Merge pull request #7 from owncloud-ops/fix-encryption

add option to template security.php
owncloud-ops · Jul 29, 2020 · 77ee05c · 77ee05c
2 parents b57436e + 66c2207
commit 77ee05c
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,4 @@
+- BUGFIX
+  - add option to create security.php from env variables
+- ENHANCEMENT
+  - upgrade upstream version
diff --git a/Dockerfile b/Dockerfile
@@ -7,8 +7,8 @@ LABEL maintainer="ownCloud GmbH <devops@owncloud.com>" \
 
 # Database migrations work for releases from 4.x.x on upwards. From 4.x.x to 5.x.x testing is neccesary!!!!
 # Migrations from 3.x.x to 4.x.x break the underlying yii framework.
-ARG BUILD_VERSION=4.3.2+200629
-ENV SURVEY_VERSION="${BUILD_VERSION:-4.3.2+200629}"
+ARG BUILD_VERSION=4.3.5+200721
+ENV SURVEY_VERSION="${BUILD_VERSION:-4.3.5+200721}"
 
 ENV SURVEY_ADMIN_USER=admin
 ENV LD_PRELOAD="/usr/lib/preloadable_libiconv.so php-fpm7 php"

diff --git a/README.md b/README.md
@@ -28,6 +28,10 @@ LIME_MAILER_PASSWORD=****
 LIME_MAILER_ENCRYPTION=ssl
 LIME_MAILER_PROTOCOL=smtp
 
+LIME_ENCRYPTION_KEYPAIR=
+LIME_ENCRYPTION_PUBLIC_KEY=
+LIME_ENCRYPTION_SECRET_KEY=
+
 LIME_SSL_DISABLE_ALERT=false
 
 # This variable need to be set to enable LDAP queries

diff --git a/overlay/etc/templates/security.php.tmpl b/overlay/etc/templates/security.php.tmpl
@@ -0,0 +1,7 @@
+<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
+
+$config = array();
+$config['encryptionkeypair'] = '{{ getenv "LIME_ENCRYPTION_KEYPAIR" }}';
+$config['encryptionpublickey'] = '{{ getenv "LIME_ENCRYPTION_PUBLIC_KEY" }}';
+$config['encryptionsecretkey'] = '{{ getenv "LIME_ENCRYPTION_SECRET_KEY" }}';
+return $config;
diff --git a/overlay/usr/bin/entrypoint b/overlay/usr/bin/entrypoint
@@ -5,7 +5,19 @@ set -eo pipefail
 /usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl
 /usr/local/bin/gomplate -V -o /var/www/app/application/config/config.php -f /etc/templates/config.php.tmpl
 
-printf "\nPrepare survey ...\n"
+if [ -f application/config/security.php ]; then
+    printf '\nFile security.php already provisioned ...\n'
+else
+    printf '\nCreating security.php ...\n'
+    if [ -n "$LIME_ENCRYPTION_KEYPAIR" ]; then
+        /usr/local/bin/gomplate -V -o /var/www/app/application/config/security.php -f /etc/templates/security.php.tmpl
+    else
+        printf 'No encryption keys was provided. A security.php config will be created by the application ...\n'
+        printf 'THIS FILE NEEDS TO BE PERSISTENT\n'
+    fi
+fi
+
+printf "\nPrepare LimeSurvey ...\n"
 
 if [ -n "$LIME_DB_HOST" ]
 then
@@ -18,31 +30,31 @@ fi
 
 # Automated install of limesurvey is quite fragile and so we have to avoid that the install command is ever executed more than once.
 # If so, it will avoid the container from being restarted but also from being updated.
-# Lime survey isn't offering any good mechanism to catch the failing as there are side effects that influence the thrown exception.
+# LimeSurvey isn't offering any good mechanism to catch the failing as there are side effects that influence the thrown exception.
 # Plugins is a persisted volume that we use for creating our custom "installation done" flag
-printf "\nSetup lime survey\n"
-printf "\nCheck if install has been performed already\n"
+printf "\nSetup LimeSurvey ...\n"
+printf "\nCheck if install has been performed already ...\n"
 INSTALLER_FLAG=plugins/install.done
 if ! [ -f "$INSTALLER_FLAG" ]; then
-    printf "\nInstall lime survey\n"
+    printf "\nInstall LimeSurvey ...\n"
     php /var/www/app/application/commands/console.php install "${LIME_ADMIN_USER}" "${LIME_ADMIN_PASSWORD}" "${LIME_ADMIN_USER}" "${LIME_ADMIN_EMAIL}" true
     touch $INSTALLER_FLAG
     echo "$(php -r 'include("application/config/version.php"); echo $config["versionnumber"];')" > $INSTALLER_FLAG
     echo $INSTALLER_FLAG >> $INSTALLER_FLAG
 else
-    printf "\nInstall already performed at former container start\n"
+    printf "\nInstall already performed at former container start ...\n"
 fi
 
 # Database update shall only be performed if there is a new version installed to avoid updatedb to cause a php stacktrace...
 # updatedb breaks if email.php has been templated in a former container start
-printf "\nPerform database update check\n"
+printf "\nPerform database update check ...\n"
 VERSION_LATEST_INSTALL=$(tail -1 $INSTALLER_FLAG)
 VERSION_NEW="$(php -r 'include("application/config/version.php"); echo $config["versionnumber"];')"
 if [ "$VERSION_LATEST_INSTALL" = "$VERSION_NEW" ]; then
-    printf "\nNo database update needed\n"
+    printf "\nNo database update needed ...\n"
 else
-    printf "\nPerform database update and see if version offset needs database migration\n"
-    # Lime Devs told that it's sometimes neccesary to clean the runtime cache to run db migrations 
+    printf "\nPerform database update and see if version offset needs database migration ...\n"
+    # Lime Devs told that it's sometimes neccesary to clean the runtime cache to run db migrations
     rm -r tmp/runtime/*
     php /var/www/app/application/commands/console.php updatedb
     sed -i "2s/.*/$VERSION_NEW/" $INSTALLER_FLAG
@@ -51,10 +63,10 @@ fi
 # updatedb will break if we execute the command with a templated email.php
 # Since we check the versionnumber from the former install against the latest folder version, we can keep
 # the templating in here without condition as updatedb is only executed when the version changed and then it's working as expected
-printf "\nSetup lime survey email config\n\n"
+printf "\nSetup LimeSurvey email config ...\n\n"
 /usr/local/bin/gomplate -V -o /var/www/app/application/config/email.php -f /etc/templates/email.php.tmpl
 
-printf "\nSetup lime survey ldap config\n\n"
+printf "\nSetup LimeSurvey ldap config ...\n\n"
 /usr/local/bin/gomplate -V -o /var/www/app/application/config/ldap.php -f /etc/templates/ldap.php.tmpl
 
 printf "\nStarting survey ...\n\n"