From 53775585ace0d0c0bdbc0389a826dc530d9154e0 Mon Sep 17 00:00:00 2001 From: Quentin Duchemin <quentinduchemin@tuta.io> Date: Sun, 22 Dec 2019 14:44:44 +0100 Subject: [PATCH] Re-add jq for default config generation, ignore CVE --- pica-mattermost/Dockerfile | 1 + pica-mattermost/README.md | 14 +++++----- pica-mattermost/clair-whitelist.yml | 2 ++ pica-mattermost/entrypoint.sh | 42 +++++++++++++++++++++++++++-- 4 files changed, 50 insertions(+), 9 deletions(-) diff --git a/pica-mattermost/Dockerfile b/pica-mattermost/Dockerfile index 4f87f6b0..2e6507d3 100644 --- a/pica-mattermost/Dockerfile +++ b/pica-mattermost/Dockerfile @@ -13,6 +13,7 @@ ARG PGID=5000 RUN apk add --no-cache \ ca-certificates \ curl \ + jq \ libc6-compat \ libffi-dev \ libcap \ diff --git a/pica-mattermost/README.md b/pica-mattermost/README.md index cbc62d19..210c1dbf 100644 --- a/pica-mattermost/README.md +++ b/pica-mattermost/README.md @@ -13,16 +13,16 @@ Aussi, on n'utilise pas le système de sauvegarde `WAL-e`, ce qui nous permet d' Enfin, le Docker Compose est adapté à notre configuration. -### Utilisation +### Création d'une nouvelle instance -Assurez-vous que les volumes suivants existent (`docker volume`). Sinon, créez-les avec `docker volume create`. -* mattermost-config -* mattermost-db -* mattermost-data -* mattermost-plugins +Assurez-vous que les volumes suivants existent (`docker volume ls`). Sinon, créez-les avec `docker volume create`. +* `mattermost-config` +* `mattermost-db` +* `mattermost-data` +* `mattermost-plugins` -qduchemi@pica01-test:~/dockerfiles/pica-mattermost$ docker volume create mattermost-plugins Copier `secrets/mattermost-db.secrets.example` dans `secrets/mattermost-db.secrets` et remplacer les valeurs des identifiants. + Lancer `docker-compose up -d`. On notera l'utilisation de la variable `DB_HOST` dans le fichier Docker Compose, qui ne devrait pas avoir à être modifiée si on ne touche pas le nom du service de base de données. ### Procédure de mise à jour 
diff --git a/pica-mattermost/clair-whitelist.yml b/pica-mattermost/clair-whitelist.yml
index e69de29b..519b80a6 100644
--- a/pica-mattermost/clair-whitelist.yml
+++ b/pica-mattermost/clair-whitelist.yml
@@ -0,0 +1,2 @@
+generalwhitelist:
+ CVE-2016-4074: jq -> pas de contre mesure, pas utilisé par Mattermost mais juste par l'entrypoint, pas de risque en remote
diff --git a/pica-mattermost/entrypoint.sh b/pica-mattermost/entrypoint.sh
index 7d14b183..437e24ae 100644
--- a/pica-mattermost/entrypoint.sh
+++ b/pica-mattermost/entrypoint.sh
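Review bot: The CVE-2016-4074 whitelist entry justifies the exception with "only used by the entrypoint" but never names the inputs jq parses, which is presumably what actually bounds the exposure and what a future reviewer needs to re-check. From this patch those inputs are the image-baked `/config.json.save`, the operator-mounted `$MM_CONFIG`, and `$MM_PASSWORD` read with `-R` (raw text, not parsed as JSON) — none of them remote or user-supplied. Recording that in the entry, e.g. appending `; entrées jq : /config.json.save, le config.json monté et le mot de passe DB en mode -R, jamais de JSON distant`, makes the exception self-invalidating if someone later points jq at downloaded data.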
@@ -11,11 +11,49 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 if [ "$1" = 'mattermost' ]; then
+ # Check CLI args for a -config option
+ for ARG in $@;
+ do
+ case "$ARG" in
+ -config=*)
+ MM_CONFIG=${ARG#*=};;
+ esac
+ done
+
+ if [ ! -f $MM_CONFIG ]
+ then
+ # If there is no configuration file, create it with some default values
+ echo "No configuration file" $MM_CONFIG
+ echo "Creating a new one"
+ # Copy default configuration file
+ cp /config.json.save $MM_CONFIG
+ # Substitue some parameters with jq
+ jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+ else
+ echo "Using existing config file" $MM_CONFIG
+ fi
+
 # Configure database access
 if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
 then
- echo -ne "Configure database connection..."
- export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$MM_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
+ # URLEncode the password, allowing for special characters
+ ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
+ export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
 echo OK
 else
 echo "Using existing database connection"
-- 
GitLab