From e41d28ca88de6e25a3a69b4af980aee937087f37 Mon Sep 17 00:00:00 2001
From: ecaiyanlinux
Date: Wed, 1 Dec 2021 16:18:36 +0100
Subject: [PATCH] Use non-root user in Dockerfile
Signed-off-by: ecaiyanlinux
Issue-ID: NONRTRIC-656
Change-Id: Ib85abd9de806b30b73af34a863b06c7663026c3d
---
 a1-policy-management-service/Dockerfile | 7 +++++--
 dmaap-adaptor-java/Dockerfile | 8 ++++++--
 helm-manager/Dockerfile | 4 ++++
 information-coordinator-service/Dockerfile | 9 ++++++---
 r-app-catalogue/Dockerfile | 8 +++++++-
 test/cr/Dockerfile | 4 ++++
 test/http-https-proxy/Dockerfile | 4 ++++
 test/mrstub/Dockerfile | 4 ++++
 test/prodstub/Dockerfile | 4 ++++
 test/usecases/oruclosedlooprecovery/scriptversion/app/Dockerfile | 4 ++++
 10 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/a1-policy-management-service/Dockerfile b/a1-policy-management-service/Dockerfile
index f64eebb6..3775b396 100644
--- a/a1-policy-management-service/Dockerfile
+++ b/a1-policy-management-service/Dockerfile
@@ -34,8 +34,11 @@ ADD /config/application_configuration.json /opt/app/policy-agent/data/applicatio
 ADD /config/keystore.jks /opt/app/policy-agent/etc/cert/keystore.jks
 ADD /config/truststore.jks /opt/app/policy-agent/etc/cert/truststore.jks
-RUN chmod -R 777 /opt/app/policy-agent/config/
-RUN chmod -R 777 /opt/app/policy-agent/data/
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+RUN chown -R appuser:appuser /opt/app/policy-agent
+RUN chown -R appuser:appuser /var/log/policy-agent
+USER appuser
 ADD target/${JAR} /opt/app/policy-agent/policy-agent.jar
 CMD ["java", "-jar", "/opt/app/policy-agent/policy-agent.jar"]
diff --git a/dmaap-adaptor-java/Dockerfile b/dmaap-adaptor-java/Dockerfile
index b2c0c30c..9843699a 100644
--- a/dmaap-adaptor-java/Dockerfile
+++ b/dmaap-adaptor-java/Dockerfile
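Review bot: `RUN chown -R appuser:appuser /opt/app/policy-agent` in the a1-policy-management-service hunk makes the runtime account the owner of the whole application tree, including `etc/cert/keystore.jks` and `etc/cert/truststore.jks` added just above, so a compromised service process could rewrite its own key and trust material. Only the paths the service writes at run time need to belong to `appuser`; the removed `chmod` lines targeted `config/` and `data/`, which suggests something like `RUN chown -R appuser:appuser /opt/app/policy-agent/data /var/log/policy-agent` is enough, though which directories are really written is not visible here. The same tree-wide chown appears in the dmaap-adaptor-java, information-coordinator-service and r-app-catalogue hunks, and in the last two the jar is added before the chown, so there the application binary itself becomes writable by the service user. The Dockerfile starts outside the hunk.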
@@ -30,14 +30,18 @@ WORKDIR /opt/app/dmaap-adaptor-service
 RUN mkdir -p /var/log/dmaap-adaptor-service
 RUN mkdir -p /opt/app/dmaap-adaptor-service/etc/cert/
 RUN mkdir -p /var/dmaap-adaptor-service
-RUN chmod -R 777 /var/dmaap-adaptor-service
 ADD /config/application.yaml /opt/app/dmaap-adaptor-service/config/application.yaml
 ADD /config/application_configuration.json /opt/app/dmaap-adaptor-service/data/application_configuration.json_example
 ADD /config/keystore.jks /opt/app/dmaap-adaptor-service/etc/cert/keystore.jks
 ADD /config/truststore.jks /opt/app/dmaap-adaptor-service/etc/cert/truststore.jks
-RUN chmod -R 777 /opt/app/dmaap-adaptor-service/config/
+
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+RUN chown -R appuser:appuser /var/dmaap-adaptor-service/
+RUN chown -R appuser:appuser /opt/app/dmaap-adaptor-service/
+USER appuser
 ADD target/${JAR} /opt/app/dmaap-adaptor-service/dmaap-adaptor.jar
 CMD ["java", "-jar", "/opt/app/dmaap-adaptor-service/dmaap-adaptor.jar"]
diff --git a/helm-manager/Dockerfile b/helm-manager/Dockerfile
index 90164fd7..d15ddc78 100644
--- a/helm-manager/Dockerfile
+++ b/helm-manager/Dockerfile
@@ -49,4 +49,8 @@ COPY config/application.yaml .
 WORKDIR /opt/app/helm-manager
 COPY target/app.jar app.jar
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+USER appuser
+
 CMD [ "java", "-jar", "app.jar" ]
diff --git a/information-coordinator-service/Dockerfile b/information-coordinator-service/Dockerfile
index e9d179df..226d2ec3 100644
--- a/information-coordinator-service/Dockerfile
+++ b/information-coordinator-service/Dockerfile
@@ -25,7 +25,6 @@ WORKDIR /opt/app/information-coordinator-service
 RUN mkdir -p /var/log/information-coordinator-service
 RUN mkdir -p /opt/app/information-coordinator-service/etc/cert/
 RUN mkdir -p /var/information-coordinator-service
-RUN chmod -R 777 /var/information-coordinator-service
 EXPOSE 8083 8434
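Review bot: `/var/log/dmaap-adaptor-service` is created by the `RUN mkdir -p` at the top of the dmaap-adaptor-java hunk but is not among the directories handed to `appuser`, so it stays root-owned while the process now runs unprivileged. If the service writes its log file there, which the log-directory chown in the a1-policy-management-service and information-coordinator-service Dockerfiles suggests, it will hit a permission error at startup. Adding `RUN chown -R appuser:appuser /var/log/dmaap-adaptor-service` before `USER appuser` would bring this file in line with the other services.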
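Review bot: `USER appuser` in the helm-manager hunk names the account instead of giving its id, and Kubernetes cannot verify a named user against `runAsNonRoot: true`, so a pod with that security context will refuse to start the container. The account is created with a fixed id two lines above, so `USER 999:999` says the same thing in a form the runtime can check. The same applies to the `USER appuser` line in every other Dockerfile touched by this patch. Separately, `useradd -r` creates no home directory, so anything this image runs that expects a writable `$HOME` would need one; whether that matters for helm-manager cannot be seen from the hunk.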
@@ -34,8 +33,12 @@ ADD target/${JAR} /opt/app/information-coordinator-service/information-coordinat
 ADD /config/keystore.jks /opt/app/information-coordinator-service/etc/cert/keystore.jks
 ADD /config/truststore.jks /opt/app/information-coordinator-service/etc/cert/truststore.jks
-
-RUN chmod -R 777 /opt/app/information-coordinator-service/config/
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+RUN chown -R appuser:appuser /opt/app/information-coordinator-service
+RUN chown -R appuser:appuser /var/information-coordinator-service
+RUN chown -R appuser:appuser /var/log/information-coordinator-service
+USER appuser
 CMD ["java", "-jar", "/opt/app/information-coordinator-service/information-coordinator-service.jar"]
diff --git a/r-app-catalogue/Dockerfile b/r-app-catalogue/Dockerfile
index cd2efc9b..0f77256e 100644
--- a/r-app-catalogue/Dockerfile
+++ b/r-app-catalogue/Dockerfile
@@ -32,7 +32,13 @@ ADD /config/r-app-catalogue-keystore.jks /opt/app/r-app-catalogue/etc/cert/keyst
 ADD target/${JAR} /opt/app/r-app-catalogue/r-app-catalogue.jar
-RUN chmod -R 777 /opt/app/r-app-catalogue/config/
+RUN chmod -R 644 /opt/app/r-app-catalogue/config/
+
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+RUN chown -R appuser:appuser /opt/app/r-app-catalogue/
+RUN chown -R appuser:appuser /var/log/r-app-catalogue/
+USER appuser
 CMD ["java", "-jar", "/opt/app/r-app-catalogue/r-app-catalogue.jar"]
diff --git a/test/cr/Dockerfile b/test/cr/Dockerfile
index e66d30f3..ad61ab32 100644
--- a/test/cr/Dockerfile
+++ b/test/cr/Dockerfile
@@ -31,4 +31,8 @@ RUN pip install -r requirements.txt
 RUN chmod +x start.sh
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+USER appuser
+
 CMD [ "./start.sh" ]
diff --git a/test/http-https-proxy/Dockerfile b/test/http-https-proxy/Dockerfile
index d7a78ad1..0d9b9775 100644
--- a/test/http-https-proxy/Dockerfile
+++ b/test/http-https-proxy/Dockerfile
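Review bot: `RUN chmod -R 644 /opt/app/r-app-catalogue/config/` in the r-app-catalogue hunk applies mode 644 to the directory itself as well as its files, which removes the directory's search (execute) bit. Root is not affected by that, but the process now runs as `appuser`, who owns the directory after the chown and still cannot open any file inside it, so the service would fail to read its configuration. `RUN chmod -R u=rwX,go=rX /opt/app/r-app-catalogue/config/` keeps directories traversable and leaves regular files without execute permission unless they already had it.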
@@ -13,4 +13,8 @@ COPY cert/pass .
 WORKDIR /usr/src/app
 COPY http_proxy.js .
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+USER appuser
+
 CMD [ "node", "http_proxy.js" ]
\ No newline at end of file
diff --git a/test/mrstub/Dockerfile b/test/mrstub/Dockerfile
index 676c77ca..a5f9ea01 100644
--- a/test/mrstub/Dockerfile
+++ b/test/mrstub/Dockerfile
@@ -34,4 +34,8 @@ RUN pip install -r requirements.txt
 RUN chmod +x start.sh
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+USER appuser
+
 CMD [ "./start.sh" ]
\ No newline at end of file
diff --git a/test/prodstub/Dockerfile b/test/prodstub/Dockerfile
index 4768bf95..0a027e4d 100644
--- a/test/prodstub/Dockerfile
+++ b/test/prodstub/Dockerfile
@@ -32,4 +32,8 @@ RUN chmod +x start.sh
 RUN apt-get update
 RUN apt-get install -y nginx=1.14.*
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+USER appuser
+
 CMD [ "./start.sh" ]
diff --git a/test/usecases/oruclosedlooprecovery/scriptversion/app/Dockerfile b/test/usecases/oruclosedlooprecovery/scriptversion/app/Dockerfile
index 4cb03c74..3c1a064e 100644
--- a/test/usecases/oruclosedlooprecovery/scriptversion/app/Dockerfile
+++ b/test/usecases/oruclosedlooprecovery/scriptversion/app/Dockerfile
@@ -29,4 +29,8 @@ RUN apt-get install iputils-ping -y
 RUN pip install -r requirements.txt
+RUN groupadd -g 999 appuser && \
+ useradd -r -u 999 -g appuser appuser
+USER appuser
+
 CMD [ "python3", "-u", "main.py" ]
-- 
2.16.6
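Review bot: In the test/prodstub hunk nginx is installed in the context lines directly above the new `USER appuser`, and nothing is added to let an unprivileged account run it. If `start.sh` launches that nginx (the script is not shown), the package's default pid, log and cache locations are root-owned and a listen port below 1024 may be refused, so the stub could fail to start as `appuser`. This should be confirmed by running the built image. If nginx is started, either point its pid file, logs and temp paths at a directory owned by `appuser` and use an unprivileged port, or chown the nginx runtime directories before the `USER` line.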