From 00d24164db7d667f03c9d1adefeffaf81984a6ad Mon Sep 17 00:00:00 2001
From: Steve Smith <ssmith@atlassian.com>
Date: Tue, 6 Aug 2019 14:19:28 +1000
Subject: [PATCH] DCD-545: Import config templates from Ansible, and expand and
 normalise the two Dockerfiles with limited permissions.

---
 Dockerfile                           | 33 ++++++++-----
 Dockerfile-alpine                    | 37 +++++++++------
 config/confluence-init.properties.j2 |  1 +
 config/confluence.cfg.xml.j2         | 42 +++++++++++++++++
 config/seraph-config.xml.j2          | 69 +++++++++++++++++++++++++++
 config/server.xml.j2                 | 70 ++++++++++++++++++++++++++++
 6 files changed, 227 insertions(+), 25 deletions(-)
 create mode 100644 config/confluence-init.properties.j2
 create mode 100644 config/confluence.cfg.xml.j2
 create mode 100644 config/seraph-config.xml.j2
 create mode 100644 config/server.xml.j2

diff --git a/Dockerfile b/Dockerfile
index 2bdfa14..b83f757 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,10 @@
 FROM adoptopenjdk/openjdk8:slim
+MAINTAINER Atlassian Confluence
 
-ENV RUN_USER            					daemon
-ENV RUN_GROUP           					daemon
+ENV RUN_USER							confluence
+ENV RUN_GROUP							confluence
+ENV RUN_UID							2002
+ENV RUN_GID							2002
 
 # https://confluence.atlassian.com/doc/confluence-home-and-other-important-directories-590259707.html
 ENV CONFLUENCE_HOME          				/var/atlassian/application-data/confluence
@@ -15,24 +18,32 @@ EXPOSE 8090
 EXPOSE 8091
 
 CMD ["/entrypoint.sh", "-fg"]
-ENTRYPOINT ["/tini", "--"]
+ENTRYPOINT ["/sbin/tini", "--"]
 
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends fontconfig \
 	&& apt-get clean autoclean && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
 
 ARG TINI_VERSION=v0.18.0
-ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
-RUN chmod +x /tini
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /sbin/tini
+RUN chmod +x /sbin/tini
 
 COPY entrypoint.sh              			/entrypoint.sh
+COPY scripts/*						/opt/atlassian/bin/
+COPY config/*						/opt/atlassian/etc/
 
 ARG CONFLUENCE_VERSION
 ARG DOWNLOAD_URL=https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz
 
-RUN mkdir -p                             	${CONFLUENCE_INSTALL_DIR} \
-    && curl -L --silent                  	${DOWNLOAD_URL} | tar -xz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
-    && chown -R ${RUN_USER}:${RUN_GROUP} 	${CONFLUENCE_INSTALL_DIR}/ \
-    && sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh \
-    && sed -i -e 's/port="8090"/port="8090" secure="${catalinaConnectorSecure}" scheme="${catalinaConnectorScheme}" proxyName="${catalinaConnectorProxyName}" proxyPort="${catalinaConnectorProxyPort}"/' ${CONFLUENCE_INSTALL_DIR}/conf/server.xml \
-    && sed -i -e 's/Context path=""/Context path="${catalinaContextPath}"/' ${CONFLUENCE_INSTALL_DIR}/conf/server.xml
+RUN groupadd --gid ${RUN_GID} ${RUN_GROUP} \
+    && useradd --uid ${RUN_UID} --gid ${RUN_GID} --home-dir ${CONFLUENCE_HOME} ${RUN_USER} \
+    \
+    && mkdir -p                       	 ${CONFLUENCE_INSTALL_DIR} \
+    && curl -L --silent                  ${DOWNLOAD_URL} | tar -xz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
+    && chmod -R "u=rwX,g=rX,o=rX"        ${CONFLUENCE_INSTALL_DIR}/ \
+    && chown -R root.                    ${CONFLUENCE_INSTALL_DIR}/ \
+    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/logs \
+    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/temp \
+    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/work \
+    \
+    && sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh
diff --git a/Dockerfile-alpine b/Dockerfile-alpine
index a16f387..ae48145 100644
--- a/Dockerfile-alpine
+++ b/Dockerfile-alpine
@@ -1,21 +1,22 @@
 FROM adoptopenjdk/openjdk8:alpine
 MAINTAINER Atlassian Confluence
 
-ENV RUN_USER            daemon
-ENV RUN_GROUP           daemon
+ENV RUN_USER							confluence
+ENV RUN_GROUP							confluence
+ENV RUN_UID							2002
+ENV RUN_GID							2002
 
 # https://confluence.atlassian.com/doc/confluence-home-and-other-important-directories-590259707.html
-ENV CONFLUENCE_HOME          /var/atlassian/application-data/confluence
-ENV CONFLUENCE_INSTALL_DIR   /opt/atlassian/confluence
+ENV CONFLUENCE_HOME          				/var/atlassian/application-data/confluence
+ENV CONFLUENCE_INSTALL_DIR   				/opt/atlassian/confluence
 
 VOLUME ["${CONFLUENCE_HOME}"]
+WORKDIR $CONFLUENCE_HOME
 
 # Expose HTTP and Synchrony ports
 EXPOSE 8090
 EXPOSE 8091
 
-WORKDIR $CONFLUENCE_HOME
-
 CMD ["/entrypoint.sh", "-fg"]
 ENTRYPOINT ["/sbin/tini", "--"]
 
@@ -27,14 +28,22 @@ RUN ln -s /usr/lib/libfontconfig.so.1 /usr/lib/libfontconfig.so \
     && ln -s /lib/libc.musl-x86_64.so.1 /usr/lib/libc.musl-x86_64.so.1
 ENV LD_LIBRARY_PATH /usr/lib
 
-COPY entrypoint.sh              /entrypoint.sh
+COPY entrypoint.sh              			/entrypoint.sh
+COPY scripts/*						/opt/atlassian/bin/
+COPY config/*						/opt/atlassian/etc/
 
 ARG CONFLUENCE_VERSION
-ARG DOWNLOAD_URL=http://www.atlassian.com/software/confluence/downloads/binary/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz
+ARG DOWNLOAD_URL=https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz
 
-RUN mkdir -p                             ${CONFLUENCE_INSTALL_DIR} \
-    && curl -L --silent                  ${DOWNLOAD_URL} | tar -xz --strip-components=1 -C "$CONFLUENCE_INSTALL_DIR" \
-    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/ \
-    && sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh \
-    && sed -i -e 's/port="8090"/port="8090" secure="${catalinaConnectorSecure}" scheme="${catalinaConnectorScheme}" proxyName="${catalinaConnectorProxyName}" proxyPort="${catalinaConnectorProxyPort}"/' ${CONFLUENCE_INSTALL_DIR}/conf/server.xml  \
-    && sed -i -e 's/Context path=""/Context path="${catalinaContextPath}"/' ${CONFLUENCE_INSTALL_DIR}/conf/server.xml
+RUN addgroup -g ${RUN_GID} ${RUN_GROUP} \
+    && adduser -u ${RUN_UID} -G ${RUN_GROUP} -h ${CONFLUENCE_HOME} -D ${RUN_USER} \
+    \
+    && mkdir -p                          ${CONFLUENCE_INSTALL_DIR} \
+    && curl -L --silent                  ${DOWNLOAD_URL} | tar -xz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
+    && chmod -R "u=rwX,g=rX,o=rX"        ${CONFLUENCE_INSTALL_DIR}/ \
+    && chown -R root.                    ${CONFLUENCE_INSTALL_DIR}/ \
+    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/logs \
+    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/temp \
+    && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/work \
+    \
+    && sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh
diff --git a/config/confluence-init.properties.j2 b/config/confluence-init.properties.j2
new file mode 100644
index 0000000..b2ecc60
--- /dev/null
+++ b/config/confluence-init.properties.j2
@@ -0,0 +1 @@
+confluence.home = {{ atl_product_home }}
diff --git a/config/confluence.cfg.xml.j2 b/config/confluence.cfg.xml.j2
new file mode 100644
index 0000000..4b5368c
--- /dev/null
+++ b/config/confluence.cfg.xml.j2
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<confluence-configuration>
+
+  <setupStep>setupstart</setupStep>
+  <setupType>custom</setupType>
+  <buildNumber>0</buildNumber>
+
+  <properties>
+    <property name="confluence.database.choice">postgresql</property>
+    <property name="confluence.database.connection.type">database-type-standard</property>
+    <property name="hibernate.dialect">com.atlassian.confluence.impl.hibernate.dialect.PostgreSQLDialect</property>
+    <property name="webwork.multipart.saveDir">${localHome}/temp</property>
+    <property name="attachments.dir">${confluenceHome}/attachments</property>
+
+    <property name="hibernate.connection.driver_class">{{ atl_db_driver }}</property>
+    <property name="hibernate.connection.url">{{ atl_jdbc_url }}</property>
+    <property name="hibernate.connection.username">{{ atl_jdbc_user }}</property>
+    <property name="hibernate.connection.password">{{ atl_jdbc_password }}</property>
+    <property name="hibernate.c3p0.min_size">{{ atl_db_poolminsize }}</property>
+    <property name="hibernate.c3p0.max_size">{{ atl_db_poolmaxsize }}</property>
+    <property name="hibernate.c3p0.timeout">{{ atl_db_timeout }}</property>
+    <property name="hibernate.c3p0.idle_test_period">{{ atl_db_idletestperiod }}</property>
+    <property name="hibernate.c3p0.max_statements">{{ atl_db_maxstatements }}</property>
+    <property name="hibernate.c3p0.validate">{{ atl_db_validate }}</property>
+    <property name="hibernate.c3p0.acquire_increment">{{ atl_db_acquireincrement }}</property>
+    <property name="hibernate.c3p0.preferredTestQuery">select version();</property>
+
+    <property name="shared-home">{{ atl_product_home_shared }}</property>
+    <property name="confluence.cluster">true</property>
+    <property name="confluence.cluster.home">{{ atl_product_home_shared }}</property>
+    <property name="confluence.cluster.aws.iam.role">{{ atl_hazelcast_network_aws_iam_role }}</property>
+    <property name="confluence.cluster.aws.region">{{ atl_hazelcast_network_aws_iam_region }}</property>
+    <property name="confluence.cluster.aws.host.header">{{ atl_hazelcast_network_aws_host_header }}</property>
+    <property name="confluence.cluster.aws.tag.key">{{ atl_hazelcast_network_aws_tag_key }}</property>
+    <property name="confluence.cluster.aws.tag.value">{{ atl_hazelcast_network_aws_tag_value }}</property>
+    <property name="confluence.cluster.join.type">aws</property>
+    <property name="confluence.cluster.name">{{ atl_aws_stack_name }}</property>
+    <property name="confluence.cluster.ttl">1</property>
+
+  </properties>
+</confluence-configuration>
diff --git a/config/seraph-config.xml.j2 b/config/seraph-config.xml.j2
new file mode 100644
index 0000000..8b16d54
--- /dev/null
+++ b/config/seraph-config.xml.j2
@@ -0,0 +1,69 @@
+<security-config>
+    <parameters>
+        <init-param>
+            <param-name>login.url</param-name>
+            <param-value>/login.action?os_destination=${originalurl}&amp;permissionViolation=true</param-value>
+        </init-param>
+        <init-param>
+            <param-name>link.login.url</param-name>
+            <param-value>/login.action</param-value>
+        </init-param>
+        <init-param>
+            <param-name>cookie.encoding</param-name>
+            <param-value>cNf</param-value>
+        </init-param>
+        <init-param>
+            <param-name>login.cookie.key</param-name>
+            <param-value>seraph.confluence</param-value>
+        </init-param>
+ 
+        <init-param>
+            <param-name>autologin.cookie.age</param-name>
+            <param-value>{{ atl_autologin_cookie_age }}</param-value>
+        </init-param>
+
+        <!--only basic authentication available-->
+        <init-param>
+            <param-name>authentication.type</param-name>
+            <param-value>os_authType</param-value>
+        </init-param>
+
+        <!-- Invalidate session on login to prevent session fixation attack -->
+         <init-param>
+            <param-name>invalidate.session.on.login</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <!-- Add names for session attributes that must not be copied to a new session when the old one gets invalidated.
+          Currently it is empty (i.e. all attributes will be copied). -->
+        <init-param>
+            <param-name>invalidate.session.exclude.list</param-name>
+            <param-value></param-value>
+        </init-param>
+    </parameters>
+
+    <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
+    <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>
+
+    <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
+    <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
+
+    <!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->
+
+    <!-- Authenticator with support for Crowd single-sign on (SSO). -->
+    <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->
+
+    <!-- Specialised version of the default authenticator which adds authenticated users to confluence-users if they aren't already a member. -->
+    <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/> -->
+
+    <services>
+        <service class="com.atlassian.seraph.service.PathService">
+            <init-param>
+                <param-name>config.file</param-name>
+                <param-value>seraph-paths.xml</param-value>
+            </init-param>
+        </service>
+    </services>
+
+    <elevatedsecurityguard class="com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard"/>
+
+</security-config>
diff --git a/config/server.xml.j2 b/config/server.xml.j2
new file mode 100644
index 0000000..e11cb8b
--- /dev/null
+++ b/config/server.xml.j2
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<Server port="{{ atl_tomcat_mgmt_port }}"
+        shutdown="SHUTDOWN">
+
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
+  <Listener className="org.apache.catalina.core.AprLifecycleListener"
+            SSLEngine="on"/>
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
+
+  <Service name="Catalina">
+
+    <Connector port="{{ atl_tomcat_port }}"
+               maxThreads="{{ atl_tomcat_maxthreads }}"
+               minSpareThreads="{{ atl_tomcat_minsparethreads }}"
+               connectionTimeout="{{ atl_tomcat_connectiontimeout }}"
+               enableLookups="{{ atl_tomcat_enablelookups }}"
+               protocol="{{ atl_tomcat_protocol }}"
+               redirectPort="{{ atl_tomcat_redirectport }}"
+               acceptCount="{{ atl_tomcat_acceptcount }}"
+               secure="{{ atl_tomcat_secure }}"
+               scheme="{{ atl_tomcat_scheme }}"
+               proxyName="{{ atl_proxy_name }}"
+               proxyPort="{{ atl_proxy_port }}"
+
+               relaxedPathChars="[]|"
+               relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
+               bindOnInit="false"
+               maxHttpHeaderSize="8192"
+               useBodyEncodingForURI="true"
+               disableUploadTimeout="true" />
+
+    <Engine name="Standalone"
+            defaultHost="localhost"
+            debug="0">
+      <Host name="localhost"
+            debug="0"
+            appBase="webapps"
+            unpackWARs="true"
+            autoDeploy="false"
+            startStopThreads="4">
+        <Context path="{{ atl_tomcat_contextpath }}"
+                 docBase="../confluence"
+                 debug="0"
+                 reloadable="false"
+                 useHttpOnly="true">
+          <!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
+          <Manager pathname=""/>
+          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve"
+                 threshold="60"/>
+        </Context>
+
+        <Context path="${confluence.context.path}/synchrony-proxy"
+                 docBase="../synchrony-proxy"
+                 debug="0"
+                 reloadable="false"
+                 useHttpOnly="true">
+          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve"
+                 threshold="60"/>
+        </Context>
+
+      </Host>
+    </Engine>
+
+  </Service>
+
+</Server>
+