From 4c01286e062aff9d06f6a50d65db21d9ec7a5754 Mon Sep 17 00:00:00 2001 From: Young Yang Date: Fri, 18 Nov 2022 15:30:23 +0800 Subject: [PATCH] MBT docker image mbtci-java17-node16's installation of FOSS tools to enforcement SAP security policies --- .circleci/config.yml | 22 ++-- Dockerfile_mbtci_java17 | 228 ++++++++++++++++++++++++++++------------ 2 files changed, 173 insertions(+), 77 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1a7b5b07..0217c737 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -161,7 +161,7 @@ jobs: name: "build Java 17 & Node 16 image" command: | MBT_VERSION=$(cat ./VERSION) - sh $PWD/scripts/build_image 17 16.18.0 ${MBT_VERSION} + sh $PWD/scripts/build_image 17 16.18.1 ${MBT_VERSION} - run: name: publish image command: | @@ -173,11 +173,16 @@ jobs: echo "Image release: ${MBT_VERSION}" #Push to Docker Hub echo "$DOCKER_HUB_TOKEN" | docker login --username $DOCKER_HUB_USER --password-stdin - sh $PWD/scripts/publish_image 17 16.18.0 ${MBT_VERSION} "devxci" + sh $PWD/scripts/publish_image 17 16.18.1 ${MBT_VERSION} "devxci" #Push to GitHub Container Registry echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin - sh $PWD/scripts/publish_image 17 16.18.0 ${MBT_VERSION} "ghcr.io/sap" + sh $PWD/scripts/publish_image 17 16.18.1 ${MBT_VERSION} "ghcr.io/sap" + - run: + # This won't run if previous commands have failed so the tag should be removed **manually** + name: remove dummy release tag + command: | + git push https://github.com/SAP/cloud-mta-build-tool.git --delete release publish-to-npm: docker: @@ -203,11 +208,6 @@ jobs: npm install npm run ci npm publish - - run: - # This won't run if previous commands have failed so the tag should be removed **manually** - name: remove dummy release tag - command: | - git push https://github.com/SAP/cloud-mta-build-tool.git --delete release workflows: version: 2 
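Review bot: The `remove dummy release tag` step moved into publish-to-dockerhub keeps the `run` default of running only on success, so, as its own comment says, a failed publish leaves the `release` tag in place and needs manual cleanup; if the intent is for the tag to go away regardless of outcome, adding `when: always` to that step would do it (hedged, since leaving the tag after a failure may be deliberate to allow a retry). The `git push https://github.com/SAP/cloud-mta-build-tool.git --delete release` also relies on credentials that are not visible in this hunk, unlike the two docker logins above it which pass a token explicitly; a one-line comment naming where the push authenticates from (`# push auth comes from <credential source placeholder>`) would help the next reader. The enclosing publish-to-dockerhub job starts before this hunk.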
@@ -288,7 +288,7 @@ workflows: only: /release/ branches: ignore: /.*/ - - publish-to-dockerhub: + - publish-to-npm: requires: - release-to-github filters: @@ -296,9 +296,9 @@ workflows: only: /release/ branches: ignore: /.*/ - - publish-to-npm: + - publish-to-dockerhub: requires: - - publish-to-dockerhub + - publish-to-npm filters: tags: only: /release/ diff --git a/Dockerfile_mbtci_java17 b/Dockerfile_mbtci_java17 index 77599e56..1405a38c 100644 --- a/Dockerfile_mbtci_java17 +++ b/Dockerfile_mbtci_java17 
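Review bot: The swapped dependency (`publish-to-dockerhub` now `requires: - publish-to-npm`) carries no comment explaining why the order changed; the reason appears to be that the rebuilt Dockerfile in this same patch installs mbt from npm at `${MBT_VERSION}`, so the image build needs the npm release to exist first, but that is inferred from the other file rather than from this hunk. A short comment above the new `requires:` block, such as `# the Docker image installs mbt from npm, so the npm publish must succeed first`, would keep the ordering from being "fixed" back later. Note that this also means a failed npm publish now blocks the Docker image entirely, which seems intended but is worth stating in the description.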
@@ -1,93 +1,189 @@ -FROM sapmachine:17 +FROM debian:bullseye-slim # Build time arguments +ARG MTA_USER="mta" ARG MTA_USER_HOME=/home/mta ARG MBT_VERSION=1.2.19 -ARG GO_VERSION=1.15.6 -# node version as found in https://nodejs.org/dist/ e.g: "v16.15.0" +ARG GO_VERSION=1.19.3 ARG NODE_VERSION=NODE_VERSION_TEMPLATE -ARG MAVEN_VERSION=3.6.3 +ARG MAVEN_VERSION=3.8.6 +ARG MAVEN_BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries +ARG SAPMACHINE_VERSION=17.0.5 # Environment variables ENV PYTHON /usr/bin/python3 -ENV M2_HOME=/opt/maven/apache-maven-${MAVEN_VERSION} +ENV MAVEN_HOME /usr/share/maven +ENV M2_HOME ${MAVEN_HOME} ENV GOPATH /go ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH ENV CGO_ENABLED=0 ENV GOOS=linux ENV DEBIAN_FRONTEND=noninteractive +# create user account and using openssl to create password +RUN set -ex \ + && apt-get update \ + && apt-get install -y openssl --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + # smoke test + && openssl version \ + && useradd --home-dir ${MTA_USER_HOME} \ + --create-home \ + --shell /bin/bash \ + --user-group \ + --uid 1000 \ + --comment 'Cloud MTA Build Tool' \ + --password "$(echo weUseMta | openssl passwd -1 -stdin)" ${MTA_USER} \ + # allow anybody to write into the image user home directory + && chmod a+w ${MTA_USER_HOME} + ADD http://aia.pki.co.sap.com/aia/SAP%20Global%20Root%20CA.crt \ /etc/ssl/certs/SAP_Global_Root_CA.crt -# Download required env tools -RUN apt-get update && \ - apt-get install --yes --no-install-recommends \ - ca-certificates \ - git \ - curl && \ - - # Change security level as the SAP npm repo doesnt support buster new security upgrade - # the default configuration for OpenSSL in Buster explicitly requires using more secure ciphers and protocols, - # and the server running at http://npm.sap.com/ is running software configured to only provide insecure, older ciphers. 
- # This causes SSL connections using OpenSSL from a Buster based installation to fail - # Should be remove once SAP npm repo will patch the security level - # see - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912759 - sed -i -E 's/(CipherString\s*=\s*DEFAULT@SECLEVEL=)2/\11/' /etc/ssl/openssl.cnf && \ - # install node - NODE_HOME=/opt/nodejs; mkdir -p ${NODE_HOME} && \ - curl --fail --silent --output - "https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-x64.tar.gz" \ - | tar -xzv -f - -C "${NODE_HOME}" && \ - ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/node" /usr/local/bin/node && \ - ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/npm" /usr/local/bin/npm && \ - ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/npx" /usr/local/bin/ && \ - npm install --prefix /usr/local/ -g grunt-cli && \ - -# install ui5-cli temporay solution - npm install --prefix /usr/local/ -g @ui5/cli && \ +RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ + && case "${dpkgArch##*-}" in \ + amd64) ARCH='x64';; \ + ppc64el) ARCH='ppc64le';; \ + s390x) ARCH='s390x';; \ + arm64) ARCH='arm64';; \ + armhf) ARCH='armv7l';; \ + i386) ARCH='x86';; \ + *) echo "unsupported architecture"; exit 1 ;; \ + esac \ + && set -ex \ + && apt-get update \ + && apt-get install -y ca-certificates curl gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + && for key in \ + 4ED778F539E3634C779C87C6D7062848A1AB005C \ + 141F07595B7B3FFE74309A937405533BE57C7D57 \ + 74F12602B6F1C4E913FAA37AD3A89613643B6201 \ + 61FC681DFB92A079F1685E77973F295594EC4689 \ + 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ + C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \ + 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ + C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ + 108F52B48DB57BB0CC439B2997B01419BD92F80A \ + ; do \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \ + gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; 
\ + done \ + # check downloaded archive matches the checksum + && curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-linux-$ARCH.tar.gz" \ + && curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt" \ + && grep " node-$NODE_VERSION-linux-$ARCH.tar.gz\$" SHASUMS256.txt | sha256sum -c - \ + # check downloaded checksum file signature + && curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt.sig" \ + && gpg --verify SHASUMS256.txt.sig SHASUMS256.txt \ + && tar -zxv -f "node-$NODE_VERSION-linux-$ARCH.tar.gz" -C /usr/local --strip-components=1 --no-same-owner \ + && rm "node-$NODE_VERSION-linux-$ARCH.tar.gz" SHASUMS256.txt.sig SHASUMS256.txt \ + && apt-mark auto '.*' > /dev/null \ + && find /usr/local -type f -executable -exec ldd '{}' ';' \ + | awk '/=>/ { print $(NF-1) }' \ + | sort -u \ + | xargs -r dpkg-query --search \ + | cut -d: -f1 \ + | sort -u \ + | xargs -r apt-mark manual \ + && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ + && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ + # smoke tests + && echo "node ${NODE_VERSION} install smoke tests!" \ + && node --version \ + && npm --version -# installing Golang - curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz && tar -xvf go${GO_VERSION}.linux-amd64.tar.gz && \ - mv go /usr/local && \ - mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" && \ - mkdir -p ${GOPATH}/src ${GOPATH}/bin && \ +# install ui5-cli temporay solution +RUN set -ex \ + && npm install --prefix /usr/local/ -g @ui5/cli \ + && npm cache clean -g --force \ + # smoke tests + && echo "ui5 install smoke tests!" 
\ + && ui5 --version -# update maven home - M2_BASE="$(dirname ${M2_HOME})" && \ - mkdir -p "${M2_BASE}" && \ - curl --fail --silent --output - "https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \ - | tar -xzvf - -C "${M2_BASE}" && \ - ln -s "${M2_HOME}/bin/mvn" /usr/local/bin/mvn && \ - chmod --recursive a+w "${M2_HOME}"/conf/* && \ +# install Golang +RUN set -ex \ + && apt-get update \ + && apt-get install -y ca-certificates curl --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + && curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz \ + && tar -xvf go${GO_VERSION}.linux-amd64.tar.gz \ + && rm -rf /usr/local/go \ + && mv go /usr/local \ + && mkdir -p "$GOPATH/src" "$GOPATH/bin" \ + && chmod -R 777 "$GOPATH" \ + && mkdir -p ${GOPATH}/src ${GOPATH}/bin \ + # smoke tests + && echo "go ${GO_VERSION} install smoke tests!" \ + && go version -# Download MBT - curl -L "https://github.com/SAP/cloud-mta-build-tool/releases/download/v${MBT_VERSION}/cloud-mta-build-tool_${MBT_VERSION}_Linux_amd64.tar.gz" | tar -zx -C /usr/local/bin && \ - chown root:root /usr/local/bin/mbt && \ +# install sapmachine +RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ + && case "${dpkgArch##*-}" in \ + amd64) ARCH='amd64';; \ + *) echo "unsupported architecture"; exit 1 ;; \ + esac \ + && set -ex \ + && apt-get update \ + && apt-get install -y --no-install-recommends wget ca-certificates gnupg \ + && export GNUPGHOME="$(mktemp -d)" \ + && wget -q -O - https://dist.sapmachine.io/debian/sapmachine.old.key | gpg --batch --import \ + && gpg --batch --export --armor 'DA4C 00C1 BDB1 3763 8608 4E20 C7EB 4578 740A EEA2' > /etc/apt/trusted.gpg.d/sapmachine.old.gpg.asc \ + && wget -q -O - https://dist.sapmachine.io/debian/sapmachine.key | gpg --batch --import \ + && gpg --batch --export --armor 'CACB 9FE0 9150 307D 1D22 D829 6275 4C3B 3ABC FE23' > /etc/apt/trusted.gpg.d/sapmachine.gpg.asc \ + && 
gpgconf --kill all \ + && rm -rf "$GNUPGHOME" \ + && echo "deb http://dist.sapmachine.io/debian/amd64/ ./" > /etc/apt/sources.list.d/sapmachine.list \ + && apt-get update \ + && apt-get install -y sapmachine-$(echo ${SAPMACHINE_VERSION} | cut -d. -f1)-jdk=${SAPMACHINE_VERSION} --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + && apt-get remove --purge --autoremove -y ca-certificates gnupg wget \ + # smoke test + && echo "sapmachine ${SAPMACHINE_VERSION} install smoke tests!" \ + && java --version -# handle users permission - useradd --home-dir "${MTA_USER_HOME}" \ - --create-home \ - --shell /bin/bash \ - --user-group \ - --uid 1000 \ - --comment 'Cloud MTA Build Tool' \ - --password "$(echo weUseMta |openssl passwd -1 -stdin)" mta && \ -# allow anybody to write into the images HOME - chmod a+w "${MTA_USER_HOME}" && \ +# install maven +RUN set -ex \ + && apt-get update \ + && apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + && curl -fsSLO --compressed ${MAVEN_BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \ + && curl -fsSLO --compressed ${MAVEN_BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc \ + && for key in \ + 6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688 \ + ; do \ + gpg --batch --keyserver hkps://pgp.surf.nl --recv-keys "$key" || \ + gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \ + done \ + && gpg --batch --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \ + && mkdir -p ${MAVEN_HOME} ${MAVEN_HOME}/ref \ + && tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C ${MAVEN_HOME} --strip-components=1 \ + && rm -f apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \ + && chmod --recursive a+w ${MAVEN_HOME}/conf/* \ + && ln -s ${MAVEN_HOME}/bin/mvn /usr/bin/mvn \ + && apt-get remove --purge --autoremove -y ca-certificates curl gnupg dirmngr \ + # smoke tests + && echo "mvn 
${MAVEN_VERSION} smoke tests!" \ + && mvn --version -# Install essential build tools and python, required for building db modules - apt-get install --yes --no-install-recommends \ - build-essential \ - python2.7 \ - python3 && \ - -# remove build env tools - apt-get remove --purge --autoremove --yes \ - curl && \ +# Install MBT +RUN set -ex \ + && npm install -g --unsafe-perm @young-yang217/mbt@${MBT_VERSION} \ + && npm cache clean -g --force \ + # smoke tests + && echo "mbt ${MBT_VERSION} install smoke tests!" \ + && mbt --version - rm -rf /var/lib/apt/lists/* +# Install essential build tools and python +RUN set -ex \ + && apt-get update \ + && apt-get install -y ca-certificates build-essential python2.7 python3 --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + # smoke tests + && echo "python install smoke tests!" \ + && python2.7 --version \ + && python3 --version ENV PATH=$PATH:./node_modules/.bin HOME=${MTA_USER_HOME} WORKDIR /project -USER mta +USER ${MTA_USER}
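Review bot: The `Install MBT` step pulls `@young-yang217/mbt@${MBT_VERSION}` from a personal npm scope rather than the project's own published package, so the image's core tool now comes from an individual account (likely a leftover from testing, but a supply-chain concern in a commit meant to enforce security policy); confirm the intended package name before merging, and reconsider `--unsafe-perm`, which lets that package's install scripts run as root. Verification is also uneven: node and maven are checked against signed checksums, but Go is fetched with `curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz` and extracted unverified (a pinned `echo "<expected-go-sha256 placeholder>  go${GO_VERSION}.linux-amd64.tar.gz" | sha256sum -c -` before the `tar -xvf` would match the other steps), and the `ADD http://aia.pki.co.sap.com/aia/SAP%20Global%20Root%20CA.crt` line kept from the old file still installs a root CA into `/etc/ssl/certs` over plain HTTP with no `--checksum`. The `mta` account is created with the fixed password `weUseMta` (MD5 crypt via `openssl passwd -1`), which `set -x` also echoes into the build log; unless something needs to `su` into that account, drop `--password` and lock it, which also removes the need to install openssl in that layer. Minor: `mkdir -p ${GOPATH}/src ${GOPATH}/bin` repeats the line before it, and `chmod -R 777 "$GOPATH"` grants world-write where ownership by `${MTA_USER}` (`chown -R ${MTA_USER}:${MTA_USER} "$GOPATH"`) would suffice.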