \
- /startup/startup.d/
+COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh
 RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set Java Home
diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre
index 081702b..e399435 100644
--- a/src/main/docker/Dockerfile.jre
+++ b/src/main/docker/Dockerfile.jre
@@ -48,11 +48,10 @@ RUN zypper -n refresh && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
 
-COPY caf-java /etc/sudoers.d/caf-java
+COPY permissions/caf-java /etc/sudoers.d/caf-java
 
 # Install Java certificate installation script
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert-java.sh \
- /startup/startup.d/
+COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh
 RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set JRE Home
diff --git a/src/main/docker/caf-java b/src/main/docker/caf-java
deleted file mode 100644
index c0b2c10..0000000
--- a/src/main/docker/caf-java
+++ /dev/null
@@ -1 +0,0 @@
- %CAF ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool
diff --git a/src/main/docker/install-ca-cert-java.sh b/src/main/docker/install-ca-cert-java.sh
new file mode 100644
index 0000000..154c23d
--- /dev/null
+++ b/src/main/docker/install-ca-cert-java.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Copyright 2015-2021 Micro Focus or one of its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+JAVA_KEYSTORE_PASSWORD=${JAVA_KEYSTORE_PASSWORD:-changeit}
+MESOS_SANDBOX=${SSL_CA_CRT_DIR:-$MESOS_SANDBOX}
+
+import_java_cert() {
+ echo "Importing CA cert into Java Keystore on $1"
+ sudo keytool -noprompt -keystore $2 -storepass $JAVA_KEYSTORE_PASSWORD -importcert -alias caf-ssl-ca-cert-$4 -file $3
+}
+
+import_java_certs() {
+ IFS=',' read -a caFiles <<< "$SSL_CA_CRT"
+
+ index=0
+ for caFile in "${caFiles[@]}"
+ do
+ if ! [ -e $MESOS_SANDBOX/$caFile ]
+ then
+ echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found"
+ echo "Aborting further Java CA certificate load attempts."
+ exit 1
+ fi
+
+ import_java_cert $1 $2 $MESOS_SANDBOX/$caFile $index
+ (( index++ ))
+ echo "CA Certificate '$caFile' added to cacerts"
+ done
+}
+
+if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ]
+then
+ import_java_certs "OpenSUSE" /usr/lib64/jvm/jre/lib/security/cacerts
+else
+ echo "Not installing CA Certificate for Java"
+fi
diff --git a/src/main/docker/permissions/caf-java b/src/main/docker/permissions/caf-java
new file mode 100644
index 0000000..12d9dd3
--- /dev/null
+++ b/src/main/docker/permissions/caf-java
@@ -0,0 +1 @@
+ ALL ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool

From daaf8b48f496c80cd6a6f308ac259fcd96177a39 Mon Sep 17 00:00:00 2001
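Review bot: Every expansion in import_java_cert and in the import_java_certs loop is unquoted (`$2`, `$3`, `$MESOS_SANDBOX/$caFile`, `$1 $2 ... $index`), so a sandbox path or certificate name containing whitespace or glob characters is word-split and globbed before it reaches `[ -e ]` and keytool, and the failure then surfaces as a keytool error instead of the script's own "not found" message. Quote them: `sudo /usr/lib64/jvm/jre/bin/keytool -noprompt -keystore "$2" -storepass "$JAVA_KEYSTORE_PASSWORD" -importcert -alias "caf-ssl-ca-cert-$4" -file "$3"`, `if ! [ -e "$MESOS_SANDBOX/$caFile" ]` and `import_java_cert "$1" "$2" "$MESOS_SANDBOX/$caFile" "$index"`. Calling keytool by the same absolute path the sudoers entry names, rather than relying on sudo's PATH lookup, also keeps the script and the rule obviously in step. Since the script is now maintained here rather than fetched, a header comment stating its contract would help: which variables it reads (SSL_CA_CRT, SSL_CA_CRT_DIR or MESOS_SANDBOX, JAVA_KEYSTORE_PASSWORD), that it depends on the matching sudoers rule for keytool, and that it exits 1 on the first missing certificate.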
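Review bot: `ALL ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool` grants every account in the container passwordless root (or any other target user) for keytool with any arguments, and because keytool's -keystore and -file options choose the files it reads and writes, that is far broader than the single import the startup script performs. sudoers matches command-line arguments, so the rule can be narrowed to the target user and to the invocation the script actually makes, e.g. `ALL ALL=(root) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool -noprompt -keystore /usr/lib64/jvm/jre/lib/security/cacerts *`, and to a named user or group instead of `ALL` once the runtime account is fixed in the Dockerfile. If that account can be fixed, giving its group write access to the cacerts file alone would avoid sudo altogether. A one-line comment explaining why the rule exists, `# Lets the non-root startup script import CA certificates into the system cacerts (/startup/startup.d/install-ca-cert-java.sh)`, would also help the next reviewer.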
From: Dom Gibson
Date: Thu, 11 Mar 2021 12:10:54 +0000
Subject: [PATCH 6/7] license header

---
 src/main/docker/install-ca-cert-java.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/docker/install-ca-cert-java.sh b/src/main/docker/install-ca-cert-java.sh
index 154c23d..23e946f 100644
--- a/src/main/docker/install-ca-cert-java.sh
+++ b/src/main/docker/install-ca-cert-java.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2015-2021 Micro Focus or one of its affiliates.
+# Copyright 2017-2020 Micro Focus or one of its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

From 0b877944dea5b9010dcd88b3a48f466d4a23c83c Mon Sep 17 00:00:00 2001
From: Dom Gibson
Date: Tue, 16 Mar 2021 09:57:40 +0000
Subject: [PATCH 7/7] review

---
 src/main/docker/Dockerfile.jdk | 4 ++--
 src/main/docker/Dockerfile.jre | 4 ++--
 src/main/docker/{ => startup.d}/install-ca-cert-java.sh | 0
 .../{permissions/caf-java => sudoers.d/install-ca-cert-java} | 0
 4 files changed, 4 insertions(+), 4 deletions(-)
 rename src/main/docker/{ => startup.d}/install-ca-cert-java.sh (100%)
 rename src/main/docker/{permissions/caf-java => sudoers.d/install-ca-cert-java} (100%)

diff --git a/src/main/docker/Dockerfile.jdk b/src/main/docker/Dockerfile.jdk
index 1a62c98..9d4e88e 100644
--- a/src/main/docker/Dockerfile.jdk
+++ b/src/main/docker/Dockerfile.jdk
@@ -51,10 +51,10 @@ RUN zypper -n refresh && \
 zypper al java-1_8_0-openjdk && \
 zypper -n clean --all
 
-COPY permissions/caf-java /etc/sudoers.d/caf-java
+COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java
 
 # Install Java certificate installation script
-COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh
+COPY startup.d/install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh
 RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set Java Home
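Review bot: `COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java` carries the build-context file's mode into the image, and sudo checks the ownership and mode of each file under /etc/sudoers.d and will not honour an entry that is writable by others, so whether the rule takes effect depends on the checkout's umask rather than on the Dockerfile. Set the mode explicitly and validate the file in the same step, e.g. `RUN chmod 0440 /etc/sudoers.d/install-ca-cert-java && visudo -cf /etc/sudoers.d/install-ca-cert-java` (or `COPY --chmod=0440 ...` where BuildKit is in use), so a syntax or permission problem fails the build instead of silently disabling the startup script's sudo call. The matching hunk in Dockerfile.jre needs the same treatment. Neither Dockerfile in the series shows sudo being installed; if it comes from the opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT base, a comment above the COPY saying so would save a reader the lookup.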
diff --git a/src/main/docker/Dockerfile.jre b/src/main/docker/Dockerfile.jre index e399435..4b8be5e 100644 --- a/src/main/docker/Dockerfile.jre +++ b/src/main/docker/Dockerfile.jre @@ -48,10 +48,10 @@ RUN zypper -n refresh && \ zypper al java-1_8_0-openjdk && \ zypper -n clean --all -COPY permissions/caf-java /etc/sudoers.d/caf-java +COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java # Install Java certificate installation script -COPY install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh +COPY startup.d/install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh # Set JRE Home diff --git a/src/main/docker/install-ca-cert-java.sh b/src/main/docker/startup.d/install-ca-cert-java.sh similarity index 100% rename from src/main/docker/install-ca-cert-java.sh rename to src/main/docker/startup.d/install-ca-cert-java.sh diff --git a/src/main/docker/permissions/caf-java b/src/main/docker/sudoers.d/install-ca-cert-java similarity index 100% rename from src/main/docker/permissions/caf-java rename to src/main/docker/sudoers.d/install-ca-cert-java