Merge pull request #39 from CanDIG/fnguyen/candig-user

DIG-1377: Be consistent in our use of candig user inside containers

Dockerfile

@@ -7,6 +7,8 @@ LABEL "candigv2"="opa"
 
 USER root
 
+RUN addgroup -S candig && adduser -S candig -G candig
+
 RUN apk update
 
 RUN apk add --no-cache \
@@ -19,5 +21,12 @@ COPY ./ /app/
 
 RUN pip install --no-cache-dir -r /app/requirements.txt
 
-RUN touch initial_setup
+WORKDIR /app/
+
+RUN chown -R candig:candig /app
+
+USER candig
+
+RUN touch /app/initial_setup
+
 ENTRYPOINT ["bash", "/app/entrypoint.sh"]

entrypoint.sh

@@ -2,18 +2,18 @@
 
 set -Euo pipefail
 
-if [[ -f "initial_setup" ]]; then
-    sed -i s/CLIENT_ID/$KEYCLOAK_CLIENT_ID/ app/permissions_engine/idp.rego && sed -i s/CLIENT_ID/$KEYCLOAK_CLIENT_ID/ app/permissions_engine/authz.rego
-    sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ app/permissions_engine/idp.rego && sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ app/permissions_engine/authz.rego
+if [[ -f "/app/initial_setup" ]]; then
+    sed -i s/CLIENT_ID/$KEYCLOAK_CLIENT_ID/ /app/permissions_engine/idp.rego && sed -i s/CLIENT_ID/$KEYCLOAK_CLIENT_ID/ /app/permissions_engine/authz.rego
+    sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ /app/permissions_engine/idp.rego && sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ /app/permissions_engine/authz.rego
 
     OPA_SERVICE_TOKEN=$(cat /run/secrets/opa-service-token)
-    sed -i s/OPA_SERVICE_TOKEN/$OPA_SERVICE_TOKEN/ app/permissions_engine/authz.rego
+    sed -i s/OPA_SERVICE_TOKEN/$OPA_SERVICE_TOKEN/ /app/permissions_engine/authz.rego
 
     OPA_ROOT_TOKEN=$(cat /run/secrets/opa-root-token)
-    sed -i s/OPA_ROOT_TOKEN/$OPA_ROOT_TOKEN/ app/permissions_engine/authz.rego
-
-    python3 app/permissions_engine/initialize_idp.py
-    rm initial_setup
+    sed -i s/OPA_ROOT_TOKEN/$OPA_ROOT_TOKEN/ /app/permissions_engine/authz.rego
+    echo "initializing idp"
+    python3 /app/permissions_engine/initialize_idp.py
+    rm /app/initial_setup
 fi
 
 while [ 0 -eq 0 ]