From 1bb1d13a506ee4e608e441c86bf28acaf962f2a4 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 6 Jun 2022 17:23:02 +0200 Subject: [PATCH] (wip) fix folders permissions during setup @see https://github.com/moby/moby/issues/2259 --- CHANGELOG.md | 1 + Dockerfile | 11 ++++++++-- Procfile | 2 +- setup/setup.sh | 28 ++++++++++++------------ setup/upgrade.sh | 56 +++++++++++++++++++++++++++++++++++++++++------- 5 files changed, 73 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b96592ab1..84bc29528 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## next deploy - Updated sidekiq-unique-jobs to 7.1.23 to get rid of Sidekiq's default_worker_options deprecation warning +- Allow moving with arrows in the setup script's inputs - Fix a bug: unable to edit OIDC provider - Fix a bug: list of OIDC scopes are loading indefinitely diff --git a/Dockerfile b/Dockerfile index ca5e313be..ac0e61f7c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,9 @@ FROM ruby:2.6.10-alpine MAINTAINER contact@fab-manager.com +RUN addgroup --gid 1000 fabmanager && \ + adduser --uid 1000 -G fabmanager -s /bin/bash -D fabmanager + # Install upgrade system packages RUN apk update && apk upgrade && \ # Install runtime apk dependencies @@ -48,6 +51,11 @@ COPY Gemfile /tmp/ COPY Gemfile.lock /tmp/ RUN bundle config set --local without 'development test doc' && bundle install && bundle binstubs --all +# Prepare the application directory +RUN mkdir -p /usr/src/app && chown -R fabmanager:fabmanager /usr/src/app +# Change to non-root user +USER fabmanager + # Install Javascript packages WORKDIR /usr/src/app COPY package.json /usr/src/app/package.json @@ -63,8 +71,7 @@ RUN apk del .build-deps && \ /usr/lib/ruby/gems/*/cache/* # Web app -RUN mkdir -p /usr/src/app && \ - mkdir -p /usr/src/app/config && \ +RUN mkdir -p /usr/src/app/config && \ mkdir -p /usr/src/app/invoices && \ mkdir -p /usr/src/app/payment_schedules && \ mkdir -p /usr/src/app/exports && \ 
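Review bot: The new account is pinned to uid/gid 1000, but the upgrade.sh hunks in this same patch start containers with `--user "$(id -u):$(id -g)"`, so the two only line up when the host user happens to be 1000:1000. For any other host uid the process has no passwd entry and does not own /usr/src/app, since the `chown -R fabmanager:fabmanager` added in the next hunk grants access to uid 1000 only. I would state the assumption next to the instruction, e.g. `# uid/gid 1000 must match the host account that owns the bind-mounted folders`. A service account also has no need for a login shell, so `-s /sbin/nologin` would be a tighter choice than `-s /bin/bash`; whether bash is installed in this image at all is not visible in the hunk.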
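Review bot: `USER fabmanager` is set before steps that still need root. The following hunk shows `RUN apk del .build-deps` and the removal of `/usr/lib/ruby/gems/*/cache/*` further down the file, and both would run as uid 1000 unless a `USER root` sits between them outside the visible lines. Moving the switch to after the last root-only `RUN` keeps the runtime non-root without breaking that cleanup layer. The `COPY package.json ...` that follows also stays root-owned, because `COPY` does not follow `USER`; `COPY --chown=fabmanager:fabmanager package.json /usr/src/app/package.json` keeps ownership consistent with the `chown -R` added here.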
diff --git a/Procfile b/Procfile index 64f020c5e..434aa4a6c 100644 --- a/Procfile +++ b/Procfile @@ -1,3 +1,3 @@ -web: bundle exec rails server puma -p $PORT +#web: bundle exec rails server puma -p $PORT worker: bundle exec sidekiq -C ./config/sidekiq.yml webpack: bin/webpacker-dev-server diff --git a/setup/setup.sh b/setup/setup.sh index bae810904..dea618d9a 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -117,7 +117,7 @@ elevate_cmd() read_email() { local email - read -rp "Please input a valid email address > " email " email ' domain ' domain " value " value " value " value &1) + if [ $? -eq 0 ]; then + echo "has_sudo__pass_set" + elif echo $prompt | grep -q '^sudo:'; then + echo "has_sudo__needs_pass" + else + echo "no_sudo" + fi +} + +elevate_cmd() +{ + local cmd=$@ + + HAS_SUDO=$(has_sudo) + + case "$HAS_SUDO" in + has_sudo__pass_set) + sudo $cmd + ;; + has_sudo__needs_pass) + echo "Please supply sudo password for the following command: sudo $cmd" + sudo $cmd + ;; + *) + echo "Please supply root password for the following command: su -c \"$cmd\"" + su -c "$cmd" + ;; + esac +} + + # set $SERVICE and $YES_ALL config() { @@ -125,9 +162,9 @@ version_error() # set $VERSION version_check() { - VERSION=$(docker-compose exec -T "$SERVICE" cat .fabmanager-version 2>/dev/null) + VERSION=$(docker-compose exec --user "$(id -u):$(id -g)" -T "$SERVICE" cat .fabmanager-version 2>/dev/null) if [[ $? = 1 ]]; then - VERSION=$(docker-compose exec -T "$SERVICE" cat package.json | jq -r '.version') + VERSION=$(docker-compose exec --user "$(id -u):$(id -g)" -T "$SERVICE" cat package.json | jq -r '.version') fi target_version if [ "$TARGET" = 'custom' ]; then return; fi 
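Review bot: The `web` entry is commented out rather than changed, and nothing in the commit message ties that to folder permissions, so it reads like a local debugging leftover from the `(wip)` state. If it is intentional, a one-line comment above it stating why the web process is disabled would help the next reader. Otherwise the original `web: bundle exec rails server puma -p $PORT` line should be restored before this is merged.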
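Review bot: `local cmd=$@` in elevate_cmd flattens the argument list into one string, so `sudo $cmd` is re-split on whitespace and the `su -c "$cmd"` branch hands that string to a root shell for re-parsing. The only call visible in this patch passes the fixed words `rm -rf public/packs`, so nothing breaks today, but a later caller passing a path with a space or a shell metacharacter would have it reinterpreted with root privileges. Passing the arguments through unchanged avoids that: `sudo "$@"` in both sudo branches and, assuming root's shell accepts bash quoting, `su -c "$(printf '%q ' "$@")"` in the fallback. The opening lines of this hunk, including the start of has_sudo, are not readable in this view, so this covers elevate_cmd only.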
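Review bot: `--user "$(id -u):$(id -g)"` in version_check follows whoever invokes upgrade.sh, so when the script is started as root or through sudo it resolves to `0:0` and the container runs as root again, which cancels the non-root `USER` this patch adds to the Dockerfile. The same expression is used in the `docker run` of the compile_assets hunk further down, where it decides who owns the files written to the bind-mounted `public/new_packs`. Resolving the ids once near the top and preferring sudo's own variables would make the intent explicit, e.g. `RUN_AS="${SUDO_UID:-$(id -u)}:${SUDO_GID:-$(id -g)}"`, then `--user "$RUN_AS"` at each call. For these two read-only `cat` calls the flag may not be needed at all.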
@@ -185,13 +222,16 @@ compile_assets() PG_NET_ID=$(docker inspect "$PG_ID" -f "{{json .NetworkSettings.Networks }}" | jq -r '.[] .NetworkID') clean_env_file # shellcheck disable=SC2068 - if ! docker run --rm --env-file ./config/env ${ENV_ARGS[@]} --link "$PG_ID" --net "$PG_NET_ID" -v "${PWD}/public/new_packs:/usr/src/app/public/packs" "$IMAGE" bundle exec rake assets:precompile; then + if ! docker run --user "$(id -u):$(id -g)" --rm --env-file ./config/env ${ENV_ARGS[@]} --link "$PG_ID" --net "$PG_NET_ID" -v "${PWD}/public/new_packs:/usr/src/app/public/packs" "$IMAGE" bundle exec rake assets:precompile; then restore_tag printf "\e[91m[ ❌ ] Something went wrong while compiling the assets, please check the logs above.\e[39m\nExiting...\n" exit 4 fi docker-compose down - rm -rf public/packs + if ! rm -rf public/packs; then + # sometimes we can't delete the packs folder, because of a permission issue. In that case try with sudo + elevate_cmd rm -rf public/packs + fi mv public/new_packs public/packs } @@ -239,21 +279,21 @@ upgrade() done for PRE in "${PREPROCESSING[@]}"; do printf "\e[91m::\e[0m \e[1mRunning preprocessing command %s...\e[0m\n" "$PRE" - if ! docker-compose run --rm "$SERVICE" bundle exec "$PRE"
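Review bot: The result of the elevated delete in compile_assets is never checked, so `mv public/new_packs public/packs` runs even when `elevate_cmd rm -rf public/packs` was refused or failed. With the old directory still present, `mv` would place `new_packs` inside it and the old assets would stay in place. Folding both attempts into one condition closes that gap: `if ! rm -rf public/packs && ! elevate_cmd rm -rf public/packs; then`, followed by the same `restore_tag`, error `printf` and `exit` used just above. Since the fallback runs `rm -rf` as root on a relative path, it is also worth anchoring it to `${PWD}` the way the `-v "${PWD}/public/new_packs:..."` mount in this hunk already does.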