From 126bb442cad31f85dff8a55ff7f7d4c86c0e00ce Mon Sep 17 00:00:00 2001
From: Abdulrhmn Ghanem
Date: Thu, 13 Oct 2022 21:07:38 +0200
Subject: [PATCH 1/5] docker: stop running `frontend` and `processor` with root user

---
 frontend/Dockerfile | 20 +++++++++++---------
 processor/.dockerignore | 1 +
 processor/Dockerfile | 10 +++++++---
 scripts/clear_volumes_and_test_processor.sh | 3 ++-
 4 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index d89e19bfa2..dc63968a1e 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -22,12 +22,14 @@ COPY yarn.lock .
 RUN yarn --frozen-lockfile
 FROM base AS production
-COPY --from=build /build/.next/ .next/
-COPY --from=build /deps/node_modules/ node_modules/
-COPY package.json .
-COPY next.config.js .
-COPY public/ public/
-RUN mkdir src/
-COPY src/server.js src/server.js
-ENV NODE_ENV=production
-CMD yarn start
+COPY --chown=node:node --from=build /build/.next/ .next/
+COPY --chown=node:node --from=build /deps/node_modules/ node_modules/
+COPY --chown=node:node package.json .
+COPY --chown=node:node next.config.js .
+COPY --chown=node:node public/ public/
+RUN mkdir src/ && chown -R node src
+COPY --chown=node:node src/server.js src/server.js
+ENV NODE_ENV=productionu
+USER node
+
+CMD ["node", "src/server.js"]
diff --git a/processor/.dockerignore b/processor/.dockerignore
index 476b7d85f6..917d7ed50b 100644
--- a/processor/.dockerignore
+++ b/processor/.dockerignore
@@ -2,3 +2,4 @@
 *Dockerfile*
 *docker-compose*
 node_modules
+dist
diff --git a/processor/Dockerfile b/processor/Dockerfile
index bbb9e68d4d..0ab20e568e 100644
--- a/processor/Dockerfile
+++ b/processor/Dockerfile
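Review bot: `ENV NODE_ENV=productionu` carries a trailing `u`, so the image built at this commit runs Next.js with an unrecognised NODE_ENV instead of `production`; the line should read `ENV NODE_ENV=production`. Patch 4/5 of this series rewrites that line, but this commit produces a misconfigured image on its own, so the fix belongs here or the two commits should be squashed. Separately, `COPY --chown=node:node` on `node_modules/`, `public/`, `package.json` and `next.config.js` gives the runtime user write access to the application code, which weakens the point of dropping root: root-owned, world-readable files are enough for `node` to read them, and only `.next/` has a stated need to be writable. The base stage that is assumed to provide the `node` user is outside the hunk.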
@@ -19,14 +19,18 @@ RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y \
     python3-pip \
     git
-RUN mkdir /app
 WORKDIR /app
-
 COPY . .
-
 RUN pip3 install -r requirements.txt
 RUN yarn install
 RUN yarn tsc
 RUN yarn cp-assets
+RUN addgroup --gid 1000 node && \
+    adduser -u 1000 --gid 1000 node --shell /bin/bash --home /home/node && \
+    mkdir /data /gitea-data && \
+    chown -R node /data /gitea-data
+
+USER node
 CMD ["node", "dist/src/server.js"]
+
diff --git a/scripts/clear_volumes_and_test_processor.sh b/scripts/clear_volumes_and_test_processor.sh
index 08806b4e11..51e70fc9fc 100755
--- a/scripts/clear_volumes_and_test_processor.sh
+++ b/scripts/clear_volumes_and_test_processor.sh
@@ -21,6 +21,7 @@ docker-compose down -v
 # you can pass arguments to mocha e.g. `-g multi`
 args="$(concatenate_args "$@")"
 docker-compose run \
+  -u node \
   -e LOG_LEVEL=debug \
   -e DATA_DIR=/data/test \
-  processor sh -c "yarn install && yarn tsc && yarn cp-assets && yarn cp-test-assets && yarn test ${args}"
+  processor sh -c "whoami && stat /data /gitea-data /app"
From 929e1ae0afef687c5cdd3576ae2ebd0c79b43c10 Mon Sep 17 00:00:00 2001
From: Abdulrhmn Ghanem
Date: Fri, 14 Oct 2022 07:35:06 +0200
Subject: [PATCH 2/5] docker: make gitea-data ro for the processor

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 775f158764..9999103b1b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -80,7 +80,7 @@ services:
       - redis
       - meilisearch
     volumes:
-      - gitea-data:/gitea-data
+      - gitea-data:/gitea-data:ro
       - processor-data:/data
       # share docker daemon when running docker inside docker
       - /var/run/docker.sock:/var/run/docker.sock
From 133a200fde77c8434af00954cc3b74e91411c383 Mon Sep 17 00:00:00 2001
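Review bot: `USER node` is added while, per the docker-compose.yml hunk further down this page, the processor still mounts `/var/run/docker.sock`; a uid-1000 user that is not in the socket's group cannot talk to the daemon, so anything relying on docker-in-docker will start failing at runtime, and if access is later granted through the group the container stays host-root-equivalent regardless of `USER`. The `adduser` line deserves a comment stating which outcome is intended, e.g. `# uid/gid 1000 must match the owner of the gitea-data volume; the docker socket is intentionally NOT accessible to this user`. Note also that `chown -R node /data /gitea-data` only seeds ownership when an empty named volume is first populated from the image; it does nothing for an existing or bind-mounted volume, and the hard-coded uid 1000 has to match whatever writes `/gitea-data` for the read-only mount in patch 2/5 to be readable. The `apt-get install` that opens this hunk starts above it.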
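Review bot: The new `processor sh -c "whoami && stat /data /gitea-data /app"` replaces the actual test run with a debug probe, so at this commit `clear_volumes_and_test_processor.sh` no longer runs any tests. Patch 3/5 restores the `yarn install && … && yarn test ${args}` command, so this line should be dropped from this commit (or the two commits squashed) to keep every commit in the series usable on its own. The added `-u node` flag is likewise flipped to `-u root` in patch 3/5.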
From: Abdulrhmn Ghanem
Date: Fri, 14 Oct 2022 07:43:31 +0200
Subject: [PATCH 3/5] processor: run tests as root in the container

- We need to install packages, compile ts, and move assets before running the actual testing code.
- The `node` user doesn't have permessions to do anything of these tasks.

Update scripts/clear_volumes_and_test_processor.sh

Co-authored-by: Kaspar Emanuel
---
 docker-compose.override.yml | 1 +
 processor/Dockerfile | 1 -
 scripts/clear_volumes_and_test_processor.sh | 7 +++++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 1629a979b6..04192920ee 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -40,6 +40,7 @@ services:
       dockerfile: Dockerfile
   processor:
+    user: root
     build:
       context: processor/
       dockerfile: Dockerfile
diff --git a/processor/Dockerfile b/processor/Dockerfile
index 0ab20e568e..2ff4ecebe9 100644
--- a/processor/Dockerfile
+++ b/processor/Dockerfile
@@ -33,4 +33,3 @@ RUN addgroup --gid 1000 node && \
 USER node
 CMD ["node", "dist/src/server.js"]
-
diff --git a/scripts/clear_volumes_and_test_processor.sh b/scripts/clear_volumes_and_test_processor.sh
index 51e70fc9fc..290dbf7ce3 100755
--- a/scripts/clear_volumes_and_test_processor.sh
+++ b/scripts/clear_volumes_and_test_processor.sh
@@ -20,8 +20,11 @@ docker-compose down -v
 # you can pass arguments to mocha e.g. `-g multi`
 args="$(concatenate_args "$@")"
+
+# We need to install packages, compile ts, and move assets before running the actual testing code.
+# The `node` user doesn't have permission to do any of these tasks.
 docker-compose run \
-  -u node \
+  -u root \
   -e LOG_LEVEL=debug \
   -e DATA_DIR=/data/test \
-  processor sh -c "whoami && stat /data /gitea-data /app"
+  processor sh -c "yarn install && yarn tsc && yarn cp-assets && yarn cp-test-assets && yarn test ${args}"
From aaa7f96480c49b4185b0472d8c1ccffab83d140f Mon Sep 17 00:00:00 2001
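Review bot: `user: root` in docker-compose.override.yml is picked up by every plain `docker-compose up`/`run` in development, not only by the test script, so it silently undoes the `USER node` from processor/Dockerfile for the whole dev workflow; the test script in this same commit already passes `-u root` explicitly, so the override entry is redundant for the stated purpose. If it is also needed so that `yarn install`/`yarn tsc` can write into `/app` in dev containers, say so next to it, e.g. `# dev only: yarn install/tsc write into /app, which the node user cannot do`, and make sure it never reaches a production compose file. The rest of the `processor` service definition is outside the hunk.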
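Review bot: With `-u root` the whole command, including `yarn test ${args}`, runs as root, so the suite never exercises the permissions the production image actually runs under (the `node` user reading `/gitea-data` and `/data`, which patch 1/5 chowned for that user). If the tests do not need to write into `/app`, the build steps can stay root while only the test drops privilege, e.g. `… && yarn cp-test-assets && su node -c "yarn test ${args}"`. `${args}` is also spliced into the inner `sh -c` string and re-split by that shell; `concatenate_args` is outside the hunk, so whether it already quotes for that cannot be seen here.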
From: Ghanem <37152329+AbdulrhmnGhanem@users.noreply.github.com>
Date: Thu, 27 Oct 2022 16:12:49 +0200
Subject: [PATCH 4/5] docker: replace chown with read/execute permissions

Co-authored-by: Kaspar Emanuel
---
 frontend/Dockerfile | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index dc63968a1e..eb329e35d8 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -22,14 +22,20 @@ COPY yarn.lock .
 RUN yarn --frozen-lockfile
 FROM base AS production
+
+ENV NODE_ENV=production
+# give the node user read-only permissions
+ARG PERMISSION=644
+COPY --chmod=${PERMISSION} --from=build /deps/node_modules/ node_modules/
+COPY --chmod=${PERMISSION} package.json .
+COPY --chmod=${PERMISSION} next.config.js .
+COPY --chmod=${PERMISSION} public/ public/
+COPY --chmod=${PERMISSION} src/server.js server.js
+
+# The `.next` directory is used by `next/image` to cache optimized images.
+# So it needs to be owned by the `node` user.
 COPY --chown=node:node --from=build /build/.next/ .next/
-COPY --chown=node:node --from=build /deps/node_modules/ node_modules/
-COPY --chown=node:node package.json .
-COPY --chown=node:node next.config.js .
-COPY --chown=node:node public/ public/
-RUN mkdir src/ && chown -R node src
-COPY --chown=node:node src/server.js src/server.js
-ENV NODE_ENV=productionu
+
 USER node
-CMD ["node", "src/server.js"]
+CMD ["node", "server.js"]
From b9e69a2daf4ed0fab12d1184787c1e1fa0fe2f89 Mon Sep 17 00:00:00 2001
From: Abdulrhmn Ghanem
Date: Tue, 18 Oct 2022 08:11:39 +0200
Subject: [PATCH 5/5] processor: delete the testing container on exit

---
 scripts/clear_volumes_and_test_processor.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/clear_volumes_and_test_processor.sh b/scripts/clear_volumes_and_test_processor.sh
index 290dbf7ce3..53e12b0a8c 100755
--- a/scripts/clear_volumes_and_test_processor.sh
+++ b/scripts/clear_volumes_and_test_processor.sh
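Review bot: `COPY --chmod=${PERMISSION}` with `PERMISSION=644` is applied to whole directories (`node_modules/`, `public/`), and as far as I know BuildKit applies the mode to the copied directories as well as the files, so they end up root-owned with no execute bit; a non-owner such as `node` cannot traverse a `0644` directory, which would make every `require()` from `node_modules` fail with EACCES once `USER node` is active. Use `755` for the directory copies (an x bit on root-owned read-only files is harmless) or drop `--chmod` and rely on root ownership plus the default world-readable modes, and confirm `node server.js` really starts as `node`. In addition, variable expansion inside `--chmod` is not performed by older Dockerfile frontends, which reject the literal `${PERMISSION}`; with no `# syntax=` directive visible here, inlining the mode is the safer choice. The comment `# give the node user read-only permissions` should also mention that root ownership is what enforces read-only, since `644` alone would not stop an owner from writing.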
@@ -25,6 +25,7 @@ args="$(concatenate_args "$@")"
 # The `node` user doesn't have permission to do any of these tasks.
 docker-compose run \
   -u root \
+  --rm \
   -e LOG_LEVEL=debug \
   -e DATA_DIR=/data/test \
   processor sh -c "yarn install && yarn tsc && yarn cp-assets && yarn cp-test-assets && yarn test ${args}"