From f6a8a8322d09d5f6012167d298dea6f0471cb82c Mon Sep 17 00:00:00 2001
From: Andrew Gauld <agauld@att.com>
Date: Fri, 27 Mar 2020 15:30:36 +0000
Subject: Update images to run as non-root

Images updated and the new versions are:
adapter.acumos:1.0.2
mod.distributorapi:1.0.1
mod.onboardingapi:2.12.1
mod.designtool-web:1.0.2
mod.genprocessor-job:1.0.1
mod.genprocessor-http:1.0.1
mod.runtime-web:1.0.2
Note: image names all start with "onap/org.onap.dcaegen2.platform."

designtool-web was already running as a non-root user.  The others have been
changed to create user "dcaemod" and run as that user.

The listen port numbers on mod.distributorapi, mod.onboardingapi, and
mod.genprocessor-http are changed from 80 to 8080.

URLs in designtool-web, distributorapi, and genprocessor-job are adjusted
to reflect the new port numbers.

Change-Id: I510122952666c21cb92f3f64552e99d50af7c355
Issue-ID: DCAEGEN2-2170
Signed-off-by: Andrew Gauld <agauld@att.com>
---
 adapter/acumos/Changelog.md               |  2 ++
 adapter/acumos/Dockerfile                 |  7 ++++++-
 adapter/acumos/README.md                  |  2 +-
 adapter/acumos/aoconversion/scanner.py    |  4 ++--
 adapter/acumos/pom.xml                    |  2 +-
 adapter/acumos/setup.py                   |  2 +-
 mod/designtool/designtool-web/pom.xml     |  3 ++-
 mod/designtool/designtool-web/sh/start.sh | 11 ++---------
 mod/distributorapi/Changelog.md           | 10 ++++++++++
 mod/distributorapi/Dockerfile             |  9 +++++++--
 mod/distributorapi/distributor/config.py  |  2 +-
 mod/distributorapi/distributor/http.py    |  2 +-
 mod/distributorapi/distributor/version.py |  2 +-
 mod/distributorapi/pom.xml                |  2 +-
 mod/genprocessor/nginx.conf               |  2 +-
 mod/genprocessor/pom.xml                  | 12 ++++++++++--
 mod/onboardingapi/ChangeLog.md            |  4 ++++
 mod/onboardingapi/Dockerfile              | 18 ++++++++++++------
 mod/onboardingapi/dcae_cli/_version.py    |  2 +-
 mod/onboardingapi/dcae_cli/http.py        |  2 +-
 mod/onboardingapi/pom.xml                 |  2 +-
 mod/onboardingapi/start.sh                |  1 +
 mod/runtimeapi/runtime-web/pom.xml        |  6 +++++-
 23 files changed, 74 insertions(+), 35 deletions(-)
 create mode 100644 mod/distributorapi/Changelog.md

diff --git a/adapter/acumos/Changelog.md b/adapter/acumos/Changelog.md
index e900ad7..55bafa8 100644
--- a/adapter/acumos/Changelog.md
+++ b/adapter/acumos/Changelog.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.0.2] - 3/26/2020
+    * Run as non-root
 ## [1.0.1] - 3/20/2020
     * Adjust URL paths for consistency with DCAE GEN design tool
 ## [1.0.0] - 11/13/2019
diff --git a/adapter/acumos/Dockerfile b/adapter/acumos/Dockerfile
index 7ec9656..d1a0984 100644
--- a/adapter/acumos/Dockerfile
+++ b/adapter/acumos/Dockerfile
@@ -17,6 +17,8 @@
 # ============LICENSE_END======================================================
 
 FROM python:3.7
+ARG UID=1000
+ARG GID=1000
 COPY setup.py /tmp/build/
 COPY aoconversion/ /tmp/build/aoconversion/
 RUN apt-get update && \
@@ -26,9 +28,12 @@ RUN apt-get update && \
     cd /tmp/build/ && \
     python setup.py install && \
     cd / && \
-    rm -rf /tmp/*
+    rm -rf /tmp/* && \
+    groupadd -g $GID dcaemod && \
+    useradd -s /bin/bash -u $UID -g $GID -m dcaemod
 
 EXPOSE 9000
 ENV PYTHONUNBUFFERED TRUE
+USER dcaemod
 ENTRYPOINT [ "/usr/local/bin/acumos-adapter" ]
 CMD [ "/run/config/config.yaml" ]
diff --git a/adapter/acumos/README.md b/adapter/acumos/README.md
index 55490ba..2de3845 100644
--- a/adapter/acumos/README.md
+++ b/adapter/acumos/README.md
@@ -56,7 +56,7 @@ This operates in 2 modes:
     Gateway of the ACUMOS instance.
   certfile - The file path for the PEM file containing the private key, etc.
   dockerhost - (optional) The URL for the docker host.  By default,
-    unix:///var/run/docker.sock.
+    tcp://localhost:2375.
   dockerregistry - The host:port for the ONAP docker registry.
   dockeruser - The user ID for uploading images to the docker registry.
   dockerpass - The password for uploading images to the docker registry.
diff --git a/adapter/acumos/aoconversion/scanner.py b/adapter/acumos/aoconversion/scanner.py
index 41f18de..cf3ac79 100644
--- a/adapter/acumos/aoconversion/scanner.py
+++ b/adapter/acumos/aoconversion/scanner.py
@@ -47,7 +47,7 @@ class Config(object):
     Configuration parameters as attributes, make sure the required ones are there,
     populate defaults.
     """
-    def __init__(self, dcaeurl, dcaeuser, onboardingurl, onboardinguser, onboardingpass, certfile, dockerregistry, dockeruser, dockerpass, acumosurl=None, interval=900, dockerhost='unix:///var/run/docker.sock', tmpdir='/var/tmp/aoadapter', certverify=True, catalogs=None, port=None, **extras):
+    def __init__(self, dcaeurl, dcaeuser, onboardingurl, onboardinguser, onboardingpass, certfile, dockerregistry, dockeruser, dockerpass, acumosurl=None, interval=900, dockerhost='tcp://localhost:2375', tmpdir='/var/tmp/aoadapter', certverify=True, catalogs=None, port=None, **extras):
         self.dcaeurl = dcaeurl
         self.dcaeuser = dcaeuser
 
@@ -299,7 +299,7 @@ class Apihandler(BaseHTTPRequestHandler):
             else:
                 solution = aa.jsonget('/solutions/{}', self.qparams['solutionId'])
                 onboard(aa, callback, solution, self.qparams['revisionId'])
-            self.replyraw('OK', 'text/plain')
+            self.replyraw('OK'.encode('utf-8'), 'text/plain')
             return
         self.send_error(400)
 
diff --git a/adapter/acumos/pom.xml b/adapter/acumos/pom.xml
index 7d872ef..1ea941d 100644
--- a/adapter/acumos/pom.xml
+++ b/adapter/acumos/pom.xml
@@ -23,7 +23,7 @@ limitations under the License.
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.onap.dcaegen2.platform.adapter</groupId>
 	<artifactId>dcaegen2-platform-adapter-acumos</artifactId>
-	<version>1.0.1</version>
+	<version>1.0.2-SNAPSHOT</version>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<sonar.sources>.</sonar.sources>
diff --git a/adapter/acumos/setup.py b/adapter/acumos/setup.py
index 9001cd5..e833307 100644
--- a/adapter/acumos/setup.py
+++ b/adapter/acumos/setup.py
@@ -20,7 +20,7 @@ from setuptools import setup, find_packages
 
 setup(
     name="aoconversion",
-    version="1.0.1",
+    version="1.0.2",
     packages=find_packages(exclude=["tests.*", "tests"]),
     author="Tommy Carpenter, Andrew Gauld",
     author_email="tommy@research.att.com, agauld@att.com",
diff --git a/mod/designtool/designtool-web/pom.xml b/mod/designtool/designtool-web/pom.xml
index 8806964..fc24024 100644
--- a/mod/designtool/designtool-web/pom.xml
+++ b/mod/designtool/designtool-web/pom.xml
@@ -27,6 +27,7 @@ limitations under the License.
     <version>1.0.1-SNAPSHOT</version>
   </parent>
   <artifactId>designtool-web</artifactId>
+  <version>1.0.2-SNAPSHOT</version>
   <packaging>war</packaging>
   <name>dcaegen2-platform-mod-designtool-web</name>
   <properties>
@@ -84,7 +85,7 @@ limitations under the License.
     <dependency>
       <groupId>org.onap.dcaegen2.platform.mod</groupId>
       <artifactId>nifi-war-to-jar</artifactId>
-      <version>${project.version}</version>
+      <version>1.0.1-SNAPSHOT</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
diff --git a/mod/designtool/designtool-web/sh/start.sh b/mod/designtool/designtool-web/sh/start.sh
index 8658983..b0393de 100755
--- a/mod/designtool/designtool-web/sh/start.sh
+++ b/mod/designtool/designtool-web/sh/start.sh
@@ -51,16 +51,9 @@ prop_replace 'nifi.web.proxy.context.path'                  "${NIFI_WEB_PROXY_CO
 # replace value conditionally if the property name exists otherwise append
 if grep -q 'nifi.dcae.jars.index.url' $nifi_props_file
 then
-    prop_replace 'nifi.dcae.jars.index.url'                     "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http/nifi-jars/}"
+    prop_replace 'nifi.dcae.jars.index.url'                     "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}"
 else
-    prop_append 'nifi.dcae.jars.index.url'                     "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http/nifi-jars/}"
-fi
-
-if grep -q 'nifi.ui.dcae.distibutor.api.url' $nifi_props_file
-then
-    prop_replace 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api}"
-else
-    prop_append 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api}"
+    prop_append 'nifi.dcae.jars.index.url'                     "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}"
 fi
 
 . "${scripts_dir}/update_cluster_state_management.sh"
diff --git a/mod/distributorapi/Changelog.md b/mod/distributorapi/Changelog.md
new file mode 100644
index 0000000..2e0327b
--- /dev/null
+++ b/mod/distributorapi/Changelog.md
@@ -0,0 +1,10 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [1.0.1] - 3/26/2020
+    * Run as non-root
+## [1.0.0] - 11/11/2019
+    * Distributor API - initial version
diff --git a/mod/distributorapi/Dockerfile b/mod/distributorapi/Dockerfile
index cc10c68..f82607d 100644
--- a/mod/distributorapi/Dockerfile
+++ b/mod/distributorapi/Dockerfile
@@ -15,9 +15,14 @@
 # ============LICENSE_END=========================================================
 FROM python:3.7-alpine
 
+ARG UID=1000
+ARG GID=1000
 COPY . /code
 WORKDIR /code
-RUN pip install .
-EXPOSE 80
+RUN pip install . && \
+    addgroup -g $GID dcaemod && \
+    adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod
+USER dcaemod
+EXPOSE 8080
 ENV DISTRIBUTOR_DEBUG=0
 CMD start-distributor-api
diff --git a/mod/distributorapi/distributor/config.py b/mod/distributorapi/distributor/config.py
index 8d2cede..d83eee1 100644
--- a/mod/distributorapi/distributor/config.py
+++ b/mod/distributorapi/distributor/config.py
@@ -35,4 +35,4 @@ def init():
 
     global onboarding_api_url
     onboarding_api_url = _grab_env("ONBOARDING_API_URL"
-            , default="http://onboarding-api/onboarding")
+            , default="http://onboarding-api:8080/onboarding")
diff --git a/mod/distributorapi/distributor/http.py b/mod/distributorapi/distributor/http.py
index 963a852..f1aa2fd 100644
--- a/mod/distributorapi/distributor/http.py
+++ b/mod/distributorapi/distributor/http.py
@@ -253,4 +253,4 @@ def start_http_server():
     if is_debug():
         _app.run(debug=True)
     else:
-        _app.run(host="0.0.0.0", port=80, debug=False)
+        _app.run(host="0.0.0.0", port=8080, debug=False)
diff --git a/mod/distributorapi/distributor/version.py b/mod/distributorapi/distributor/version.py
index 57c4da3..9da6f0f 100644
--- a/mod/distributorapi/distributor/version.py
+++ b/mod/distributorapi/distributor/version.py
@@ -13,4 +13,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ============LICENSE_END=========================================================
-__version__ = "1.0.0"
+__version__ = "1.0.1"
diff --git a/mod/distributorapi/pom.xml b/mod/distributorapi/pom.xml
index 3cfd949..45096b1 100644
--- a/mod/distributorapi/pom.xml
+++ b/mod/distributorapi/pom.xml
@@ -23,7 +23,7 @@ limitations under the License.
 	<groupId>org.onap.dcaegen2.platform.mod</groupId>
     <artifactId>dcaegen2-platform-mod-distributorapi</artifactId>
     <!-- NOTE: Must keep this version synchronized with the version in distributor/version.py file -->
-	<version>1.0.0</version>
+	<version>1.0.1-SNAPSHOT</version>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<sonar.sources>.</sonar.sources>
diff --git a/mod/genprocessor/nginx.conf b/mod/genprocessor/nginx.conf
index bd53c07..b6bdb24 100644
--- a/mod/genprocessor/nginx.conf
+++ b/mod/genprocessor/nginx.conf
@@ -1,5 +1,5 @@
 server {
-    listen       80;
+    listen       8080;
     server_name  localhost;
 
     location / {
diff --git a/mod/genprocessor/pom.xml b/mod/genprocessor/pom.xml
index 6afc9de..ccc1ce3 100644
--- a/mod/genprocessor/pom.xml
+++ b/mod/genprocessor/pom.xml
@@ -26,7 +26,7 @@ limitations under the License.
   </parent>
   <groupId>org.onap.dcaegen2.platform.mod</groupId>
   <artifactId>genprocessor</artifactId>
-  <version>1.0.0</version>
+  <version>1.0.1-SNAPSHOT</version>
   <name>dcaegen2-platform-mod-genprocessor</name>
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -139,6 +139,10 @@ limitations under the License.
                     </files>
                   </inline>
                 </assembly>
+		<runCmds>
+		  <runCmd>groupadd -g 1000 dcaemod &amp;&amp; useradd --shell /bin/bash -u 1000 -g 1000 -m dcaemod</runCmd>
+		</runCmds>
+		<user>dcaemod</user>
                 <entryPoint>
                   <exec>
                     <arg>nginx</arg>
@@ -161,12 +165,16 @@ limitations under the License.
                 <assembly>
                   <descriptorRef>artifact-with-dependencies</descriptorRef>
                 </assembly>
+		<runCmds>
+		  <runCmd>groupadd -g 1000 dcaemod &amp;&amp; useradd --shell /bin/bash -u 1000 -g 1000 -m dcaemod &amp;&amp; mkdir -p /work &amp;&amp; chown dcaemod:dcaemod /work</runCmd>
+		</runCmds>
                 <workdir>/maven</workdir>
                 <env>
                   <GENPROC_WORKING_DIR>/work</GENPROC_WORKING_DIR>
-                  <GENPROC_ONBOARDING_API_HOST>http://onboarding-api/onboarding</GENPROC_ONBOARDING_API_HOST>
+                  <GENPROC_ONBOARDING_API_HOST>http://onboarding-api:8080/onboarding</GENPROC_ONBOARDING_API_HOST>
                   <GENPROC_SLEEP_SEC>10</GENPROC_SLEEP_SEC>
                 </env>
+		<user>dcaemod</user>
                 <entryPoint>
                   <exec>
                     <arg>java</arg>
diff --git a/mod/onboardingapi/ChangeLog.md b/mod/onboardingapi/ChangeLog.md
index 21d0f0c..28578d2 100644
--- a/mod/onboardingapi/ChangeLog.md
+++ b/mod/onboardingapi/ChangeLog.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 
+## [2.12.1]
+
+* Run as non-root
+
 ## [2.12.0]
 
 * Add HTTP support using Flask/flask-restplus
diff --git a/mod/onboardingapi/Dockerfile b/mod/onboardingapi/Dockerfile
index 606ca5b..2c3cd0d 100644
--- a/mod/onboardingapi/Dockerfile
+++ b/mod/onboardingapi/Dockerfile
@@ -1,12 +1,18 @@
 FROM python:3.7-alpine
 
-RUN apk update && \
-    apk add --virtual build-deps gcc python-dev musl-dev && \
-    apk add postgresql-dev bash
+ARG UID=1000
+ARG GID=1000
+
 COPY . /code
 WORKDIR /code
-RUN pip install . \
-    && mkdir -p ~/.config/dcae-cli
-EXPOSE 80
+RUN apk update && \
+    apk add --virtual build-deps gcc python-dev musl-dev && \
+    apk add postgresql-dev bash && \
+    addgroup -g $GID dcaemod && \
+    adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod && \
+    pip install .
+
+EXPOSE 8080
+USER dcaemod
 
 CMD /code/start.sh
diff --git a/mod/onboardingapi/dcae_cli/_version.py b/mod/onboardingapi/dcae_cli/_version.py
index e1ceca3..b61bd9a 100644
--- a/mod/onboardingapi/dcae_cli/_version.py
+++ b/mod/onboardingapi/dcae_cli/_version.py
@@ -19,4 +19,4 @@
 # ECOMP is a trademark and service mark of AT&T Intellectual Property.
 
 # -*- coding: utf-8 -*-
-__version__ = "2.12.0"
+__version__ = "2.12.1"
diff --git a/mod/onboardingapi/dcae_cli/http.py b/mod/onboardingapi/dcae_cli/http.py
index 792cd7f..4d3ae0c 100644
--- a/mod/onboardingapi/dcae_cli/http.py
+++ b/mod/onboardingapi/dcae_cli/http.py
@@ -498,4 +498,4 @@ def start_http_server(catalog, debug=True):
     if debug:
         _app.run(debug=True)
     else:
-        _app.run(host="0.0.0.0", port=80, debug=False)
+        _app.run(host="0.0.0.0", port=8080, debug=False)
diff --git a/mod/onboardingapi/pom.xml b/mod/onboardingapi/pom.xml
index 588a9b2..be5e683 100644
--- a/mod/onboardingapi/pom.xml
+++ b/mod/onboardingapi/pom.xml
@@ -22,7 +22,7 @@ limitations under the License.
   <groupId>org.onap.dcaegen2.platform.mod</groupId>
   <artifactId>dcaegen2-platform-mod-onboardingapi</artifactId>
   <name>dcaegen2-platform-mod-onboardingapi</name>
-  <version>2.12.0</version>
+  <version>2.12.1-SNAPSHOT</version>
   <url>http://maven.apache.org</url>
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/mod/onboardingapi/start.sh b/mod/onboardingapi/start.sh
index 6d7d9e5..a938c98 100755
--- a/mod/onboardingapi/start.sh
+++ b/mod/onboardingapi/start.sh
@@ -6,6 +6,7 @@ if [ -z $PG_CONN ]; then
     exit 1
 fi
 
+mkdir -p ~/.config/dcae-cli
 if [ ! -f ~/.config/dcae-cli/config.json ]; then
     echo "Creating dcae-cli config"
     # TODO: Make this into a variable that gets fed in via docker run
diff --git a/mod/runtimeapi/runtime-web/pom.xml b/mod/runtimeapi/runtime-web/pom.xml
index ff08ac1..4cc5a66 100644
--- a/mod/runtimeapi/runtime-web/pom.xml
+++ b/mod/runtimeapi/runtime-web/pom.xml
@@ -25,7 +25,7 @@ limitations under the License.
 		<version>1.0.1</version>
 	</parent>
 	<artifactId>runtime-web</artifactId>
-	<version>1.0.1</version>
+	<version>1.0.2-SNAPSHOT</version>
 	<packaging>jar</packaging>
 	<name>runtime-web</name>
 	<description>MOD Runtime Web Module</description>
@@ -118,6 +118,9 @@ limitations under the License.
 								<assembly>
 									<descriptorRef>artifact</descriptorRef>
 								</assembly>
+								<runCmds>
+								  <runCmd>addgroup -g 1000 dcaemod &amp;&amp; adduser -s /bin/bash -u 1000 -G dcaemod -D dcaemod</runCmd>
+								</runCmds>
 								<workdir>/maven</workdir>
 								<volumes>
 									<volume>/tmp</volume>
@@ -125,6 +128,7 @@ limitations under the License.
 								<ports>
 									<port>9090</port>
 								</ports>
+								<user>dcaemod</user>
 								<entryPoint>
 									<exec>
 										<arg>java</arg>
-- 
cgit 1.2.3-korg